Malicious URL Blocked

Every half hour I get 2 pop-ups in a row telling me that a malicious URL has been blocked. They mention the same process every time: TpScrex.exe, and since today I also get a notification each time about this exe file telling me that it has been sandboxed.

I have read what I have found of suggestions for others with the same problem, I found this list (see below), and have done most of it, except DrWeb CureIT, HostsMan Tool, Disabling system restore.

I don't experience problems besides the pop-ups - well, the PC is a bit slow, but I don't know if that is because of the malware.

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use Comodo Cleaning Essentials (CCE), or MBAM, or SUPERantispyware to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Read these instructions and provide more info with the logs generated.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.

Here is the log from MBAM:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.10.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Ole :: OLE-PC [administrator]

10-05-2012 15:55:36
mbam-log-2012-05-10 (15-55-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219902
Time elapsed: 10 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hope you can help,
Thanks, Ole

aswMBR was not able to finish; every time it reached what was probably the last part, the program went down. I have made a screenshot of what was shown in the program window, if that can be of any help.

"They mention the same process every time: TpScrex.exe"

Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners. When you have the result, copy the URL in the address bar and post it here for us to see.

Malware specialists are notified :wink:

OK, I shall do that in a minute. Just wanted to tell you that the site it tries to open is
hXtp://couly.com/adask.php, which is found on my PC (I tried to type it in Start > Search). I wanted to check the file's location, and when I do this iGoogle shows up ???

Make that link non-clickable please. >> WOT gives comments leading to an assumption that the site hosted malware in 2009.

See: http://urlquery.net/report.php?id=54239
It looks as if the link is supposed to be downloaded and run as an executable.
VirusTotal gives nothing: https://www.virustotal.com/file/e2ddc2980fb29d5f93f2c19de2260b89a7ef1418bb3f3da81c98773998374305/analysis/1336774714/
Maybe a custom language?

How do I make the link non-clickable?

I wanted to check the suspicious file as you suggested, but the file was in
c:\programData\TpScrex\TpScrexm.exe - and the file seems to have disappeared!
There is no folder anymore called "programData"… ???
And if I make a search in Start > Search the file does not show up either.
I have often looked at the file and checked it with Avast, but it always found it safe.

I don't know how that happened; I didn't delete the folder. And I am sure that SUPERAntiSpyware didn't remove it. Could aswMBR or OTL have removed it? (I thought they were only diagnostic tools?)

Well, maybe the problem is gone now…?

Non-clickable… change http to hxxp and www to wxw… or remove http/www from the link.

No, aswMBR/OTL will not remove anything… unless instructed to. That is what the malware remover will do, if anything is found in those logs.

"How do I make the link non-clickable?"
Change http:// to hXtp://

"I wanted to check the suspicious file as you suggested, but the file was in
c:\programData\TpScrex\TpScrexm.exe - and the file seems to have disappeared!
There is no folder anymore called "programData"… ???"

Something might have changed. I advise you run a second OTL log and post it; to show the comparison between before and after.
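The file the alerts name has apparently vanished, yet the alerts keep coming, so something on the machine is still launching it. As an added example, not part of the thread and not the OTL/ComboFix tooling used in it, the PowerShell below (written for the PowerShell 2.0 that ships with Windows 7, so no Get-FileHash) lists what a responder would check before concluding the file is gone: running processes, files under the usual drop folders including C:\ProgramData, which is a hidden folder and therefore absent from Explorer and Start > Search with default settings, the Run/RunOnce keys, services and scheduled tasks, and for any file it finds the SHA-256 and the VirusTotal file URL in the form seen earlier in the thread. Only the process name TpScrex comes from the post; the folder list and registry keys are a generic persistence checklist assumed here, not anything the thread confirmed for this machine.

```powershell
# Added example (not from the thread): hunt for what keeps launching TpScrex.exe
# after the visible file is gone. Run from an elevated PowerShell prompt.
# $needle is the process name Avast reported in the post; the paths and keys
# searched are a generic checklist assumed here, not confirmed for this machine.
$needle = 'TpScrex'

Write-Host "== Running processes =="
Get-Process | Where-Object { $_.ProcessName -like "*$needle*" } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

Write-Host "== Files on disk (-Force includes hidden/system items; ProgramData is hidden by default) =="
$roots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:SystemRoot\Temp")
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$needle*" } |
        ForEach-Object {
            Write-Host ("{0}  [{1}]" -f $_.FullName, $_.Attributes)
            if (-not $_.PSIsContainer) {
                # SHA-256 via .NET, since PowerShell 2.0 has no Get-FileHash.
                # The hex digest is what VirusTotal's file URL is keyed on, so the
                # sample can be looked up without uploading it.
                $sha   = [System.Security.Cryptography.SHA256]::Create()
                $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
                $hex   = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                Write-Host ("    sha256={0}" -f $hex)
                Write-Host ("    https://www.virustotal.com/file/{0}/analysis/" -f $hex)
            }
        }
}

Write-Host "== Autostart registry values =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PS* bookkeeping properties; match on the command line value.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$needle*" } |
            ForEach-Object { Write-Host ("{0}\{1} = {2}" -f $key, $_.Name, $_.Value) }
    }
}

Write-Host "== Services =="
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -like "*$needle*" -or $_.Name -like "*$needle*" } |
    Select-Object Name, State, StartMode, PathName | Format-List

Write-Host "== Scheduled tasks =="
# schtasks' verbose CSV output is parsed instead of Get-ScheduledTask, which
# Windows 7 does not have.
schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -like "*$needle*" } |
    Select-Object TaskName, 'Task To Run', Status | Format-Table -AutoSize
```

Nothing in the script deletes or changes anything; it only reports. Any path, registry value or hash it prints is the kind of detail worth posting alongside the OTL log, and the hash can be pasted into VirusTotal's search even if the file itself has already gone.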

OK, but I don't know how to make changes to what I have written in a former post. I understand that it's not a good idea to have links on the site that contain malware…

No, I still get the same pop-ups. And it still refers to the same file - that still doesn't exist… I didn't ask any of those programs to remove anything. Strange…
I have attached a screenshot of the pop-up.

I will run OTL again, but it's late now and I have to get some sleep.
Thanks for your help today, I'll be back tomorrow.

…and I found out how to modify the link :wink:

Hi,

Please download TDSSKiller.zip

- Extract it to your desktop
- Double click TDSSKiller.exe
- When the window opens, click on Change Parameters
- Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
- Click OK
- Press Start Scan
- Only if Malicious objects are found, then ensure Cure is selected
- Then click Continue > Reboot now
- Copy and paste the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:)

I have attached a second OTL log as Donovan suggested (it didn't create/save any Extra.txt file this time…)

…and here is the TDSSKiller log:

(It exceeded the allowed max length of text, so I have attached it instead)

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1483525672-3986109873-3017391016-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF EE BD B0 97 AF CC 01  [binary data]
IE - HKU\S-1-5-21-1483525672-3986109873-3017391016-1000\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - No CLSID value found
IE - HKU\S-1-5-21-1483525672-3986109873-3017391016-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1483525672-3986109873-3017391016-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[createrestorepoint]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don't check the boxes beside LOP Check or Purity this time)

OK, followed your last instructions.
I tried to scan with OTL (after doing the Run Fix) without checking LOP and Purity as you said, but when I hit the Quick Scan button they got marked automatically by themselves. If you want me to make another scan, just ask, but tell me how to avoid these boxes getting checked.

I still get the "malicious URL blocked" pop-ups after doing the Run Fix in OTL.

Hi,

Download ComboFix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

- Right-click and Run as Administrator on ComboFix.exe and follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.

Did the ComboFix. I disabled Avast, but after ComboFix rebooted and was doing its post-scan, Avast started up; I hope it didn't interfere.

Hi,

- Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

(Screenshot: http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)

- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan.

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.

As a Vista/Win7 user you will need to right click your browser icon and select "Run as Administrator" in order to run this scan.

- Do not use this instance of your browser for anything besides doing this scan.
- When the scan is complete and the results saved, close that instance of your browser.
- Open a new one the usual way and post the results in this topic.

- Right-click and Run as Administrator on the following link to open ESET OnlineScan in a new window: ESET OnlineScan (http://www.eset.com/onlinescan/)
- Click the ESET Online Scanner button (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png).
- For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  1. Click on the ESET Smart Installer button (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png) to download the ESET Smart Installer. Save it to your desktop.
  2. Double click on the ESET Smart Installer icon on your desktop (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png).
- Check the box accepting the Terms of Use (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png).
- Click the Start button.
- Accept any security warnings from your browser.
- Check the Scan archives option (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png).
- Make sure that the option "Remove found threats" is Unchecked.
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push the List of found threats button (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png).
- Push the Export to text file button (screenshot: http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the Back button.
- Push Finish.

In your next reply please attach the logs made by ComboFix, Malwarebytes and ESET online scanner. :slight_smile:

Here are the first two scans.
I'll run ESET tonight and send it tomorrow.

OK… sounds good. :slight_smile: