"Malicious URL blocked" alerts

I’ve been receiving errors every couple of hours with Avast saying that a malicious url has been blocked, in the following format:

“Object: […]
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\Explorer.EXE”

The object is slightly different each time (although some are duplicates), and extremely long, and none of them are recognisable as ones I’ve ever tried to access. I managed to access the Network Shield logs and found various versions of this:

“07.06.2011 20:30:05 Network Shield: blocked access to malicious site 190707db061e.dativism.com/get2.php?c=SOUWGXBS&d=26606B6739343E323D2F676268307D3F222023232225203177757E4469747A2214111B1B101116100E5C434F111D6F6A01097406760472050B0D0F7D097C0B0 9047104077C0374770D787F7B7D6B2C263E27372169646E617E31333F616F6668535303550143070305545A4D031E180A024C442C445329031 B12474B4C4D474CB4B4B7B6B5A3F6F5E7EAB7CEF4FDE2E0E2F4E0BDD1CDD3B1F4FDABC4F9A0AEB9C3CDCCD7FBC09B968EDE9C9F919D88CCDED5 DE8EFADCDDDCD194EAF892D5D1D2A5E7ABA7A5B1A3FAF9FAFAFCFFFAF6FEE1E0F4969B87 [ C:\Windows\Explorer.EXE ( 3756 ) ]” (spaces inserted in the main string to separate into lines as it was so long)

I have no idea what’s causing this or how to stop it, but I have noticed that it does occasionally happen when I open the Computer folder on my computer, so I’m not sure if there’s something in there triggering it. Can anyone give any suggestions as to what I should do, or what could be causing it? I did run Malwarebytes last night, which found a number of infected files and got rid of them, and this has just started after the first startup since.
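The Network Shield line quoted above carries more triage information than the alert dialog does: the timestamp, the contacted host and query string, and, most usefully, the process and PID that opened the connection. Explorer.EXE has no reason to fetch web pages, so repeated hits from the same Explorer PID to the same host with a constant c= and a changing d= parameter point at a component running inside Explorer rather than at anything the user did. As an added example, not part of the thread or of Avast's tooling, here is a Python parser for that log format run over a few constructed lines (the host and process are the ones from the post; the hex blob is shortened and the Firefox line is invented for contrast); the browser allowlist is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the Avast Network Shield format quoted in the post.
# The hex "d=" blob is shortened; the third line is invented to show a browser-originated hit.
SAMPLE_LOG = """\
07.06.2011 20:30:05 Network Shield: blocked access to malicious site 190707db061e.dativism.com/get2.php?c=SOUWGXBS&d=26606B67 [ C:\\Windows\\Explorer.EXE ( 3756 ) ]
07.06.2011 22:14:41 Network Shield: blocked access to malicious site 190707db061e.dativism.com/get2.php?c=SOUWGXBS&d=3D2F6762 [ C:\\Windows\\Explorer.EXE ( 3756 ) ]
08.06.2011 09:02:17 Network Shield: blocked access to malicious site example.invalid/get2.php?c=AAAA&d=00 [ C:\\Program Files\\Mozilla Firefox\\firefox.exe ( 1204 ) ]
"""

# One Network Shield "blocked access" line: date, time, URL (no scheme), process path and PID.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<process>.+?) \( (?P<pid>\d+) \) \]$"
)

# Assumed allowlist of processes that are expected to originate HTTP requests.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line is not a block event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit("http://" + m["url"])  # the log omits the scheme, urlsplit needs one
    return {
        "date": m["date"],
        "time": m["time"],
        "host": parts.hostname,
        "path": parts.path,
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "process": m["process"],
        "pid": int(m["pid"]),
    }


def summarize(log_text):
    """Parse every block event and count hits per host and per (process, pid)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "events": events,
        "by_host": Counter(e["host"] for e in events),
        "by_process": Counter((e["process"], e["pid"]) for e in events),
    }


def flag_non_browser(events):
    """Events whose originating process is not a browser: the injected-component signal."""
    return [
        e for e in events
        if e["process"].rsplit("\\", 1)[-1].lower() not in BROWSERS
    ]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (proc, pid), n in report["by_process"].items():
        print(f"{n} block(s) from {proc} (PID {pid})")
    for e in flag_non_browser(report["events"]):
        print(f"non-browser origin: {e['process']} -> {e['host']}{e['path']} c={e['params'].get('c')}")
```

Grouping by (process, PID) is the point: a single long-lived Explorer PID producing every hit is what separates "something is loaded into the shell" from a stray click, and it is also why the user saw the alerts fire when opening the Computer folder.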

Hi songbird72884,

Typically for a block for a connection to Trojan.Downloader.Agent,

polonus

Hi there let me see what you have

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Thanks so much for helping! I’ve been having viruses on and off lately and though I’ve managed to deal with most, this is something I’ve never faced before. Hopefully I’ve done this right, though when I was having a read through the file (I’m nosy and like to see what’s there, though I didn’t alter anything), there were a few things there that I didn’t quite recognise, so not sure if they’re things my parents use or if they’re not supposed to be there at all.

aswMBR result:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-07 22:31:29

22:31:29.743 OS Version: Windows 6.0.6001 Service Pack 1
22:31:29.743 Number of processors: 2 586 0x6802
22:31:29.745 ComputerName: NIKKI-PC UserName: Gareth
22:31:32.766 Initialize success
22:31:39.621 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000070
22:31:39.625 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 6
22:31:41.648 Disk 0 MBR read successfully
22:31:41.652 Disk 0 MBR scan
22:31:41.657 Disk 0 unknown MBR code
22:31:43.664 Disk 0 scanning sectors +625139712
22:31:43.700 Disk 0 scanning C:\Windows\system32\drivers
22:31:51.962 Service scanning
22:31:53.921 Disk 0 trace - called modules:
22:31:53.990 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
22:31:53.995 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86eaa780]
22:31:54.000 3 CLASSPNP.SYS[8073b745] → nt!IofCallDriver → [0x86d05b98]
22:31:54.006 5 acpi.sys[8060d6a0] → nt!IofCallDriver → \Device\00000070[0x86cf3030]
22:31:54.012 Scan finished successfully
22:32:26.567 Disk 0 MBR has been saved successfully to “C:\Users\Gareth\Desktop\MBR.dat”
22:32:26.573 The log file has been saved successfully to “C:\Users\Gareth\Desktop\aswMBR.txt”

I’ve tried to attach the OTS log, but it’s saying the file is too large, so not sure what I should do

The log should attach if it is saved as ANSI; otherwise, if it is too large to attach, upload it to Mediafire and post the sharing link.

Okeedokee, I’ve uploaded it to Mediafire, and this is the link it’s given me: http://www.mediafire.com/?r0qndux4wyg7344 (hopefully I’ve done it right, I’ve never used mediafire before)

OK I found a few that do not belong… What can you tell me about this programme c:\RecInfo\RecInfo.exe

On completion of this run can you check for alerts please

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (LiveUpdate Notice Ex) LiveUpdate Notice Service Ex [Auto | Stopped] -> 
YN -> (CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] -> 
YY -> (LiveUpdate Notice Service) LiveUpdate Notice Service [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
YY -> (LiveUpdate) LiveUpdate [On_Demand | Stopped] -> C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE
YY -> (Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Auto | Running] -> C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
[Driver Services - Safe List]
YY -> (eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\] > -> 
YN -> HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\: URLSearchHooks\\"{472734EA-242A-422b-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Settings [Prefs.js] > -> C:\Users\Gareth\AppData\Roaming\Mozilla\FireFox\Profiles\q8zn0dnh.default\prefs.js
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 50370
YN -> network.proxy.type -> 4
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
YY -> XULRunner -> C:\USERS\GARETH\APPDATA\LOCAL\{7401291A-E0D5-460C-9BF6-3CB24B5DC176}
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\] > -> HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Vguyucegaq" -> C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll [rundll32.exe "C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll",Startup]
[Files/Folders - Created Within 30 Days]
NY ->  {7401291A-E0D5-460C-9BF6-3CB24B5DC176} -> C:\Users\Gareth\AppData\Local\{7401291A-E0D5-460C-9BF6-3CB24B5DC176}
NY ->  ohuraqilaquv.dll -> C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll
[Files/Folders - Modified Within 30 Days]
NY ->  Hgidupilidarex.bin -> C:\Users\Gareth\AppData\Local\Hgidupilidarex.bin
NY ->  1103toten.exe -> C:\Users\Gareth\AppData\Roaming\1103toten.exe
NY ->  81f82bi7.bat -> C:\Users\Gareth\AppData\Roaming\81f82bi7.bat
[Files - No Company Name]
NY ->  1103toten.exe -> C:\Users\Gareth\AppData\Roaming\1103toten.exe
NY ->  81f82bi7.bat -> C:\Users\Gareth\AppData\Roaming\81f82bi7.bat
NY ->  i2152v11p7d4sg8 -> C:\Users\Gareth\AppData\Local\i2152v11p7d4sg8
NY ->  i2152v11p7d4sg8 -> C:\ProgramData\i2152v11p7d4sg8
NY ->  Nfidiyerez.dat -> C:\Users\Gareth\AppData\Local\Nfidiyerez.dat
NY ->  Hgidupilidarex.bin -> C:\Users\Gareth\AppData\Local\Hgidupilidarex.bin
NY ->  mgxoschk.ini -> C:\Windows\mgxoschk.ini
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

I will review the information when it comes back in.
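Two items in the fix above deserve a closer look because they explain the symptoms: the Firefox prefs pointing HTTP traffic at a proxy on 127.0.0.1:50370 (a local process sitting between the browser and the network, which is how a browser gets redirected without the user noticing), and the Run value that starts rundll32 with a DLL from AppData\Local, a user-writable folder no legitimate startup component needs. As an added example, not part of the thread or of OTS, here is a Python script that parses a constructed prefs.js fragment and constructed OTS-style Run lines (the values mirror the listing above; the ctfmon line is invented as a benign control) and flags both patterns. The folder list and the Firefox proxy-type names are assumptions stated in the code.

```python
import re

# Constructed prefs.js fragment mirroring the three proxy settings in the OTS listing.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 4);
'''

# Constructed OTS-style Run entries: the first is the one from the listing, the second is benign.
SAMPLE_OTS_RUN = [
    r'YY -> "Vguyucegaq" -> C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll [rundll32.exe "C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll",Startup]',
    r'YY -> "ctfmon" -> C:\Windows\system32\ctfmon.exe [C:\Windows\system32\ctfmon.exe]',
]

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
RUN_ENTRY_RE = re.compile(r'^YY -> "(?P<name>[^"]+)" -> (?P<target>.+?) \[(?P<cmd>.+)\]$')

# Meaning of network.proxy.type values in Firefox.
PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC URL", 4: "auto-detect (WPAD)", 5: "system settings"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Assumed list of user-writable locations that startup entries should not load code from.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\programdata\\", "\\temp\\")


def parse_prefs(text):
    """Turn user_pref(...) lines into a dict, converting strings, booleans and integers."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def proxy_findings(prefs):
    """Report explicitly set proxy types and any proxy that points at the local machine."""
    findings = []
    # prefs.js only holds values that differ from the build default, so the mere presence
    # of network.proxy.* lines means something (user, add-on or malware) set them.
    if "network.proxy.type" in prefs:
        t = prefs["network.proxy.type"]
        findings.append(f"network.proxy.type explicitly set to {t} ({PROXY_TYPES.get(t, 'unknown')})")
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host in LOOPBACK:
            findings.append(f"{scheme} proxy points at loopback {host}:{port}: a local process is intercepting browser traffic")
    return findings


def autorun_findings(ots_lines):
    """Flag Run values that use rundll32 to load a DLL from a user-writable folder."""
    findings = []
    for line in ots_lines:
        m = RUN_ENTRY_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].lower()
        if "rundll32" in cmd and any(p in cmd for p in USER_WRITABLE):
            findings.append(f'Run value "{m["name"]}" loads a DLL from a user-writable folder via rundll32: {m["cmd"]}')
    return findings


if __name__ == "__main__":
    for f in proxy_findings(parse_prefs(SAMPLE_PREFS)) + autorun_findings(SAMPLE_OTS_RUN):
        print(f)
```

Both checks are cheap to run against a real profile and a real autoruns listing, and they are the ones to repeat after cleanup: a proxy pref that comes back, or a new random-named DLL under a Run key, means the loader was not fully removed.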

I’ve been checking the details on the folder containing RecInfo and to be honest, I have absolutely no clue what it is. There’s no indication of who it’s connected with, but there are files like Recinfo.exe.manifest, Recinfo.vshost, etc.

Also, I tried to run the fix, but it didn’t seem to work. The first time, just after starting to run it, I received an error stating “Windows has encountered a critical error and will restart automatically in one minute. Please save your work now.” after which the computer restarted itself one minute later. The second time, OTS froze, as did the computer, and I received a blue screen error with the words BUGCODE_USB_DRIVER near the top. Not sure if any of that is of any use, but after the blue screen error, the computer restarted itself a second time, so I’m not sure if I should try again or not.

I have been having the same alert message from Avast recently. I have also had Explorer crash on start-up a few times. Other very odd things have been happening too…

Running scannow might have helped, since my most recent start-up didn’t result in any problems.

Here is my aswMBR result:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-08 19:30:11

19:30:11.546 OS Version: Windows 5.1.2600 Service Pack 3
19:30:11.546 Number of processors: 1 586 0x401
19:30:11.546 ComputerName: CHRISPC UserName: Chris
19:30:12.875 Initialize success
19:30:26.406 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
19:30:26.406 Disk 0 Vendor: HDS722580VLAT20 V32OA69A Size: 76293MB BusType: 3
19:30:26.406 Disk 0 MBR read error 0
19:30:26.406 Disk 0 MBR scan
19:30:26.406 Disk 0 unknown MBR code
19:30:26.406 MBR BIOS signature not found 0
19:30:26.421 Disk 0 scanning sectors +156232125
19:30:26.421 Disk 0 scanning C:\WINDOWS\system32\drivers
19:30:35.734 Service scanning
19:30:37.734 Disk 0 trace - called modules:
19:30:37.765 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys span.sys hal.dll >>UNKNOWN [0x87385944]<<
19:30:37.765 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x873375b0]
19:30:37.765 3 CLASSPNP.SYS[f75d6fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x87306b00]
19:30:37.765 Scan finished successfully

When I try and run OTS avast wants to start it in the sandbox, and for some reason claims that it’s being opened by C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (I believe this is a system dll, something to do with drive letter access). I did a scan, but no log seemed to have been generated.

I am running XP SP3 on a Dell Dimension. I’ve had this for about five years, and have never encountered any serious problems before (and I’ve never used any antivirus software other than avast). Recently, though, I have had some memory issues - the machine has been giving me a 1-3-2 beep code on start-up. I resolved this by removing one of the memory cards - whether this is related to my current problems I don’t know, but I thought it best to mention it.

Many thanks in advance for any help.

Christopher

Please start a New Topic of your own as this will just confuse the topic (hijacking) when trying to give unique fixes for multiple posters and we will try to help. Open this forum link and use the New Topic button to start your topic, you could post the link to it in this topic.

Thank you David

songbird72884

We will run OTS again but slightly differently this time, as OTS is unable to remove a service that is partially uninstalled (Norton)

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\] > -> 
YN -> HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\: URLSearchHooks\\"{472734EA-242A-422b-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Settings [Prefs.js] > -> C:\Users\Gareth\AppData\Roaming\Mozilla\FireFox\Profiles\q8zn0dnh.default\prefs.js
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 50370
YN -> network.proxy.type -> 4
< FireFox Extensions [Program Folders] > -> 
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
YY -> XULRunner -> C:\USERS\GARETH\APPDATA\LOCAL\{7401291A-E0D5-460C-9BF6-3CB24B5DC176}
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\] > -> HKEY_USERS\S-1-5-21-2150399044-275700037-2335568422-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Vguyucegaq" -> C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll [rundll32.exe "C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll",Startup]
[Files/Folders - Created Within 30 Days]
NY ->  {7401291A-E0D5-460C-9BF6-3CB24B5DC176} -> C:\Users\Gareth\AppData\Local\{7401291A-E0D5-460C-9BF6-3CB24B5DC176}
NY ->  ohuraqilaquv.dll -> C:\Users\Gareth\AppData\Local\ohuraqilaquv.dll
[Files/Folders - Modified Within 30 Days]
NY ->  Hgidupilidarex.bin -> C:\Users\Gareth\AppData\Local\Hgidupilidarex.bin
NY ->  1103toten.exe -> C:\Users\Gareth\AppData\Roaming\1103toten.exe
NY ->  81f82bi7.bat -> C:\Users\Gareth\AppData\Roaming\81f82bi7.bat
[Files - No Company Name]
NY ->  1103toten.exe -> C:\Users\Gareth\AppData\Roaming\1103toten.exe
NY ->  81f82bi7.bat -> C:\Users\Gareth\AppData\Roaming\81f82bi7.bat
NY ->  i2152v11p7d4sg8 -> C:\Users\Gareth\AppData\Local\i2152v11p7d4sg8
NY ->  i2152v11p7d4sg8 -> C:\ProgramData\i2152v11p7d4sg8
NY ->  Nfidiyerez.dat -> C:\Users\Gareth\AppData\Local\Nfidiyerez.dat
NY ->  Hgidupilidarex.bin -> C:\Users\Gareth\AppData\Local\Hgidupilidarex.bin
NY ->  mgxoschk.ini -> C:\Windows\mgxoschk.ini
[Custom Items]
:Files
c:\RecInfo
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

I’ve just tried using the new fix and had the same ‘critical error’ dialog box, followed by a restart. Is there something that could be interfering with it running? I tried disabling my antivirus while the fix ran, but it didn’t seem to make any difference.

OK big boy time

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Okay, that one at least ran ;D I’m attaching the log file, but I did notice that when the computer restarted, the scroll bar on my touchpad is no longer scrolling, and the options regarding it are missing from the mouse section of the control panel, so I’m not sure if I’m looking in the wrong place or if ComboFix has affected it. It also changed some of the icons that usually load in the system tray on startup.

What sort of changes to the icons ? A further reboot should bring back the scroll functions

Could you now retry the OTS fix and let me know the result

It ran this time! The icons didn’t load at all after the reboot I posted about, but they’ve now loaded again. Also, the scroll function still wasn’t working when I restarted after the OTS fix, but it was back in the mouse menu so it was easy to re-enable it. The OTS results are attached

Have the alerts now ceased ?

Yep, everything seems to be back to normal as far as I can tell, though I’m not 100% positive since the alerts were pretty random. Does everything look okay in the log results?

It looks OK but run for a day or so and when you are happy let me know and I will remove my tools

Everything seems to be okay, I haven’t had any more redirections or anything, apart from one (I’m guessing) unrelated issue I’m dealing with at the moment about an ‘unauthorised change to Windows’. Thanks so much for helping!