Hi, I hope someone can help.
I keep getting a "malicious URL blocked" popup.
URL: 64.111.211.158
The program being blocked is avastsvc.exe or iexplorer (even when it is not running).
The machine is XP SP3 and can't follow any link from any search result in the web browser (IE or Safari); it constantly gets redirected.
I have run the latest Malwarebytes and SUPERAntiSpyware, and obviously Avast. The problem persists. I have also run CCleaner.
I have run HijackThis but I do not know what is a problem and what is not. Log attached; hopefully someone can help.
Sorry, I was getting lunch. In answer to the first question: if I search with Google and click on a result, I get redirected to all sorts of different sites, including more Google search results, but usually to a totally unrelated website.
I am running aswMBR now and will post results shortly.
Also, I should mention that the "Network Diagnostics for XP" window keeps popping up, usually after the Avast malicious URL blocked popup.
Nothing malicious as such; click fixmbr or just the fix option and try this out:
OK, another tool to check for other types of rootkit.
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
I have the same issue on a client's computer. I got rid of various Trojans and worms with Malwarebytes, but every 5 minutes Avast is blocking this IP address: 64.111.211.158. Please tell me if you find a fix.
Why would I create a new thread for the EXACT same issue?..
Also, to Bitodd: I'm not getting redirects, just the Avast popups. Try going to Internet Explorer > Tools > Internet Options > Connections tab > LAN settings.
Make sure the "Use a Proxy" box is not checked. If it is, it would explain the redirects, but Avast may still bug you for something underlying like a rootkit or keylogger, which is what I'm still trying to figure out.
@KairuKins, each infection is different. Some are caused by TDL3, as bitodd has; others are caused by a hijacked Hosts file or an innocuous-looking file/toolbar that is not what it seems.
Each will require a different approach and a different fix.
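A defender-side check for the two redirect causes just named, an unexpected IE proxy and a hijacked Hosts file. This is an added example, not code from the thread or from any tool it mentions; the watched domain list, the constructed sample hosts lines, and the decision that any enabled proxy or PAC URL counts as unexpected on a home PC are assumptions.

```python
"""Added example: flag hijacked hosts entries and an unexpected IE proxy.
The registry read is Windows-only; parsing and decision logic run anywhere."""
import ipaddress

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Constructed watch-list: search and AV domains should never appear in hosts.
WATCHED = ("google.", "bing.", "avast.", "malwarebytes.", "kaspersky.")

def suspicious_hosts_entries(text):
    """Return (ip, hostname) pairs mapping a name to a non-loopback address
    (review these) or naming a watched domain at all (blocking AV sites)."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()     # strip comments, tokenize
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # malformed line, skip it
        for name in parts[1:]:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue
            if parts[0] not in LOOPBACK or any(w in name.lower() for w in WATCHED):
                found.append((parts[0], name))
    return found

def proxy_is_unexpected(settings):
    """settings holds HKCU\\...\\Internet Settings values (ProxyEnable, ProxyServer,
    AutoConfigURL); an enabled proxy or PAC URL is the 'Use a proxy' finding above."""
    if settings.get("ProxyEnable", 0) and settings.get("ProxyServer"):
        return True
    return bool(settings.get("AutoConfigURL"))

def read_ie_proxy_settings():
    """Windows only: read the live values; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Internet Settings")
    out = {}
    for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
        try:
            out[name] = winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            pass                                   # value not present
    return out
```

Feed the contents of C:\WINDOWS\system32\drivers\etc\hosts to suspicious_hosts_entries and the result of read_ie_proxy_settings to proxy_is_unexpected; an empty list and False is the clean result.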
I can't run TDSSKiller; I double-click and nothing happens. I read on another site that a rootkit can cause this, and it said to rename the executable to something else like 123.com and then run it. I renamed it and it completely disappeared from the desktop, so I extracted it again and renamed it on the C drive. I double-click and nothing happens, again.
I am wondering if there is any boot disc that I may be able to use to try and fix it from outside the OS, Linux style?
OK, before going to anything complex I will need to get some more information provided by OTS. Maybe this can fix the problem. Try this:
Download OTS to your Desktop and double-click on it to run it.
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
Also copy and paste this into the "paste and fix here" panel and then hit Run Fix.
Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > →
YN → HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001: URLSearchHooks\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > →
YY → XUL Cache → C:\Users\bitodd\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY → ShopToWin13 → C:\Users\bitodd\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > → HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar
YN → WebBrowser\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}" [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY → iscsied32.dll → C:\ProgramData\iscsied32.dll
NY → Free Offers from Freeze.com → C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY → 573779942 → C:\Windows\SysWow64\573779942
NY → iscsied32.dll → C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY → 573779942 → C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.
Edited to add custom scans
Please ensure that all logs are saved in the ANSI format
Your desktop icons may disappear, or you may see other unusual behaviour; this is no malfunction, do not panic. After it's finished, restart and check whether the problem still persists.
Problem is fixed. I downloaded Kaspersky AV (30-day trial).
It picked up the rootkit straight away. No more "malicious URL blocked" popups and no more redirected URLs in the browser.
After several restarts, it appears quite stable.
Just capturing/plagiarising essexboy's scripts and images and not even acknowledging his work. But worse still, not realising that fixes are unique; not good for a self-proclaimed virus buster who asks us to trust him.
The problem was a TDL3 bootkit; TDSSKiller, the AVP tool or Dr.Web will cure that. Selecting the fix or fixmbr with aswMBR could render the system unbootable, as aswMBR is not designed to repair these, just report.