Url:Mal pop-ups from seemingly sound sources

Hi all,

Yesterday at one point every single website was being blocked by Avast network shield, but after taking out my Cat-5 cable and re-connecting it this might not happen again for a little bit, only to return later in a very random (seemingly) fashion. Even the button saying “more details” on the pop-ups themselves was being blocked at times (see attached images). This has not occurred so much today, but pop-ups are still coming up and are worrying me now (at first I thought it was just a conflict between Chrome and Avast, so I updated Chrome to 19.0.1084.52 m). The culprit processes highlighted by the pop-ups are mainly svchost.exe, zune.exe and chrome.exe (google-updater.exe also threw up a pop-up yesterday as well, I think), yet it appears that the connections being blocked are not problem websites at all and don’t seem malicious (as shown by the fact that the Avast site itself is blocked sometimes, for example). I have attached three screenshots of some pop-ups, and below is a Malwarebytes log.

Any help will be greatly appreciated.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.27.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-LAPTOP [administrator]

Protection: Disabled

27/05/2012 11:37:59
mbam-log-2012-05-27 (11-37-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231307
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Attach (not copy and paste) the OTL and aswMBR logs:
http://forum.avast.com/index.php?topic=53253.0

Malware remover will be notified when done…

Attached the logs. I didn’t have an extras.txt file generated by the OTL scan as explained in the tutorial, so I’ve just got the OTL.txt log and the aswMBR log for you…

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100488&mntrId=b845716800000000000074e50b0e6c63
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2011/08/07 18:44:29 | 000,010,752 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/07 10:34:17 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Babylon

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
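The [resethosts] command in the fix above overwrites the hosts file with the Windows default. Before doing that, a practitioner normally wants to see what is in it, because a hosts file that resolves a vendor’s site (the Avast site, for instance) to an arbitrary address is one mundane explanation for “this site is blocked”. The following is an added example, not part of this thread and not an OTL feature: a small audit of a hosts file that flags names mapped anywhere other than loopback. The SAMPLE_HOSTS text is constructed for the example and is not the poster’s real file; the 192.0.2.10 address is a documentation address used as a placeholder.

```python
"""Audit a Windows hosts file for entries that redirect names away from loopback.

Added example for the thread above, not code from the forum or from OTL.
SAMPLE_HOSTS is constructed: a stock Windows 7 hosts file plus hypothetical
lines of the kind a browser hijacker leaves behind.
"""
import ipaddress
import os

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.avast.com
192.0.2.10      forum.avast.com
127.0.0.1       ads.example.net   # blocking entry, harmless
"""

# Names that legitimately point at loopback on every Windows box.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def system_hosts_path():
    """Location of the live hosts file on Windows; read it with open()."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Return (ip_address, hostname) pairs for every active mapping line.

    Comments (everything after '#') and blank lines are ignored; a line
    whose first token is not an IP address is skipped rather than guessed at.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Mappings that send a non-loopback name somewhere other than
    loopback or the unspecified address.

    127.0.0.1 / 0.0.0.0 / ::1 entries are the normal ad- and
    telemetry-blocking pattern and are left alone; anything that steers a
    real hostname to a routable address is worth a look before [resethosts]
    wipes the evidence.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append((str(ip), name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"redirected: {name} -> {ip}")
```

On a live machine, replace SAMPLE_HOSTS with the contents of system_hosts_path(); reading the file needs no elevation, only rewriting it does.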

I just ran the fix and it went fine, but I don’t fully understand the next step… by scan do you mean I should do another pass of aswMBR and post the log? And for the second run of OTL, as well as not checking LOP or purity, should I put the code into the custom scan box like I did for my first OTL run or not?

You do a new OTL scan… with no fix… to get a new OTL log so he can see if the fix worked as planned :wink:

Thanks Pondus/here’s the new OTL log.

FYI, I still got another pop-up when I first opened my browser to see this thread: URL:Mal detected on object platform.twitter.com/widgets.js. I just unplugged and the reconnected my ethernet cable and I can now see that page without any pop-ups.

Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
[i]Note: You will need to use Internet Explorer for this scan[/i]
[*]Tick the box next to YES, I accept the Terms of Use
[*]Click Start
[*]When asked, allow the ActiveX control to install
[*]Click Start
[*]Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
[*]Click Scan (This scan can take several hours, so please be patient)
[*]Once the scan is completed, you may close the window
[*]Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
[*]Copy and paste that log as a reply to this topic


In your next reply please attach the logs made by Malwarebytes and ESET online scanner. :slight_smile:

Here is what the ESET log file said:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Attached is log file itself, the ESET “export to file” file as a .txt file: it found two infected files (details in Eset export to text file.txt) and the malwarebytes log.

Hi,

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:Files
C:\Users\User\Downloads\cnet2_WinDjView-1_0_3-Setup_exe.exe
C:\Users\User\Downloads\coretemp_1236.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )


In your next reply please post the new OTL log and let me know how your system is running. :slight_smile:

Hi, I’ve attached the third OTL log for you. My system is unchanged; I got another pop-up when I opened the Zune software after the reboot following the OTL fix (screenshot attached)…


Hi,

Ok…

Download the latest version of Kaspersky Virus Removal Tool
[*]Close all other applications and double-click and run the installer.
[*]When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
[*]In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
[*] Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
[*] Select all the scanable items except for CD-ROM drives and click the Start scan button.

http://i47.tinypic.com/6zvqld.gif

[*]If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
[*]After the scan finishes, if any threat remains in the Scan window (red exclamation point), click the Neutralize all button.
[*]In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
[*]If advised that a special disinfection procedure is required which demands a system reboot, click the OK button to close the window.
[*]In the Scan window click the Reports button and select Save to file.
[*]Name the report AVPT.txt, and save it to the Desktop.
[*]Close AVPTool.
[*]You will be prompted if you want to uninstall the program; click Yes.
[*]You will then be prompted that, to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
[*]Copy and paste the first part of the report (Detected) that you saved in your next reply.

Basically the Kaspersky scan got to about 73%, and then when I came back to my laptop and clicked on it, it froze and I had to close the program. Up to that point the program had found 6 vulnerabilities (I think that was the wording used), rather than malware (no red exclamation point). Anyway, I’m running the scan again and will get back to you later, but I was just going to ask in the meantime (if that’s OK): what do you think is going on, after reading the OTL logs which I’ve been uploading? Or is nothing decisive yet, hence the extra scan by Kaspersky?

Hi,

Well the OTL logs look pretty good but since you are still experiencing the problems I am running the additional scans. :slight_smile:

OK, here we go… when I saved the automatic scan report (I was using the latest version of the scanner, version 11) it created a 160 MB file that neither Notepad nor OpenOffice could open without crashing!! Anyway, below is the “detected threats” report, which is far smaller and sounds like it gives you the information you need.

Status: Vulnerability   (events: 6)	
28/05/2012 18:10:23	Vulnerability	vulnerability http://www.securelist.com/en/advisories/48281	C:\Jack's Stuff\memsitckcopy\memsitck\Jack\Else\FirefoxPortable\App\Firefox\plugins\NPSWF32.dll	Low	
28/05/2012 18:13:23	Vulnerability	vulnerability http://www.securelist.com/en/advisories/48009	C:\Program Files\Java\jre6\bin\java.exe	Low	
28/05/2012 18:22:30	Vulnerability	vulnerability http://www.securelist.com/en/advisories/48009	C:\Program Files (x86)\Java\jre1.6.0_22\bin\java.exe	Low	
28/05/2012 18:22:38	Vulnerability	vulnerability http://www.securelist.com/en/advisories/48009	C:\Program Files (x86)\Java\jre6\bin\java.exe	Low	
28/05/2012 19:13:40	Vulnerability	vulnerability http://www.securelist.com/en/advisories/49086	C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe	Low	
28/05/2012 19:24:29	Vulnerability	vulnerability http://www.securelist.com/en/advisories/48500	c:\Program Files (x86)\VideoLAN\VLC\vlc.exe	Low	

EDIT: just a note… I never got an option to delete, disinfect or neutralise these files, but I assume that’s maybe because these are “vulnerabilities” and not actual cases of malware (?)
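The “Detected threats” report above is a tab-separated table: timestamp, status, a description carrying the Securelist advisory URL, the path of the flagged file, and a severity. Reading it by eye hides a useful fact, namely that three of the six lines are the same advisory (48009) reported against three separate Java installations, each of which has to be updated or removed on its own. The following is an added example, not part of the thread and not Kaspersky’s own tooling: a parser that turns the six rows quoted above into records and groups them by advisory and by duplicated binary. The rows are copied from the post; because the report is tab-delimited, they are reconstructed here by joining the fields with tabs.

```python
"""Parse a Kaspersky Virus Removal Tool 'Detected threats' report.

Added example for the thread above; the report format is inferred from the
six rows the poster quoted, which are reproduced here and joined with tabs.
"""
import re
from collections import defaultdict

# The six rows from the post (fields in report order, trailing empty column
# included, as the original lines end with a tab).
_ROWS = [
    ("28/05/2012 18:10:23", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/48281",
     r"C:\Jack's Stuff\memsitckcopy\memsitck\Jack\Else\FirefoxPortable\App\Firefox\plugins\NPSWF32.dll",
     "Low", ""),
    ("28/05/2012 18:13:23", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/48009",
     r"C:\Program Files\Java\jre6\bin\java.exe", "Low", ""),
    ("28/05/2012 18:22:30", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/48009",
     r"C:\Program Files (x86)\Java\jre1.6.0_22\bin\java.exe", "Low", ""),
    ("28/05/2012 18:22:38", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/48009",
     r"C:\Program Files (x86)\Java\jre6\bin\java.exe", "Low", ""),
    ("28/05/2012 19:13:40", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/49086",
     r"C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe", "Low", ""),
    ("28/05/2012 19:24:29", "Vulnerability",
     "vulnerability http://www.securelist.com/en/advisories/48500",
     r"c:\Program Files (x86)\VideoLAN\VLC\vlc.exe", "Low", ""),
]
REPORT = "\n".join("\t".join(row) for row in _ROWS)

ADVISORY_RE = re.compile(r"advisories/(\d+)")


def parse_report(text):
    """Return one dict per report row; rows with fewer than five fields are
    skipped rather than guessed at (the 'Status: ...' header is one such)."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.rstrip("\t").split("\t")]
        if len(fields) < 5:
            continue
        when, status, detail, path, severity = fields[:5]
        match = ADVISORY_RE.search(detail)
        records.append({
            "time": when,
            "status": status,
            "advisory": match.group(1) if match else None,
            "path": path,
            "file": path.rsplit("\\", 1)[-1].lower(),
            "severity": severity,
        })
    return records


def by_advisory(records):
    """Map advisory id -> list of affected paths, in report order."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["advisory"]].append(rec["path"])
    return dict(groups)


def duplicate_installs(records):
    """Binaries flagged at more than one path: each copy is a separate
    update/removal target, which is why one outdated product can produce
    several report lines."""
    seen = defaultdict(list)
    for rec in records:
        seen[rec["file"]].append(rec["path"])
    return {name: paths for name, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    recs = parse_report(REPORT)
    for adv, paths in by_advisory(recs).items():
        print(f"advisory {adv}: {len(paths)} file(s)")
    for name, paths in duplicate_installs(recs).items():
        print(f"{name} installed {len(paths)} times")
```

The point of the grouping is practical: the report lists the vulnerable binary, not the product, so a single “update Java” will not clear it until every listed path is updated or uninstalled.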

Hi,

Good job running that.

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

Hi, I’ve attached the ComboFix log. Looking at it, it looks like I forgot to turn off Windows Defender, so if that’s a problem just tell me and I’ll run it again :slight_smile:

No you ran it just fine. If there were a problem I would just have you run it again. :slight_smile:

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Attach the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

OK, ComboFix round two, here we go :slight_smile:

Also, I was just thinking (after getting another couple of pop-ups following this last round of ComboFix, one from avast.setup and one from svchost.exe, both Url:Mal): would it be worth reinstalling Avast? Or is the problem definitely not with Avast? It’s just that, for example, the Malwarebytes protection module is running now on my system and doesn’t pick up these supposed malicious URL connections, just Avast…

EDIT: I came back to my computer and the Avast screensaver scan just found OTL.exe to be a threat of type Malware-gen, but I downloaded it from your link, so am I safe to “do nothing” with it?

Hi,

Sorry, I’ve been a bit busy today… sold a house and looking for a new one, but I will return as quickly as I can.

No, you can leave OTL alone. Some of the tools that we use will pop up on scanners, but they are false positives. :slight_smile: