Malicious URL Blocked

Viruses and worms
1

Hello

I am currently receiving a Malicious URL Blocked popup every time i use a search engine on any browser, I first used Malwarebytes’ Anti-Malware that found some problems and removed them however the malicious URL popup is still persisting and Malwarebytes is not showing any problems:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.23.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jake :: JAKE-PC [administrator]

23/07/2012 16:38:43
mbam-log-2012-07-23 (16-38-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 191706
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I have attached the OTL and aswMBR logs so hopefully you can help me, thank you for your time.

2

welcome to the forum. a malware expert will look through those logs and give you instructions from there.

3

Hi let me know if this cures it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{CECC26FD-D449-11E1-8270-B8AC6F996F26}: C:\Users\Jake\AppData\Local\{CECC26FD-D449-11E1-8270-B8AC6F996F26}\ [2012/07/22 23:08:56 | 000,000,000 | ---D | M] O4 - HKU\S-1-5-21-65507303-4055571390-187693504-1000..\Run: [uplol] C:\Users\Jake\AppData\Roaming\uplol.dll (Analog Devices, Inc.) [2012/07/22 23:08:53 | 000,443,392 | ---- | C] (Analog Devices, Inc.) -- C:\Users\Jake\AppData\Roaming\uplol.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

4

I did what you said, here is the log. Still getting the same problem unfortunately.

5

OK next phase

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

6

It says no threat found here is the report.

7

OK MBR is clear

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

8

Combofix did delete some files but unfortunately I am still getting the malicious URL blocked popup.

9

Do other computers that use the router experience the same problems ?

Reset/Renew TCP/IP connection

[*] Open an elevated command prompt. To do that:
[*] Click the Start Orb
[*] In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
[*] Right click on cmd.exe and click Run as Administrator. A black command window will open up.
[*] At the blinking cursor type the following commands, pressing the Enter key after each command typed:
[*] ipconfig /release
Back at the blinking cursor tpye the following command, and press the Enter key.[*] ipconfig /renew

[*] Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
[*] Reboot the computer

10

The other computers in the house are working fine. I did what you said and unfortunately the popups are still happening.

11

OK lets now look at the net connections

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[]Flush DNS
[]Report IE Proxy Settings
[]Reset IE Proxy Settings
[]Report FF Proxy Settings
[]Reset FF Proxy Settings
[]List content of Hosts
[]List IP configuration
[]List Winsock Entries
[]List last 10 Event Viewer log
[]List Installed Programs
[]List Devices
[]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.

12

Ran the tool here is the result.

13

Hmm that looks OK

OK lets see what is actually starting with the computer

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.
[*]Save it to the desktop.
[*]Run Silent Runner’s by doubleclicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO
[*]If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.