Malicious URL Blocked popup keeps occurring.

Avast Malicious URL Blocked popup keeps occurring. Additional details:

  • The URL varies
  • The process is always explorer.exe
  • The popups occur if there is no browser open
  • The popups occur more frequently when a browser is open (either Firefox, IE, or Chrome)
  • The popups do not occur when the system is off the network

I followed all the steps in the guide as listed in forum: http://forum.avast.com/index.php?topic=53253.0 and nothing has improved. Still receiving popups. Additional info:

  • aswMBR.exe would not run. I tried several approaches
  • Not part of the guide, but TDSSKiller would not run either

Please help. Thanks,

I’m on it… 8)

@cmanduran
Hello and Welcome to avast!

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don’t know or understand something, please don’t hesitate to ask.
  • Please refrain from making any further changes to your computer (install/uninstall programs, delete files, edit the registry, etc.).
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.


>> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens, on the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

!!! DO NOT RUN ComboFix! First we will need to run RKill tool.

>> We need to use the RKill Tool by Grinler

Rkill.com <— Download site
  • Please download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.

  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CDROM.

  • Once it is downloaded, double-click on rkill.com in order to automatically attempt to stop any processes associated with rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.
NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running.

>> You will then be able to proceed with the rest of the steps for running Combofix.

If you continue having problems running rkill.com, you can download:
iExplore.exe or eXplorer.exe
which are renamed copies of rkill.com, and try them instead.

Then run Combofix…

>> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.

I ran the items that you requested. The problem appeared to have gone away but it is back. Still getting the “Malicious URL Blocked” popup. I have attached two log files.

Hm, Ok.

Step#1

Please delete your current ComboFix copy, download a new fresh one:
Combofix

avast antivirus must be disabled.

Open notepad and copy/paste the text present inside the code box below:



KillAll::

ClearJavaCache::


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).


Step#2

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



/md5start
services.exe
/md5stop 


  • Then click the Run Scan button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


Step#3

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.

  • Click Scan
  • Upon completion of the scan (Scan finished successfully), click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.
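What aswMBR and, later in this thread, MBRCheck look at is the first sector of the boot disk: the boot code, the disk signature, the four partition entries and the 0x55AA marker. The following is an added example, not a tool from this thread or from Avast, that reads that sector with plain PowerShell and reports those fields so a log can be compared against a known-good machine or backup. It assumes an elevated Windows PowerShell prompt, an MBR (not GPT) disk, and that `\\.\PhysicalDrive0` is the boot disk; the function name `Get-MbrInfo` is my own.

```powershell
# Added example (not from the thread): read sector 0 of the first physical
# disk and report the fields an MBR checker reasons about.
# Assumptions: elevated prompt, MBR-partitioned disk, disk 0 is the boot disk.

function Get-MbrInfo {
    param([string]$DevicePath = '\\.\PhysicalDrive0')

    # Open the raw device read-only. ReadWrite sharing is needed because the
    # volume manager already holds the disk open.
    $fs = New-Object -TypeName System.IO.FileStream -ArgumentList `
        $DevicePath, ([System.IO.FileMode]::Open),
        ([System.IO.FileAccess]::Read), ([System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $got = $fs.Read($sector, 0, 512)
        if ($got -ne 512) { throw "Short read ($got bytes) from $DevicePath" }
    } finally {
        $fs.Dispose()
    }

    # MBR layout: 0..439 boot code, 440..443 disk signature, 446..509 four
    # 16-byte partition entries, 510..511 the 0x55 0xAA boot marker.
    [byte[]]$bootCode = $sector[0..439]
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha256.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''

    $partitions = foreach ($i in 0..3) {
        $off = 446 + 16 * $i
        [pscustomobject]@{
            Index    = $i
            Active   = ($sector[$off] -eq 0x80)      # 0x80 = bootable flag
            TypeId   = '0x{0:X2}' -f $sector[$off + 4]
            StartLba = [BitConverter]::ToUInt32($sector, $off + 8)
            Sectors  = [BitConverter]::ToUInt32($sector, $off + 12)
        }
    }

    [pscustomobject]@{
        Device         = $DevicePath
        BootMarkerOk   = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        ActiveCount    = @($partitions | Where-Object Active).Count
        DiskSignature  = '0x{0:X8}' -f [BitConverter]::ToUInt32($sector, 440)
        BootCodeSha256 = $bootHash
        Partitions     = $partitions
    }
}

# Usage: record the boot-code hash and partition table so they can be
# compared with a known-good system or a pre-infection backup.
$mbr = Get-MbrInfo
$mbr | Select-Object Device, BootMarkerOk, ActiveCount, DiskSignature, BootCodeSha256 | Format-List
$mbr.Partitions | Format-Table -AutoSize
```

Two cautions that matter for the situation in this thread: a missing 0x55AA marker, more than one active partition, or a boot-code hash that differs from a known-good installation are things to explain, not to "fix" blindly, since the OP's own MBR repair is what got the machine booting again. And a script like this reads through the normal disk stack, so a kernel-mode rootkit that filters sector reads can hand it a clean sector; that is why the thread uses tools that carry their own disk-access driver and compares Safe Mode and normal-mode logs rather than trusting one user-mode read.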

I executed the steps you requested. I ran into several issues:

  • Ran all items below with no network so updates to programs would not occur. When connected to the network, the system would run so slow that it would become unusable.
  • All file transfers were performed with a USB stick.

Step#1

  • Ran Combofix using the “drag/drop” method.
  • Program stopped running at Stage 4 (waited 8 hours, no disk activity)
  • Decided to re-run Combofix using the “drag/drop” method.
  • The system crashed (not sure at what stage) and then attempted to reboot.
  • The system would not boot. The Master Boot Record was corrupted.
  • I fixed the MBR - I activated the proper boot drive.
  • Booted the system in Safe Mode. Decided to move on to Step#2. Could not provide a Combofix log file.

Step#2

  • In Safe Mode, ran OTL.exe. Attached log OTL2.txt
  • Re-booted to normal Windows.
  • Ran OTL.exe. Attached log OTL3.txt

Step#3

  • Ran aswMBR.exe. The system crashed.
  • Rebooted in Safe Mode. Ran aswMBR.exe. Attached aswMBR1.log
  • Rebooted in normal mode: Ran aswMBR.exe. Attached aswMBR2.log

Hm, tricky…
We will try to solve all problems.

aswMBR shows a rootkit. I’d like to see a log from this tool…

Step#1.1

I see that you have the original TDSSKiller and a renamed copy. Please delete the current copies and download a fresh one.

Download fresh TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

  • Press Start Scan

  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, select Cure.

Once complete, a log will be produced in the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.


Step#1.2

Let’s then do an additional MBR check.

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.


Step#1.3

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:commands
[CREATERESTOREPOINT]

:OTL
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
@Alternate Data Stream - 177 bytes -> C:\ProgramData\TEMP:4D066AD2
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:8EBDAD11
@Alternate Data Stream - 132 bytes -> C:\ProgramData\TEMP:21F28B00
@Alternate Data Stream - 130 bytes -> C:\ProgramData\TEMP:3DA64F2C
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:A60E1551
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:57B4E612
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:981884E7
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:5EC637CB
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:680086AB
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:A757EE0B
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:8356AE8B
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:6D6D6E2B
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:72E546C1
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:DE73B0FE
@Alternate Data Stream - 111 bytes -> C:\ProgramData\TEMP:CC174F28
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:5B85C37B
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:9AB56A06
@Alternate Data Stream - 106 bytes -> C:\ProgramData\TEMP:D09AEE3D
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:8A44841A

:files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[purity]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.


Now let’s try to fix the internet connections:

Step#2.1

Download Complete Internet Repair tool.
www.datum-forensics.com/down/comintrep.exe

- Extract the program into a separate folder on the Desktop.

     Double-click comintrep to start it and click Extract.
     The program will create a new folder called Complete Internet Repair.


Close all running applications.
 In the created folder, double-click on CIntRep to run the program.
 Check the boxes for the Repair / Windows Automatic Update options and then click Go!

 Wait for the program to finish the repair; it will then ask for a reboot.
     If it does not reboot, restart the machine yourself.

 Restart the program by double-clicking on CIntRep.
 Click on File > Logging > Logging Open Directory.

 Attach CIntRep.txt using the attach file option.
 If there are several logs, attach them too in the message.

Step#2.2

Download Windows Repair (all in one) from this site

Install the program, then run it

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to step 3 and allow it to run SFC

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the start repairs tab click start

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick restart system when finished

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG
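The `@Alternate Data Stream ... -> C:\ProgramData\TEMP:<name>` lines in the OTL fix above are NTFS alternate data streams (ADS) attached to the TEMP directory: data that is invisible to Explorer and to a plain `dir`, which is why a scanner lists them for removal. The following is an added example, not from the thread, from OTL or from Avast, that enumerates such streams on a path, dumps the start of each so it can be inspected before anything is deleted, and removes them only after a `-WhatIf` dry run. It assumes Windows PowerShell 3.0 to 5.1 (the `-Encoding Byte` form of Get-Content) run elevated; the function names and the default path are my own choices.

```powershell
# Added example (not from the thread): list, inspect and remove NTFS alternate
# data streams on a path, the objects the OTL ":OTL" section above targets.
# Assumptions: Windows PowerShell 3.0-5.1, elevated prompt.

function Get-AdsList {
    param([string]$Path = 'C:\ProgramData\TEMP')

    # ':$DATA' is the item's own unnamed stream; every other name is an ADS.
    Get-Item -LiteralPath $Path -Stream * -Force |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $Path
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

function Show-AdsContent {
    param([string]$Path, [string]$Stream, [int]$MaxBytes = 64)

    # Read the raw bytes of one stream so its content can be judged before
    # deletion (text marker, binary blob, executable header, ...).
    $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    $shown = $bytes | Select-Object -First $MaxBytes
    $hex   = ($shown | ForEach-Object { $_.ToString('x2') }) -join ' '
    $text  = -join ($shown | ForEach-Object {
        if ($_ -ge 0x20 -and $_ -lt 0x7f) { [char]$_ } else { '.' } })
    [pscustomobject]@{ Stream = $Stream; Length = $bytes.Length; Hex = $hex; Ascii = $text }
}

function Remove-AdsList {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm for free.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = 'C:\ProgramData\TEMP')

    foreach ($ads in Get-AdsList -Path $Path) {
        if ($PSCmdlet.ShouldProcess("${Path}:$($ads.Stream)", 'Remove ADS')) {
            Remove-Item -LiteralPath $Path -Stream $ads.Stream -Force
        }
    }
}

# Usage: list the streams, look at each one, then dry-run the removal.
Get-AdsList | Sort-Object Bytes -Descending | Format-Table -AutoSize
Get-AdsList | ForEach-Object { Show-AdsContent -Path $_.Path -Stream $_.Stream } | Format-List
Remove-AdsList -WhatIf
# Remove-AdsList            # only after the dry run shows exactly what is expected
```

The output of `Get-AdsList` is the same information the OTL log carries (stream name and size), so it is a quick way to confirm after the fix that the streams are actually gone, and `Show-AdsContent` answers the question the OP asked later, what was in them, before the evidence is destroyed. The same three functions work on individual files; pass the file path instead of the directory.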

I ran all the steps you requested and attached the associated files. The problem appears to have been corrected. It would be good to know what process or files were causing the problem. Also, how the system was infected. Thanks for your help!

We will now do an additional, deeper check with TDSSKiller…

Re-run TDSSKiller then click on Change parameters.

  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.

  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”.

  • Please attach the contents of that file here.


Please follow this guide for running RogueKiller

http://forum.avast.com/index.php?topic=53253.0

Attach here RK report.txt logs…


Please, delete current copy of Combofix, we will use new fresh one.

Download fresh Combofix.exe, disable antivirus and re-run Combofix. Attach here fresh Combofix.txt