Avast is giving me "Malicious URL Blocked" msgs

Avast is giving me “Malicious URL Blocked” msgs every few seconds… I cannot connect to Google but can connect to Bing. Running updated XP Pro; very unstable, having wireless connectivity problems too.
Researched various malware removal forums and did the following, and attached logs.
1.-Downloaded latest versions of MBAM, OTL, Farbar and Kaspersky TDSS Killer.
2.-Ran them all following the forums' advice and have attached the MBAM log to start with.
I’m sure that more is needed and will await further instructions.
Many thanks in advance.

MBAM Log
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.23.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: OPTIPLEXGX280 [administrator]
9/23/2012 1:35:05 PM
mbam-log-2012-09-23 (13-35-05).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254031
Time elapsed: 16 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\AppID\activex.DLL (Adware.180Solutions) → Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) → Quarantined and deleted successfully.

Registry Values Detected: 2
HKCR\.exe\shell\open\command| (Hijack.ExeFile) → Data: "C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "%1" %* → Quarantined and deleted successfully.
HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) → Data: 825178b8003c4cc23212908bf0008128 → Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) → Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) → Quarantined and repaired successfully.

Folders Detected: 3
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) → No action taken.

Files Detected: 7
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PlaySushiFF.dll (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\PSTextLinks.xpt (PUP.PlaySushi) → No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\is1438683437\IWantThis.exe (Adware.GamePlayLabs) → Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\sdhttt.exe (Exploit.Drop.GS) → Quarantined and deleted successfully.
(end)
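The log pasted above is the plain-text format of Malwarebytes Anti-Malware 1.x. As an added example (not code from this thread, from Malwarebytes or from the forum), here is a small Python parser for that format that groups the detections by the action MBAM took, lists what was left in place ("No action taken", which is why the helper asks for further scans), and pulls the found/expected pairs out of the `Hijack.*` registry entries so the interposed executable is visible at a glance. The format rules are inferred from the posted log, the embedded sample log is constructed and shortened from it, and the parser assumes one item per line as MBAM writes it (the forum rendering wrapped the long ones).

```python
# Added example for this thread (not Malwarebytes' or the forum's code): parse a
# Malwarebytes Anti-Malware 1.x scan log like the one posted above and triage it.
# Format, inferred from that log: section headers "<Kind> Detected: N", then one
# item per line of the form "<location> (<threat>) -> [details ->] <action>."
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log, modelled on (and shortened from) the posted entries.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.65.0.1400
Scan type: Quick scan

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\AppID\activex.DLL (Adware.180Solutions) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\upw.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> No action taken.

Files Detected: 2
C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\sdhttt.exe (Exploit.Drop.GS) -> Quarantined and deleted successfully.
(end)
"""

HEADER_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: \d+$")
ITEM_RE = re.compile(r"^(?P<location>.*) \((?P<threat>[^()]+)\)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")
# MBAM writes " -> "; forum software often renders it as an arrow, so accept both.
SEPARATOR_RE = re.compile(" (?:->|→) ")


@dataclass
class Detection:
    kind: str       # log section, e.g. "Registry Values"
    location: str   # registry key/value or file path
    threat: str     # MBAM threat name, e.g. "Hijack.ExeFile"
    action: str     # what MBAM did, e.g. "No action taken"
    details: list = field(default_factory=list)  # "Data: ..." or "Bad: (...) Good: (...)"


def parse_mbam_log(text):
    """Return one Detection per item line; the banner and empty sections are skipped."""
    detections, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        header = HEADER_RE.match(line)
        if header:
            kind = header.group("kind")
            continue
        if kind is None:          # still in the banner above the first section
            continue
        parts = SEPARATOR_RE.split(line)
        item = ITEM_RE.match(parts[0]) if len(parts) >= 2 else None
        if item:
            detections.append(Detection(kind, item["location"], item["threat"],
                                        parts[-1].rstrip("."), parts[1:-1]))
    return detections


def action_summary(detections):
    return Counter(d.action for d in detections)


def unresolved(detections):
    """Items MBAM listed but neither quarantined nor repaired: these need a follow-up scan."""
    return [d for d in detections if d.action.startswith("No action taken")]


def hijacked_commands(detections):
    """(location, value found, value expected) for every Hijack.* registry item."""
    out = []
    for d in detections:
        if not d.threat.startswith("Hijack."):
            continue
        bad = good = None
        for det in d.details:
            m = BAD_GOOD_RE.match(det)
            if m:
                bad, good = m["bad"], m["good"]
            elif det.startswith("Data: "):   # value-style entries carry only the bad data
                bad = det[len("Data: "):]
        out.append((d.location, bad, good))
    return out


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for action, n in action_summary(dets).items():
        print(f"{n:2d}  {action}")
    for d in unresolved(dets):
        print(f"LEFT IN PLACE  [{d.threat}] {d.location}")
    for loc, bad, good in hijacked_commands(dets):
        print(f"HIJACK {loc}\n   found:    {bad}\n   expected: {good}")
```

The two `Hijack.*` entries are the ones worth reading closely: the `.exe` file association and the browser launch commands were rewritten to run `upw.exe` first with the real program as its argument, so every executable launch passed through the dropped binary. `hijacked_commands` prints that value next to the value MBAM restored, which is a quick way to confirm a later scan of the same machine no longer shows the interposed path.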

See the guide at top in this forum section
We need adwcleaner / otl / aswmbr logs

Here are the adwcleaner and the ASWmbr logs asked for.
OTL will follow in second post.
Thanks again…

Here is the OTL log…

OK, ZeroAccess is the culprit

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.netbt)
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://search.babylon.com/?affID=110790&tt=120912_nocpc_3812_7&babsrc=HP_ss&mntrId=7cb1a7d20000000000000026f21304f4"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?affID=110790&tt=120912_nocpc_3812_7&babsrc=KW_ss&mntrId=7cb1a7d20000000000000026f21304f4&q="
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
[2012/09/20 10:16:11 | 000,002,362 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-1659004503-725345543-1195008661-1003\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
[2011/12/25 15:01:25 | 000,001,210 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\ob67akwv7ou5114we4760jn1oi7nx4o7
[2011/12/25 15:01:25 | 000,001,210 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\ob67akwv7ou5114we4760jn1oi7nx4o7
[2011/11/25 19:10:55 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\OfMqzobdP3uXeN
[2011/07/11 21:37:00 | 000,011,634 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\5rsib6l462hk4lw57
[2011/07/11 21:37:00 | 000,011,634 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\5rsib6l462hk4lw57
@Alternate Data Stream - 85 bytes -> C:\Documents and Settings\All Users\Desktop:$SS_DESCRIPTOR_PBVUV9VK9VF9FPMVAP4RKXT95KVVVVVVVVVVVVV

:Files
C:\WINDOWS\Installer\{3c60d7a8-d9a5-7926-b286-d8a2e324b183}
C:\Documents and Settings\Owner\Local Settings\Application Data\{3c60d7a8-d9a5-7926-b286-d8a2e324b183}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

Thanks again for your help, did the following…
Ran OTL with your script fix - log attached
Ran ComboFix - noticed “rootkit detected, Rootkit.ZeroAccess” - log attached.

During the process, a dialog box indicated a failed restore point attempt due to “failed to download required files - Aborting”.
Also saw that “Recovery Console not installed”.

PC seems to run ok for now and Google can be accessed. So far so good…
Anything else?

Any further problems before I tidy up ?

Thanks again for the help. Much appreciated!!!
This morning I had a problem over and over before finally getting past booting to desktop.
Tried to download Microsoft XP Updates; none ever downloaded no matter how long I waited. Then the system started locking up.
Every time the desktop finished loading and the system tray loaded, every action after that kept totally locking up the entire PC to the point of having to do a hard reboot many times. Tried safe mode, debugging mode, etc. No difference.
Even tried to do a system restore to the last OTL restore point from yesterday and that would not work either, “failed to restore to…”
Then one time it all loaded correctly and I am now able to use the PC as before.
When the system seemed stable, I made a new system restore point for this afternoon.

Anyway, right now it’s working ok. Faster online, boots faster, Google is now working, no more Avast network shield pop ups. I am wondering though if anything else is still lurking around.
Should I rescan with Avast, MBAM, etc.?

Yes run a further MBAM scan and an Avast quick scan (Avast may detect quarantined files in Qoobox and OTL_moved files )

OK, will do. Thanks!!!

All’s well. Ran additional scans, nothing showing.
Thanks again for the service you have provided as it’s been very, very helpful.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave: