URL: MAL False Positive or Infection? [SOLVED]

I’ve been getting URL: MAL blocks from !Avast, this time while trying to save a Word document. I will be uploading logs as soon as they’re ready. These look the same as yesterday's logs, but this time they are from a different source. If and when you figure this out, please tell me what it is so I can take the correct action to keep my files secure and safe.

Fox.

1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP03457503.cab?ich_u_r_i=3aec6791491b96846e9fc6cb7134c774&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=10&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP04033921.cab?ich_u_r_i=d7c66776935cf6f410ffad58a182cd26&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=9&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP03457510.cab?ich_u_r_i=754d7fcf4cf4e37a6bd8940ca7f8802f&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=5&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP03457496.cab?ich_u_r_i=a0481c37d271d784bc63041ea7af7f58&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=4&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP04033917.cab?ich_u_r_i=5c6256a70cd0e585784a4d8507aafc4d&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=3&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP04033929.cab?ich_u_r_i=89077646c2cf025643b4f06927cd7c71&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=8&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP04033937.cab?ich_u_r_i=e017b41f6a24810919cce6f183923394&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=5&ich_u_n_i_t=1 [L] URL:Mal (0)

Virus Total’s Take on this: https://www.virustotal.com/en/url/7d4b99e868e2bf436bd1492fe4224dc73ed9a128b55ab18582dcec13c129acd0/analysis/1420644607/
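To make the pattern in the blocked URLs above visible, here is an added Python example (not from the thread, from Avast, or from any tool it mentions) that parses WebShield log lines of this format and groups the blocked downloads by the network that served them. The sample lines are constructed from the thread's own entries plus one ordinary line, and the trait check (bare-IP host, /videoplayer/ path, ich_* query keys) is an assumption drawn from those entries, not an Avast signature.

```python
import re
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: two lines copied from the thread's log format, one ordinary line added.
SAMPLE_LOG = """\
1/7/2015 7:19:00 PM 91.74.184.33/videoplayer/TP03457503.cab?ich_u_r_i=3aec6791491b96846e9fc6cb7134c774&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663212408&ich_t_y_p_e=1&ich_d_i_s_k_i_d=10&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:46:31 PM 91.74.184.36/videoplayer/aswmbr.exe?ich_u_r_i=7b87a1c4c51c349b2df178fe4dad5801&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663482461&ich_t_y_p_e=7157&ich_d_i_s_k_i_d=2&ich_u_n_i_t=1 [L] URL:Mal (0)
1/7/2015 7:50:02 PM www.example.com/downloads/setup.exe [L] URL:Mal (0)
"""

# "<date> <time> <url> [L] <verdict> (<code>)" as seen in the thread's WebShield entries
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<url>\S+) \[L\] (?P<verdict>\S+) \((?P<code>\d+)\)$"
)

def parse_line(line):
    """Split one log line into timestamp, host, path, filename and query params; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit("//" + m["url"])  # the log omits the scheme, so force netloc parsing
    return {"ts": m["ts"], "host": parts.hostname or "", "path": parts.path,
            "file": parts.path.rsplit("/", 1)[-1],
            "params": {k: v[0] for k, v in parse_qs(parts.query).items()}}

def is_bare_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def looks_like_download_redirector(entry):
    """Assumed traits shared by the thread's blocked URLs: bare-IP host, /videoplayer/ path, ich_* keys."""
    return (is_bare_ip(entry["host"])
            and "/videoplayer/" in entry["path"]
            and any(k.startswith("ich_") for k in entry["params"]))

def group_redirected_downloads(log_text):
    """Map each serving /24 to the filenames fetched through it. One network serving unrelated
    files (a .cab and a vendor's .exe) points at interception of the download path itself."""
    by_net = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and looks_like_download_redirector(e):
            net = ipaddress.ip_network(e["host"] + "/24", strict=False)
            by_net[str(net)].add(e["file"])
    return dict(by_net)
```

Feed it the full WebShield log and a single network appearing beside many different filenames is the thing to investigate (proxy settings, hosts file, DNS), rather than each blocked file in isolation.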

Here are the two Farbar scan documents.

Currently, when I try to download aswMBR, I get redirected to this link and get a detection from the web shield. I need to know now: is this computer compromised, or is this normal? http[://]91.74.184.36/videoplayer/aswmbr.exe?ich_u_r_i=7b87a1c4c51c349b2df178fe4dad5801&ich_s_t_a_r_t=0&ich_e_n_d=0&ich_k_e_y=1545018907751663502407&ich_t_y_p_e=7157&ich_d_i_s_k_i_d=2&ich_u_n_i_t=1

Here is the log file saying what it’s detecting.


Here is the aswMBR document.

Here is the MBAM scan log.

Please stop posting log files (or parts of it) as you did in the original post.
Attach such things.

Alright, will do Eddy.

So is there any idea of what it is yet? I need to know if I have to change passwords and such; I also need to know if it’s safe to use this machine.

Fox.

Try this; it will reset DNS and Winsock.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Here you go, Essex, thank you for your help once again. A friend of mine suggested re-installing !Avast in case something got corrupted; is the computer secure so I can do this?

Fox.

I can see no apparent malware … Are you still getting the alerts? If so, could you attach a screenshot?

So far I haven’t seen any yet. If there are any I’ll come back. Thanks for the help so far.

Here’s a screenshot for the aswMBR download one. I should mention, this is with vanilla !Avast.

Does this only happen in Chrome?

Let me check

Nope, still happens on IE.

OK, this has the looks of something new. Does this happen with all sites?

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

I’m attaching the log files… but then this came up as well. I should add, this doesn’t happen to all sites or even all download sites; it’s only happened with aswMBR, Microsoft Word and !Avast itself attempting to update.

Now running from svchost

Don’t bother with AdwCleaner just yet.

Download the AVZ tool from here to your desktop.
Unzip all files to a folder on your desktop.
Open the folder and double click the AVZ icon.
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens, select “File” > “Standard scripts”.

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in:
5. To update the programme
3. Advanced System Analysis with malware removal mode enabled

Then press “Execute selected scripts”.

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

There will be several warnings; OK them all, and the system will reboot on completion of the analysis.

After the reboot, look in the folder AVZ4 on your desktop.
Open the LOG folder.
Upload KL_syscure.zip to a file sharing site for me to collect.

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG

Edit: Found a way around this. Will do as you’ve asked.