Malicious URL blocked

Hello!

I was wondering if anyone could please help me to solve this problem. I’ve seen a lot of threads similar to mine, but none seem to address the issue I’m currently experiencing.

Whenever I use Chrome, perhaps an hour or so after I’ve been using it, Avast! keeps giving me the message “Malicious URL blocked” each time I load a page or change tabs (no matter what the site, be it Gmail, Facebook, Comedy Central, a new Google search, whatever). The “Object” is always the website that I am visiting.

Since that all began about last week, I have tried several solutions. Avast! picks up nothing each time; Malwarebytes Anti-Malware picked up a few things initially, which I got rid of, but then I continued experiencing the same pop-up from Avast. Then I ran scans with AdwCleaner, RogueKiller, and finally TDSSKiller, but to no avail. The latter only ends up finding 3 objects, all of which are medium-risk and do not have a “Cure” option. Everything seemed to be going fine, but then the Avast! “Malicious URL blocked” pop-ups continued.

Other things I’ve tried: System Restore to 30 days ago, uninstalled all Google software on my laptop and deleted all Google-related files, uninstalled Google extensions and then reinstalled “trusted” ones that might help with security (AdBlock Plus [with Malware blocker on], avast! Online Security, Disconnect, Flag for Chrome, and HTTPS Everywhere).

Finally, I’ve just finished running a complete scan with SUPERAntiSpyware and it only found Tracking Cookies. I guess I’ll delete those too, but I don’t think it’s going to solve any of my problems.

Follow the instructions here … scroll down to OTL and attach the diagnostic log: http://forum.avast.com/index.php?topic=53253.0

Here you go. Is this all you need for now?

Oops and here’s this as well

Could you confirm that this is in Chrome only and does not appear in IE or Firefox?
Also, could you attach a screenshot of the Avast alert?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands
[CREATERESTOREPOINT]

:OTL
O2 - BHO: (Codec-C Class) - {09526FA6-040C-4552-809C-F05F25861335} - C:\ProgramData\Codec-C\bhoclass.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-2391621697-4015267187-2753864887-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O20:64bit: - Winlogon\Notify\GoToAssist: DllName - (C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll) - File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I will run the fix with OTL and keep trying to catch my computer the next time it starts flashing the warning. I don’t have Firefox, and while I have IE, I never use it, but I will also start using it to see if the same issue arises with IE. It might take me a while to get back to you with the screenshot because, as I said, it starts happening repeatedly only an hour (or maybe more… haven’t timed it) after I’ve been running Chrome.

Thanks so much for your help and I’ll try to get back to you as soon as possible.

Time is not a problem, I am here every day :slight_smile:

Haha, great! Thanks for your patience. Well, here is the log for the OTL scan I just did. Also, now that I think about it, I do remember that the malicious URL that Chrome blocked each time was always preceded by toolbarqueries.google.com (or maybe it was toolbarqueries-google.com) and then facebook.com or gmail.com, etc. But yeah, like I said, I’ll keep trying to catch the warning.

Any joy on trying IE?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands
[CREATERESTOREPOINT]

:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_8_800_94.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.25.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.25.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Megan\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Megan\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013/09/01 14:33:20 | 000,000,000 | ---D | M]
[2012/09/18 22:35:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Megan\AppData\Roaming\Mozilla\Firefox\extensions
[2012/09/18 22:35:48 | 000,000,000 | ---D | M] (uTorrentControl_v2) -- C:\Users\Megan\AppData\Roaming\Mozilla\Firefox\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Despite using Chrome all day, I haven’t encountered the Malicious URL blocked pop-ups anymore… I hope this means everything is resolved, but I don’t want to make any assumptions just yet since that’s what I kept thinking all week only to see the pop-ups again later. And I haven’t gotten around to using IE much yet, but I’ll try again today.

Did you want me to still try the fix you just posted today around 12:45? I noticed it mentions Mozilla a lot even though I don’t have Mozilla and never have on this computer.

The fix is just to tidy up the Firefox entries present on your system. The culprit was either in the temporary files or the Java cache, which OTL cleared on the first run.

Ok I’m running the fix now.

Unfortunately, immediately when I opened Chrome today (I seriously don’t understand the timing of these Malicious URL blocked pop-ups) the pop-ups began again. Here are screenshots of the pop-ups in Chrome. I still haven’t had time to check with IE.

I’ll run the OTL fix you last posted now.

Here’s another screenshot of the “infection details” that the pop-up was covering in the previous screenshot.

And here’s another example of the pop-up appearing even on this site.

I’m not sure if this is the OTL log, but I got this after I ran that last fix.

That is running from the Google add-ons/extensions; we can block it by doing the following:

Go to C:\Windows\System32\Drivers\etc
Locate the file called Host
Right-click and select Open with …
Select Notepad
Add the two lines below to the bottom of the file:

127.0.0.1 toolbarqueries.google.com
127.0.0.1 alt1.toolbarqueries.google.com

So that it looks like this:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
::1 localhost

127.0.0.1 toolbarqueries.google.com
127.0.0.1 alt1.toolbarqueries.google.com

Select File > Save as …
Select All Files in the drop-down at the bottom and save as Host with no extension.

Then try Chrome again.
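An added check for the hosts-file edit described above (example code, not from the thread or the helper): it parses the file the way the resolver reads it, with whitespace-separated fields, `#` comments and several names per line, and reports which of the two toolbarqueries names are still not pinned to a loopback address. The sample file content is constructed here and deliberately leaves one of the two lines commented out so the check has something to find.

```python
"""Check that a Windows hosts file pins the given hostnames to loopback."""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the first address the file gives it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is ignored by the resolver
        ip, names = fields[0], fields[1:]
        for name in names:
            # The resolver takes the first matching line, so keep the first one.
            mapping.setdefault(name.lower(), ip)
    return mapping


def unblocked(text: str, wanted: List[str]) -> List[str]:
    """Return the names from `wanted` that the file does NOT send to loopback."""
    mapping = parse_hosts(text)
    return [h for h in wanted if mapping.get(h.lower()) not in LOOPBACK]


# Constructed sample: the default Windows header plus the two lines from the
# thread, with the second one mistakenly commented out.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 toolbarqueries.google.com   # added per forum advice
# 127.0.0.1 alt1.toolbarqueries.google.com
"""

TARGETS = ["toolbarqueries.google.com", "alt1.toolbarqueries.google.com"]

if __name__ == "__main__":
    for host in unblocked(SAMPLE_HOSTS, TARGETS):
        print(f"not blocked: {host}")
```

To check the real file, read `C:\Windows\System32\Drivers\etc\hosts` and pass its text to `unblocked` in place of the constructed sample.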

Sorry this is probably a really stupid question, but how can I get the file to save with the text you just gave me if I’m getting a window that says “You don’t have permission to save in this location. Contact the administrator to obtain permission” … Not really sure what to do since I’m the only user.

Try this small Host editor: http://sourceforge.net/projects/hosty/ (instructions are on this page as well).

Ok, I was able to modify that host file and the same problem is still occurring.

Let’s look deeper.

Download and Install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.