Hi there, I’m struggling with a malicious URL. Avast! pops up every 5-10 minutes telling me ‘malicious url blocked’.
What is strange is that it isnt doing it when I visit a new webpage, but just all the time, no matter what webpage.
It says it is found in C:\windows\explorer.exe and it also has another file, “vatnaya0.com/003.so” I have searched for this but it returns no results. Avast! and malwarebytes’ dont seem to find anything.
Any help would be greatly appreciated guys!
Thanks, Nails.
EDIT:
Object: vatnaya0.com/003.so
Process: C:\windows\explorer.exe
You have problem, either explorer.exe is infected or you have malware that is either hidden (likely) or undetected, which is using explorer.exe to connect. If my fears are correct this could be difficult to remove.
I have always blocked windows explorer.exe making outbound connections in my firewall as there should be no need for it to do so. The reason it can connect is that you can type a URL into the Address: field in windows explorer and it will open the web page, that I feel is a vulnerability and if you do that you should use your browser for that purpose.
I will try and get someone with more experience and the tools for the job to look at this topic.
Hi there - first I need to see what you have
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
[b]netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT
[/b]
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Thanks for joining essexboy.
Thats what I be here for ;D
Hi guys, ok Essexboy I’ve done that, would you like me to attach extras.txt and otl.txt for you to have a look at?
Yes please
K
OK lets start
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found. O4 - HKU\S-1-5-21-1957994488-854245398-725345543-1004..\Run: [{B507B403-8344-82F2-13DB-994BEDAEE808}] C:\Documents and Settings\User\Application Data\Gielg\qaugm.exe File not found O20 - Winlogon\Notify\geede: DllName - C:\WINDOWS\system32\geede.dll - C:\WINDOWS\System32\geede.dll File not found 2007/07/30 15:06:17 | 001,059,269 | -HS- | C] () -- C:\WINDOWS\System32\edeeg.ini2 [2007/07/29 18:01:08 | 000,001,726 | -HS- | C] () -- C:\WINDOWS\System32\fhgdbcvv.ini [2007/07/29 17:22:10 | 000,001,366 | -HS- | C] () -- C:\WINDOWS\System32\maudgium.ini [2007/07/28 16:56:39 | 000,001,306 | -HS- | C] () -- C:\WINDOWS\System32\jjivypvn.ini [2007/07/28 08:47:39 | 000,001,186 | -HS- | C] () -- C:\WINDOWS\System32\lyshjlmu.ini [2007/07/26 15:55:42 | 000,064,438 | -HS- | C] () -- C:\WINDOWS\System32\ugncilal.ini [2007/07/26 14:52:42 | 003,298,284 | -HS- | C] () -- C:\WINDOWS\System32\eituwepd.ini [2007/07/23 21:18:00 | 003,172,228 | -HS- | C] () -- C:\WINDOWS\System32\hcywybpx.ini [2007/07/22 19:05:55 | 003,115,262 | -HS- | C] () -- C:\WINDOWS\System32\gigsdpfj.ini [2007/07/21 20:44:08 | 003,119,136 | -HS- | C] () -- C:\WINDOWS\System32\wpldsiya.ini [2007/07/20 12:07:41 | 003,119,016 | -HS- | C] () -- C:\WINDOWS\System32\svwyuold.ini [2007/07/19 11:27:29 | 002,929,439 | -HS- | C] () -- C:\WINDOWS\System32\xawofiak.ini [2007/07/17 16:02:30 | 002,930,513 | -HS- | C] () -- C:\WINDOWS\System32\mxnadopb.ini [2007/07/17 15:02:43 | 002,935,609 | -HS- | C] () -- C:\WINDOWS\System32\xlnvintw.ini [2007/07/16 06:47:24 | 002,805,563 | -HS- | C] () -- C:\WINDOWS\System32\vfsktvdv.ini [2007/07/14 20:42:36 | 002,805,444 | -HS- | C] () -- C:\WINDOWS\System32\cnallewr.ini [2007/07/14 19:30:37 | 002,550,299 | -HS- | C] () -- C:\WINDOWS\System32\dsfritxk.ini [2007/07/13 12:01:51 | 002,551,298 | -HS- | C] () -- C:\WINDOWS\System32\lcqnpqxi.ini [2007/07/12 09:06:29 | 002,556,097 | -HS- | C] () -- C:\WINDOWS\System32\wfplxalq.ini [2007/07/11 20:13:31 | 002,312,934 | -HS- | C] () -- C:\WINDOWS\System32\ttjvmidv.ini [2007/07/09 18:22:52 | 002,316,200 | -HS- | C] () -- C:\WINDOWS\System32\tiugsknv.ini [2007/07/09 17:22:52 | 002,321,019 | -HS- | C] () -- C:\WINDOWS\System32\nixworas.ini [2007/07/08 08:43:47 | 002,372,462 | -HS- | C] () -- C:\WINDOWS\System32\pltiysih.ini [2007/07/07 06:09:23 | 002,438,835 | -HS- | C] () -- C:\WINDOWS\System32\itihkdct.ini [2007/07/05 19:26:10 | 002,263,874 | -HS- | C] () -- C:\WINDOWS\System32\vhijbsnq.ini [2007/07/03 18:00:30 | 002,266,563 | -HS- | C] () -- C:\WINDOWS\System32\jmaghuuc.ini [2007/07/02 18:01:13 | 002,268,594 | -HS- | C] () -- C:\WINDOWS\System32\digabdkq.ini [2007/07/01 17:00:22 | 002,269,029 | -HS- | C] () -- C:\WINDOWS\System32\sfquuhhb.ini [2007/06/30 12:48:24 | 002,272,315 | -HS- | C] () -- C:\WINDOWS\System32\luxvsarf.ini [2007/06/28 22:04:03 | 002,093,379 | -HS- | C] () -- C:\WINDOWS\System32\ddnhxppk.ini [2007/06/27 19:00:25 | 002,094,445 | -HS- | C] () -- C:\WINDOWS\System32\ohfttjig.ini [2007/06/26 13:36:25 | 001,975,410 | -HS- | C] () -- C:\WINDOWS\System32\damqdxtm.ini [2007/06/25 13:36:25 | 001,903,077 | -HS- | C] () -- C:\WINDOWS\System32\pejdaxkf.ini [2007/06/23 14:17:53 | 001,905,814 | -HS- | C] () -- C:\WINDOWS\System32\qgbsepwq.ini [2007/06/23 13:11:52 | 001,908,026 | -HS- | C] () -- C:\WINDOWS\System32\hrchdvkw.ini [2007/06/22 12:45:38 | 001,846,711 | -HS- | C] () -- C:\WINDOWS\System32\cdatccrk.ini [2007/06/21 12:44:29 | 001,812,456 | -HS- | C] () -- C:\WINDOWS\System32\opwjgcfn.ini [2007/06/20 12:41:29 | 000,905,160 | -HS- | C] () -- C:\WINDOWS\System32\cktuyogd.ini [2007/06/18 18:49:06 | 000,000,405 | -HS- | C] () -- C:\WINDOWS\System32\iqjmpghs.ini [2007/06/16 12:08:53 | 000,000,765 | -HS- | C] () -- C:\WINDOWS\System32\qotptcua.ini [2007/06/14 14:41:01 | 000,000,645 | -HS- | C] () -- C:\WINDOWS\System32\nvmakyrh.ini [2010/08/13 09:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2009/02/13 17:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft [2010/01/06 16:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG9 [2007/08/02 14:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Grisoft:Files
ipconfig /flushdns /c:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Okey dokey…
???
That does not look to bad a further run to check out your MBR - What problems are you having at the moment ?
Please open Notepad
[*] Click Start , then Run[*]Type notepad .exe in the Run Box.
Now copy/paste the entire content of the codebox below into the Notepad window:
MBR::
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
OK the problem seems to have gone away after the original combofix and OTL runs. I shall check MBR with combofix for good measure and post results 
Here goes…
Hmm it is still reporting a possible infection - but that can sometimes be a false positive. Are you having any further problems ?
Haven’t had any more pop-ups saying ‘malicious url blocked’. A false positive?!? I dont understand that. It could be referring to a different infection, ie one that isn’t causing any noticeable problems…
No it is just the way that Combofix reads the MBR - if you have a recovery partition it does report that
If you are happy I will remove my tools and tidy you up - then let it run for a day or so
Ah ok I see.
Yes I’m happy with that, haven’t had any trouble since last night so I will leave it for a few days and see what happens
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean 
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems
Upgrading Java:
[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 22.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u22-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u22-windows-i586-p.exe and select “Run as an Administrator.”)
SPRING CLEAN
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[*]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe 
I shall indeed follow those steps. Thankyou so much for your help man. You’re a star!! ;D
I’ll be back if things go wrong after leaving it running for 24 hrs…
Ciao