PITA "Threat Detected" alarms

OK, third time’s a charm
I had a nice long description of what’s going on with my son’s PC, and was trying to upload all the ding-dang log files from MBAM, OTL, and aswMBR, and because of the problems that particular computer is having (i.e., it wouldn’t show the verification doo-hickey thing below), I could not post the message to the forum at all. SO, I have now copied the logs to a disc, moved my butt over to my computer, and am attaching the required files to this message… :confused:

Basically, we have a legacy Dell PC that I did a little upgrading on so my son could use it for school (ha!) etc. It runs Windows XP, and I have IObit Advanced SystemCare 5 (without antivirus) and Avast Internet Security 7 running on it for defense purposes.

It recently started sending out “Threat Detected” alarms every time he’d go online, especially on any links that contained google. His iGoogle home page wouldn’t load in either IE8 or Firefox 12. I could only get onto the Avast forum through the Avast IS UI, and almost every bleeping webpage throws up a “URL:MAL”.

I ran MBAM; the first time, it found Win32:Rloader-B, which I deleted, and a few Win32: PUP files, which I also deleted. Then I restored a few files that were quarantined but were related to an Age of Empires game he plays.
Ran MBAM again; it came up clean. Log file attached.
Ran OTL: log files attached.
Ran aswMBR: log file attached. Applied the “fix”, then rebooted.

Still won’t load pages worth a damn… :-\

I’m sure it’s a simple fix, but I’ve spent way more time than a SAHM ought to working on this thing…lol ;D

Please, lmk what else I should post, do, etc. before chucking the whole computer out into the field…

Thanks,
Elizabeth

First… there is a Virus and Worms section in the forum. :wink:

a few Win32: PUP files
PUP = not a virus / Possible Unwanted Program. avast is just telling you that you have a program that can be used for good or bad if abused.

Essexboy is notified

OBS: there also seem to be some Norton files in there… was it not uninstalled before installing avast?

ACPI is locked, which is a tad suspicious to me.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from “Start with Windows”.
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
SRV - File not found [Auto | Stopped] -- -- (IS360service)
SRV - [2008/01/29 17:38:31 | 000,583,048 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe -- (LiveUpdate Notice Service)
SRV - [2006/02/23 12:41:04 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/23 12:41:04 | 000,100,032 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKU\S-1-5-21-343818398-2147119623-1801674531-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
FF - prefs.js..browser.search.selectedEngine: "Web Search"
FF - prefs.js..extensions.enabledItems: {fa3d1246-250b-4212-a2be-f1387ccca2e7}:1.0.27
FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.2
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:2010.9.0.6
FF - prefs.js..keyword.URL: "http://search.alot.com/web?&src_id=11080&client_id=f424bbc99924580cccd4a808&camp_id=93&install_time=2009-11-21T01:11:16Z&tb_version=2.4.15000%28F%29&pr=auto&q="
[2012/04/21 19:55:01 | 000,000,000 | ---D | M] (ShopToWin8) -- C:\Documents and Settings\david102\Application Data\Mozilla\Firefox\Profiles\cxs5zc89.default\extensions\{fa3d1246-250b-4212-a2be-f1387ccca2e7}
[2012/05/02 10:50:37 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\david102\Application Data\Mozilla\Firefox\Profiles\cxs5zc89.default\extensions\trash
[2012/04/24 10:41:20 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\mozilla firefox\plugins\NPcol400.dll
[2012/02/22 18:58:26 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2012/02/22 18:58:28 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
O2 - BHO: (no name) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (no name) - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - No CLSID value found.
O3 - HKU\S-1-5-21-343818398-2147119623-1801674531-1006\..\Toolbar\WebBrowser: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O4 - HKLM..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe (Symantec Corporation)

:Files
ipconfig /flushdns /c
C:\Program Files\Symantec

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
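The OTL fix script above follows a small set of line shapes (SRV service entries, IE and FF browser settings, O2/O3/O4 BHO, toolbar and Run entries, plus dated file entries). As an added example, not part of Essexboy's instructions and not the OTL tool itself, here is a Python triage pass that reads such lines and flags the ones a helper looks at first: services and Run entries whose binary is missing, BHOs/toolbars with no CLSID, a non-default proxy setting, and start-page or search URLs pointing at third-party sites. The sample lines are copied or lightly adapted (trademark symbols dropped) from the scripts posted in this thread; the flagging rules are this example's own heuristics, not OTL's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entries copied/adapted from the OTL fix scripts in this
# thread. Only the line shapes matter for the parser, not the exact values.
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- -- (IS360service)
SRV - [2006/02/23 12:41:04 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKU\S-1-5-21-343818398-2147119623-1801674531-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
FF - prefs.js..keyword.URL: "http://search.alot.com/web?&src_id=11080&q="
O2 - BHO: (no name) - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O4 - HKLM..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-343818398-2147119623-1801674531-1006..\Run: [Hot Wheels Turbo Driver Watcher] Hot Wheels Turbo Driver Watcher File not found
"""


@dataclass
class Finding:
    kind: str    # OTL section prefix: SRV, IE, FF, O2, O3, O4
    reason: str  # why a helper would look at this entry
    line: str    # the original OTL line


# Dated file entries ("[2012/...] ... -- path") are intentionally not matched;
# they are listed for deletion by path and carry no registration to check.
OTL_LINE = re.compile(r"^(SRV|IE|FF|O2|O3|O4)\s+-\s+(.*)$")


def classify(kind: str, body: str):
    """Return a short reason if the entry deserves attention, else None.

    Order matters: a missing binary or CLSID is more telling than a URL."""
    if "File not found" in body:
        return "registered entry points at a binary that no longer exists"
    if "No CLSID value found" in body:
        return "BHO/toolbar registered without a resolvable CLSID"
    if "ProxyOverride" in body or "ProxyServer" in body:
        return "non-default proxy setting; a local proxy can intercept browser traffic"
    if kind in ("IE", "FF") and "http" in body:
        return "start page / search URL set to a third-party site; confirm the user chose it"
    if "(no name)" in body:
        return "unnamed entry; worth identifying"
    return None


def triage(text: str) -> list:
    """Parse OTL-style lines and return the entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        m = OTL_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reason = classify(kind, body)
        if reason:
            findings.append(Finding(kind, reason, raw.strip()))
    return findings


def summarize(findings) -> dict:
    """Count findings per OTL section, e.g. {'SRV': 1, 'IE': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_OTL)))
```

Running it on the sample flags six of the nine lines; the LiveUpdate service, the CouponBar toolbar (which has a real path) and the ALUAlert Run entry pass the heuristics, which is the point: a valid-looking entry still needs a human to decide whether it belongs on the machine.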

To Pondus: Sorry about posting to the wrong thread. Please move the thread if you need to… I’ve been kinda bug-eyed trying to fix this thing. Guess I was just giddy I had saved the log files to a disc and was able to move to another computer to upload them for your perusal… :slight_smile: And, yes, I uninstalled Norton prior to installing Avast but had noticed the residual files as well. Wasn’t really sure what to do with them.

To Essexboy: Stepped away for a bit to enjoy life outside of fixing the computer, but am now running the OTL fix you prescribed above. I am using the free version of MBAM, and it did not give me an option to disable it. LMK if there is a way to disable the free version if needed, and I can re-run the OTL fix.

Thanks, y’all, for your help!

Elizabeth

Attaching the OTL and Extras files that were produced after the OTL fix and scan.
Also attaching the combofix file.

Rebooted, opened FF browser, typed “why me” into the search field and got another “Ding-Ding! Threat has been detected!” pop up.

Elizabeth

Could you check IE and see if you get the same alert, please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKU\S-1-5-21-343818398-2147119623-1801674531-1006\..\Toolbar\WebBrowser: (no name) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No CLSID value found.
[2012/02/11 12:30:15 | 000,001,673 | ---- | M] () -- C:\Documents and Settings\david102\Application Data\Mozilla\Firefox\Profiles\cxs5zc89.default\searchplugins\web-search.xml

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

[*]Ensure all Firefox windows are closed.
[*]To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
[*]When prompted to run the scan, click Yes.
[*]GooredFix will check for infections, and then a log will appear.

Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Yes, same thing is still happening in IE

Attached are files requested. I had to rename the OTL for some reason, so I just added the date.

Thanks, again! I don’t know what you are doing, but I’m sure you do! LOL! ;D
Elizabeth

Hmm, I need to widen the search somewhat, I feel. Also, could you take a screenshot of the alert, as it will give me more information?

A question: do you use a router, and do any other computers that use the router experience the same problem?

[*]Run OTL. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box, paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Can’t do the screenshot, but:
MALICIOUS URL BLOCKED
avast Network Shield has blocked a harmful site

Object: hXXp://www.google-analytics.com/ga.js
Infection: URL:Mal
Process: C:\Program Files\Mozilla Firefox\firefox.exe

Where “XX” would be “tt”

NOTE: This same message has popped up 9 (nine) times while searching this Avast forum alone :slight_smile:

Will run the OTL and post in a few minutes.

We have three computers accessing the internet via a router, and none of them have this problem except this one.

<3
Elizabeth

Last OTL did not produce an Extras.txt file, but I am attaching the OTL requested.

E

OK, let’s now fix that.

Using Windows Explorer, go to
C:\Windows\System32\drivers\etc
Double-click the hosts file and select Notepad to open the file with.

Add the following lines by using copy/paste:

127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ssl.google-analytics.com

Save the hosts file.
When you save it, it will try to rename it to hosts.txt.
In the drop-down box at the bottom, select All Files.
Allow it to overwrite.

http://dl.dropbox.com/u/73555776/Save%20Host.jpg

Reboot and then see if the alerts have ceased.
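The hosts-file edit above, as an added example that is not part of Essexboy's post: a Python helper that takes the current hosts file text, adds the three loopback entries only if they are not already there (comments and spacing differences are ignored, so running it twice is harmless), and separately lists any existing entry that sends a google domain somewhere other than loopback, which is what a hijacked hosts file looks like. The file path is the one named in the post; the sample hosts content is constructed, and the 203.0.113.7 address in it is a documentation-range placeholder.

```python
from pathlib import Path

# Path from the post above (Windows XP); other systems keep hosts elsewhere.
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# The three lines the post asks to add.
SINKHOLE = [
    ("127.0.0.1", "www.google-analytics.com"),
    ("127.0.0.1", "google-analytics.com"),
    ("127.0.0.1", "ssl.google-analytics.com"),
]

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments and blank lines.

    A line may list several hostnames after one address; each becomes a pair."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def add_sinkhole_entries(text: str, entries=SINKHOLE):
    """Return (new_text, added): the updated file text and the pairs appended.

    Pairs already present are skipped, so the function is idempotent."""
    present = set(parse_hosts(text))
    added = [e for e in entries if e not in present]
    if not added:
        return text, []
    body = text if text == "" or text.endswith("\n") else text + "\n"
    body += "# added while troubleshooting repeated URL:Mal alerts\n"
    body += "".join(f"{ip} {name}\n" for ip, name in added)
    return body, added


def suspicious_redirects(text: str, watch=("google.com", "google-analytics.com")) -> list:
    """Entries pointing a watched domain (or a subdomain of it) at a non-loopback address."""
    hits = []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK:
            continue
        if any(name == d or name.endswith("." + d) for d in watch):
            hits.append((ip, name))
    return hits


def update_hosts_file(path: Path = HOSTS_PATH):
    """Apply add_sinkhole_entries to a real file; returns the pairs added."""
    text = path.read_text(encoding="utf-8", errors="replace")
    new_text, added = add_sinkhole_entries(text)
    if added:
        path.write_text(new_text, encoding="utf-8")
    return added


# Constructed sample hosts file: one normal line, one hijacked google entry,
# and one of the three sinkhole lines already present.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
203.0.113.7     www.google.com
127.0.0.1 google-analytics.com   # already there from an earlier edit
"""

if __name__ == "__main__":
    new_text, added = add_sinkhole_entries(SAMPLE_HOSTS)
    print("added:", added)
    print("suspicious:", suspicious_redirects(SAMPLE_HOSTS))
    print(new_text)
```

Run against the sample it appends only the two missing google-analytics lines and reports the www.google.com redirect as suspicious; `update_hosts_file()` does the same against the real file and needs to be run from an elevated prompt on Windows, since the hosts file is otherwise read-only to ordinary users.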

No. :frowning: I’m still getting the same “Malicious URL Blocked” messages even while browsing this forum.
Thank you for trying! I know you are very busy, and I appreciate your taking the time to troubleshoot!

LMK what else I should try.

Elizabeth

Could you run a fresh OTL quick scan, please, so that I can ensure that it has taken?

Here you go!
Sorry for the delay!

Elizabeth

Is the destination still google-analytics ?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the Protection tab.
Remove the tick from “Start with Windows”.
Reboot and then run OTL.

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\S-1-5-21-343818398-2147119623-1801674531-1006..\Run: [Akamai NetSession Interface] C:\Documents and Settings\david102\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKU\S-1-5-21-343818398-2147119623-1801674531-1006..\Run: [Hot Wheels® Turbo Driver™ Watcher] Hot Wheels® Turbo Driver™ Watcher File not found

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

OTL.txt attached.

Yes, it is still google analytics.

NOTE: Avast ran and encountered Win32:Rloader-B again, and I deleted it, again. It also detected a Win32:Simda-FX[Trj] which, not knowing what that is, I moved to the chest. Thought I’d let you know since this is new, and I’m not entirely sure where it came from.

Thanks again,
~E

Obviously they have more addresses than I have found so far.

There is an opt-out add-on here for all browsers… According to the blurb, it disables it: https://tools.google.com/dlpage/gaoptout
There is also an AdSense opt-out as well: http://www.google.com/ads/preferences/

All taken from this page: http://www.howtogeek.com/howto/18936/keep-google-from-tracking-your-every-move-online/

If you could try those and let me know the result.

Un-bleeping-believable…
Had to manually type in the address… Installed, restarted FF, STILL getting the alarm.

Not all URL:Mal alarms start with google-analytics, btw. Some just start out hXXp://www.google.com/search?q…
So my question is: would uninstalling anything else work?

Do you use a router? Are any other computers affected?

Yes, we use a router, but no, of the three computers, this is the only one with alarms being sent out. I just don’t get it…