Malicious URL blocked

Hi there,

Running Windows XP Professional on a Dell D620. I am using Avast, did a boottime scan and found nothing, also ran a Malwarebytes full scan and found nothing. Reputable links are resulting in Avast blocking them, and the links are trying to redirect me to 64.111.211.158. This doesn’t happen 100% of the time, but enough to be annoying. Often, hitting the back button and clicking on the same link will not cause a malicious URL blockage, and I will be directed to the legitimate site. It’s still frustrating, though!

I’m tempted to follow the same procedures outlined in similar threads, but I’ll wait for professional advice!

Thanks for your help in advance!
Randy

Try a forum search for ISPrime, as that is the IP address you posted; I believe I saw that in a recent topic.

OK, this is the one, and it was proving to be a bit of a pig to remove until it was properly analysed by a malware removal specialist: http://forum.avast.com/index.php?topic=80917.msg661773#msg661773.

So for the time being I would suggest you run OTS and post the log, and when essexboy is back on the forums (won’t be for some time, 1:10am in the UK) hopefully he can analyse the log and create a fix. What was produced in the other topic is specifically for that user and shouldn’t be used.

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

Hi again,

Thanks for the quick reply. Attached is the OTS log from the scan per your instructions.

Thanks again
Randy

Unfortunately we will have to wait for someone familiar with this tool to analyse it.

I saw the log, it’s familiar to me and I can also enlist the fix, here you go:

Please paste this into the “Paste fix here” panel and then hit Run Fix.
code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > ->
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache -> C:\Users\randy\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions\{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY -> ShopToWin13 -> C:\Users\randy\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar
YN -> WebBrowser\\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> iscsied32.dll -> C:\ProgramData\iscsied32.dll
NY -> Free Offers from Freeze.com -> C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY -> 573779942 -> C:\Windows\SysWow64\573779942
NY -> iscsied32.dll -> C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY -> 573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

Hope this helps you out…

Thanks for your input. I’d like the senior members to study the OTS log before I take any further action.

Randy

I have asked essexboy to check in when he can, he has probably only recently got back from work.

Hi, I do not know where that fix came from, but it bears no relation to reality. On completion of this, can you let me know if the symptoms persist?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> 
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> 
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< FireFox Extensions [User Folders] > -> 
YY -> XUL Cache   -> C:\Documents and Settings\rwaldrep\Application Data\Mozilla\Firefox\Profiles\2bz2icop.default\extensions\{0bba7f5b-ef03-45ed-8774-29e3999c5adc}
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\muweb32.dll -> C:\WINDOWS\system32\muweb32.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \##169.254.74.168#usb -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell -> 
YN -> \##169.254.74.168#usb\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell\AutoRun -> 
YN -> \##169.254.74.168#usb\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell\AutoRun\command -> 
YN -> \##169.254.74.168#usb\Shell\AutoRun\command\\"" -> [Y:\WDSetup.exe]
YN -> \{1455e04f-345d-11de-a8ce-0015c53b3344} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1455e04f-345d-11de-a8ce-0015c53b3344}\Shell\AutoRun\command -> 
YN -> \{1455e04f-345d-11de-a8ce-0015c53b3344}\Shell\AutoRun\command\\"" -> [E:\WDSetup.exe]
[Files/Folders - Created Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
NY ->  1114984448 -> C:\WINDOWS\System32\1114984448
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Smart man :wink:

Well, given what com155 has done before, he has probably copied one of your scripts in the belief that the fix works on all, but it is in fact unique to a specific system. Now you know why I asked for your assistance.

Very smart.

Hi DavidR & Pondus & essexboy & rwaldrep,

The user in this case outsmarted the pseudo-OP.
So you are welcome here, rwaldrep, welcome to these forums,

polonus

Hello again,

Thanks for the quick reply and info on how to proceed. I ran the fix as indicated and I’m attaching the text results here. So far everything looks fixed, but I’ll send another update if things turn sour.

As for the junior member’s contribution, well, I don’t mind others trying to help in a time of need, but I’ve seen others with the same problem where the fix was different. It’s kind of like going to the hospital to be cured–you kind of want a qualified physician to diagnose and do the operating.

Thanks again for making this so easy!
Randy

Hi rwaldrep,

With essexboy you were in the best of hands. I hope you will return to these forums, stay safe and secure online,

polonus

Let me know when you are happy

I’m very happy. Thanks to all of you for your quick and professional guidance!

Randy

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :wave:

Great, I finished out with your clean up and the computer is once again shiny and happy. Keep up the excellent work and guidance. I really appreciate all you’ve done!

Thanks to everyone!
Randy

Hey essexboy, here is my OTS log:
http://www.mediafire.com/?jh08vdl69rp2l22
Will the fix you stated at the beginning of the post work for me? Or what should I do in order to fix this URL redirect issue? Thanks for your time. Have a great day.

Each infection is unique - no two fixes will be the same. Let me know if this clears it.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2944627505-1220103275-307688639-1000\] > -> HKEY_USERS\S-1-5-21-2944627505-1220103275-307688639-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  dF01603NeBnH01603 -> C:\ProgramData\dF01603NeBnH01603
[Files/Folders - Modified Within 30 Days]
NY ->  36953848 -> C:\ProgramData\36953848
[Files - No Company Name]
NY ->  36953848 -> C:\ProgramData\36953848
NY ->  Etibonoces.dat -> C:\Users\User\AppData\Local\Etibonoces.dat
NY ->  Ayihurihik.bin -> C:\Users\User\AppData\Local\Ayihurihik.bin
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
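Both of essexboy's fix scripts above use the same OTS layout: a [section] header, a < group > line naming the registry location, and entry lines of flags -> item -> target. As an added example (not code from this thread or from OTS itself), here is a small Python parser that pulls out what such a fix would act on (files, AppInit_DLLs loaders, firewall exceptions, AutoRun commands, custom commands) so a fix can be read and checked against your own log before it is run; the sample text is constructed from entries in the first fix, and the flag-letter meanings are deliberately not interpreted.

```python
import re
# Constructed sample, laid out like the OTS fix scripts posted in this thread.
SAMPLE_FIX = r'''
[Registry - Safe List]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> C:\WINDOWS\system32\muweb32.dll -> C:\WINDOWS\system32\muweb32.dll
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \##169.254.74.168#usb\Shell\AutoRun\command\\"" -> [Y:\WDSetup.exe]
[Files/Folders - Created Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
[Custom Items]
:Files
ipconfig /flushdns /c
:end
'''
# Entry line: two OTS flag letters, then "item -> target" (target may be empty).
ENTRY = re.compile(r'^[YN]{2}\s*->\s*(.*?)\s*->\s*(.*)$')

def parse_ots_fix(text):
    """Return (section, group, item, target) for every entry, tracking headers as they change."""
    section, group, entries = '', '', []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith('[') and line.endswith(']'):
            section, group = line[1:-1], ''
        elif line.startswith('<'):
            group = line[1:line.index('>')].strip()
        elif section == 'Custom Items' and not line.startswith(':'):
            entries.append((section, group, 'command', line))   # raw command under :Files/:end
        elif (m := ENTRY.match(line)):
            entries.append((section, group, m[1], m[2]))
    return entries

def triage(entries):
    """Bucket what the fix would touch so it can be checked against your own log first."""
    out = {'appinit_dlls': [], 'firewall_exceptions': [], 'autorun_commands': [], 'files': [], 'commands': []}
    for section, group, item, target in entries:
        t = target.strip('[]')
        if group.startswith('AppInit_DLLs'):
            out['appinit_dlls'].append(t)                      # DLL injected into every GUI process
        elif 'Authorized Applications' in group:
            path, rest = t.split(':*:', 1)                      # path:*:Enabled:display name
            out['firewall_exceptions'].append((path, rest.split(':', 1)[1]))
        elif group.startswith('MountPoints2') and r'\AutoRun\command' in item and t:
            out['autorun_commands'].append(t)                   # what AutoPlay would launch
        elif section == 'Custom Items':
            out['commands'].append(t)
        elif section.startswith('Files') and t not in out['files']:
            out['files'].append(t)                              # deduped across Created/Modified
    return out
```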

Hey essexboy, I have a huge problem: my laptop has been stuck on OTS (not responding) when it was in the middle of creating a restore point, for 55 minutes. What should I do?