Need help with grandson's laptop saying Avast blocked a malicious URL

I am in NC visiting with grandchildren. Nine-year-old's laptop has repeated popups from Avast saying it has blocked a malicious URL. Ran Avast and Malwarebytes and came up clean. So came on forum and read instructions on posting a topic with log files.

I am doing it from a different laptop because I could not get it to post from the infected machine. I even posted a few minutes ago about what it did when I tried to post. Then it happened here too. So I am trying again.

Sure could use some help. Nine-year-old wants Papa to fix his machine before I leave in four days.

Thank you all for your help.

Don Smith

first post http://forum.avast.com/index.php?topic=106008.0

Malware removers are notified. It may take hours before one arrives, so be patient.

Could you confirm that it is Firefox only?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..extensions.enabledAddons: wbepaste@starfield:1.3
FF - prefs.js..extensions.enabledAddons: zoomext@starfield:1.4
FF - HKCU\Software\MozillaPlugins\@starfield.com/off: C:\Documents and Settings\Owner\Application Data\Mozilla\Plugins\npoff.dll ( Starfield Technologies, LLC.)
FF - HKCU\Software\MozillaPlugins\@starfield.com/wbe: C:\Documents and Settings\Owner\Application Data\Mozilla\Plugins\npwbe.dll (Starfield Technology, LLC)
[2012/01/16 17:34:58 | 000,000,000 | ---D | M] (WBE Paste) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\EXTENSIONS\{EC8030F7-C20A-464F-9B0E-13A3A9E97384}\WBEPASTE@STARFIELD
[2012/01/16 17:34:58 | 000,000,000 | ---D | M] (Workspace Email Zoom) -- C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MOZILLA\EXTENSIONS\{EC8030F7-C20A-464F-9B0E-13A3A9E97384}\ZOOMEXT@STARFIELD
O4 - HKU\S-1-5-21-1935655697-1606980848-725345543-1003..\Run: [Starfield Updater] C:\Program Files\Workspace\WorkspaceUpdate.exe ()
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)


:Files
C:\Program Files\Workspace
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
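As an added example (not code from this thread, from OTL's author, or from any of the tools named here), a small Python parser for the OTL fix-script format used in the fix above: it separates the :OTL entries that will be removed, the :Files paths that will be deleted from the `/c` lines that will be executed, and the :Commands directives, and summarises what clicking Run Fix would do. It accepts both the one-item-per-line layout used here and the single-line `:Commands [a] [b]` form used later in the thread; the sample script is constructed from the entries above.

```python
import re  # parser for the OTL fix-script format shown in this thread; SAMPLE_FIX is constructed

SAMPLE_FIX = r""":OTL
FF - prefs.js..extensions.enabledAddons: wbepaste@starfield:1.3
O4 - HKU\S-1-5-21-1935655697-1606980848-725345543-1003..\Run: [Starfield Updater] C:\Program Files\Workspace\WorkspaceUpdate.exe ()
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
:Files
C:\Program Files\Workspace
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
"""

def parse_otl_fix(text):
    """Split an OTL fix into entries to remove, paths to delete, commands to run, and directives."""
    fix = {"otl": [], "files": {"delete": [], "run": []}, "commands": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^:(\w+)\s*(.*)$", line)
        if m:  # ":Files" on its own line, or the one-line form ":Commands [a] [b]"
            section, line = m.group(1).lower(), m.group(2).strip()
        if not line:
            continue
        if section == "otl":  # "FF - ...", "O4 - ...", or a "[date | size ...] -- path" listing
            kind = "listing" if line.startswith("[") else line.split(" - ", 1)[0]
            fix["otl"].append((kind, line))
        elif section == "files":  # a trailing " /c" means execute; otherwise the path is deleted
            if line.endswith(" /c"):
                fix["files"]["run"].append(line[:-3].rstrip())
            else:
                fix["files"]["delete"].append(line)
        elif section == "commands":
            fix["commands"].extend(re.findall(r"\[([^\]]+)\]", line))
        else:
            raise ValueError(f"line outside a known section: {line!r}")
    return fix

def review(fix):
    """Notes a reviewer wants before clicking Run Fix on a script written by someone else."""
    cmds = {c.lower() for c in fix["commands"]}
    notes = [f"{len(fix['otl'])} entries removed, {len(fix['files']['delete'])} path(s) deleted, {len(fix['files']['run'])} command(s) executed"]
    if "clearallrestorepoints" in cmds:
        notes.append("all System Restore points cleared: no rollback afterwards")
    elif "createrestorepoint" not in cmds:
        notes.append("no restore point created before changes")
    return notes
```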

No, it is NOT just Firefox. It is IE, Chrome, and Firefox. I had that information in an earlier attempt to post and didn't realize I left it out on the one that got loaded. All three browsers have the same issue, although I can't really say that with 100% certainty. It is possible that the problem occurs on Firefox and then stays there as I turn off Firefox and go to the others. I do know that at least once today I had the pop-up messages while NO browser was currently running as far as I know.

Should I still try this fix?

And THANK you so much for the help.

Yes, continue with the fix please.

Then run the following programme.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

I copied the fix you provided and pasted it into OTL, then clicked on Run Fix as you requested. Here’s what happened. As you said, I lost the desktop icons, and in the end, OTL was the only thing showing. It did not shut down, so after a reasonable period of time, I held down the power button to force a shutdown.

Upon rebooting, I have nothing in the task bar, no icons in the System Tray, no evidence that Avast is even running. Periodic indications of disk activity. If I do CTRL-ALT-DEL, hoping to see the task manager, I get an hourglass next to the cursor, but in a few seconds, it goes away, no task manager.

If I put the cursor in the task bar, it turns into an hourglass and stays that way. If I move it into the desktop, it goes back to a pointer.

I am unable to start any programs, thus cannot run RogueKiller.

Suggestions? Anything I can do in safe mode?

Thanks,

Don

Yes, run RogueKiller from safe mode whilst I try to suss this out.

I was finally able to run RogueKiller in safe mode. The three log files are attached.

Couple of other items of interest. I am now getting a Malicious URL Blocked message after bootup even before opening any browser. Also, the first two or three times I booted the machine, I waited till after the Malicious URL message and then opened Chrome. I entered forum.avast.com in the title bar and got the message that it could not connect because the DNS service was not available.

This time, after seeing the Malicious URL Blocked message, I clicked on More Details and it opened Chrome and went to Avast and got the message about how many viruses Avast had blocked (not just on my machine). At that point, I put forum.avast.com in the title bar and it went there just fine.

Hope these logs help.

Don

OK, I now see the problem, courtesy of RogueKiller:

¤¤¤ Infection : Root.MBR ¤¤¤

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application.

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

OK, here are the TDSS logs. Couple of things. When I ran it, at the end, it said there were 26 infections found and listed them. But I could not navigate down through the list to see what option it had pre-selected for each infection. All of the ones I saw were SKIP. So, crossing my fingers and saying a little prayer, I clicked continue. When I did, it said CURE and finished, giving me the option of getting the report. It only displayed in a scrollable window, so I captured it and pasted it into a text file which is attached. I am now sitting at the Close and Reboot screen on TDSS. I think from the above that I am to close and let it reboot, so that is what I am going to do after I upload this file.

Yes, reboot to cure the MBR, then re-run TDSSKiller with the same parameters as before.
When this appears, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will detect the file movement and alert.

Once done, could you let me know what problems remain?

Finished and re-ran TDSS. Log is attached. No more file system, still 26 risks, all seem to be unsigned files. I am no longer getting the popup messages. So may I assume that the REAL problem is gone, and the unsigned files, though risky, could just be the result of sloppy file preparation by various programmers? And may I assume that until something else happens, I should just leave them alone?

THANK you so much. I had told the 9-year-old that I might have to take this home with me and work on it and let his other grandparents (who live a mile from me in Atlanta) bring it back up. He'll be delighted that he doesn't have to wait a week.

You are really good.

Thanks.

Don

The only reason the files are suspicious is that they are unsigned, but they are not a problem and can be safely ignored.

Any further problems before I remove my tools and tidy up?

All seems well. No more popups, and entering a question in title bar takes you to google like it should, no more warnings about a bad site.

THANK you so very much.

Hope you have a great day.

Don

OK, let's clear my rubbish.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: your log now appears clean.

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
[*] Go to this site and click Do I have Java.
[*] It will check your current version and then offer to update to the latest version.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit:
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe.

FINAL POST

Just wanted you to know that the computer has run fine. Grandson is happy. I am a hero. I did share credit with you.

I also ran Malwarebytes and it came up clean. I updated Java but it said it was already updated. There was a Java environment that needed updating so I did it.

On a different topic, just thought you would like to know that Avast blocked download of a malicious file attached to a spoofed email pretending to be from ebay on my home machine today. Great job.

Thanks for the help.

Don Smith

My pleasure … Enjoy ;D and you can have all the credit.