URL Blocked

Hi, I'm receiving the message "Malicious URL blocked" (my translation from Spanish, not sure if it's exactly the phrase used in English...) a lot.

It started a few hours ago after visiting a site; the AV said there was a problem and it should restart, and did that. I chose safe mode and ran a complete analysis; it found "Sinowal@mbr" in the MBR (or something like that...) but I don't have any action to apply to it.

I got to http://forum.avast.com/index.php?PHPSESSID=rg2r86rmqrbeuaq5u7mj2e2io1&topic=53253.0 following some links in the forums, so I ran MBAM as recommended and it found 6 threats. After restarting it always finds 1, even repeating the process.

I got the results from OTS too, so that's all I've got till now. I leave the reports here in case you can help me; if more info is needed I'll post it ASAP.

/********************************** FIRST MBAM RUN ****************************************/

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versión de la Base de Datos: 6282

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

06/04/2011 01:12:35 a.m.
mbam-log-2011-04-06 (01-12-35).txt

Tipos de Análisis: Análisis Rápido
Objetos examinados: 150985
Tiempo transcurrido: 3 minuto(s), 19 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Archivos Infectados: 6

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos de Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Archivos Infectados:
c:\Users\juan\AppData\Local\Temp\xsvhwwp2.exe (Heuristics.Shuriken) → Quarantined and deleted successfully.
c:\Users\juan\AppData\Local\Temp\FE20.tmp (Heuristics.Shuriken) → Quarantined and deleted successfully.
c:\Users\juan\AppData\Local\Temp\crs06eta.exe (Malware.Packer) → Quarantined and deleted successfully.
c:\Users\juan\AppData\Local\Temp\removewat.exe (HackTool.Wpakill) → Quarantined and deleted successfully.
c:\Windows\Temp\12C.tmp (Heuristics.Shuriken) → Quarantined and deleted successfully.
c:\Windows\System32\drivers\str.sys (Rootkit.Agent) → Delete on reboot.

/************************** SECOND MBAM RUN ***********************************/

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versión de la Base de Datos: 6282

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

06/04/2011 01:21:28 a.m.
mbam-log-2011-04-06 (01-21-28).txt

Tipos de Análisis: Análisis Rápido
Objetos examinados: 150611
Tiempo transcurrido: 6 minuto(s), 32 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Archivos Infectados: 1

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

Módulos de Memoria Infectados:
(No se han detectado elementos maliciosos)

Claves del Registro Infectadas:
(No se han detectado elementos maliciosos)

Valores del Registro Infectados:
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Infectados:
(No se han detectado elementos maliciosos)

Carpetas Infectadas:
(No se han detectado elementos maliciosos)

Archivos Infectados:
c:\Windows\System32\drivers\str.sys (Rootkit.Agent) → Delete on reboot.

/********** END ***************************************/

Thanks in advance!

The OTS report is attached, tell me if you need more info. I'll help in anything I can (I'm the guy with the problem, so I have to).

Thanks again!

Reading a little more in the forum I found that rupertm1e6 has a similar problem: http://forum.avast.com/index.php?topic=75456.0 The message I receive is the same, but regarding the process C:\Users\juan\AppData\Temp\DATB2FD.tmp.exe

Hope that helps…

Ok, still on this. I saw some Pondus recommendations about Sinowal, so here is the info I got from aswMBR and TDSSKiller.

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-06 09:34:58

09:34:58.573 OS Version: Windows 6.1.7601 Service Pack 1
09:34:58.573 Number of processors: 2 586 0x170A
09:34:58.589 ComputerName: KEINIE UserName: juan
09:34:59.888 Initialize success
09:35:17.102 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
09:35:17.117 Disk 0 Vendor: ST9320325AS 0002SDM1 Size: 305245MB BusType: 11
09:35:19.192 Disk 0 MBR read successfully
09:35:19.208 Disk 0 MBR scan
09:35:21.236 Disk 0 scanning sectors +625139712
09:35:21.267 Disk 0 malicious Win32:MBRoot code @ sector 625139715 !
09:35:21.267 Disk 0 PE file @ sector 625139737 !
09:35:21.283 Disk 0 scanning C:\Windows\system32\drivers
09:35:27.211 Service scanning
09:35:28.412 Disk 0 trace - called modules:
09:35:28.474 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS PCIIDEX.SYS msahci.sys
09:35:28.474 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8616cac8]
09:35:28.490 3 CLASSPNP.SYS[8b20459e] → nt!IofCallDriver → [0x860aac10]
09:35:28.490 5 ACPI.sys[8b09c3d4] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x85caf908]
09:35:28.506 Scan finished successfully


TDSSKiller seems to detect the rootkit and clean it. After reboot I didn't get a warning yet, and I had one every 5 minutes at least (when Firefox was open). So it seems to be all; I'll send the new reports just in case you see something strange.

Sorry that I posted too early, I ended up solving this with the info already in the forum. Thanks for all the info Pondus, polonus, Essexboy.
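To make sense of the aswMBR lines quoted above, here is an added example (my own script, not aswMBR's code nor anything from this forum) that parses the log excerpt, converts the reported disk size to a sector count, and works out how far from the end of the disk each flagged sector lies. It assumes 512-byte sectors and that aswMBR's "Size: ...MB" is in MiB; both assumptions are consistent with the log, since the "+625139712" tail-scan start is exactly 2048 sectors before that computed end.

```python
import re

# Constructed excerpt modelled on the aswMBR output posted in this thread
# (timestamps and sector numbers copied from the quoted log).
ASWMBR_LOG = """\
09:35:17.117 Disk 0 Vendor: ST9320325AS 0002SDM1 Size: 305245MB BusType: 11
09:35:19.192 Disk 0 MBR read successfully
09:35:21.236 Disk 0 scanning sectors +625139712
09:35:21.267 Disk 0 malicious Win32:MBRoot code @ sector 625139715 !
09:35:21.267 Disk 0 PE file @ sector 625139737 !
09:35:28.506 Scan finished successfully
"""

SECTOR_BYTES = 512        # assumption: 512-byte sectors
TAIL_SECTORS = 2048       # derived from the log: tail scan starts at end - 2048

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
FINDING_RE = re.compile(r"Disk (\d+) (malicious .*? code|PE file) @ sector (\d+)")


def parse_aswmbr(log: str) -> dict:
    """Return, per disk, the size in sectors and the findings aswMBR reported."""
    disks = {}
    for line in log.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disk = disks.setdefault(int(m.group(1)), {"findings": []})
            disk["sectors"] = int(m.group(2)) * 1024 * 1024 // SECTOR_BYTES
            continue
        m = FINDING_RE.search(line)
        if m:
            disk = disks.setdefault(int(m.group(1)), {"findings": []})
            disk["findings"].append((m.group(2), int(m.group(3))))
    return disks


def locate_findings(disks: dict) -> list:
    """Describe each finding by its distance from the end of the disk."""
    out = []
    for disk_no, info in disks.items():
        total = info["sectors"]
        for kind, sector in info["findings"]:
            from_end = total - sector
            out.append({"disk": disk_no, "kind": kind, "sector": sector,
                        "sectors_from_end": from_end,
                        "in_tail": 0 < from_end <= TAIL_SECTORS})
    return out


if __name__ == "__main__":
    for f in locate_findings(parse_aswmbr(ASWMBR_LOG)):
        print(f)
```

Both flagged sectors fall in the last 2048 sectors of the drive, i.e. past the partitioned area, which is why a cleaned MBR and a clean file scan can coexist with this aswMBR line still appearing.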

Disk 0 malicious Win32:MBRoot code @ sector 625139715 !
I guess this was before you ran TDSSKiller?

Run aswMBR again, click Save log and post it.

Hi Pondus. After I ran TDSSKiller I ran avast and it found Win32:Dropper-gen [Drp], and could send it to the vault successfully (it says so at least…) and recommended a complete analysis at start-up. It ran and didn’t find anything.

I attach the aswMBR output after running TDSSKiller. AFAIK the OTS doesn't help in MBR cases, tell me if its output would help. The noisy messages stopped ("Malicious URL Blocked") but I want to be sure there's nothing left that could get me in trouble again.

Thanks.-

11:19:25.543 Disk 0 malicious Win32:MBRoot code @ sector 625139715 !
As I can see, it is still there.

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs HERE in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log); save OTS as ANSI and not Unicode.

Essexboy will look at the logs when he arrives here in about 4 - 5 hours.

Do a clean of your temporary files; if you do not have a program, CCleaner is free, you can at least start with that, since the other 5 infections operated out of a temp folder, which may be a sign of it not being emptied recently.

Running CCleaner wouldn't really help since he's infected with Mebroot aka Sinowal.

I agree. I'm not an expert (or I wouldn't need help) but I have "something" in my MBR... the problem is what is putting malware in my temp files; cleaning it is the easy part.

Thanks for your advice Pondus! I followed the guide again, so I attach the reports here. I give a short version of the story also:

1 - after visiting a web site, I got a message from avast and my computer restarted suddenly (not sure if it was avast or the malware)
2 - when restarted, I got "Malicious URL Blocked" from time to time (irregular), when Firefox was open (no problem if closed)
3 - avast suggested a full scan so I did it; it found the Sinowal rootkit
4 - followed Essexboy's guide, and MBAM found some malware and deleted it. When restarted some others were there (and so on)
5 - following advice from Pondus for a similar case I ran TDSSKiller and it said it removed Sinowal
6 - after restarting the "Malicious URL Blocked" stopped, but avast found some malware, sent it to the vault and suggested a startup scan. Did it without finding anything
7 - it seems that everything is working fine, but aswMBR still shows "Disk 0 malicious Win32:MBRoot code @ sector 625139715 !"
8 - ran MBAM again and it sees no problem, ran a complete avast scan and found no problem; the output of aswMBR and OTS are attached

Should I use something else? Oh, I had to tell avast to run OTS normally because it detected OTS as potentially dangerous.

At the end of http://forum.avast.com/index.php?topic=70679.30 Essexboy says "Run OTS and hit the cleanup button to remove it and just delete aswMBR from the desktop"; would it work for me? I didn't try the fix option in aswMBR...

Thanks to all!

I didn't try the fix option in aswMBR...
You did not... that may have killed it.

Anyway, just relax and wait for Essexboy now, he will tell you what to do next... :wink:

The malware is running as a service - so let's kill it for you.

Start OTS. Copy/paste the information in the quote box below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> datb2fd.tmp.exe -> C:\Users\juan\AppData\Local\Temp\DATB2FD.tmp.exe
[Win32 Services - Safe List]
YY -> (ptaepzql) ptaepzql [Auto | Stopped] -> C:\Users\juan\AppData\Local\Temp\DATB2FD.tmp
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> [AVG Safe Search]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "AvgUninstallURL" -> C:\Windows\System32\cmd.exe [cmd.exe /c start http://www.avg.es/es.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYAWgBZAEYAOAAtAEMASwA3AFEARwAtADkAVQBCAFUAUgAtADcAUwBVAEwAUwAtADQANABLAFIAMgA"&"inst=NwA3AC0AMgA1ADEANwA1ADMANAA5ADEALQBGAEwAKwA5AC0AWABPADMANgArADEA"&"prod=90"&"ver=9.0.894]
[Files/Folders - Created Within 30 Days]
NY ->  DYSfv -> C:\Users\juan\AppData\Local\DYSfv
[Files/Folders - Modified Within 30 Days]
NY ->  str.sys -> C:\Windows\System32\drivers\str.sys
NY ->  bB -> C:\Windows\bB
[Files - No Company Name]
NY ->  str.sys -> C:\Windows\System32\drivers\str.sys
NY ->  bB -> C:\Windows\bB
NY ->  custmon32.dll -> C:\Windows\System32\custmon32.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Thanks for your help Essexboy; the message of aswMBR is still there, not sure if that's important. Can't say much of the rest, besides the fact that I'd find all that curious if it were not related to the health of my notebook! :S

So I attach the logs and will wait for your expert advice. I don't see any apparent problem now; it all works fine or seems to work fine. Tell me if you need some extra tests.

Regards.-

The MBR is now clean; however, there is a copy of the malware (inactive) on a higher portion of your disc. The only real way to clean that is to reformat. But, as stated, it is inactive and will cause no problem.

Give the computer a run for a day or so - and if there are no problems I will remove my tools and tidy you up. ;D