'malicious url' issue has evolved

Hi. A few days ago I started getting almost non-stop ‘malicious url blocked’ messages from Avast even before connecting to the internet. The blocked messages repeatedly referenced an svchost.exe process and an extension of one of the following three URLs:

http://vjlvchretllifcsgynuq.com
http://xlotxdxtorwfmvuzfuvtspel.com
http://mbbcmyjwgypdcujuuvrlt.com

I followed the scanning process in the post http://forum.avast.com/index.php?topic=53253.0 and saved all the scans. However, because of a delay in submitting this post, I decided to rerun the scans. After the second scan the ‘malicious url blocked’ message stopped popping up and everything appeared to be fine.

But now I’m having other issues:

- system has really slowed down: opening a browser or starting a program is taking over a minute, sometimes two!
- the security centre and firewall stopped and I am unable to restart them
- Windows Defender was deleted
- two new users, LocalService and NetworkService, have appeared in C:\Documents and Settings
- various settings and preferences have been altered … etc., just to name a few.

I am attaching scans and screen prints. This post has the first set of scans. I will also post the most recent set (intermediate scans available upon request). Any help would be much appreciated. Thank you!
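The three domains in the post read like the output of a domain-generation algorithm. As an added example, not from the thread or from Avast, here is a small Python scorer that flags such random-looking labels, run over constructed log lines shaped like those alerts; the log format and the thresholds are assumptions made for this example.

```python
import re
# Constructed sample lines shaped like the alerts described in the thread
# (process name, action, URL); they are not copied from a real Avast log.
SAMPLE_LOG = """\
svchost.exe blocked http://vjlvchretllifcsgynuq.com/
svchost.exe blocked http://xlotxdxtorwfmvuzfuvtspel.com/
svchost.exe blocked http://mbbcmyjwgypdcujuuvrlt.com/
firefox.exe allowed http://forum.avast.com/index.php?topic=53253.0
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+https?://([A-Za-z0-9.-]+)")
VOWELS = set("aeiou")

def registrable_label(host):
    """'forum.avast.com' -> 'avast': the label a DGA would randomise."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def domain_features(label):
    """Length, vowel ratio and longest consonant run ('y' counts as a consonant)."""
    vowels = sum(ch in VOWELS for ch in label)
    runs = re.findall(r"[^aeiou]+", label)
    return {
        "length": len(label),
        "vowel_ratio": round(vowels / len(label), 2),
        "longest_consonant_run": max(map(len, runs)) if runs else 0,
    }

def looks_dga(feat):
    """Thresholds are a heuristic chosen for this example, not a vendor rule."""
    return (feat["length"] >= 12 and feat["vowel_ratio"] < 0.3
            and feat["longest_consonant_run"] >= 4)

def analyze_log(text):
    """Parse each alert line and attach the DGA verdict for its host."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        process, action, host = m.groups()
        feat = domain_features(registrable_label(host))
        results.append({"process": process, "action": action, "host": host,
                        "dga_like": looks_dga(feat), **feat})
    return results

if __name__ == "__main__":
    for r in analyze_log(SAMPLE_LOG):
        print(r)
```

A hit on its own is only a hint; what makes these alerts worth chasing is that all three came from the same svchost.exe process, which is why the helper's scripts below inspect services and startup entries.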

Most recent scans

additional scans. Thanks!

malware removers are notified, check back later today

@furball
Hello and welcome to avast! :wink:

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*] Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.

======== Next =========

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
srinfo;
systemscpecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;



[*] Click on the
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until the log report opens (this can be after a reboot)

[*] Save the Notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Thank you for your help.

I completed the first part of your request and I’ve attached the Combofix log.

Please note that Combofix deleted my internet connection (my ISP is WIND). I am using a different computer at the moment to post this reply.

In order to continue with the clean-up, do I re-install my ISP WIND on the infected computer (as prompted by the set-up wizard that has popped up) or do I download zoek.exe using this computer and transfer the file to the infected unit to execute?

Hi furball,
Please stop for now with running Zoek.exe, we need to try to fix this FP with WIND.

I need to see the following:

  1. Additional ComboFix log report:

Please attach here:
C:\QooBox\ComboFix-quarantined-files.txt

  2. I need to examine the contents of this folder:

Please zip/rar the C:\QooBox folder and upload it to:

http://www.wikisend.com/

Please post the download link here.

Hi …

I’ve attached two logs that were in the folder.

Is there a different site I can use to upload the zip file? I have tried twice to upload; both times it’s taken over an hour and a half and I get a timed-out message. Currently attempting upload #3 and site says 103 minutes left to go :frowning:

If not, I’ll keep trying.

Hi … upload #3 failed as well. After uploading for 1.5 hrs and reaching 99% complete, the following message displayed:

The website cannot display the page: HTTP 500

Most likely causes:
•The website is under maintenance.
•The website has a programming error.

What you can try:
Refresh the page.
Go back to the previous page.

More information: This error (HTTP 500 Internal Server Error) means that the website you are visiting had a server problem which prevented the webpage from displaying. For more information about HTTP errors, see Help.

Please advise. Thanks!

Hi furball,

I expected that this folder would be a little bit large lol, but didn’t think it would be that large.
I think I have the proper fix for that FP. If not, we will see to fixing this through System Restore. :wink:


Step#1

  1. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this Instruction.

  2. Open notepad and copy/paste the text present inside the code box below:



DeQuarantine::
C:\Qoobox\Quarantine\C\Program Files\WIND
Quit::


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


Step#2

[*] Click on the Start
http://dl.dropbox.com/u/16537616/Canned%20Speeches/Start%20Orb.jpg
button and in the search box, type Notepad and click on it
[*] Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad


reg import "C:\Qoobox\Quarantine\Registry_backups\AddRemove-{B2B30EC0-FB6A-43BB-9B38-0C3B32D75B40}_is1.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\AddRemove-WIND.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CmUsbSound.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Mobile Partner.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_WIND.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Legacy_WIND._RunOuc.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_9.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_8.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_7.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_6.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_5.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_4.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_3.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_2.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_11.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_10.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_1.reg.dat"
reg import "C:\Qoobox\Quarantine\Registry_backups\Service_0.reg.dat"
pause

[*] Go to File > Save As… and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)

Double-click on fix.bat to run it.

After 5 minutes, reboot your system.





*********************************


Step#3



Download the ESET services repair tool from:
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
and extract the file to your desktop.

[*] Double-click ServicesRepair.exe.
[*] If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
[*] Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
[*] A log will be saved in the CCSupport folder the tool created on your desktop; please post the content in your next reply.





*********************************


Step#4


Re-run the FSS.exe tool and attach a fresh FSS.txt log report here.




*********************************


Step#5



Please download dds+.exe and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/dds+.exe

[*] Double-click dds+.exe;
[*] Expand (click on +) the "options for dds.txt" option;
[*] Remove the checkmark for the "check MBR" option;
[*] Check the "disable whitelist" option;
[*] Click the Start button;
[*] When finished, it will produce a DDS.txt log and an Attach.txt log and also save them to your desktop.
[*] Please attach the DDS.txt and Attach.txt logs in your next reply.





*********************************


Step#6

Please download zoek.exe from http://home.kpn.nl/stefsmeenk/zoek.exe/ and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts...

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:

WIND;z
WIND;a
srinfo;

[*] Click on the
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until the log report opens (this can be after a reboot)

[*] Save the Notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named "zoek-results.log"

Hi … hope you had a good weekend. Here are some of the logs from your last request:

… and here is one more log.

The zoek-results.log is too large to attach here (9.4MB or 0.95MB zipped) and I am having no luck using wikisend … every attempt to upload has failed. Is there a different site I can use to upload the file?

Thanks again!

Ok, ignore zoek log for now.

Please download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html

[*] Install the program, then run it.

[*] Go to Step 2 and allow it to run Disk check
[*] Once that is done, go to Step 3 and allow it to run SFC
[*] Go to Step 4 and create a registry backup and system restore point.

[*] On the Start Repairs tab, click Start

  • Click on the Select all button and then click on Start
  • Don’t use the computer while each scan is in progress!!!

[*] A restart may be needed to finish the repair procedure.

============= Next ==============

Download MiniToolBox by Farbar from here:
http://www.bleepingcomputer.com/download/minitoolbox/

Run the tool, check all boxes and click on button GO.

Once the application finishes its scans/fixes, its report will pop up in Notepad. Please attach the MiniToolBox report here.

============= Next ==============

Delete old zoek.exe and download fresh copy. Re-run zoek.exe using just this script:

srinfo;

Attach (or copy-paste) the freshly created zoek log here.


Is your internet (WIND) running well now?

LOL … I didn’t realize my internet connection was repaired! I’ve been using a different computer the last few days to avoid screwing things up during the scanning/repair process. Should I connect or wait until all repairs are done?

Should I connect or wait until all repairs are done?

I see no reason why not.

  • Windows Repair is a tool that basically uses various methods for system recovery. If your internet connection is working properly, you may skip the Windows Repair step and move on to MiniToolBox. Attach its log report here.

  • And finally we need again to check your system. Try to run this script with fresh zoek.exe:

process;
srinfo;
systemscpecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

Attach here fresh created zoek log.

Good morning … Internet works, computer’s a bit sluggish like before but it’s not hanging, stalling or crashing. :slight_smile:

I was half-way through the Windows Repair steps when I read your last message so I continued and ran the repair function. Logs are attached.

Have a great day!

Hi furball,

  1. Start > Control Panel > Add or Remove Programs:
    You need to uninstall:

Search Settings

===== Then … =====

Run Zoek with this script:

emptyclsid;
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-];r
"SearchSettings"=-;r
C:\Program Files\Search Settings;fs
C:\Documents and Settings\FURBALL\Application Data\Mozilla\Firefox\Profiles\dm1vnv92.default\extensions\staged(2);f
FFdefaults;
chrdefaults;
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;

Attach the fresh zoek log here and tell me how your computer is running now.

Hi … I’ve attached the latest zoek log.

THANK YOU SOOOOOOO MUCH for all your help! Computer is running well. Everything appears to be working as it was prior to the infection. Unfortunately, that means the issue of the slow reaction time (i.e. the delay before any action is executed, browser taking too long to open, etc) is not due to the infection. :frowning: ???

Hi,

If you’re still having a problem, it is not malware-related.
I will remove used tools now.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.


I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

Keep safe :wink:

THANKS again for all your help!