Full Version: Malicious URL alert appearing every minute
Kaspersky Lab Forum > English User Forum > Virus-related issues
mowzza
Hi,

I recently installed a trial version of Kaspersky Internet Security 2010 after getting pop-ups from IE. I previously had Norton Internet Security running, but it wasn't detecting any viruses or spyware and the subscription was about to expire, so I uninstalled it and am now trying Kaspersky.
Anyway, KIS has detected 12 viruses and 31 trojans and is still running a full scan. The problem I am experiencing is that I keep getting an alert from Kaspersky saying that it has denied a malicious URL (I'll attach a screenshot). This alert is displayed every minute and then goes away. My question is: how do I effectively prevent this from happening without keeping any malware/spyware present?

Your help would be much appreciated.
dawgg
If Kaspersky is still running a scan, let it complete and disinfect/delete malicious files.

If the popups or malicious URL alerts continue after Kaspersky has finished the scan and removed all detected threats, do the following:
1. Open Kaspersky, click Quarantine (top-right) and select All in the dropdown list.
Click Save on the top-right and attach that .txt file you saved to your next post.

2. Attach an AVZ log of your computer to your next post. Instructions shown here.

3. Attach a link to your PC's GSI parser to your next post. Instructions shown at the bottom of this post.

--------------------------------------------

If I misinterpreted your question and you really wanted to ask how to stop the malicious URL popup (in your screenshot) and still block the malicious URL... click the downward arrow at the top-right of the popup and click "do not display message" or something along those lines I think it said.
Personally, I do not think you should do this, as it will not be as obvious to you if something on your computer is trying to connect to a malicious URL.
mowzza
QUOTE(dawgg @ 12.02.2010 15:42)

Hi,

Thanks for your help. I let the scan finish, and I then restarted my PC. Unfortunately the alert still keeps popping up, and I'd prefer to remove the source of the problem than turn a blind eye, so here's the link to the GSI: http://www.getsysteminfo.com/read.php?file...946a03&ms=0

And I've attached the other 2 files.
Thanks again for your help
dawgg
Submit the following files to Kaspersky's viruslab -
C:\Users\Mo\AppData\Roaming\sdra64.exe
C:\Users\Mo\AppData\Local\omuvajiyuhax.dll
C:\Users\Mo\AppData\Local\Temp\plugtmp-7\plugin-ADSAdClient31.dll

Post back what they say.

Clear your Temp folders (C:\Users\Mo\AppData\Local\Temp\)

Download and run TDSSKiller.
Post a screenshot of what it shows - do not click Y to delete anything if it asks.
mowzza
QUOTE(dawgg @ 12.02.2010 17:45)

Hi, thanks again for your help.

I sent 2 of the files to Kaspersky's virus lab; however, the 'sdra64.exe' file wasn't uploading. I would get the following message when trying to upload it:

The following errors were detected:

* Upload a file

One or several fields were left empty. Check the entered data and try again.


The file size is 120 KB, so I'm not too sure why it wasn't letting me upload it.

Anyway I received an automated e-mail from them saying:

This message has been generated by the automated submission tracking system. If we already detect these files, the message below tells you how we identify this threat. Your submission will be passed to a virus analyst.

omuvajiyuhax.dll,
plugin-adsadclient31.dll

These files are being processed.

Best regards, Kaspersky Lab


I cleared my temp folder (there was 1.22 GB worth of files); however, 6 files remained and could not be deleted. They are:
~DFE8D5.tmp
~DFE8DD.tmp
~DFE86B.tmp
~DFE90A.tmp
~DFE872.tmp
~DFE903.tmp

I'm not sure if this has any significance.

I ran TDSSKiller and have posted a screenshot of what it showed.
I have noticed that although the alerts are still appearing, the 'PID' has changed from 'PID: 3312' to 'PID: 528'. Again, I'm not sure if this has any significance.

Thanks again for your help.

Regards
dawgg
Try to compress C:\Users\Mo\AppData\Roaming\sdra64.exe into a zip or rar archive and send it.
If it does not work, private message it to me.

Delete the temp files in SafeMode.
mowzza
QUOTE(dawgg @ 13.02.2010 13:35)

Hi,

I compressed the file and sent it off successfully. Here's the e-mail I got back:

Hello,


sdra64.exe - Trojan-Ransom.Win32.Digitala.ih

New malicious software was found in this file. The next antivirus database update will include detection for this malware. Thank you for your help.

Regards, Vitaly Yakutenko
Virus analyst, Kaspersky Lab.


With respect to the temp files, I successfully deleted them in Safe Mode.

Now, assuming the next update will detect the sdra64.exe file, should this solve the problem with the alerts that I keep getting?

Thanks again for your help.
dawgg
Have you got a reply regarding omuvajiyuhax.dll and plugin-adsadclient31.dll?

Update your bases and scan C:\Users\Mo\AppData\ for viruses.
Right-click the folder and click Scan.
Let Kaspersky remove whatever is there. If you need to restart to remove the threat, do it.

Then run the following script in AVZ. Instructions shown here.
Note, your system will restart after running the script.
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\Users\Mo\AppData\Local\Temp\plugtmp-7\plugin-ADSAdClient31.dll','');
QuarantineFile('C:\Users\Mo\AppData\Roaming\sdra64.exe','');
QuarantineFile('C:\Users\Mo\AppData\Local\omuvajiyuhax.dll','');
QuarantineFile('C:\Users\Mo\AppData\Local\Temp\Ptw.exe','');
DeleteFile('C:\Users\Mo\AppData\Local\Temp\Ptw.exe');
DeleteFileMask('C:\Users\Mo\AppData\Local\Temp\plugtmp-7\','*.*',true);
RegKeyParamDel('HKEY_USERS','S-1-5-21-1956881657-2582393608-3223477302-1000\Software\Microsoft\Windows\CurrentVersion\Run','F5JMWNZTHI');
DeleteFile('C:\Users\Mo\AppData\Local\omuvajiyuhax.dll');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1956881657-2582393608-3223477302-1000\Software\Microsoft\Windows\CurrentVersion\Run','Umuquxis');
DeleteFile('C:\Users\Mo\AppData\Roaming\sdra64.exe');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1956881657-2582393608-3223477302-1000\Software\Microsoft\Windows\CurrentVersion\Run','userinit');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


---------------------------

After running the script, attach a Combofix log. Please review and follow these instructions carefully.

Before downloading and Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky protection that you paused.

Download Combofix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

-------------------------------------------------

Are you still getting the popups after doing as shown above?
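The persistence the AVZ script above tears down is three values under the user's Run key (HKEY_USERS\<SID>\...\Run is the same hive that HKCU maps to for the logged-in user) launching loaders from the profile directories, plus a value named 'userinit' that borrows the name of the real Winlogon setting. The PowerShell audit below is an added example written for this edit, not code from the thread or from Kaspersky. Run it in the affected user's session: it lists Run-key values whose image lives under %APPDATA%, %LOCALAPPDATA% or %TEMP%, is missing from disk, is not Authenticode-signed, or reuses a value name seen in this thread, and it compares the genuine Winlogon Userinit value against its default. The indicator list, the suspect-directory list and the command-line parsing heuristics are assumptions for illustration.

```powershell
# Added example for this thread (not from the original post or from Kaspersky):
# list Run-key entries that look like the per-user loaders the AVZ script removes.

# Value names from the AVZ script in this thread. Hypothetical starting list; extend as needed.
$KnownBadValueNames = @('userinit', 'Umuquxis', 'F5JMWNZTHI')

# Profile locations a legitimate autostart rarely lives in (assumption for this example).
$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable (or the DLL handed to rundll32/regsvr32) out of a Run-key command line.
function Get-AutorunImage {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end   = $cl.IndexOf('"', 1)
        $image = if ($end -gt 1) { $cl.Substring(1, $end - 1) } else { $cl.Trim('"') }
        $rest  = if ($end -gt 1) { $cl.Substring($end + 1).Trim() } else { '' }
    } else {
        $parts = $cl -split '\s+', 2          # unquoted: first token is the image
        $image = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    # rundll32 / regsvr32 only host a library; the library is the thing to look at.
    $leaf = [IO.Path]::GetFileName($image).ToLowerInvariant()
    if ((@('rundll32.exe', 'regsvr32.exe') -contains $leaf) -and $rest) {
        $rest  = $rest -replace '^(\s*/\S+)+\s*', ''          # drop leading switches such as /s
        $image = ($rest.Trim('"') -split '[,"]')[0].Trim()    # path ends at the comma before the entry point
    }
    return $image
}

function Find-SuspiciousAutoruns {
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $image   = Get-AutorunImage -CommandLine ([string]$prop.Value)
            $reasons = @()
            if ($KnownBadValueNames -contains $prop.Name) { $reasons += 'value name seen in this thread' }
            foreach ($root in $SuspectRoots) {
                if ($image -and $image.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "image under $root"
                }
            }
            if ($image -and -not (Test-Path -LiteralPath $image)) {
                $reasons += 'image not on disk (already removed, or a decoy path)'
            } elseif ($image) {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $reasons += "Authenticode: $($sig.Status)" }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value
                                   Image = $image; Why = ($reasons -join '; ') }
            }
        }
    }
    # The genuine Userinit lives under Winlogon, not in a Run key; anything appended to it is another loader.
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $expected = "$env:SystemRoot\system32\userinit.exe,"
    if ($userinit -ne $expected) {
        [pscustomobject]@{ Key = $winlogon; Name = 'Userinit'; Command = $userinit
                           Image = $null; Why = "expected '$expected'" }
    }
}

Find-SuspiciousAutoruns | Format-Table -AutoSize -Wrap
```

Treat a hit as a lead, not a verdict: plenty of legitimate 2010-era software is unsigned, and a missing image can simply mean the scanner already removed it and left the Run value behind. What matters is the order used in the AVZ script, QuarantineFile before DeleteFile, so a copy of each loader survives for the lab; delete the Run values only after the files they point to have been quarantined, otherwise the next reboot will not tell you whether the loader is really gone.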
mowzza
QUOTE(dawgg @ 14.02.2010 11:37)


I still haven't received a reply with regards to the first 2 files.
After scanning C:\Users\Mo\AppData\, Kaspersky detected and removed the sdra64.exe file.
I successfully ran the AVZ script and have attached the Combofix file.

My PC has been running 'alert free' for 40 mins now, so I think you solved the problem.

Thanks for your help. I'll get back to you if/when I receive a reply with regards to the 2 files I sent to the virus lab.

BTW, I'm literally shocked at how much better Kaspersky is than Norton. I'd been using Norton for the past 7 years purely because I thought it was the most recognised brand, therefore meaning the best... boy was I wrong.
dawgg
Great. Click Start - Run (or Search) and type in ComboFix /Uninstall and 123.exe /uninstall.

I think we're done.
Post back if you have any further issues.
mowzza
QUOTE(dawgg @ 14.02.2010 14:55)

Brilliant, thanks very much for your help. Just one other thing: when I try to uninstall Combofix I get an error message from Windows saying 'Windows cannot find '123.exe'. Make sure you typed the name correctly, and then try again.'

Any ideas why i'm getting this message?
dawgg
If you did "combofix /uninstall" and it worked, then "123.exe /uninstall" won't work. Sometimes one or the other works, so I gave both, just in case.