Annoying Popup every few seconds: MALICIOUS URL BLOCKED

Avast! is showing this popup:


MALICIOUS URL BLOCKED

avast! Network Shield has blocked a harmful site

Object: hxxp://xxxxxxxxx.com/x/
Infection: URL:Mal
Process: C:\WINDOWS\System32\svchost.exe

It seem to be adware trying to call home. It’s trying to connect with 5 or 6 different sites, e.g., credit, loans, merchant accounts, etc.

Neither avast! nor MBAM appear to be able to find it.

I’ve posted and attached the logs.

Help will be appreciated!

=================
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.12.16.06

Windows XP Service Pack 3 x86 NTFS (Safe Mode)
Internet Explorer 8.0.6001.18702
Louis :: POWERHORSE [administrator]

12/17/12 10:04:33 AM
mbam-log-2012-12-17 (10-04-33).txt

Scan type: Full scan (C:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 557305
Time elapsed: 2 hour(s), 45 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

=================
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-18 04:05:11

04:05:11.703 OS Version: Windows 5.1.2600 Service Pack 3
04:05:11.703 Number of processors: 1 586 0x602
04:05:11.703 ComputerName: POWERHORSE UserName:
04:05:31.984 Initialize success
04:06:20.125 AVAST engine defs: 12121700
04:06:26.343 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
04:06:26.343 Disk 0 Vendor: ST3120026A 8.01 Size: 114473MB BusType: 3
04:06:26.390 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
04:06:26.421 Disk 1 Vendor: ST340016A 3.21 Size: 38166MB BusType: 3
04:06:26.421 Device \Driver\atapi → DriverStartIo 876c12e2
04:06:26.437 Disk 0 MBR read successfully
04:06:26.437 Disk 0 MBR scan
04:06:36.203 Disk 0 Windows XP default MBR code
04:06:36.218 Disk 0 MBR hidden
04:06:36.328 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 114470 MB offset 63
04:06:43.375 Disk 0 scanning sectors +234435600
04:06:46.843 Disk 0 scanning C:\WINDOWS\system32\drivers
04:08:43.640 Service scanning
04:09:46.359 Modules scanning
04:09:58.140 Disk 0 trace - called modules:
04:09:58.156 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x876c14b1]<<
04:09:58.187 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8774dab8]
04:09:58.187 3 CLASSPNP.SYS[f785dfd7] → nt!IofCallDriver → [0x876bb8f0]
04:09:58.203 \Driver\atapi[0x876bcdb8] → IRP_MJ_CREATE → 0x876c14b1
04:10:01.921 AVAST engine scan C:\WINDOWS
04:10:38.796 AVAST engine scan C:\WINDOWS\system32
04:19:32.609 AVAST engine scan C:\WINDOWS\system32\drivers
04:20:02.500 AVAST engine scan C:\Documents and Settings\Louis
04:39:41.515 AVAST engine scan C:\Documents and Settings\All Users
04:42:08.046 Scan finished successfully
04:42:26.718 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Louis\Desktop\MBR.dat”
04:42:26.718 The log file has been saved successfully to “C:\Documents and Settings\Louis\Desktop\aswMBR.txt”

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-18 04:05:11

04:05:11.703 OS Version: Windows 5.1.2600 Service Pack 3
04:05:11.703 Number of processors: 1 586 0x602
04:05:11.703 ComputerName: POWERHORSE UserName:
04:05:31.984 Initialize success
04:06:20.125 AVAST engine defs: 12121700
04:06:26.343 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
04:06:26.343 Disk 0 Vendor: ST3120026A 8.01 Size: 114473MB BusType: 3
04:06:26.390 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
04:06:26.421 Disk 1 Vendor: ST340016A 3.21 Size: 38166MB BusType: 3
04:06:26.421 Device \Driver\atapi → DriverStartIo 876c12e2
04:06:26.437 Disk 0 MBR read successfully
04:06:26.437 Disk 0 MBR scan
04:06:36.203 Disk 0 Windows XP default MBR code
04:06:36.218 Disk 0 MBR hidden
04:06:36.328 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 114470 MB offset 63
04:06:43.375 Disk 0 scanning sectors +234435600
04:06:46.843 Disk 0 scanning C:\WINDOWS\system32\drivers
04:08:43.640 Service scanning
04:09:46.359 Modules scanning
04:09:58.140 Disk 0 trace - called modules:
04:09:58.156 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x876c14b1]<<
04:09:58.187 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8774dab8]
04:09:58.187 3 CLASSPNP.SYS[f785dfd7] → nt!IofCallDriver → [0x876bb8f0]
04:09:58.203 \Driver\atapi[0x876bcdb8] → IRP_MJ_CREATE → 0x876c14b1
04:10:01.921 AVAST engine scan C:\WINDOWS
04:10:38.796 AVAST engine scan C:\WINDOWS\system32
04:19:32.609 AVAST engine scan C:\WINDOWS\system32\drivers
04:20:02.500 AVAST engine scan C:\Documents and Settings\Louis
04:39:41.515 AVAST engine scan C:\Documents and Settings\All Users
04:42:08.046 Scan finished successfully
04:42:26.718 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Louis\Desktop\MBR.dat”
04:42:26.718 The log file has been saved successfully to “C:\Documents and Settings\Louis\Desktop\aswMBR.txt”
04:49:28.312 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Louis\Desktop\MBR.dat”
04:49:28.328 The log file has been saved successfully to “C:\Documents and Settings\Louis\Desktop\aswMBR.txt”

=================

malware removers are notified. it may take hours before one arrive so be patient

Hi lets get at it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O3 - HKLM\..\Toolbar: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O3 - HKU\S-1-5-21-2752991226-2699939882-557728558-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2752991226-2699939882-557728558-1006\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O3 - HKU\S-1-5-21-2752991226-2699939882-557728558-1006\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2752991226-2699939882-557728558-1006\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O7 - HKU\S-1-5-21-2752991226-2699939882-557728558-1006\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
@Alternate Data Stream - 88 bytes -> C:\Program Files\data1.cab:SummaryInformation

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Hi,

Here are the OTL log attached and a copy of the TDSSKiller Report:

============
12:14:19.0218 2972 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
12:14:20.0312 2972 ============================================================
12:14:20.0312 2972 Current date / time: 2012/12/18 12:14:20.0312
12:14:20.0312 2972 SystemInfo:
12:14:20.0312 2972
12:14:20.0312 2972 OS Version: 5.1.2600 ServicePack: 3.0
12:14:20.0312 2972 Product type: Workstation
12:14:20.0312 2972 ComputerName: POWERHORSE
12:14:20.0312 2972 UserName: Louis
12:14:20.0312 2972 Windows directory: C:\WINDOWS
12:14:20.0312 2972 System windows directory: C:\WINDOWS
12:14:20.0312 2972 Processor architecture: Intel x86
12:14:20.0312 2972 Number of processors: 1
12:14:20.0312 2972 Page size: 0x1000
12:14:20.0312 2972 Boot type: Normal boot
12:14:20.0312 2972 ============================================================
12:14:23.0125 2972 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type ‘K0’, Flags 0x00000054
12:14:23.0156 2972 Drive \Device\Harddisk1\DR1 - Size: 0x9516AE000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1431, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type ‘K0’, Flags 0x00000054
12:14:23.0171 2972 Drive \Device\Harddisk2\DR5 - Size: 0x1D1C0F00000 (1863.01 Gb), SectorSize: 0x200, Cylinders: 0x3B601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘W’
12:14:23.0593 2972 ============================================================
12:14:23.0593 2972 \Device\Harddisk0\DR0:
12:14:23.0593 2972 MBR partitions:
12:14:23.0593 2972 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF933D1
12:14:23.0593 2972 \Device\Harddisk1\DR1:
12:14:23.0593 2972 MBR partitions:
12:14:23.0593 2972 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x42BBD01
12:14:23.0609 2972 \Device\Harddisk1\DR1\Partition2: MBR, Type 0xB, StartLBA 0x42BBD7F, BlocksNum 0x7CD091
12:14:23.0609 2972 \Device\Harddisk2\DR5:
12:14:23.0609 2972 MBR partitions:
12:14:23.0625 2972 \Device\Harddisk2\DR5\Partition1: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x11BFC629
12:14:23.0625 2972 ============================================================
12:14:23.0656 2972 D: ↔ \Device\Harddisk1\DR1\Partition2
12:14:23.0687 2972 E: ↔ \Device\Harddisk1\DR1\Partition1
12:14:23.0734 2972 C: ↔ \Device\Harddisk0\DR0\Partition1
12:14:23.0781 2972 H: ↔ \Device\Harddisk2\DR5\Partition1
12:14:23.0781 2972 ============================================================
12:14:23.0781 2972 Initialize success
12:14:23.0781 2972 ============================================================

Could you attach the log located at C:|TDSSKiller date time please it will be bigger than the one you posted

Here is the correct TDSSKiller report attached.

Re-run TDSSKiller with the same parameters
When this element appears then select delete :

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will alert

Once done could you let me know what problems remain

Hi,

Re-ran TDSSKiller with the same parameters
and the element did not appear:

\Device\Harddisk0\DR0 ( TDSS File System )

Avast did not alert.

OK how is the computer behaving now ?

Hi essexboy,

The Popups have stopped.

Thanks very much for your patience and help…

How can this problem be prevented, and will Avast attack it in the future?

The malware changes on an almost hourly basis, but if it does get in then Avast will block it from accessing then net

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[] Go to this site and click Do I have Java
[
] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: