Malicious URL blocked

Hi !

I have recently been receiving new browsers opening while I’m on trusted sites (such as the bbc.co.uk), so I installed Avast!. I’ve run a quick and deep scan and cleaned the notebook.

However, I am still experiencing an alert “Malicious URL blocked”; here is the file.

It appears that the file is located at:

C:\windows\system32\svchost.exe.

Does anyone know why this keeps happening and what I need to do to stop this from continuing?

Best,

David

Hi Davidz,

You surely need to clean up your system. So I have asked essexboy to jump in.

Make sure you obey him :wink:

nmb

Hi there, let's see what you have.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
svchost.exe
userinit.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Thanks a lot for the assistance you’ve afforded.

I’ve got those two txt files, now what action should I take?

Brgds,

David

Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Essexboy will review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs. Thank you.

Thanks very much. I am “new” to this so humble apologies for asking such questions.

Best Regards,

David

Did you used to use Symantec/Norton on your machine? Are you/have you used Advanced System Care (ASC)?

David,

*** Please back up your data but no .EXE, .SCR or HTM(L) files. ***

Do you have another machine you can use to read the forum so that you are not using the infected one? If not, please limit the time you are using this one.

Did you used to use Symantec/Norton on your machine?

I think I am; should I disable Symantec/Norton?

Are you/have you used Advanced System Care (ASC)?
Not sure what this is.

I do have other notebooks, I’m also experiencing the issue with them… :frowning:

Thanks a lot…

David

Hi, two antivirus programmes do not make you twice as secure, they make you less secure - please uninstall one.

Also, are you saying that all computers are getting redirected? Are you on a wireless router?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2007/12/25 09:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DT\Application Data\Mozilla\Firefox\Profiles\3ys21ry6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{73a32bb5-e4a2-11df-9a90-00038a000015}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found
O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

- Double click on ComboFix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
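To show what the O33 MountPoints2 entries in that fix script represent (per-volume AutoRun and open handlers pointing at an executable on a removable drive, the classic USB-stick infection pattern), here is an added Python example; it is not part of the thread and not OTL's own code. It parses lines in OTL's O33 format and groups the suspicious launch commands per volume GUID; the sample lines are copied from the fix above, the function and field names are assumptions of this example.

```python
import re
from collections import defaultdict

# One O33 line from an OTL log:
#   MountPoints2\{volume-guid}\Shell[\verb[\command]] - "" = value [-- File not found]
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[^}]+)\}\\Shell'
    r'(?:\\(?P<verb>[^\\]+?)(?:\\(?P<sub>command))?)?'
    r' - "" = (?P<value>.*?)(?: -- (?P<status>File not found))?$'
)
LAUNCH_VERBS = {"autorun", "open"}  # verbs Explorer runs on double-click / AutoPlay

# Constructed sample: O33 lines copied from the OTL fix script in the post above,
# plus one benign default-verb entry that the parser must not flag.
SAMPLE_LOG = [
    r'O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found',
    r'O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found',
    r'O33 - MountPoints2\{73a32bb5-e4a2-11df-9a90-00038a000015}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found',
    r'O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell - "" = AutoRun',
]

def parse_o33(line):
    """Fields of an O33 MountPoints2 line, or None for any other log line."""
    m = O33_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["verb"] = (d["verb"] or "").lower()
    d["missing"] = d["status"] is not None  # OTL already saw that the payload is gone
    return d

def suspicion(path):
    """Why a launch target is suspicious; empty string when it is not."""
    p = path.lower()
    if not p.endswith((".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")):
        return ""
    return "executable hidden in RECYCLER" if "\\recycler\\" in p else "executable on a mounted volume"

def find_autorun_hijacks(lines):
    """Group suspicious AutoRun/open commands per volume GUID, sorted by GUID."""
    by_guid = defaultdict(lambda: {"verbs": set(), "target": None, "reason": "", "missing": False})
    for line in lines:
        e = parse_o33(line)
        if not e or e["sub"] != "command" or e["verb"] not in LAUNCH_VERBS:
            continue
        if not (reason := suspicion(e["value"])):
            continue
        entry = by_guid[e["guid"]]
        entry["verbs"].add(e["verb"])
        entry.update(target=e["value"], reason=reason, missing=e["missing"])
    return [dict(v, guid=g, verbs=sorted(v["verbs"])) for g, v in sorted(by_guid.items())]
```

Running `find_autorun_hijacks` over a full OTL.Txt lists every volume whose double-click or AutoPlay action has been redirected to a file; a "missing" hit still matters, because the registry entry would fire again the moment a stick carrying that file is plugged in.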

@ davidz,

Here is the uninstaller tool for Symantec/Norton when Essexboy is ready for you to use it:

Download and run the Norton removal tool from here to clear them http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN. Or you can go here for additional information: http://uninstallers.blogspot.com/.

@ Essexboy,

I thought I saw in the OTL log ASC (Advanced System Care), another security software, and this has given a LOT of users on the forum grief and seems to conflict with Avast, and they have needed to uninstall ASC (NOTE: leaves lots of remnants behind). Can you check to see if you see this? Thanks.

For sure ;D

Hi,

Sorry for my late reply.

two antivirus programmes do not make you twice as secure, they make you less secure - please uninstall one
Norton has been removed.

Also, are you saying that all computers are getting redirected? Are you on a wireless router?
All of my notebooks have this warning message appearing: "Malicious URL blocked". However, sometimes the web page appears in a new window (which I close).

In that case either the router is infected or all systems are. Continue with Combofix and reset the router.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled “reset” located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Are you on a wireless router?
(DZ) Yes I am. Alas, it happens to the other nb which is connected to the router.

Also, attached are the results of the 2nd quick scan.

Thanks so much,

DZ

Did you see my previous post re resetting the router?

I suspect all note books are, as they all had the same usb drive (which had a virus) plugged in…

DZ…

OK, run Combofix on all notebooks, then post the logs, giving each a name so that we can get the right fix for the right system.

Thanks.

Here is the combofix.txt file (notebook1)

DZ…

Notebook 1

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
Main miscreant dead ;D Now run MBAM on that one please

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.