URL:MAL 67.159.200.132

Geeks to Go was helping me with URL:MAL warnings I’ve been getting. They’ve concluded that this issue should be handled here by Avast.

Here’s the link to the thread.

http://www.geekstogo.com/forum/topic/345619-how-to-get-rid-of-urlmal/

Thanks!

https://forum.avast.com/index.php?topic=53253.0

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/23/2014
Scan Time: 10:54:42 AM
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.23.07
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nakamoto

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369028
Time Elapsed: 13 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

FRST log

Addition log

Additional info on IP 67.159.200.132 - listed at DNS-BH / malwaredomains.com as malicious with a severity of 2
5 alerts for a PUP detection here: http://urlquery.net/report.php?id=1419167148929
Server vulnerable: System Details:
Running on: Apache/2.2.15
Powered by: PHP/5.3.3
Outdated Web Server Apache Found: Apache/2.2.15 - IDS alerts for “ET MALWARE PUP Win32.SoftPulse Retrieving data”
What is gonna be found is probably this: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/SoftPulse/detailed-analysis.aspx

This is all apart from the malware cleansing routine here, which I am not intruding on and leave alone; I just want to report on these aspects of the IP mentioned, to set your mind a bit at ease regarding the severity of any malcode eventually detected.

polonus (volunteer website security analyst and website error-hunter)

After reading the topic over at Geeks to Go it seems everything has been tried.
And from the conclusion in the last post it seems you need to open a support ticket…

Avast support https://support.avast.com

aswMBR file

Let’s see:

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B} AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
Take your pick about what av you want to use. Do not use multiple at the same time.
HKLM-x32\...\Run: [TrojanScanner] => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [1791856 2014-12-08] (Simply Super Software)
It is not free, and research shows that it is far worse than e.g. MBAM.
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Spybot used to be good, but it hasn't been for a long time.

Intuit sync manager? Are you using quickbooks?

HKU\S-1-5-21-3728143812-4245075021-3154152335-1000\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202080 2014-06-15] (Kaspersky Lab ZAO)
Another piece of security software that can cause conflicts/problems when multiple are running.

And I see more problems.

Hi Eddy,

Are you saying that the victim has two or more resident av solutions running at the same time? That is the cause of a lot of false cross-detection :o Only one resident av solution should run on an operational system.
Just like two dogs on the porch in front of the house that start to fight amongst each other instead of protecting their Boss from attacks.

polonus

Not just two av’s are running in real time, but some other security software as well.

I normally only use Avast. I downloaded the other stuff to try to fix the URL:MAL myself.

I turned off Windows Defender, uninstalled Spybot, Trojan Remover, and Kaspersky and rebooted my computer. We’ll see if I still get warnings.

I do use Quickbooks.

Still getting warnings.

Hi HiHelen,

Post the logs attached like described here: https://forum.avast.com/index.php?topic=53253.0
and wait for a qualified remover to arrive.

polonus

Uninstall Spybot - Search and Destroy, SUPERAntiSpyware, Trojan Remover 6.9.1.2932, Web Companion, Kaspersky Security Scan, and Wise Registry Cleaner 8.26.
Are you connected to the internet via a router? Provide me with a fresh FRST scan log after uninstalling the aforementioned programs.

I uninstalled Spybot, Trojan Remover, Kaspersky, SuperAntiSpyware, Web Companion, and Wise Registry Cleaner.

Here are the logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/24/2014
Scan Time: 8:02:37 AM
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.24.10
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nakamoto

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 367602
Time Elapsed: 16 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

FRST, Addition, aswMBR logs are attached.

I did not do FixMBR.

Are you using a router to connect to the internet?


Step #1 Fix with FRST
- Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box to your Notepad

Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
Ad-Aware Web Companion (x32 Version: 1.0.788.1475 - Lavasoft) Hidden
AlternateDataStreams: C:\Users\Nakamoto\Desktop\Hanahouoli Magazine.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Nakamoto\Desktop\QEP Preschool Yearbook.jpeg:3or4kl4x13tuuug3Byamue2s4b
HKU\S-1-5-21-3728143812-4245075021-3154152335-1000\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-3728143812-4245075021-3154152335-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Homepage: https://www.google.com/?trackid=sp-006
FF Keyword.URL: https://www.google.com/search/?trackid=sp-006
FF Extension: Bitdefender QuickScan - C:\Users\Nakamoto\AppData\Roaming\Mozilla\Firefox\Profiles\5g2iigem.default-1416507301759\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2014-11-20]
S2 SearchProtectionService; "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe" [X]
CMD: type "C:\QooBox\ComboFix-quarantined-files.txt"
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop down list, choose All Files
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.

Required Log(s):
- FRST Fix Log

Regards,
Valinorum

Yes, I’m using a router to connect to the internet.

FRST fixlog attached.

I got a warning right after doing the fix (after the reboot):

URL: http://8941180.secure-services92329.com/c.php?aid=254&lid=10419

Infection: URL:MAL

Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
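The alert above is in the three-line layout Avast uses (URL / Infection / Process), and polonus's earlier post shows the kind of reputation check a helper runs on the host behind it. The following is an added example, not code from the thread or from Avast, that parses such alert records, pulls out the blocked hostname and the requesting process, and matches the host (and each of its parent domains) against a local blocklist. The alert text, the hostnames and the blocklist contents are all constructed here, and the `domain<TAB>category` blocklist layout is an assumption rather than the real DNS-BH file format; nothing is fetched from the network.

```python
import re
from urllib.parse import urlparse

# Constructed sample alerts in the URL / Infection / Process layout Avast
# showed in the thread; one blank line separates records. Hostnames are
# made up (.invalid / .example), not real sites.
SAMPLE_ALERTS = """\
URL: http://4431180.secure-services-example.invalid/c.php?aid=254&lid=10419
Infection: URL:MAL
Process: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe

URL: https://cdn.legit-site.example/static/app.js
Infection: URL:MAL
Process: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
"""

# Constructed blocklist, one "domain<TAB>category" entry per line.
# Assumption: this simplified layout stands in for a DNS-BH style list;
# the real file format is not reproduced.
SAMPLE_BLOCKLIST = """\
secure-services-example.invalid\tmalware
ads.tracker.example\tadware
"""

_FIELD = re.compile(r"^(URL|Infection|Process):\s*(.*)$")


def parse_alerts(text):
    """Split alert text into dicts keyed url / infection / process."""
    records, current = [], {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            current[m.group(1).lower()] = m.group(2).strip()
        elif not line.strip() and current:
            records.append(current)   # blank line closes a record
            current = {}
    if current:
        records.append(current)       # last record without trailing blank
    return records


def load_blocklist(text):
    """Return {domain: category} from a domain<TAB>category listing."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, _, category = line.partition("\t")
        entries[domain.lower()] = category or "unknown"
    return entries


def blocklist_match(host, blocklist):
    """Match the host or any parent domain (a.b.c -> b.c) against the list.

    Throwaway subdomains like the numeric label in the sample are common,
    so a list that carries only the registrable domain must still hit.
    """
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def triage(alert_text, blocklist_text):
    """Return one summary dict per alert: host, process, and any list hit."""
    blocklist = load_blocklist(blocklist_text)
    results = []
    for rec in parse_alerts(alert_text):
        host = urlparse(rec.get("url", "")).hostname or ""
        process = rec.get("process", "").rsplit("\\", 1)[-1].lower()
        hit = blocklist_match(host, blocklist)
        results.append({
            "host": host,
            "process": process,
            "listed_as": hit[0] if hit else None,
            "category": hit[1] if hit else None,
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, SAMPLE_BLOCKLIST):
        if r["listed_as"]:
            status = f"listed under {r['listed_as']} ({r['category']})"
        else:
            status = "not on local list"
        print(f"{r['process']:<12} {r['host']:<45} {status}")
```

The parent-domain walk is the part worth keeping: a redirector that rotates numeric subdomains in front of one registrable domain will otherwise slip past an exact-match lookup, which is also why a helper looks at the domain and IP behind the alert rather than the full URL.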

Can you reset your router to factory setting?

Okay, hit the reset button on the router and unplugged/plugged it back in.