Avast keeps blocking malicious websites

I recently contracted some pretty serious malware on my system, including rootkits and FBI scamware that accused me of taking part in illegal activities. I have read several things online and tried a number of different methods, and finally I seemed to be free of everything.

List of software used (not necessarily in this order): Avira Free Antivirus (the original software I’d hoped would protect me); rkill; TDSSKiller; MalwareBytes; Autorun Eater; HitmanPro Trial scan; F-secure online scanner; Zone Alarm free version; SUPERAntiSpyware free version.

I originally scanned the computer with Avira, then used rkill and MalwareBytes. After that I did a system restore. Scans then wouldn’t pick up anything, but my active defense was disabled and I couldn’t update the virus definitions, making it obvious that something was still going on. I continued with F-secure and SUPERAntiSpyware, but still couldn’t get rid of that problem. After further reading, I tried TDSSKiller, and from there it seemed like things really freed up. Avira detected a number of different bits of malware and quarantined them. I then used HitmanPro, which really knocked out a lot.

But strange things continued to happen. Avira started thinking hundreds of files had been infected. I let it quarantine them at first, but then restored them and did a full scan. After this it only seemed to believe some of them were viruses. I wondered if Avira was having problems, so I uninstalled it and installed Avast, which required that I remove MalwareBytes. After a full Avast scan and another F-secure scan, I seemed to finally have eliminated everything. Things seemed okay on the computer, though I’ve stayed away from banking and such on this computer.

But after a week or two, Avast is blocking malicious sites, sometimes every 2 or 3 minutes, and lasting for several minutes. Then it seems to leave me alone. This often starts after I start Windows Live Movie Maker. Avast tells me that it is blocking these sites that I’m clearly not going to, tells me that programs like Google Chrome and Movie Maker are the programs trying to access them, etc. Further use of the same scanners, including TDSSKiller, Avast, and HitmanPro, seems to turn up nothing.

Am I still infected? Are all my good programs infected? How can I get rid of this?

Follow this guide and attach the logs (do not copy and paste):
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the malware experts will be notified and will help you. It may take hours before one arrives, so be patient.

Thanks. I’ll do as you suggest :)

Monitoring

Sorry for not posting my logs sooner. I had to leave that computer before the final scan was done. Here are most of the logs.

And the rest for OTL. I guess I do have some virus problem and probably should have put this in a different part of the forum. Sorry.

No problem, as I can run it just as easily from here.

Could you confirm that it is just Chrome giving the alerts?

Could you start Chrome in incognito mode and see if the alerts persist: http://support.google.com/chrome/bin/answer.py?hl=en&answer=95464

Could you attach the ComboFix log, please?

Oh, I forgot about ComboFix. Here’s the log for that. Thanks for the help.

network.proxy.socks - 202.164.211.76: did you set these proxies?

Also, does incognito stop the alerts?

Yeah, I used a YouTube video which suggested that exact proxy address with Firefox to get past a particular IP address block to a Star Wars site I enjoy (I got my work IP blocked because I jokingly signed up with a sock account to tease other site patrons, though they didn’t suspend my account). The proxy had numerous problems so I stopped using it and only use “No proxy.” I do visit proxy4free.com and use one of the suggested proxy sites there to access that site now.
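The exchange above turns on a single entry the helper spotted in the ComboFix log: a SOCKS proxy host left behind in the Firefox profile after the user switched back to "No proxy". A stale proxy entry is exactly the kind of thing worth checking directly rather than trusting the browser's settings dialog, because the host survives in prefs.js even when it is no longer active. The following script is an added example and is not code from the forum thread or from Avast or ComboFix. It parses the `user_pref("name", value);` lines of a Firefox prefs.js (the file format is Firefox's; the parsing and the reporting logic are mine), classifies the `network.proxy.type` code using Firefox's documented meanings (0 = no proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect, 5 = use system settings, which is assumed as the default when the key is absent), and lists every stored proxy host whether or not it is currently in use. The sample prefs.js is constructed for the example and reuses the address quoted in the thread; the port number is invented.

```python
"""Flag proxy settings stored in a Firefox prefs.js (added example, not from the thread).

Assumes the standard prefs.js line format  user_pref("name", value);
and Firefox's documented network.proxy.type codes. When network.proxy.type
is missing, Firefox uses the system proxy settings (5); that is assumed here.
"""
import re
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# One pref per line; the value is a quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

PROXY_TYPE_NAMES = {
    0: "no proxy",
    1: "manual proxy configuration",
    2: "automatic configuration (PAC URL)",
    4: "auto-detect (WPAD)",
    5: "use system proxy settings",
}

# Constructed sample: user set "No proxy" again, but the SOCKS host is still stored.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 0);
user_pref("network.proxy.socks", "202.164.211.76");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", true);
"""


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return a dict of pref name -> typed value for every user_pref line."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.group(1), m.group(2).strip()
        value: PrefValue
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as the raw text
        prefs[name] = value
    return prefs


def proxy_findings(prefs: Dict[str, PrefValue]) -> List[str]:
    """Describe the proxy mode and every stored proxy host, active or not."""
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type", 5)  # absent key -> Firefox default (system)
    if ptype == 1:
        findings.append("network.proxy.type = 1 (manual proxy configuration)")
    elif ptype == 2:
        pac = prefs.get("network.proxy.autoconfig_url", "<none>")
        findings.append(f"network.proxy.type = 2 (PAC URL: {pac})")
    elif ptype == 4:
        findings.append("network.proxy.type = 4 (auto-detect / WPAD)")
    elif ptype not in PROXY_TYPE_NAMES:
        findings.append(f"network.proxy.type = {ptype!r} (unknown value)")

    # A host that is stored but inactive is still evidence of past configuration.
    for proto in ("http", "ssl", "socks", "ftp"):
        host = prefs.get(f"network.proxy.{proto}")
        if host:
            port = prefs.get(f"network.proxy.{proto}_port", "")
            state = "active" if ptype == 1 else "inactive (stored)"
            findings.append(f"{proto} proxy {host}:{port} [{state}]")
    return findings


if __name__ == "__main__":
    parsed = parse_prefs(SAMPLE_PREFS_JS)
    mode = parsed.get("network.proxy.type", 5)
    print(f"proxy mode: {PROXY_TYPE_NAMES.get(mode, 'unknown')}")
    for finding in proxy_findings(parsed):
        print(" -", finding)
```

Point the script at the real file (prefs.js lives in the Firefox profile directory) by reading it into `parse_prefs` instead of `SAMPLE_PREFS_JS`. On the constructed sample it reports "no proxy" as the mode but still lists the SOCKS host as stored and inactive, which is the state the thread describes: the browser no longer uses the proxy, yet the address remains in the profile and shows up in scanner logs.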

As for Chrome, it’s hard to tell. It isn’t always blocking anything. When it has, I know I had the normal window open. I can try with incognito. Also, it isn’t just Chrome causing the problem. I’ll have to see if I can get it to start blocking again, but it actually seems to start with Windows Live Movie Maker. Avast! tells me the program trying to do it is Movie Maker, then it tells me it’s Chrome. I believe there was at least one other program it implicated, but I can’t remember which it was. Anyway, I’ll start Movie Maker and see if I can spur it to start blocking stuff again, and I’ll only keep incognito mode open with Chrome.

If you do get the block, could you screenshot the alert and post that?

Okay, here’s an example. I cropped it for privacy. It seems to start when I’m working on a particular project in Windows Live Movie Maker, not just when the program is merely open, as I left it open with nothing happening, but once I opened that project, it started. So far only one block.

EDIT: There has been a second block. I should also note that I only have Google Chrome open in incognito mode. No new website or tab actually opened–just the notice from Avast. I’m posting my second block.

I won’t post every block I get, but just as a sample I’ll include two more, one from RealPlayer and one from Chrome. At this point I had Chrome open and not incognito because I’d pressed ‘More Details’ when Avast blocked a site, causing the regular window to pop open and tell me I dodged a bullet. It’s blocked Chrome twice, but now I’ve closed the regular window. It’s blocked RealPlayer once, though I seldom use that software.

And if you do not open that project, then all is sweetness and light… When you open that project, all hell breaks loose.

Could you get Avast to scan that project’s files?

Just scanned My Documents, where all files associated with the project, including the project file itself, are saved. Nothing showed up :( My MalwareBytes scan last night found a single threat and eliminated it. Then the aswMBR found a rootkit. Not sure what to do about that one.

PEV is a part of ComboFix.

Does Chrome behave itself in incognito mode?

I have a feeling that one of the images in that project is infected; Avast does not recognise the file, but it is preventing it from calling home.

Could you try a different project in Windows Movie Maker to see if that prompts the same alerts?

Thus far I haven’t gotten any more notices with other projects. Strange thing is that even the original project doesn’t seem to be causing any problems anymore either. It seems that every day it tries a few times (I think it totalled like six tries in about an hour), then it seems to give up for a while. Could be the pictures.

Aye, if just one of the images is infected, then it would be the devil’s own job to track down which one.

I’m still concerned–aswMBR did pick up on a rootkit. What can I do to get rid of that? I’m pretty naive with this sort of thing, but in my limited knowledge those things scare me more than anything.

If it picked up PEV, then when we remove ComboFix that will disappear.