Help PLEASE!

The same 3 urls are being reported as blocked by Avast! (red popup).
hXXp://pasparttux.com/z/
hXXp://crossmatchx.com/x/
hXXp://85.195.92.11/x/
Same process listed for all: \/\globalroot\systemroot\svchost.exe

This is happening on my wifes laptop running win7 home premium. Avast! Internet Suite, fully updated. I ran a quick scan, then a full scan, then a custom scan with every thing turned on. NO THREATS FOUND on all 3 scans. Popups occurring repeatedly during all scans. Other pc’s on the same network (also running Avast! Internet Suite) have not indicated any problems all day. Does anyone have a clue what is happening and how to fix it?

Thanks in advance,
LDD

Update: Spybot found Smitfraud-C.generic trojan and fixed it. After the reboot the messages are still popping up but there are additional urls listed. I’ll list them when I catch the next round of popups. Rescanned with Spybot and the same trojan was found again so it hasn’t been removed.

Update: Attaching requested log files.

follow the guide and attach logs. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done the removers will be notified. it may take hours before one arrive so be patient

Rescanned with Spybot and the same trojan was found again so it hasn't been removed.

@ LordDragonDan
Please ‘modify’ your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Sorry, forgot it would post as a link. :-[

No problem just a reminder.

Adding FSS log. MB quarantined something and the popup have stopped.

Hi

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
FF - prefs.js..extensions.enabledAddons: ffxtlbr@funmoods.com:1.5.0
[2012/06/10 15:58:12 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\zrfje0e2.default\extensions\ffxtlbr@funmoods.com
O2 - BHO: (Funmoods Helper Object) - {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - C:\Program Files (x86)\Funmoods\1.5.23.22\bh\escort.dll (Funmoods BHO)
O3 - HKLM\..\Toolbar: (Funmoods Toolbar) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\Program Files (x86)\Funmoods\1.5.23.22\escorTlbr.dll (Funmoods)
O3 - HKU\S-1-5-21-1621724973-44800832-941819771-1000\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O33 - MountPoints2\{8c6d9e12-8197-11e0-95f7-a4badbc61937}\Shell - "" = AutoRun
O33 - MountPoints2\{8c6d9e12-8197-11e0-95f7-a4badbc61937}\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
O33 - MountPoints2\{935223d5-c9cb-11e1-9db4-a4badbc61937}\Shell - "" = AutoRun
O33 - MountPoints2\{935223d5-c9cb-11e1-9db4-a4badbc61937}\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
O33 - MountPoints2\{ac6e56ae-07da-11e1-92b2-a4badbc61937}\Shell - "" = AutoRun
O33 - MountPoints2\{ac6e56ae-07da-11e1-92b2-a4badbc61937}\Shell\AutoRun\command - "" = F:\HWPcAssistant.exe
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\HWPcAssistant.exe
@Alternate Data Stream - 196 bytes -> C:\ProgramData\TEMP:33A7CC67
@Alternate Data Stream - 189 bytes -> C:\ProgramData\TEMP:07A75CBF
@Alternate Data Stream - 153 bytes -> C:\ProgramData\TEMP:5095D8B1
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:2B059D79
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:DA18FD1D
@Alternate Data Stream - 124 bytes -> C:\ProgramData\TEMP:EA029835
@Alternate Data Stream - 107 bytes -> C:\ProgramData\TEMP:211ED887

:files
C:\Users\Cathy\AppData\Local\funmoods.crx
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

New OTL log and ComboFix log

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\svchost.exe

Firefox::
FF - ProfilePath - c:\users\Cathy\AppData\Roaming\Mozilla\Firefox\Profiles\zrfje0e2.default\
FF - user.js: extensions.funmoods.hmpg - false
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=axl&chnl=axl&cd=2XzutAtN2Y1L1Qzu0AyE0B0A0D0B0CyCtCzytAyB0EyE0B0CtN0D0TzutBtDtCtBtDyCtCtD&cr=1539127201
FF - user.js: extensions.funmoods.dfltSrch - false
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - false
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=axl&chnl=axl&cd=2XzutAtN2Y1L1Qzu0AyE0B0A0D0B0CyCtCzytAyB0EyE0B0CtN0D0TzutBtDtCtBtDyCtCtD&cr=1539127201
FF - user.js: extensions.funmoods.tlbrSrchUrl - 
FF - user.js: extensions.funmoods.id - 4608e4bc00000000000078e40052b25a
FF - user.js: extensions.funmoods.instlDay - 15501
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2215:56
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - axl
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - axl
FF - user.js: extensions.funmoods.dfltLng - 
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.

Here’s the logs.

Here’s the second TDSSKiller log. It was too much for 1 post.

[*]Re-run TDSSKiller.exe and click on Change parametres.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach the contents of it into your next reply
Note:It will also create a log in the [b]C:[/b] directory.

Here are the log and report file from TDSSKiller. My wife ran a scan earlier and Avast! found 2 infected files. We then ran a boottime scan. The only thing it found was what was in the TDSSKiller quarantine folder. I moved them to the chest in case someone at Avast! wants them. Have to add the report to another post due to size limit.

report file

Please re-run TDSSKiller as before (with change parametres ) and use Delete option for this entry:

\Device\Harddisk0\DR0 ( TDSS File System )

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\svchost.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

When I ran ComboFix it reported that the Avast! file shield was still running. I double checked and all 10 shields were disabled according to Avast!

This looks good

How’s your computer behaving now?

Good. My wife is using it now with no signs of popups, no problems at the moment.

Thank you!

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Run OTL and hit the CleanUp button.

Cheers

Done! Everything seems to be working fine.

Thanks again,

Dan