'Malicious URL Blocked' constantly - even when no browser open!

Hello,

Earlier today I did the install of the upgrade that avast had been reminding me to do for almost a month, and ever since I’m getting the bubble popping up, with the voice saying “Threat Has Been Detected”. The bubble says “Malicious URL Blocked” and “avast Network Shield has blocked a harmful site”, the website (which is 99.9% of the time brwxfjiypph.cm/ with lots of random letters) and that it was “URL:Mal”. The bubble appears at least once a minute, even when I have no browser or programmes open. When I click on “More Details” I get a webpage basically congratulating me for using avast because it’s stopped my computer crashing.

Why is this happening now, when it was fine before the upgrade - and how can I stop it? :-\

Thanks all :slight_smile:

If this happens when not doing anything… it indicates an infection, something is trying to phone home

could you attach a screenshot of the avast warning…

Follow the guide here http://forum.avast.com/index.php?topic=53253.0 and attach the requested logs … not copy and paste

run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, removal experts will be notified and will check the logs for infections, and remove them if any are found
When finished, he will remove the tools used
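The point made above is that a blocked random-letter host recurring about once a minute with no browser open is a phone-home pattern. The following is an added example, not from the thread or from avast, that applies two cheap detection heuristics to constructed alert lines: a label-randomness check (length, entropy, vowel ratio) on the blocked host, and a periodicity check on the timestamps of the flagged alerts. The line format and all sample values are assumptions.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not the thread's logs); format is an assumption
# modelled on the "Network Shield blocked ... URL:Mal" bubble text.
SAMPLE_ALERTS = """\
2013-03-05 14:01:02 Network Shield blocked URL:Mal http://brwxfjiypph.cm/
2013-03-05 14:02:05 Network Shield blocked URL:Mal http://qzkvtmwpxlo.cm/
2013-03-05 14:03:01 Network Shield blocked URL:Mal http://brwxfjiypph.cm/
2013-03-05 14:03:40 Network Shield blocked URL:Mal http://example.com/update
2013-03-05 14:04:03 Network Shield blocked URL:Mal http://ahjwnvkdtqr.cm/
"""

LINE_RE = re.compile(r"^(\S+ \S+) .*?blocked (\S+) https?://([^/\s]+)")


def shannon_entropy(s):
    """Bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(host, min_entropy=3.0):
    """Heuristic: a long, vowel-poor, high-entropy first label looks algorithmically generated."""
    label = host.split(".")[0]
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < 0.35


def analyse(log_text, max_interval=90, min_hits=3):
    """Return (generated_hosts, hit_count, median_gap_seconds, beaconing).

    beaconing is True when at least min_hits generated-looking hosts were
    blocked and the median gap between those alerts is at most max_interval."""
    times, hosts = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, _verdict, host = m.groups()
        if looks_generated(host):
            hosts.add(host)
            times.append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    times.sort()
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    median = gaps[len(gaps) // 2] if gaps else None
    beaconing = len(times) >= min_hits and median is not None and median <= max_interval
    return sorted(hosts), len(times), median, beaconing
```

The thresholds are starting points; on a real host you would confirm by identifying which process owns the outbound connection rather than trusting the heuristics alone.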

Many thanks for your reply - I will get onto this right now.

I have the same problem but I do not understand the answer. Can this be fixed remotely by someone I can trust? Can Avast access my computer and fix it? Arthur Murata

No, there is no remote connection; we analyse where the malware is and then give step by step instructions for it to be removed using a variety of automated tools

Bit of a delay in replying as avast has made my PC unusable online, so have had to temporarily disable the shields while I do the scans. (Although the bubble pop-ups have pretty much stopped since I first posted)


AdwCleaner log attached

If the alerts are still appearing could you run the OTL scan and attach here please

Will do - just working through the scans as requested by Pondus - currently waiting for MalwareBytes to finish so I can post that.

:slight_smile:

Malwarebytes log attached

There are some bad boys there which will need removing once I see them all

OTL logs attached

Much appreciated essexboy, just about to use aswMBR (OTL logs attached to previous post above).

OK I can see it now

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKU\S-1-5-21-1893033244-659061508-1042013740-1005\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB8E-AE8D-11CF-96B8-434553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[2011/08/04 22:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/01/08 19:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/06/30 15:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/08/04 22:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/09 14:19:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\AVG10
[2012/06/30 16:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\CheckPoint
[2011/06/13 16:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\coupons

:Reg
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll

:Files
C:\RECYCLER\S-1-5-18\$0b05a22fcf32a0152a983da59bbb5c40

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

What shall I do about aswMBR? It took an hour to download, has been running for over an hour, and seems to get stuck on one folder/file for 20 minutes or more before suddenly scanning again. Is it necessary to do this scan?

Nope, he probably doesn't need it… as he says, he sees the problem

Thank you Pondus - I will start using the fix now and will report back :slight_smile:

Nope, no need, as the culprit was found in the OTL log; there appears to be a problem with the aswMBR server, hence the long download. I will wait till it gets better before I use that

Please run the fix

OTL run as requested, new scan log attached.

Just going to run the ComboFix now.

That killed the main bad boy, combofix will now tidy up for me :slight_smile: