URL:Mal Warnings

Hi, I keep receiving warnings for malicious URLs being blocked and they don’t seem to stop.

It always happens when I use Google to search for something, and then occasionally during normal browsing.

I’ve run MalwareBytes scans, and they haven’t returned any results.

Here’s a screenshot of what happens:

http://imgur.com/FrUaU

It says the objects are from rudolfdisney.com, crozybanner.com, imagemonsar.com and bunnyandisney.com.

Can you post a screenshot of the pop-up?

This sometimes works:

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

http://i.imgur.com/FrUaU.png

That’s the pop up that appeared.

Here’s the direct link: http://i.imgur.com/FrUaU.png

The TFC thing didn’t work, nor did CCleaner.

Then Essexboy's magic tools are next :wink:

Ok my go ;D

Download OTS to your Desktop and double-click on it to run it.

* Make sure you close all other programs and don’t use the PC while the scan runs.
* Select All Users.
* Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
  File - Purity Scan
* Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
* When the scan is complete Notepad will open with the report file loaded in it.
* Please attach the log in your next post.

Ok, that’s done. Here’s the file:

Malicious URLs like this one belong to the Alureon family. Alureon is extremely ugly malware that contains a dropper, a rootkit, an MBR rootkit, … . Once rootkits are active in the system they are very hard to detect, because they usually hide themselves.
You should run a boot-time scan with the latest VPS update. But be careful: after you clean the rootkit, you will probably have to use the Windows recovery disc (install disc) to reconstruct the original MBR and system registry.

Looks like you were lucky: with a 64-bit system the malware failed to take hold (hotfix) and only managed to add a proxy. On completion of this, let me know if the alerts still occur.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:59274
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:59274
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-183297434-1813747179-3948722596-1001\] > -> HKEY_USERS\S-1-5-21-183297434-1813747179-3948722596-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe -> 
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe -> 
< Winlogon settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Empty Temp Folders]
[EmptyFlash]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
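The fix script above removes two things from the SYSTEM profile hive (HKEY_USERS\.DEFAULT and S-1-5-18 are the same hive): an Internet Explorer proxy pointing at a loopback listener (http=127.0.0.1:59274), and a Winlogon Shell value pointing at hotfix.exe under systemprofile\AppData\Roaming instead of explorer.exe. As an added example, not part of the original thread or of OTS itself, here is a small Python checker that reads OTS-style "YN ->" lines and flags both indicators. The sample input copies the relevant lines from the fix above and adds constructed benign entries for contrast (the SID S-1-5-21-1111 and the host proxy.corp.example are made up).

```python
"""Flag a loopback browser proxy and a replaced Winlogon Shell in OTS-style log lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input. The first six lines are copied from the OTS fix script posted in
# this thread; the remaining lines are constructed benign entries (fictional hive
# S-1-5-21-1111, fictional proxy host proxy.corp.example) added for contrast.
SAMPLE_LOG = r"""
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:59274
< Winlogon settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> C:\Windows\System32\config\systemprofile\AppData\Roaming\hotfix.exe ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1111\] > ->
YN -> HKEY_USERS\S-1-5-21-1111\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1111\: "ProxyServer" -> http=proxy.corp.example:8080
*Shell* -> HKEY_USERS\S-1-5-21-1111\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YN -> explorer.exe -> C:\Windows\explorer.exe
"""

# 'YN -> <hive>\: "<name>" -> <value>'  (registry value lines)
VALUE_RE = re.compile(r'^YN -> (?P<hive>.+?)\\: "(?P<name>[^"]+)" -> (?P<value>.*)$')
# '*Shell* -> HKEY_USERS\<sid>\SOFTWARE\...\Winlogon\\Shell'  (header before the Shell value)
SHELL_HDR_RE = re.compile(r'^\*Shell\* -> (?P<hive>HKEY_USERS\\[^\\]+)\\')
# 'YN -> <value> -> <resolved path>'  (the Shell value line that follows the header)
SHELL_VAL_RE = re.compile(r'^YN -> (?P<value>.*?)\s*->\s*(?P<resolved>.*)$')


@dataclass(frozen=True)
class Finding:
    kind: str   # "loopback-proxy" or "winlogon-shell"
    hive: str   # HKEY_USERS\<sid> the entry lives under
    value: str  # raw registry value as printed by OTS


def proxy_hosts(value: str) -> List[str]:
    """Split an IE ProxyServer value ('http=h:p;https=h:p' or bare 'h:p') into host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[-1]                         # drop 'http=' style prefix
        host = target.rsplit(":", 1)[0] if ":" in target else target
        hosts.append(host.strip("[]"))                           # tolerate [::1]:port
    return hosts


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def scan_ots_lines(text: str) -> List[Finding]:
    """Return indicators found in OTS-style lines, in the order they appear."""
    findings: List[Finding] = []
    pending_shell_hive: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):                 # section header: any pending Shell header is stale
            pending_shell_hive = None
            continue
        if pending_shell_hive is not None and line.startswith("YN -> "):
            hive, pending_shell_hive = pending_shell_hive, None
            m = SHELL_VAL_RE.match(line)
            value = m.group("value") if m else line[len("YN -> "):]
            if value.lower() != "explorer.exe":  # Windows default shell is the bare name explorer.exe
                findings.append(Finding("winlogon-shell", hive, value))
            continue
        m = SHELL_HDR_RE.match(line)
        if m:
            pending_shell_hive = m.group("hive")
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name") == "ProxyServer":
            if any(is_loopback(h) for h in proxy_hosts(m.group("value"))):
                findings.append(Finding("loopback-proxy", m.group("hive"), m.group("value")))
    return findings


if __name__ == "__main__":
    for f in scan_ots_lines(SAMPLE_LOG):
        print(f"{f.kind:15} {f.hive:28} {f.value}")
```

A loopback proxy is a lead, not proof: some local web filters and debugging proxies legitimately listen on 127.0.0.1, so confirm what owns the port (for example `netstat -ano` and the matching PID) before removing it. A Shell value that is anything other than explorer.exe, especially one under an AppData folder, is much harder to explain innocently.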

Ok, here we go:

The problem is still happening, should I be worried just yet?

No not yet - I have a few more tricks up my sleeve

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
* Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

I changed the name to combofix log, so yeah:

I hope I can get this fixed soon >.>

OK, it looks like the router.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled “reset” located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Is that all? And it should be fixed?

Check it out and let me know - as that is the next logical area for it to be ;D

Ok, the MAL warnings got fixed but there’s one problem.

I just checked my notification centre but it came up that on the 7th of March the Alureon virus was detected. It hasn’t happened since and scans are turning up nothing (full Malwarebytes scan), but I don’t know whether it has infected or not.

If you had that, then Avast would still be alerting on it.

I had a play with that virus the other day and it was only possible to install it if I removed Avast.

But we can check your MBR if you like.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

Looks like there shouldn’t be a need for that, I just did an avast! full system scan that came up with two infected files, which were subsequently moved to chest. If I do encounter any more problems, you wouldn’t mind answering my questions would you? You’re probably the most helpful virus specialist I know :stuck_out_tongue:

About the Alureon notification … I actually played with one the other day on my VM and Avast was killing it before I could install it ;D The dropper itself was not detected (it is now), but as soon as it started unpacking it died, and I could find no residue on my system.

But feel free to ask and if I know I will answer.

Hi, I’ve been getting the URL:Mal warnings as well.
I tried the TFC thing and it didn't work.
I have attached a picture of the popup.

I tried the OTS thing and here's my file: