Need Help On Blocked Malicious URL

Hi. I downloaded avast a couple of days ago and ran it. Ever since installation I have been getting the following pop-up windows every several minutes:

MALICIOUS URL BLOCKED
Object: borekoso.com/get/fgr.html
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

MALICIOUS URL BLOCKED
Object: borekoso.com/set/task.html
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

MALICIOUS URL BLOCKED
Object: borekoso.com/get/fgr.html
Infection: URL:Mal
Action: Blocked
Process: C:\Program Files\Internet Explorer\iexplore.exe

Reading the forums I downloaded TFC and ran it and rebooted last night, but it didn’t stop these warnings. Can anyone help me? Thanks.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE in this topic and not in the guide )

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he arrives here later today.

http://forum.avast.com/index.php?topic=72808.0

We need the logs (MBAM, OTS). Read the sticky threads here.

The site has been infected for almost one month, plain ridiculous.

# nslookup borekoso.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: borekoso.com
Address: 46.161.11.196

gwhois 46.161.11.196

Process query: ‘46.161.11.196’
Query recognized as IPv4.
Querying whois.ripe.net:43 with whois.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘46.161.10.0 - 46.161.11.255’

inetnum: 46.161.10.0 - 46.161.11.255
netname: DRAGAN-NET
descr: net for Dragan S.R.L.
country: RO
admin-c: TD2121-RIPE
tech-c: TD2121-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
mnt-routes: MNT-DRAGAN
mnt-routes: MNT-PIN
mnt-routes: ECATEL-MNT
mnt-domains: MNT-DRAGAN
mnt-lower: MNT-DRAGAN
mnt-lower: ECATEL-MNT
source: RIPE # Filtered

person: Tatiana Dicu
address: 140 Ferdinand Blvd., Bucharest, RO
mnt-by: MNT-DRAGAN
phone: +40745378190
abuse-mailbox: dragan.abuse@yahoo.ro
nic-hdl: TD2121-RIPE
source: RIPE # Filtered

% Information related to ‘46.161.10.0/23AS29073’

route: 46.161.10.0/23
descr: AS29073 temporary route object for 32 bit AS AS197425
origin: AS29073
mnt-by: ECATEL-MNT
source: RIPE # Filtered

Thank you guys. Here is the MBAM quick scan log:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6203

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/29/2011 12:06:34 PM
mbam-log-2011-03-29 (12-06-34).txt

Scan type: Quick scan
Objects scanned: 186479
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will post the OTS information in the next reply.

Figured out how to attach the log. See below.

Figured it out. Log below.

Please use Additional Options - Attach feature.

doktornotor, could you please explain how to run the attach feature for the OTS scan? The MBAM scan I already posted in one reply. Thank you.

I figured out how to attach the OTS log.

There is also a EDIT option, so if you fail, you can try again…and again…and again…in the same post :wink:

Well, you did it, and Essexboy should be here in about 2-3 hours.

Pondus, it took a bit, but I got there. :wink:

I’m looking forward to essexboy’s assistance, hopefully it isn’t bad news.

Yes and no - you have a Purity infection, so if you see an apparent system32 folder going, do not be afraid:
C:\WINDOWS\s?stem32

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > ([2004/04/10 12:30:34 | 000,003,233 | ---- | M] - 112 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
YN -> Reset Hosts -> 
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Aida" -> ["C:\WINDOWS\SSTEM3~1\taskmgr.exe" -vt yazb]
YN -> "Hiexe" -> [C:\WINDOWS\SYSTEM32\Οracle\sсanregw.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{A75C6120-9B36-11d4-A3F0-009027427750}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
YN -> \\"coniTUTL" -> [C:\WINDOWS\system32\EVENaint.dll]
[Files/Folders - Modified Within 30 Days]
NY ->  Pdasejuhediqad.dat -> C:\WINDOWS\Pdasejuhediqad.dat
NY ->  Kdizacocuw.bin -> C:\WINDOWS\Kdizacocuw.bin
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\Robert\Local Settings\Application Data\lnjd024uh5mjq03i
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\All Users\Application Data\lnjd024uh5mjq03i
[Files - No Company Name]
NY ->  Pdasejuhediqad.dat -> C:\WINDOWS\Pdasejuhediqad.dat
NY ->  Kdizacocuw.bin -> C:\WINDOWS\Kdizacocuw.bin
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\Robert\Local Settings\Application Data\lnjd024uh5mjq03i
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\All Users\Application Data\lnjd024uh5mjq03i
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Thanks so much Essexboy. I had to come to my office for a bit, but I will follow your instructions as soon as I get home and report the results back here for you to look at.

By the way, what is a Purity infection?

Purity is an adware nasty that places a Unicode symbol in the folder name so that when you view it in Windows Explorer it looks legitimate.

For example, if you look for this folder on your computer, C:\WINDOWS\s?stem32, you will actually see two C:\WINDOWS\system32 folders ;D
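As an added illustration of the look-alike trick Essexboy describes (this is example code written for this page, not a tool from the thread), the script below flags path components that contain non-ASCII letters, reports their Unicode names, and spots a "system32" that differs by exactly one non-ASCII character. The sample paths are constructed to mirror the ones in the OTS fix; `scan_tree` is an assumed helper for running the same check over a real directory.

```python
import os
import unicodedata

# Constructed sample paths modelled on the thread. The first is clean; the
# second carries a Greek capital Omicron (U+039F) and a Cyrillic small es
# (U+0441); the third uses a Cyrillic small u (U+0443) where 'y' belongs.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\drivers",
    "C:\\WINDOWS\\SYSTEM32\\\u039Fracle\\s\u0441anregw.exe",
    "C:\\WINDOWS\\s\u0443stem32",
]


def suspicious_chars(path):
    """Return (component, char, codepoint, unicode name) for each non-ASCII
    character in any component of a Windows path. System paths are normally
    pure ASCII, so a Greek or Cyrillic letter mixed into Latin text is the
    homoglyph trick described above."""
    hits = []
    for component in path.replace("/", "\\").split("\\"):
        for ch in component:
            if ord(ch) > 0x7F:
                hits.append((component, ch, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNKNOWN")))
    return hits


def looks_like_system32(component):
    """True when a component is 'system32' with exactly one character
    swapped for a non-ASCII look-alike (e.g. s?stem32 with a Cyrillic u)."""
    target = "system32"
    c = component.lower()
    if len(c) != len(target) or c == target:
        return False
    diffs = [i for i, (a, b) in enumerate(zip(c, target)) if a != b]
    return len(diffs) == 1 and ord(c[diffs[0]]) > 0x7F


def scan(paths):
    """Map each path that contains non-ASCII characters to its hits."""
    return {p: hits for p in paths if (hits := suspicious_chars(p))}


def scan_tree(root):
    """Assumed helper: apply scan() to every file and folder under root."""
    paths = [os.path.join(d, n) for d, dirs, files in os.walk(root)
             for n in dirs + files]
    return scan(paths)


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_PATHS).items():
        print(path, [(h[2], h[3]) for h in hits])
```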

I’m not really following, but I guess that’s not important. What I do know is that numerous full scans with ESET, Malwarebytes, SUPERAntiSpyware, Microsoft Security Essentials, and avast came up clean (why would that be?). Other than that borekoso blocked URL warning from avast, nothing seems amiss on my computer. Congratulations and thank you Essexboy for uncovering what my problem is. I am now home and will follow your last set of instructions.

Essexboy, I ran the fix in OTS. It did not complete and my desktop has not returned after about 10 minutes. The last thing it said after it hung up was “creating restore point, do not interrupt” or something like that. Please advise what I should do now. Thank you.

I meant before it hung up, not after.

OK, if it hangs at that point then reboot. The desktop will disappear as OTS kills all processes so that files can be removed. It is normal to lose the desktop.