Malicious URL Blocked Keeps Popping up

“Malicious URL Blocked” messages pop up CONSTANTLY. I’ve had to mute my sound, it happens so often! I’ve run a scan as well as Malwarebytes and nothing was found, I don’t think. Any suggestions? And please keep in mind I’m not an IT professional, so please break it down for me so I can understand any instructions given :)

OK, could you post a screenshot of the Avast alert, please?

Download OTL to your Desktop
Secondary link

• Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

• Select All Users
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Attach both logs

THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double-click aswMBR.exe to run it, then click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.
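For anyone wanting to see what the OTL custom scan above is actually checking, here is an added example, not from this thread and not part of OTL or aswMBR, that does the same work by hand in PowerShell: it hashes the core binaries in the /md5start … /md5stop list and reads their Authenticode signatures, lists any .exe sitting in the root of the system drive (the %SYSTEMDRIVE%*.exe line), and, going one step beyond the OTL scan, flags running kernel drivers whose image is not validly signed. It assumes Windows PowerShell 4 or later (for Get-FileHash) run from an elevated prompt, and that the listed files live in %SystemRoot% or %SystemRoot%\System32; the expectation that every core file carries a Microsoft signature is the assumption you are testing.

```powershell
# Added example (not from this thread, nor part of OTL): the integrity checks
# the OTL custom scan asks for, done by hand in PowerShell. Run from an
# elevated prompt; needs Windows PowerShell 4+ (Get-FileHash) or PowerShell 7.
# Assumption: $patterns are the files in the /md5start ... /md5stop block and
# live in %SystemRoot% or %SystemRoot%\System32.

$sysRoot  = $env:SystemRoot
$sys32    = Join-Path $sysRoot 'System32'
$patterns = @('services.*', 'explorer.exe', 'winlogon.exe',
              'userinit.exe', 'svchost.exe', 'winsock.*')

function Get-CoreFileReport {
    # MD5 plus Authenticode status for each core binary. The MD5 is what you
    # compare against a known-clean machine of the same build and patch level;
    # the signature is the quicker check where it is available.
    $files = foreach ($p in $patterns) {
        Get-ChildItem -Path $sysRoot, $sys32 -Filter $p -File -ErrorAction SilentlyContinue
    }
    foreach ($f in $files | Sort-Object FullName -Unique) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Path      = $f.FullName
            Size      = $f.Length
            Modified  = $f.LastWriteTime
            MD5       = (Get-FileHash -Path $f.FullName -Algorithm MD5).Hash
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-RootDriveExecutables {
    # %SYSTEMDRIVE%*.exe in the OTL scan: an .exe sitting directly in C:\ is
    # unusual on a stock install and worth explaining.
    Get-ChildItem -Path ($env:SystemDrive + '\') -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-UnsignedRunningDrivers {
    # Goes one step beyond the OTL scan: every running kernel driver whose
    # image does not carry a valid signature. On Windows 8 and later most
    # in-box drivers validate through the system catalog; on Windows 7 many
    # show as NotSigned here, so treat the list as a starting point, not a verdict.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes in several spellings: \??\C:\..., \SystemRoot\..., or relative
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $sysRoot
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $sysRoot $path }
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -ne 'Valid') {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; SigStatus = $sig.Status }
            }
        }
}

Get-CoreFileReport         | Format-Table -AutoSize
Get-RootDriveExecutables   | Format-Table -AutoSize
Get-UnsignedRunningDrivers | Format-Table -AutoSize
```

The Signer column should show a Microsoft subject for every core file. A NotSigned or HashMismatch status, a Modified date that does not line up with a Windows update, or an MD5 that differs from the same file on a clean machine of the same build is exactly what the helper reads the md5 lines in OTL.txt for; a valid signature on a file is not by itself proof that nothing else is wrong, which is why the thread goes on to look at the MBR as well.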

Attached are the logs and screen shot you requested.

OK, let's get at it.

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

• Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

• Click the Start Scan button.

• If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

• Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

• Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please attach the log at C:\TDSSKiller date time.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
SRV - [2012/06/22 08:55:48 | 000,265,952 | ---- | M] () [Auto | Running] -- C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe -- (Updater Service for StartNow Toolbar)
IE - HKLM\..\URLSearchHook: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwa1.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1157&systemid=1&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
IE - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=110807&tt=290312_bexdll&babsrc=SP_ss&mntrId=47f273ef000000000000001f3b604a1b
IE - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=1157&systemid=1&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2260173
IE - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\SearchScopes\{B23E1746-93DC-4026-B082-03E9E2503657}: "URL" = http://swagbucks.com/?t=w&p=1&q={searchTerms}
IE - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 192.168.*.*;*.local;127.0.0.1:9421;<local>
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}:1.3.4
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=1157&systemid=1&sr=0&q="
FF - prefs.js..extensions.enabledAddons: %7B5911488E-9D1E-40ec-8CBB-06B231CC153F%7D:2.5.0
FF - prefs.js..extensions.enabledAddons: %7B77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F%7D:1.3.4
[2012/08/24 07:52:38 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
[2011/03/23 06:19:15 | 000,000,000 | ---D | M] (Calorie Count Toolbar) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
[2012/11/07 19:31:44 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2012/11/20 19:36:19 | 000,000,000 | ---D | M] (ShopToWin20) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\{a018b213-6b46-4791-9298-519020db5737}
[2011/05/12 17:47:54 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\engine@conduit.com
[2010/06/09 05:40:02 | 000,000,000 | ---D | M] (RetailMeNot) -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\extensions\enquiries@retailmenot.com
[2012/07/03 21:08:38 | 000,002,517 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\searchplugins\Search_Results.xml
[2013/01/16 19:41:58 | 000,001,540 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\69hfu1cl.default\searchplugins\swagbuckscom.xml
[2012/03/29 19:02:16 | 000,002,353 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/07/03 21:08:38 | 000,002,517 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (Swag Bucks Toolbar) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwa1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files\StartNow Toolbar\Toolbar32.dll ()
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Swag Bucks Toolbar) - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwa1.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (Webroot Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\Toolbar\WebBrowser: (Swag Bucks Toolbar) - {8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94} - C:\Program Files\Swag_Bucks\tbSwa1.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000\..\Toolbar\WebBrowser: (Webroot Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000..\Run: [DealRunner] C:\Program Files\DealRunner\DealRunner.exe (Jackpot Rewards)
O4 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000..\Run: [Shop To Win] C:\Program Files\Shop To Win\ShopToWin.exe (Jackpot Rewards)
O4 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000..\Run: [SmileboxTray] C:\Users\Owner\AppData\Roaming\Smilebox\SmileboxTray.exe (Smilebox, Inc.)
O4 - HKU\S-1-5-21-2609315480-1600957461-530271639-1000..\Run: [StartNow Search Protect] C:\Program Files\StartNow Toolbar\search_protect.exe ()

:Files
C:\Program Files\StartNow Toolbar
C:\Program Files\Shop To Win
C:\Program Files\DealRunner

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, and reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
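To see for yourself what the fix above removes, here is an added example, not from this thread and not part of OTL, that lists the same persistence points read-only in PowerShell: the IE search scopes and URLSearchHooks, BHOs, toolbars, the Run keys, the proxy settings including ProxyOverride, the hosts file that [resethosts] rewrites, and the Firefox extensions, search plugins and prefs.js entries. Run it as the affected user before the fix to compare with the list above, and again after the reboot to confirm the entries are gone. It assumes the same layout the OTL log shows (Internet Explorer plus a Firefox profile under %APPDATA%); Resolve-Clsid also looks under Wow6432Node in case you are on 64-bit Windows, where 32-bit BHOs register there.

```powershell
# Added example (not from this thread, nor part of OTL): a read-only audit of
# the browser-hijack persistence points the OTL fix removes. Run as the
# affected user; Windows PowerShell 3+ or PowerShell 7. No admin needed for
# the HKCU and file checks; HKLM keys are readable by standard users.

function Resolve-Clsid([string]$clsid) {
    # Map a BHO/toolbar/URLSearchHook CLSID to the DLL it loads.
    foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID',
                      'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',   # 32-bit IE on 64-bit Windows (assumption)
                      'HKCU:\SOFTWARE\Classes\CLSID') {
        $k = Join-Path $base "$clsid\InprocServer32"
        if (Test-Path $k) { return (Get-ItemProperty -Path $k).'(default)' }
    }
    'No CLSID value found'   # the wording OTL uses for orphaned entries
}

function Get-IESearchScopes {
    foreach ($hive in 'HKLM', 'HKCU') {
        $scopes = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $scopes)) { continue }
        $default = (Get-ItemProperty -Path $scopes).DefaultScope
        foreach ($s in Get-ChildItem -Path $scopes) {
            $p = Get-ItemProperty -Path $s.PSPath
            [pscustomobject]@{ Hive = $hive; Scope = $s.PSChildName
                               Default = ($s.PSChildName -eq $default); URL = $p.URL }
        }
    }
}

function Get-IEHooksAndBHOs {
    foreach ($hive in 'HKLM', 'HKCU') {
        $hooks = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks"
        $tb    = "${hive}:\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
        $bho   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        foreach ($pair in @(@('URLSearchHook', $hooks), @('Toolbar', $tb))) {
            if (-not (Test-Path $pair[1])) { continue }
            foreach ($name in (Get-Item $pair[1]).GetValueNames() | Where-Object { $_ }) {
                [pscustomobject]@{ Kind = $pair[0]; Hive = $hive; CLSID = $name; Module = Resolve-Clsid $name }
            }
        }
        if (Test-Path $bho) {
            foreach ($k in Get-ChildItem -Path $bho) {
                [pscustomobject]@{ Kind = 'BHO'; Hive = $hive; CLSID = $k.PSChildName; Module = Resolve-Clsid $k.PSChildName }
            }
        }
    }
}

function Get-RunKeys {
    foreach ($hive in 'HKLM', 'HKCU') {
        $k = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Hive = $hive; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-ProxyAndHosts {
    $is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{ ProxyEnable = $is.ProxyEnable; ProxyServer = $is.ProxyServer; ProxyOverride = $is.ProxyOverride }
    # [resethosts] rewrites this file; anything beyond comments and loopback is worth a look.
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { [pscustomobject]@{ HostsEntry = $_ } }
}

function Get-FirefoxAddons {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    foreach ($prof in Get-ChildItem -Path $profiles -Directory) {
        foreach ($sub in 'extensions', 'searchplugins') {
            $d = Join-Path $prof.FullName $sub
            if (-not (Test-Path $d)) { continue }
            Get-ChildItem -Path $d | ForEach-Object {
                [pscustomobject]@{ Profile = $prof.Name; Kind = $sub; Item = $_.Name; Modified = $_.LastWriteTime }
            }
        }
        $prefs = Join-Path $prof.FullName 'prefs.js'
        if (Test-Path $prefs) {
            # keyword.URL, the search defaults and the enabled-addon lists are what the fix edits
            Select-String -Path $prefs -Pattern 'keyword\.URL|browser\.search\.|extensions\.enabled' |
                ForEach-Object { [pscustomobject]@{ Profile = $prof.Name; Kind = 'prefs.js'; Item = $_.Line.Trim() } }
        }
    }
}

Get-IESearchScopes | Format-Table -AutoSize
Get-IEHooksAndBHOs | Format-Table -AutoSize
Get-RunKeys        | Format-Table -AutoSize
Get-ProxyAndHosts  | Format-List
Get-FirefoxAddons  | Format-Table -AutoSize
```

Read the output against the fix list: a search scope whose URL is not the search engine you chose, a hook, BHO or toolbar whose Module resolves to a DLL under a toolbar vendor's folder, a Run entry pointing at an "updater" or "search protect" executable, or a ProxyOverride that names a port on 127.0.0.1 are the same kinds of entries the helper picked out of OTL.txt. Anything that reappears after the reboot is being re-created by something still running, which is the signal to move on to the next tool rather than delete the same keys again.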

Here’s the 2nd log from OTL

Could you attach the TDSSKiller log, please?

Here is the TDSSKiller log

There should be a larger log at C:\TDSSKiller date time that will show me whether there are remnants I need to remove… Have the alerts stopped?

No, the alerts have not stopped. Trying to find the other log… I don’t see “TDSSKiller date time”; I see “TDSSKiller_Quarantine”, but that’s it.

OK, I feel it may still be an MBR problem, but let's try this next.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double-click on ComboFix.exe and follow the prompts.
• Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it will produce a log for you.
• Please include C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Here is the ComboFix log (no pop-ups have appeared while I composed this message; that’s encouraging!!) ;D

OK, let's kill the remainder.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done it will ask to reboot; allow this.
On reboot a log will be produced; please attach that.

Here is the log for AdwCleaner

How is the computer behaving now?

Looks to be still popping up with alerts, albeit slightly less frequently (Yay, progress!). Would a full system reformat be in order to just 100% kill it?

Could you post the alert, please… I am interested in the destination and the triggering file.

Here are 3 of several alerts

We have two options now… Either you can reinstall Windows, or I can run a separate AV analysis programme to try and locate the miscreant.

If you wish to try and locate it

The zip file will not be able to be uploaded in a post, so you will either need to use Dropbox or an online file-sharing site.

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.
On the first tab select all elements down to Computer and then select Start scan.
Once it has finished, select Report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPfront.gif

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpsettings.gif

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan.
Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/AVPAnalysis.gif