Malicious URL Blocked (Logs inside)

Hello all,

Every time I search on Google within Mozilla Firefox, Avast pops up with "malicious URL blocked", and when I attempt to click a link it fails to get to the page.

I’ve attached photos of both searching and what happens after clicking the links from the search.

The problems arose after I torrented a program called alcohol120 for mounting CD images on virtual drives, and torrented a Batman game and tried to mount it using alcohol120.

I followed the guide at http://forum.avast.com/index.php?topic=53253.0 and here are the desired logs, listed below:

Malwarebytes’ Anti-Malware Log:

Protection Log:

2012/08/01 07:22:16 -0500	CHRISTIAN-PC	x	MESSAGE	Starting protection
2012/08/01 07:22:21 -0500	CHRISTIAN-PC	x	MESSAGE	Protection started successfully
2012/08/01 07:22:24 -0500	CHRISTIAN-PC	x	MESSAGE	Starting IP protection
2012/08/01 07:22:26 -0500	CHRISTIAN-PC	x	MESSAGE	IP Protection started successfully
2012/08/01 07:22:32 -0500	CHRISTIAN-PC	x	MESSAGE	Starting database refresh
2012/08/01 07:22:32 -0500	CHRISTIAN-PC	x	MESSAGE	Stopping IP protection
2012/08/01 07:22:32 -0500	CHRISTIAN-PC	x	MESSAGE	IP Protection stopped
2012/08/01 07:22:35 -0500	CHRISTIAN-PC	x	MESSAGE	Database refreshed successfully
2012/08/01 07:22:35 -0500	CHRISTIAN-PC	x	MESSAGE	Starting IP protection
2012/08/01 07:22:37 -0500	CHRISTIAN-PC	x	MESSAGE	IP Protection started successfully
2012/08/01 07:22:40 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:22:43 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:22:48 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:22:58 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:23:19 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:24:01 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 07:32:33 -0500	CHRISTIAN-PC	x	MESSAGE	Executing scheduled update:  Daily
2012/08/01 07:32:33 -0500	CHRISTIAN-PC	x	MESSAGE	Database already up-to-date
2012/08/01 17:33:53 -0500	CHRISTIAN-PC	x	MESSAGE	Starting protection
2012/08/01 17:34:08 -0500	CHRISTIAN-PC	x	MESSAGE	Protection started successfully
2012/08/01 17:34:11 -0500	CHRISTIAN-PC	x	MESSAGE	Starting IP protection
2012/08/01 17:34:43 -0500	CHRISTIAN-PC	x	MESSAGE	IP Protection started successfully
2012/08/01 17:35:15 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:24 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:24 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:36 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:36 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:39 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:39 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:45 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 17:35:45 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:38 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:41 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:47 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:49 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:52 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:58 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:13:59 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:14:02 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:14:08 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:14:10 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:14:13 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 21:14:19 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:12 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:15 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:16 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:19 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:20 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:21 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:23 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:25 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:29 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:33 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:36 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:37 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:40 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:41 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:42 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:44 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:46 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:12:50 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:43:31 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:43:33 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:43:40 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:43:52 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:43:55 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:44:01 -0500	CHRISTIAN-PC	x	IP-BLOCK	46.17.97.109 (Type: outgoing)
2012/08/01 22:46:07 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:46:10 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:46:16 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:46:28 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:46:31 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)
2012/08/01 22:46:37 -0500	CHRISTIAN-PC	x	IP-BLOCK	91.218.121.57 (Type: outgoing)

MBAM Log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
x :: CHRISTIAN-PC [administrator]

Protection: Enabled

01/08/2012 7:23:08 AM
mbam-log-2012-08-01 (07-23-08).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 381426
Time elapsed: 2 hour(s), 29 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\Documents and Settings\x\Application Data\evcmi.dll (Trojan.Midhos) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|evcmi (Trojan.Midhos) -> Data: rundll32.exe "C:\Documents and Settings\x\Application Data\evcmi.dll",CreateEnumFormatEtc -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\x\Application Data\evcmi.dll (Trojan.Midhos) -> Delete on reboot.
C:\Program Files\Alcohol Soft\Alcohol 120\Langs\AX_RU.dll (Malware.Packer.GenX) -> Quarantined and deleted successfully.

(end)

OTL Log: See Attached

aswMBR Log: See Attached

Here are the screenshots when I search on Google in Mozilla (see attached).

Here is the screenshot after I click the link after searching (see attached).
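A small parser for the Malwarebytes protection log posted above, added here as an example (it is not part of the original post and is not Malwarebytes code): it groups the IP-BLOCK lines by destination address and counts hits that arrive within a minute of the previous one, which is what separates a process repeatedly beaconing to a blocked address from a single click on a bad link. The sample lines are constructed in the same tab-separated layout as the log; the 60-second burst window is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample in the same tab-separated layout as the Malwarebytes
# protection log posted above (timestamp, host, user, event type, detail).
SAMPLE_LOG = """\
2012/08/01 07:22:16 -0500\tCHRISTIAN-PC\tx\tMESSAGE\tStarting protection
2012/08/01 07:22:37 -0500\tCHRISTIAN-PC\tx\tMESSAGE\tIP Protection started successfully
2012/08/01 07:22:40 -0500\tCHRISTIAN-PC\tx\tIP-BLOCK\t91.218.121.57 (Type: outgoing)
2012/08/01 07:22:43 -0500\tCHRISTIAN-PC\tx\tIP-BLOCK\t91.218.121.57 (Type: outgoing)
2012/08/01 07:24:01 -0500\tCHRISTIAN-PC\tx\tIP-BLOCK\t91.218.121.57 (Type: outgoing)
2012/08/01 22:43:31 -0500\tCHRISTIAN-PC\tx\tIP-BLOCK\t46.17.97.109 (Type: outgoing)
2012/08/01 22:43:33 -0500\tCHRISTIAN-PC\tx\tIP-BLOCK\t46.17.97.109 (Type: outgoing)
"""

BLOCK_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(Type: (\w+)\)$")

def parse_protection_log(text):
    """Yield (timestamp, event_type, detail) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # blank or malformed line
        stamp, _host, _user, kind, detail = fields
        yield datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S %z"), kind, detail

def summarize_ip_blocks(text, burst_window=60):
    """Per blocked address: total hits, first/last seen, directions, and how
    many hits came within burst_window seconds of the previous hit (assumed
    threshold). Repeated outgoing blocks seconds apart to one address look
    like a beaconing process, not a single click on a bad link."""
    stats = {}
    for when, kind, detail in parse_protection_log(text):
        m = BLOCK_RE.match(detail) if kind == "IP-BLOCK" else None
        if not m:
            continue
        ip, direction = m.groups()
        s = stats.setdefault(ip, {"count": 0, "first": when, "last": when,
                                  "directions": set(), "burst_hits": 0})
        if s["count"] and (when - s["last"]).total_seconds() <= burst_window:
            s["burst_hits"] += 1
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], when), max(s["last"], when)
        s["directions"].add(direction)
    return stats

def repeat_offenders(stats, min_hits=3):
    """Addresses blocked at least min_hits times, busiest first."""
    return sorted((ip for ip, s in stats.items() if s["count"] >= min_hits),
                  key=lambda ip: -stats[ip]["count"])
```

Run it over the real log by reading the file instead of SAMPLE_LOG; an address with many burst hits and a single user-mode process behind it is the one to look for in the OTL/MBAM results.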

Bump, I would love to have a malware specialist help me out.

Thanks again!

Could you confirm that this is only in Firefox?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-436374069-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\x\Local Settings\Application Data\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}\ [2012/07/30 19:39:18 | 000,000,000 | ---D | M]
O4 - HKLM..\Run: [onerel] C:\Documents and Settings\x\Application Data\onerel.dll ()
[2012/07/30 19:39:18 | 000,420,352 | ---- | M] () -- C:\Documents and Settings\x\Application Data\onerel.dll
[2012/04/12 23:06:06 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-IV4rR6ZDjMRSJOr
[2012/04/12 23:06:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-IV4rR6ZDjMRSJO
[2012/04/12 23:06:01 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\IV4rR6ZDjMRSJO

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hello essexboy,

First thanks for the help!

The problem persists with both IE and Firefox.

I’ve tried to do exactly what you’ve said, but OTL seems to freeze shortly after clicking Run Fix. (I had started it before I left for work, and when I came back from work (~8 hours) my computer was frozen.)

Anyways, whether the fix was successful or not, I’ve attached the log to this post.

I also tried running the fix a second time after returning home from work and I got the same thing: a freeze and "not responding" shortly after clicking Run Fix.

What do you recommend I do next?

Thanks again!

That is Malwarebytes being totally annoying again.

Re-run the OTL fix again please, but use the following script in its place:

:OTL
IE - HKU\S-1-5-21-436374069-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\x\Local Settings\Application Data\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}\ [2012/07/30 19:39:18 | 000,000,000 | ---D | M]
O4 - HKLM..\Run: [onerel] C:\Documents and Settings\x\Application Data\onerel.dll ()
[2012/07/30 19:39:18 | 000,420,352 | ---- | M] () -- C:\Documents and Settings\x\Application Data\onerel.dll
[2012/04/12 23:06:06 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-IV4rR6ZDjMRSJOr
[2012/04/12 23:06:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\-IV4rR6ZDjMRSJO
[2012/04/12 23:06:01 | 000,000,256 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\IV4rR6ZDjMRSJO

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]

Hello again essexboy,

Thanks again for your help!

Using the new script, OTL executed and rebooted without a problem!

The majority of the problems seem to be gone.

Avast no longer pops up when I search on either IE or Firefox, but every once in a while I get this popup from Malwarebytes Anti-Malware (see figure attached).

How do I rectify this issue?

I’ve also attached the OTL log after it ran successfully.

Unfortunately that is a problem with MBAM: it blocks an entire IP address rather than just the specific one.

The one it is blocking there is a hosting site; Avast has no problem with it.

Any further problems?

Yes, Avast is still giving me the same notifications when I search.

I had just opened Google and searched “test”, and the notification from Avast popped up, so the problem still persists.

What’s next?

EDIT: NOTE! This only happened AFTER I closed MBAM.

EDIT #2: Also, the problem only seems to persist within Firefox now.

Could you run a fresh OTL scan please and ensure "all users" is selected… Can you confirm it is only Firefox?

Attached is the fresh full scan from OTL with all users selected.

Yes, I can confirm the problem only exists in Firefox.

Suggestions?

OK, try this one and let me know if it stops.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..network.proxy.type: 1
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\x\Local Settings\Application Data\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}\ [2012/07/30 19:39:18 | 000,000,000 | ---D | M]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
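The fix above removes network.proxy.type: 1 from prefs.js, that is, a manual proxy the user never configured, which is how search traffic gets redirected in the first place. As an added example (not from the thread and not Mozilla code), here is a checker that parses a Firefox prefs.js and reports every proxy path the profile would route traffic through. The prefs.js fragment is constructed, and 127.0.0.1:8080 is a placeholder value, not one taken from this thread.

```python
import re

# Constructed prefs.js fragment: a manual proxy pointed at a local port, the
# shape of setting the OTL fix above removes (network.proxy.type: 1).
SAMPLE_PREFS = """\
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1343689158);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 8080);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
"""

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')

def parse_prefs_js(text):
    """Return {name: value} from user_pref(...) lines; strings, ints and bools
    are decoded, anything else is kept as the raw token."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, non-pref content
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw
    return prefs

def proxy_findings(prefs):
    """Describe every proxy path the profile would route traffic through.
    network.proxy.type: 0 direct, 1 manual, 2 PAC script, 4 WPAD auto-detect,
    5 system settings (the default, so prefs.js omits it when untouched)."""
    ptype = prefs.get("network.proxy.type", 5)
    findings = []
    if ptype == 1:
        for scheme in ("http", "ssl", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host:
                port = prefs.get(f"network.proxy.{scheme}_port", "?")
                findings.append(f"manual {scheme} proxy -> {host}:{port}")
        if not findings:
            findings.append("manual proxy mode set but no proxy host configured")
    elif ptype == 2:
        url = prefs.get("network.proxy.autoconfig_url", "?")
        findings.append(f"PAC script -> {url}")
    return findings
```

On a machine whose owner never set a proxy, any finding at all is the thing to explain, and a proxy on localhost points at a local process that should show up in the OTL process and O4 startup entries.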

Hello again essexboy,

With the latest script you’ve posted for me, OTL is freezing again, like it was previously.

Can you provide me with another script or instructions on how to prevent it from freezing?

Thanks again!

[emptytemp]

Remove this line

I ran the script successfully with that line removed; however, the problem still persists within Firefox.

The OTL Quick Scan after running the script is attached.

What’s next?

EDIT: This problem has been persistent since I downloaded and installed alcohol120; can you find anything related to that?

I will remove the start entries for Alcohol, as that appears to have reset the FF extension that I had previously removed.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\x\Local Settings\Application Data\{25F8BB85-DAA8-11E1-8270-B8AC6F996F26}\ [2012/07/30 19:39:18 | 000,000,000 | ---D | M]
O4 - HKU\S-1-5-21-436374069-1292428093-725345543-1003..\Run: [AlcoholAutomount] C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe (Alcohol Soft Development Team)
[2012/07/30 19:01:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Alcohol 120%

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I had to remove [emptytemp] again in order to get it to run.

The problem still exists; I attempted to search "test" on Firefox and Avast popped up with "malicious URL" right away.

I also got an error from "Win32 generic hosts" or something of the like right after reboot, and my start bar has gone from blue to grey.

Attached is the Quick Scan from OTL.

Now I know why I never use Firefox… If this does not reveal the culprit to me, I will then ask you to do some investigation with Firefox in safe mode.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Attached is the log from ComboFix.

Cheers!