Malicious URL Blocking/Detection Alerts

So I’ve run a number of different scans since the initial Alert/block.

First it was Malwarebytes Pro that started blocking an IP: 66.45.56.109
I was starting to get a bit concerned when the same block occurred the next day. I started cleaning up and removed a significant amount of malware with Malwarebytes and AdwCleaner/aswMBR and thought it was over with.

Later I installed Avast Home edition 2014, thinking it wouldn’t hurt to run both programs since the ‘block’ had shown up more often.
However, now Avast is blocking a URL: http://clickered.com/cen?ag

I’ve looked for any sort of toolbar or program in RevoUninstaller that looked suspicious and I came across a GigaClicks Crawler installation. I’ve no idea what it’s from or what it does. When prompted to uninstall, Avast kicked it and moved some process to a chest.

I stumbled upon this thread. Thinking I had a similar problem, I followed the instructions for OTL from this other thread.

And the OTL log is attached.

Any help to get rid of this would be very appreciated.

Much thanks.

Hello

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE - HKU\S-1-5-21-3516740335-3617436455-440623508-1000\..\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN14654307485881244&UM=2
O4 - 
O4 - HKLM..\Run: []  File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[*] Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
uninstall-list;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
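As an added example (not code from this thread, from OTL or from zoek), here is a small Python helper that picks the orphaned O4 autorun entries out of an OTL log (the ones OTL marks as "File not found", like the SearchProtect leftovers in the :OTL fix above) and assembles them into a fix in the same :OTL / :commands layout the helper used. The sample log lines are constructed for the example.

```python
import re

# Constructed sample of OTL "O4" autorun lines, in the shape of the entries the
# helper pasted into the :OTL fix above. Not copied from the attached log.
SAMPLE_O4_LOG = r"""
O4 - HKLM..\Run: [SearchProtect] C:\Program Files (x86)\SearchProtect\bin\cltmng.exe File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: []  File not found
"""

# O4 - <hive>..\Run: [<value name>] <target path and OTL's verdict>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")


def parse_o4(line):
    """Return a dict for one O4 line, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    orphan = rest.endswith("File not found")
    target = rest[: -len("File not found")].strip() if orphan else rest
    return {"hive": m.group("hive"), "name": m.group("name"),
            "target": target, "orphan": orphan, "raw": line.rstrip()}


def orphan_autoruns(log_text):
    """Autorun entries whose executable no longer exists: typical residue when an
    adware component (SearchProtect here) was removed but its Run value stayed."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["orphan"]]


def build_otl_fix(entries, restore_point=True, empty_temp=True):
    """Assemble fix text in the layout used in this thread: the log lines to be
    removed under :OTL, then the :commands section."""
    lines = [":OTL"] + [e["raw"] for e in entries] + ["", ":commands"]
    if restore_point:
        lines.append("[CREATERESTOREPOINT]")
    if empty_temp:
        lines.append("[emptytemp]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_otl_fix(orphan_autoruns(SAMPLE_O4_LOG)))
```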

I’ve run OTL and Zoek as instructed and the logs are attached, however the problem is still coming up.

Avast pops up with this:

" Object: http://clickered.com/cen?ag=a61d164abf0a767c25d33ee1a63e7473-11-3&g=BMW

Infection: URL:Mal

Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "

or this url: http://clickered.com/cen?ag=c8841473129879da1cafddf323c7ad82-11-2&g=PIG

Thank you for the quick reply.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

[*] Press Start Scan
[*] If a Suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

----------- > Next

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*] Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*] Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*] Press the Scan button.
[*] It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*] The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Alerts have still been coming in; however, Malwarebytes Pro has been blocking the original IP, though it’s now under an avastsvc process.

Also I’ve run TDSSKiller, no suspicious or malicious objects detected.

I’ve also run Farbar Recovery Scan Tool and the logs are attached.

[*] Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job;f
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job;f
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}];r
FFdefaults;
chrdefaults;
iedefaults;
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b

[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

I’ve run Zoek as instructed, I had to run it twice as I forgot to disable antivirus.

Alerts are still popping up.

I don’t know if it matters, but I’ve been watching the Shields Activity from the Avast Statistics Monitoring; I’ve noticed the shields spike up when something accesses something along the lines of “AppData\Temp\scoped dir_4383_25439\CRZ_INSTAL\Locales\vi\messages.json”.

Logs are attached, and thank you for your quick reply.

Hi Tisoran,

Argus is busy these days. I will assist you.

Re-run zoek as you did before but using this script:

autoclean;
C:\Windows\SysNative\tasks\Escolade;f
C:\Users\Admin1\AppData\Roaming\iPumper;fs

Post me the freshly created zoek log.

NEXT…

Re-run FRST, check the box for Addition.txt and press the [Scan] button. Post me the freshly created FRST.txt and Addition.txt reports.

Alright, thank you magna.

I’ve re-run Zoek as well as FRST; the logs are attached.

Posted logs look good. Just one small fix…

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Task: {2CB7B523-420B-48AF-9A35-5EA176DDF1AD} - \Escolade No Task File

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

================================

How’s your computer running now?

I’ve run FRST with the fixlist.txt and the log is attached.

The system is running about as smooth as it did when I first formatted the drive however the Alerts from Avast are still coming in.

Can you please post me a screenshot of that avast pop-up alert?

Also, re-run FRST and post me fresh FRST.txt log.

Also, re-run zoek tool with this script:

StandardSearch;

When zoek has finished, post me the freshly created zoek logs.

I’ve posted a screenshot of the alerts. There was an instance where Malwarebytes and Avast blocked one at the same time. Both have been included in the picture, as well as what Avast was scanning while the alert hit.

Re-ran FRST and Zoek, fresh logs have been attached.

I don’t know if it applies, but I’ve been experiencing nearly the exact same symptoms in this thread, with 2 different avast alerts back to back. The alerts range anywhere from 5-30 mins apart. I didn’t notice the muting on Chrome until recently, and I’ve caught the ‘spare’ chrome with a radio station on mute.

Hi,

I see nothing active in the logs.

1. We shall deploy ComboFix. This powerful tool has a useful routine for malware search, and it shall also clean junk, temp and cache files.

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )


2. Let’s reset Chrome settings to default:

[*] Close Google Chrome browser;
[*] Press the Windows key and R.
[*] Copy/paste the following text:

%LOCALAPPDATA%\Google\Chrome\User Data\

[*] Click OK.
[*] Find the Default folder and rename that folder to Default.old

Re-start Google Chrome.

I’ve run ComboFix as well as renamed the Default folder to Default.old; the logs are attached.

I’ll let you know if any alerts come in, so far just spikes in Avast’s Shields activity.

Edit: Single alerts at first, now they’re back to back again.

Running ComboFix via CFScript:

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

Folder::
c:\users\Admin1\AppData\Local\lptmp1554647073

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

RegNull::
[HKEY_USERS\S-1-5-21-3516740335-3617436455-440623508-1000\Software\SecuROM\License information*]
"datasecu"=hex:1c,46,80,3f,ff,80,b1,4f,a1,c8,1a,04,2f,21,35,e5,34,32,de,90,08,
   bd,10,3b,c6,c1,72,b2,d4,cd,67,38,b9,15,cd,55,a3,bf,65,29,cf,6a,2e,62,fa,e2,\
"rkeysecu"=hex:36,9e,fa,1f,34,da,ec,97,21,4d,1e,a0,6a,88,6e,f0

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

I’ve Re-run ComboFix with the script as well as uninstalled Google Chrome via Revo-uninstaller.

Posted logs look good. CF did its job. Any malware alerts?

edit:
You have installed Webroot SecureAnywhere alongside avast. This isn’t good and this isn’t protection.
You may use only one AV per system. One of them you must uninstall. You choose which one…

AV: avast! Antivirus Disabled/Updated {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Webroot SecureAnywhere Disabled/Updated {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}