Malicious URL blocked

I seem to be having the same problem as a few others here.

http://forum.avast.com/index.php?topic=80917.0

http://forum.avast.com/index.php?topic=80988.0

Currently running aswMBR and Malwarebytes, will post results when done. I also ran TDSSKiller.exe but nothing showed up.

Yesterday is when the problem started and I ran a few full system scans and boot time scans and removed 970 files. Then I updated to FF5 and everything was fine except no Google toolbar with FF5, so I ran the compatibility thing to get the toolbar back and the problem returned. Removed the toolbar but the problem has remained.

All help is welcome
Chris

Wanted to add that the IP being blocked is the same as in one of the other links listed: 64.111.211.158

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7020

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/4/2011 3:36:39 PM
mbam-log-2011-07-04 (15-36-39).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 406400
Time elapsed: 57 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAb} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{0F9E81F1-8C60-4D6E-B526-C65FBFD9CBAB} (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dot3svc32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV32 (Trojan.Tracur) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv32 (Backdoor.Agent) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) → Quarantined and deleted successfully.

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-04 14:08:48

14:08:48.276 OS Version: Windows x64 6.1.7600
14:08:48.276 Number of processors: 4 586 0x502
14:08:48.277 ComputerName: CHRIS-PC UserName: Chris
14:08:49.616 Initialize success
14:08:49.915 AVAST engine defs: 11070400
14:08:55.954 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000058
14:08:55.956 Disk 0 Vendor: Hitachi_ STDO Size: 610480MB BusType: 3
14:08:57.970 Disk 0 MBR read successfully
14:08:57.971 Disk 0 MBR scan
14:08:57.974 Disk 0 unknown MBR code
14:08:57.977 Service scanning
14:08:59.199 Disk 0 trace - called modules:
14:08:59.211 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
14:08:59.213 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8005e5c060]
14:08:59.216 3 CLASSPNP.SYS[fffff880018f743f] → nt!IofCallDriver → [0xfffffa80059e9e40]
14:08:59.219 5 ACPI.sys[fffff88000e45781] → nt!IofCallDriver → \Device\00000058[0xfffffa80058e84a0]
14:09:00.090 AVAST engine scan C:\Windows
14:26:10.848 AVAST engine scan C:\Users\Chris
15:30:47.006 AVAST engine scan C:\ProgramData
15:47:44.141 Scan finished successfully
15:48:54.628 Disk 0 MBR has been saved successfully to “C:\Users\Chris\Downloads\MBR.dat”
15:48:54.632 The log file has been saved successfully to “C:\Users\Chris\Downloads\aswMBR.txt”

What next? A quick test shows the problem is gone but I haven't rebooted yet. Going to do that now.
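The Malwarebytes log above shows the naming pattern used by this infection: services and DLLs that copy a legitimate Windows name with "32" appended (ALG32, wuauserv32, api-ms-win-core-misc-l1-1-032.dll). The following script is an added example, not part of this thread or of any of the tools mentioned; it scans log lines for that pattern. The LEGIT_SERVICES table and the sample log lines are constructed here from the names that appear in the thread.

```python
import re

# Legitimate Windows service names that the thread's logs show being
# impersonated as "<name>32" (constructed table, extend as needed).
LEGIT_SERVICES = {
    "ALG", "dot3svc", "RemoteRegistry", "RpcLocator", "SharedAccess",
    "SSDPSRV", "wuauserv", "RpcSs", "wmiApSrv",
}

SERVICE_KEY = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\s\\]+)",
    re.IGNORECASE,
)
# A real API-set DLL name (api-ms-win-*.dll) with "32" glued on before .dll
API_SET_DLL = re.compile(r"\\(api-ms-win-[a-z0-9-]+?)32\.dll$", re.IGNORECASE)


def suspicious_service(name):
    """Return the legitimate name being copied if `name` is legit name + '32'."""
    if name.lower().endswith("32"):
        base = name[:-2].lower()
        for legit in LEGIT_SERVICES:
            if legit.lower() == base:
                return legit
    return None


def scan_log(lines):
    """Yield (kind, observed, impersonated) for each log line matching the pattern."""
    findings = []
    for line in lines:
        path = line.split(" (")[0].strip()  # drop "(Trojan.X) -> Quarantined..."
        m = SERVICE_KEY.search(path)
        if m:
            legit = suspicious_service(m.group(1))
            if legit:
                findings.append(("service", m.group(1), legit))
            continue
        m = API_SET_DLL.search(path)
        if m:
            findings.append(("dll", path, m.group(1) + ".dll"))
    return findings


# Constructed sample: three lines taken from the thread's log, two benign ones.
SAMPLE_LOG = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG32 (Trojan.Tracur) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv32 (Backdoor.Agent) -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv",
    r"c:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-032.dll (Trojan.Tracur.Gen) -> Quarantined and deleted successfully.",
    r"c:\Windows\System32\api-ms-win-core-misc-l1-1-0.dll",
]

if __name__ == "__main__":
    for kind, observed, legit in scan_log(SAMPLE_LOG):
        print(f"{kind}: {observed} impersonates {legit}")
```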

Hi chris_s,

It is outbound traffic that is potentially malicious, look here and at the end of that report:
http://www.threatexpert.com/report.aspx?md5=dcbd2b1ff45ed36c7fb9459a6b3e4fa7
&
http://www.threatexpert.com/report.aspx?md5=269dbdc6fddb6d48d9b1f10742ca77b1
Nameserver involved: http://www.dailychanges.com/ruqocyril.com/
suspicious: http://www.urlvoid.com/scan/ruqocyril.com

Unable to properly scan site. Site returning error (40x): HTTP/1.1 404 OK

polonus

Problem returned after reboot. Not sure what I should do. I'm pretty much a n00b when it comes to things like this.

There are probably still some malware files on the system

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in


%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

Thank you, doing this now

Mediafire link http://www.mediafire.com/?1a1q87413sghwav

Malwarebytes is now blocking whatever is happening

Let me know if they continue after this

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> 
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY -> ShopToWin13   -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  iscsied32.dll -> C:\ProgramData\iscsied32.dll
NY ->  Free Offers from Freeze.com -> C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
NY ->  iscsied32.dll -> C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Ran the fix but it appears to have gotten stuck a few times. No log was given to me after the scan, just a message saying that the system needs to restart, so I clicked yes but nothing happened. No restart and OTS is just sitting there.

Restarted the system myself and all seems fine. Wish I could have provided the report you wanted but it was never shown. If it was saved in OTS somewhere and you can tell me how to access it I will post it ASAP.

Thank you so much!
Chris

Spoke too soon, it's back. What next?

Ran the fix again and the same thing happened: no report, just a prompt to restart but no restart.

Bump for the early morning crowd ;D Don't know what to do right now. Seeing new threads started about the same thing.

OK, that tells me that there is a protector hiding on the system - so bigger hammer

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ComboFix report http://www.mediafire.com/?j077glo5a291rfd

Looks like it's all cleared up now but I'll wait to see what you think of this last report.

-------\Service_RpcSs32 -------\Service_wmiApSrv32
There we go, two dead hidden drivers ;D

Firefox was also compromised and cleared

Could you now run a fresh Malwarebytes scan please as some orphans may have been revealed.

Any further problems