Avast Free help

Starting just today I have been getting pop-ups from Avast Free about blocking Mal URLs:
1 – 201407db0a.eamia.net/get2.php/(long sequence of characters follows here), process listed as explorer.exe

2 – 95.143.193.171, longtrip-todayz.com, lkckclcklili.com; these 3 are listed as process svchost.exe

The only thing I changed today was looking for some no-CD patches for some of my old games that I have installed but haven’t played in years. For one it was just a simple file swap; the other was a patcher utility, but it was downloaded from a reputable site that I have used many times in the past without problems.

I made sure Avast is up to date and ran scans, I used CCleaner and Spy-bot to scan also.

Avast is blocking them but I can’t figure out how to find them and remove the problems. Any help is greatly appreciated. Thank you.

Hey, I suggest you run a Malwarebytes Anti-Malware scan. Find it at this link and post the log when complete:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html is Malwarebytes.

Malwarebytes is a scanner, but since it’s the free version it’s an on-demand scanner and not a real-time scanner; therefore it is fine to install with no conflicts with Avast.

Secondly, Avast does not need to be disabled, just let it run, and if Avast finds anything during the scan move it to chest and proceed with MBAM scan.

CD patches are often looked for by people pirating the game, and you will experience mass numbers of “no-cd patch downloads” that are suspicious, since the “no cd” process is usually illegal.

lo ngtrip-todayz. com, lkckcl cklili. com both came back as infected links.

Thanks I will try that. I don’t want to do anything to Avast, been a long time user. It is that the pop-ups tell me Avast blocked the URLs but that is it, no info or any kind of action to take against them.

It is blocking something malicious from accessing those sites. Meaning there is most probably something infected causing this to happen. Malwarebytes will more than likely find it.

UPDATE: Which version of Windows are you using?

Windows XP

I also need the service pack level for XP. To get this, just follow the steps below and it should be easy to retrieve this information.

Press the Start icon, right-click “My Computer” on the right side near the top and scroll down to “Properties”. The service pack should be shown in the information the “General” tab shows. Also, knowing whether it’s Windows XP Home, Professional, etc. would be good information as well. The above will only work providing that you have two columns of programs when you open your Start menu; otherwise right-click My Computer on your desktop and follow the above as mentioned.

How did the scan go? Did you just do a quick or full scan?

Windows XP Pro Service Pack 3

MalwareBytes did detect and eliminate some items but I am still having the URL:MAL pop-ups. I tried both a quick and full scan and double checked to make sure it was up to date.

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

Ok here is the aswMBR scan log -

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 01:52:27

01:52:27.670 OS Version: Windows 5.1.2600 Service Pack 3
01:52:27.670 Number of processors: 1 586 0x402
01:52:27.670 ComputerName: KRIS-9D594FBFC9 UserName: Kris
01:52:29.853 Initialize success
01:56:11.362 The log file has been saved successfully to “C:\Documents and Settings\Kris\Desktop\aswMBR.txt”

And here are the results from the MalWareBytes scans; the first is a quick scan, the second is a full scan -

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 9:58:20 PM
mbam-log-2011-05-14 (21-58-01).txt

Scan type: Quick scan
Objects scanned: 136759
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\msvbdl.dll (Trojan.Hiloti) → No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) → No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsijeboqutuna (Trojan.Hiloti) → Value: Jsijeboqutuna → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\msvbdl.dll (Trojan.Hiloti) → No action taken.
c:\downloads\webfettisetup2.3.67.1.zkfox000.exe (Adware.MyWebSearch) → No action taken.
c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe (Adware.MyWebSearch) → No action taken.
c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp (Trojan.Hiloti) → No action taken.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 11:10:49 PM
mbam-log-2011-05-14 (23-10-40).txt

Scan type: Full scan (C:|)
Objects scanned: 198212
Time elapsed: 46 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\daemon tools pro\daemon.tools.pro.patch.exe (Trojan.Agent) → No action taken.

I have no idea why it says ‘No Action Taken’; they were all quarantined.
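A helper reading logs like the two above has to pick the same things out by hand every time: which sections actually list items, which threat families recur, whether anything sits in an autorun location, and whether the logged action was “No action taken” (in these Malwarebytes 1.x logs that typically means the log was saved as soon as the scan finished, before “Remove Selected” was clicked, so the post-removal log is the one to ask for). The parser below is an added example, not code from the original thread or from Malwarebytes; it is written against the log layout shown above, and the sample log it embeds is constructed, with illustrative paths and threat names rather than values from a real machine.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes 1.x logs posted in this
# thread. Paths, keys and threat names are illustrative placeholders.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 9:58:20 PM
mbam-log-2011-05-14 (21-58-01).txt

Scan type: Quick scan
Objects scanned: 136759
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\\WINDOWS\\example.dll (Trojan.Example) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Key (Adware.Example) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Xyz (Trojan.Example) -> Value: Xyz -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\\WINDOWS\\example.dll (Trojan.Example) -> No action taken.
c:\\downloads\\setup.exe (Adware.Example) -> Quarantined and deleted successfully.
"""

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# "<item> (<threat>) -> [Value: x ->] <action>." ; accept the ASCII arrow the
# tool writes and the Unicode arrow forum extraction tends to turn it into.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\)(?P<rest>(?:\s*(?:->|→).*)?)$")
ARROW_RE = re.compile(r"\s*(?:->|→)\s*")


def parse_mbam_log(text):
    """Split a Malwarebytes 1.x log into header fields, summary counts and findings."""
    header, summary, findings, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:   # "Files Infected:"
            section = line[:-1]
            continue
        m = re.match(r"^(.+ Infected): (\d+)$", line)      # "Files Infected: 4"
        if m and section is None:
            summary[m.group(1)] = int(m.group(2))
            continue
        if section is None:                                # header block
            if ": " in line:
                key, _, value = line.partition(": ")
                header[key] = value
            continue
        if line == "(No malicious items detected)":
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = [p for p in ARROW_RE.split(m.group("rest")) if p]
        action = parts[-1].rstrip(".") if parts else ""
        findings.append({"section": section, "item": m.group("item"),
                         "threat": m.group("threat"), "action": action})
    return {"header": header, "summary": summary, "findings": findings}


def pending_items(report):
    """Findings whose logged action is 'No action taken' (log saved before removal)."""
    return [f for f in report["findings"] if f["action"].lower() == "no action taken"]


def persistence_items(report):
    """Findings under a Run/RunOnce key, i.e. entries that re-launch after reboot."""
    return [f for f in report["findings"]
            if re.search(r"\\CurrentVersion\\Run(Once)?\\", f["item"], re.I)]


def threat_families(report):
    """How many listed findings each detection name accounts for."""
    return Counter(f["threat"] for f in report["findings"])


def summary_mismatches(report):
    """Sections whose summary count disagrees with the items actually listed."""
    counts = Counter(f["section"] for f in report["findings"])
    return {s: (n, counts.get(s, 0)) for s, n in report["summary"].items()
            if counts.get(s, 0) != n}


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print(report["header"]["Scan type"], "| database", report["header"]["Database version"])
    for threat, n in threat_families(report).most_common():
        print(f"{n:2d} x {threat}")
    for f in persistence_items(report):
        print("autorun entry:", f["item"])
    for f in pending_items(report):
        print("logged as 'No action taken' (ask for post-removal log):", f["item"])
    print("summary/list mismatches:", summary_mismatches(report) or "none")
```

Paste a real log into `SAMPLE_LOG` (or read it from the saved `mbam-log-*.txt`) and the same three checks apply: recurring families show whether a single dropper explains all the hits, an entry under a Run key explains why the pop-ups return after every reboot, and a log full of “No action taken” is not evidence that anything was removed.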

That is not the log… the log can be found here: “C:\Documents and Settings\Kris\Desktop\aswMBR.txt”
Use the “Additional Options” to attach the file to the post (see screenshot).

@ KMT4977,

Update MBAM again.

Check your settings in MBAM:
- General: Automatically Save File After Scan Completes is checked off
- Scanner Settings: Check all boxes
- Updater: Download and install update if available is checked off
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
- Click the “remove selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.

Follow the directions regarding the aswMBR scan log that Zyndstoff posted and you can post that in your next post with your MBAM log as well. Thank you.

Ok here is the aswMBR log -

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 01:52:27

01:52:27.670 OS Version: Windows 5.1.2600 Service Pack 3
01:52:27.670 Number of processors: 1 586 0x402
01:52:27.670 ComputerName: KRIS-9D594FBFC9 UserName: Kris
01:52:29.853 Initialize success
01:56:11.362 The log file has been saved successfully to “C:\Documents and Settings\Kris\Desktop\aswMBR.txt”

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-18 04:38:45

04:38:45.253 OS Version: Windows 5.1.2600 Service Pack 3
04:38:45.253 Number of processors: 1 586 0x402
04:38:45.253 ComputerName: KRIS-9D594FBFC9 UserName: Kris
04:38:46.365 Initialize success
04:38:59.704 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
04:38:59.714 Disk 0 Vendor: WDC_WD800JB-00JJA0 05.01C05 Size: 76319MB BusType: 3
04:38:59.714 Device \Driver\atapi → DriverStartIo 822b053b
04:38:59.714 Disk 0 MBR read error 0
04:38:59.714 Disk 0 MBR scan
04:38:59.714 Disk 0 unknown MBR code
04:38:59.714 MBR BIOS signature not found 0
04:38:59.724 Disk 0 scanning sectors +156280320
04:38:59.724 Disk 0 scanning C:\WINDOWS\system32\drivers
04:39:04.601 Service scanning
04:39:06.103 Disk 0 trace - called modules:
04:39:06.113 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x822b06f0]<<
04:39:06.113 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x823cfab8]
04:39:06.113 3 CLASSPNP.SYS[f8576fd7] → nt!IofCallDriver → \Device\0000005e[0x823b0030]
04:39:06.464 5 ACPI.sys[f83eb620] → nt!IofCallDriver → [0x823edd98]
04:39:06.464 \Driver\atapi[0x822655c0] → IRP_MJ_CREATE → 0x822b06f0
04:39:06.474 Scan finished successfully
04:39:27.905 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Kris\Desktop\MBR.dat”
04:39:27.915 The log file has been saved successfully to “C:\Documents and Settings\Kris\Desktop\aswMBR.txt”


When I tried to run Malwarebytes I got these messages -
vbAccelerator SGrid II con…
Run-time error ‘0’

MalwareBytes’ Anti-Malware
Run-time error ‘440’
Automation Error

I tried uninstalling it and reinstalling it and that didn’t help.
I appreciate all the help you are offering, but this is maddening. I am about ready to just find out when my buddy will have time to reinstall Windows and just format my HD.

So that I can see what is going on in your machine, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode). Post the OTS log as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to, for malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Let me know if you have any questions. Thank you.

OK, will run that now. Not sure if disconnecting will do any good since this has been going on for a few days and my fiancé’s and my computers are just plugged into our router, no actual network set up (not sure if that would make a difference). I’ll post the log when done.

I am posting this from my fiancé’s computer. Whenever I try to post a reply from my computer I get a screen saying that the connection has been reset almost immediately. My internet is still connected so I could attach the log file; I can browse the web as normal.

UPDATE - My computer won’t upload the OTS log file, not even to attach it to an email to send to myself. :cry:

Looks like a TDL3 & 4 infection

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

The log was too many characters to paste so I attached it.

Here is the OTS log also, no idea why it didn’t work before -

On completion of this run can you let me know what the problems are?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9D425283-D487-4337-BAB6-AB8354A81457} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {BEAC7DC8-E106-4C6A-931E-5A42E7362883} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "LClock" -> [C:\Program Files\LClock\LClock.exe]
< RunOnce [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< RunOnce [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< RunOnce [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "ShowDeskFix" -> [regsvr32 /s /n /i:u shell32]
< Run [HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\] > -> HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Exetender" -> ["C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe" -> [C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe:*:Enabled:EQVoiceService]
YN -> "C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe" -> [C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe:*:Enabled:Soulstorm]
YN -> "C:\Program Files\Ventrilo\Ventrilo.exe" -> [C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe]
YN -> "C:\Program Files\World of Warcraft Trial\Launcher.exe" -> [C:\Program Files\World of Warcraft Trial\Launcher.exe:*:Enabled:Blizzard Launcher]
[Custom Items]
:Files
c:\WINDOWS\msvbdl.dl
c:\downloads\webfettisetup2.3.67.1.zkfox000.exe
c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe
c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp 
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Here is the log-

All Processes Killed
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0ED403E8-470A-4a8a-85A4-D7688CFE39A3}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{9D425283-D487-4337-BAB6-AB8354A81457}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{9D425283-D487-4337-BAB6-AB8354A81457}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LClock deleted successfully.
Registry value HKEY_USERS.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ShowDeskFix deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ShowDeskFix not found.
Registry value HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ShowDeskFix deleted successfully.
Registry value HKEY_USERS\S-1-5-21-73586283-492894223-854245398-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exetender deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Kris\Desktop\EQ UF Beta\EQVoiceService.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\THQ\Dawn of War - Soulstorm\Soulstorm.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Ventrilo\Ventrilo.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\World of Warcraft Trial\Launcher.exe deleted successfully.
[Custom Items]
========== FILES ==========
File/Folder c:\WINDOWS\msvbdl.dl not found.
File/Folder c:\downloads\webfettisetup2.3.67.1.zkfox000.exe not found.
File/Folder c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe not found.
File/Folder c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp not found.
[Empty Temp Folders]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Kris
->Temp folder emptied: 86958400 bytes
->Temporary Internet Files folder emptied: 8810792 bytes
->Java cache emptied: 488 bytes
->FireFox cache emptied: 77998726 bytes
->Flash cache emptied: 2345 bytes

User: LocalService
->Temporary Internet Files folder emptied: 13474285 bytes
->Flash cache emptied: 1078 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 39950102 bytes
->Flash cache emptied: 2458 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2381003 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 169883614 bytes

Total Files Cleaned = 383.00 mb

[EMPTYFLASH]

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: Kris
->Flash cache emptied: 0 bytes

User: LocalService
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05182011_174339

Files\Folders moved on Reboot…
File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…
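The fix script above lists files under `:Files` and the fix log reports, per path, whether OTS found and moved them. Reading the two side by side is how a helper confirms the fix did what was asked: a path that comes back “not found” was either already gone (MBAM had quarantined it) or never matched, and a mistyped path in the script matches nothing at all. The checker below is an added example, not code from the thread, from OTS or from OldTimer; the fix script and fix log it embeds are constructed in the layout shown above with placeholder paths, and the “moved successfully” wording for a file OTS did move is an assumption (only the “not found” wording appears on this page).

```python
import re

# Constructed OTS fix script in the layout posted in this thread (placeholder paths).
FIX_SCRIPT = """\
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\\] > -> HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
YN -> "Example" -> [C:\\Program Files\\Example\\example.exe]
[Custom Items]
:Files
c:\\WINDOWS\\badlib.dl
c:\\downloads\\setup.exe
c:\\temp\\abc.tmp
:end
[Empty Temp Folders]
[CreateRestorePoint]
"""

# Constructed OTS fix log for that script. "not found" lines follow the wording on
# the page; the "moved successfully" line is an assumed wording for a successful move.
FIX_LOG = """\
All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Example deleted successfully.
[Custom Items]
========== FILES ==========
File/Folder c:\\WINDOWS\\badlib.dl not found.
C:\\downloads\\setup.exe moved successfully.
File/Folder c:\\temp\\abc.tmp not found.
[Empty Temp Folders]
Restore point Set: OTS Restore Point (0)
< End of fix log >
"""


def requested_files(script):
    """Paths listed between ':Files' and ':end' in the fix script."""
    files, inside = [], False
    for line in script.splitlines():
        s = line.strip()
        if s.lower() == ":files":
            inside = True
        elif s.lower() == ":end":
            inside = False
        elif inside and s:
            files.append(s)
    return files


def file_results(log):
    """Map each path mentioned in the FILES part of the fix log to its outcome."""
    results = {}
    for line in log.splitlines():
        s = line.strip()
        m = re.match(r"^File/Folder (.+?) not found\.$", s)
        if m:
            results[m.group(1).lower()] = "not found"   # paths are case-insensitive on Windows
            continue
        m = re.match(r"^(.+?) moved successfully\.$", s)
        if m:
            results[m.group(1).lower()] = "moved"
    return results


def registry_results(log):
    """Count registry keys/values the fix log reports as deleted versus not found."""
    deleted = len(re.findall(r"^Registry (?:key|value) .+ deleted successfully\.$", log, re.M))
    missing = len(re.findall(r"^Registry (?:key|value) .+ not found\.$", log, re.M))
    return {"deleted": deleted, "not found": missing}


def unresolved_files(script, log):
    """Requested paths that the log does not confirm as moved: already gone, or a typo."""
    results = file_results(log)
    return [f for f in requested_files(script) if results.get(f.lower()) != "moved"]


if __name__ == "__main__":
    print("registry:", registry_results(FIX_LOG))
    for path in unresolved_files(FIX_SCRIPT, FIX_LOG):
        print("not confirmed moved, re-check the path or an earlier quarantine:", path)
```

A path in the unresolved list deserves a second look before the machine is declared clean: compare it character by character with the path the scanner logged, and check the quarantine of whichever tool ran earlier, since “not found” on its own does not say which of the two explanations applies.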