Malicious URL Blocked keeps popping up every few minutes!

Hello,

I keep getting messages that say malicious URL blocked and continue to pop up every few minutes, and while it is up, it repeatedly says “threat has been detected” with a dinging sound. It is making using my computer very difficult >:( Is anyone able to help?

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.11.15

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-PC [administrator]

Protection: Disabled

1/11/2013 8:10:13 PM
mbam-log-2013-01-11 (20-10-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207700
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 3740 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.
C:\Users\User\AppData\Local\Temp\services.exe.mui (Heuristics.Reserved.Word.Exploit) → Quarantined and deleted successfully.

(end)
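As an added example, not code from the thread or from Malwarebytes, here is a small Python triage script that parses detection lines in the format of the log above and flags the point the log makes: the real svchost.exe lives under System32, so a copy in C:\Windows, or a services.exe artefact in a user Temp folder, is a masquerade. The sample log is constructed from the two detections quoted above; the binary names and directory lists are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Constructed sample in the shape of the Malwarebytes log posted in the thread;
# only the detection lines matter to the parser (MBAM writes "->" between fields).
SAMPLE_LOG = """\
Memory Processes Detected: 1
C:\\Windows\\svchost.exe (Trojan.Agent) -> 3740 -> Delete on reboot.

Files Detected: 2
C:\\Windows\\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\\Users\\User\\AppData\\Local\\Temp\\services.exe.mui (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# Core Windows binaries that legitimately run only from these directories (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe"}
LEGIT_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

# Detection line layout: <path> (<threat name>) [-> <pid>] -> <action>
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\[^(]+?) \((?P<threat>[^)]+)\)(?: -> (?P<pid>\d+))? -> (?P<action>.+)$")

def parse_detections(log: str) -> list:
    """Return one dict per detection line; section headers and blank lines are skipped."""
    found = []
    for line in log.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def masquerade_reason(path: str) -> Optional[str]:
    """Explain why a detected path looks like a system-binary impostor, or None if it does not."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    core = next((b for b in SYSTEM_BINARIES if name == b or name.startswith(b + ".")), None)
    if core and not parent.startswith(LEGIT_DIRS):
        return f"{core} outside System32/SysWOW64/WinSxS"
    if "\\appdata\\local\\temp" in parent:
        return "executable artefact in a user temp directory"
    return None

def triage(log: str) -> list:
    """Unique (path, threat, reason) triples for detections that merit escalation."""
    seen, out = set(), []
    for d in parse_detections(log):
        reason = masquerade_reason(d["path"])
        if reason and d["path"].lower() not in seen:
            seen.add(d["path"].lower())
            out.append((d["path"], d["threat"], reason))
    return out

if __name__ == "__main__":
    for path, threat, reason in triage(SAMPLE_LOG):
        print(f"{path}  [{threat}]  {reason}")
```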

OK, it is now almost 2am in the UK, and many of the volunteer malware removal specialists are in this and European time zones and only a few in the USA. So it is likely to be later today when they will be able to look at it.

Please help, as my computer continues to pop up with malicious url block. Thank you.

Sorry this one looks like it dropped out of the list.

A malware removal specialist has been informed of your topic.

Hi, let's get at it.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach its contents on your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

20:41:31.0178 4612 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
20:41:31.0911 4612 ============================================================
20:41:31.0911 4612 Current date / time: 2013/01/14 20:41:31.0911
20:41:31.0911 4612 SystemInfo:
20:41:31.0911 4612
20:41:31.0911 4612 OS Version: 6.1.7601 ServicePack: 1.0
20:41:31.0911 4612 Product type: Workstation
20:41:31.0911 4612 ComputerName: USER-PC
20:41:31.0911 4612 UserName: User
20:41:31.0911 4612 Windows directory: C:\Windows
20:41:31.0911 4612 System windows directory: C:\Windows
20:41:31.0911 4612 Running under WOW64
20:41:31.0911 4612 Processor architecture: Intel x64
20:41:31.0911 4612 Number of processors: 4
20:41:31.0911 4612 Page size: 0x1000
20:41:31.0911 4612 Boot type: Normal boot
20:41:31.0911 4612 ============================================================
20:41:31.0911 4612 BG loaded
20:41:32.0176 4612 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
20:41:32.0192 4612 ============================================================
20:41:32.0192 4612 \Device\Harddisk0\DR0:
20:41:32.0192 4612 MBR partitions:
20:41:32.0192 4612 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
20:41:32.0192 4612 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D192800
20:41:32.0192 4612 ============================================================
20:41:32.0208 4612 C: ↔ \Device\Harddisk0\DR0\Partition2
20:41:32.0208 4612 ============================================================
20:41:32.0208 4612 Initialize success
20:41:32.0208 4612 ============================================================

Currently the popups aren’t coming up; however, avast is disabled… should I enable avast again?

Yes you should, unless essexboy’s instructions state that you should disable it for a particular scan duration; when that scan is over you should restart avast.

Hi, I will need to see the large log located at C:\TDSSKiller date time to ensure that all has gone.

Not sure my problem is related, but I get the “threat has been detected” when I go to web sites that I know are OK. Hulu for one. I can then go and will find that I cannot go to the google search site at all with firefox (the browser I most use), chrome or Internet explorer; none will go to google. This has been recurring every week or so just after avast has updated its definitions. The only thing I know to do to fix the problem is go back to a restore point of windows XP Home when things were OK. About a week will go by and it starts all over again. If this is malware or a Trojan horse or whatever, I thought avast took care of them. After all, the damn app updates its definitions about twice a day after I have booted up, more than any virus protection software I have ever tried. I am running the free trial version and was thinking of buying it when the trial period is up in a few months, but if it works like it has been, forget that.
Has anybody else had the same symptoms, with it saying a threat has been detected at a reputable site and then not being able to get to google search?

You may have a dormant infection within the browser or hosts file… Create a topic and I will have a look.

Is this what you are looking for?

No there should be a larger one which shows all the drivers

I just ran this one.

OK re-run TDSSKiller with the same parameters
When this element appears select delete

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will alert

Once done could you let me know of any remaining problems

That appears to have done it. Thanks

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking, then as an added layer of protection install Trusteer Rapport.

It is critical to have both a firewall and anti virus to protect your system, and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave: