Hello I’ve recently been getting pop ups stating that a “Malicious URL” has been blocked.
The logs are posted below and apparently my OTL is too large, please help.
aswMBR:
12:57:24.304 OS Version: Windows x64 6.1.7601 Service Pack 1
12:57:24.304 Number of processors: 8 586 0x2A07
12:57:24.304 ComputerName: ANTHONY-PC UserName: Anthony
12:57:24.594 Initialize success
12:57:24.654 AVAST engine defs: 12080300
12:57:39.725 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T1L0-7
12:57:39.725 Disk 0 Vendor: Hitachi_HDS721010CLA332 JP4OA3MA Size: 953869MB BusType: 3
12:57:39.735 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP4T0L0-8
12:57:39.735 Disk 1 Vendor: Corsair_Force_GT 1.3 Size: 114473MB BusType: 11
12:57:39.745 Disk 2 \Device\Harddisk2\DR2 → \Device\Ide\IdeDeviceP5T0L0-9
12:57:39.745 Disk 2 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 11
12:57:39.745 Device \Driver\atapi → MajorFunction fffffa800712b5e8
12:57:39.755 Disk 1 MBR read successfully
12:57:39.755 Disk 1 MBR scan
12:57:39.765 Disk 1 Windows 7 default MBR code
12:57:39.765 Disk 1 MBR hidden
12:57:39.765 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:57:39.775 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 114371 MB offset 206848
12:57:39.785 Disk 1 scanning C:\Windows\system32\drivers
12:57:40.725 Service scanning
12:57:42.845 Modules scanning
12:57:42.845 Disk 1 trace - called modules:
12:57:42.855 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800712b5e8]<<
12:57:42.855 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0xfffffa8006f67790]
12:57:42.865 3 CLASSPNP.SYS[fffff8800160143f] → nt!IofCallDriver → [0xfffffa80069cce40]
12:57:42.865 5 ACPI.sys[fffff88000eca7a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP4T0L0-8[0xfffffa8006ce0060]
12:57:42.875 \Driver\atapi[0xfffffa8006ec1ac0] → IRP_MJ_CREATE → 0xfffffa800712b5e8
12:57:43.135 AVAST engine scan C:\Windows
12:57:43.515 AVAST engine scan C:\Windows\system32
12:57:59.205 AVAST engine scan C:\Windows\system32\drivers
12:58:00.285 AVAST engine scan C:\Users\Anthony
12:58:13.395 AVAST engine scan C:\ProgramData
12:58:17.025 Scan finished successfully
12:59:05.369 Disk 1 MBR has been saved successfully to “E:\OTL\MBR.dat”
12:59:05.373 The log file has been saved successfully to “E:\OTL\aswMBR.txt”
Malwarebytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.03.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Anthony :: ANTHONY-PC [administrator]
8/3/2012 12:11:39 PM
mbam-log-2012-08-03 (12-11-39).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 235085
Time elapsed: 45 second(s)
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 2264 → Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.
(end)
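A small triage script for the two logs above, added here as an example; it is not part of this thread and not code from Malwarebytes or aswMBR. It pulls out the three things a malware-removal helper reads from these logs: the Malwarebytes detection is a svchost.exe running from C:\Windows rather than C:\Windows\System32 (where the genuine service host lives), and the aswMBR log reports the boot disk's MBR as hidden and shows the atapi driver's MajorFunction at an address aswMBR could not attribute to any loaded module (the >>UNKNOWN<< entry), which is why the next step in the thread is TDSSKiller. The log excerpts embedded below are copied from the posts above (the page renders the tool's "->" as an arrow; the script accepts both); the set of legitimate directories is an assumption for a default install on C:.

```python
"""Triage helper for a Malwarebytes (mbam) log and an aswMBR log (added example)."""
import re
from typing import Dict, List, Optional

# Constructed excerpts, copied from the logs posted earlier in this thread.
MBAM_LOG = """\
Memory Processes Detected: 1
C:\\Windows\\svchost.exe (Trojan.Agent) -> 2264 -> Delete on reboot.
Files Detected: 1
C:\\Windows\\svchost.exe (Trojan.Agent) -> Delete on reboot.
"""

ASWMBR_LOG = """\
12:57:39.745 Device \\Driver\\atapi -> MajorFunction fffffa800712b5e8
12:57:39.755 Disk 1 MBR read successfully
12:57:39.765 Disk 1 Windows 7 default MBR code
12:57:39.765 Disk 1 MBR hidden
12:57:42.855 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800712b5e8]<<
12:57:42.875 \\Driver\\atapi[0xfffffa8006ec1ac0] -> IRP_MJ_CREATE -> 0xfffffa800712b5e8
"""

# Core system binaries and the only directories they legitimately run from on a
# default Windows 7 x64 install (assumption: system drive is C:).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# mbam detection line: "<path> (<detection>) -> <pid> -> <action>"; the PID part
# is present only for running processes, not for on-disk files.
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\)(?: -> (?P<pid>\d+))?")
# aswMBR: a call-chain entry it could not map to a loaded driver image.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x(?P<addr>[0-9a-fA-F]+)\]<<")
# aswMBR: the address a driver's MajorFunction table points at.
HOOK_RE = re.compile(r"Device (?P<drv>\\Driver\\\w+) -> MajorFunction (?P<addr>[0-9a-fA-F]+)")


def _normalize(text: str) -> str:
    """The forum renders the tools' '->' as a Unicode arrow; accept either."""
    return text.replace("\u2192", "->")


def parse_mbam_detections(text: str) -> List[Dict[str, object]]:
    """Return every detection line as {path, name, pid} (pid is None for files)."""
    found: List[Dict[str, object]] = []
    for line in _normalize(text).splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append({"path": m.group("path"), "name": m.group("name"),
                          "pid": int(m.group("pid")) if m.group("pid") else None})
    return found


def masquerading_system_binaries(detections: List[Dict[str, object]]) -> List[str]:
    """Paths named like a core system binary but located outside the system directories."""
    hits: List[str] = []
    for d in detections:
        path = str(d["path"])
        directory, _, filename = path.lower().rpartition("\\")
        if filename in SYSTEM_BINARIES and directory not in LEGIT_DIRS and path not in hits:
            hits.append(path)
    return hits


def aswmbr_indicators(text: str) -> Dict[str, object]:
    """Rootkit-style indicators from an aswMBR log: hidden MBR and a hooked disk driver."""
    text = _normalize(text)
    unknown = UNKNOWN_RE.search(text)
    hook = HOOK_RE.search(text)
    unknown_addr: Optional[str] = unknown.group("addr").lower() if unknown else None
    hook_addr: Optional[str] = hook.group("addr").lower() if hook else None
    return {
        "mbr_hidden": bool(re.search(r"Disk \d+ MBR hidden", text)),
        "unknown_module": unknown_addr,
        "hooked_driver": hook.group("drv") if hook else None,
        # The strongest sign: the driver's dispatch address IS the unattributed module.
        "hook_matches_unknown": unknown_addr is not None and unknown_addr == hook_addr,
    }


def triage_summary(mbam_text: str, aswmbr_text: str) -> List[str]:
    """Human-readable findings; an empty list means neither log shows these indicators."""
    findings: List[str] = []
    for path in masquerading_system_binaries(parse_mbam_detections(mbam_text)):
        findings.append(f"system binary name in a non-system directory: {path}")
    ind = aswmbr_indicators(aswmbr_text)
    if ind["mbr_hidden"]:
        findings.append("aswMBR reports the boot disk MBR as hidden")
    if ind["hook_matches_unknown"]:
        findings.append(f"{ind['hooked_driver']} MajorFunction points into an "
                        f"unattributed module at 0x{ind['unknown_module']}")
    return findings


if __name__ == "__main__":
    for line in triage_summary(MBAM_LOG, ASWMBR_LOG):
        print("-", line)
```

Run stand-alone it prints the three findings for the logs in this thread; feed it a clean pair of logs and it prints nothing. The path check is deliberately narrow (exact directory match), so a copy at C:\Windows\System32\drivers\svchost.exe or on another drive letter would be reported as suspect, which is the right default for triage.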
You should be able to attach the log (not copy and paste) using the Attachments and other options in the Reply window (see image).
Provided the file isn’t greater than 192KB.
If it does exceed that you can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.
Thanks, didn’t think of that. Here’s the OTL log
You’re welcome.
A malware removal specialist has been informed of your topic.
Hi, this will be a long fix; please do all steps in the following order.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Files
ipconfig /flushdns /c
C:\Windows\Installer\{d6b79236-9382-cc24-b7b9-86ba93e108a7}
C:\Users\Administrator\AppData\Local\{d6b79236-9382-cc24-b7b9-86ba93e108a7}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
THEN
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
http://dl.dropbox.com/u/73555776/TDSSFront.JPG
- Then click on Change parameters.
http://dl.dropbox.com/u/73555776/TDSSConfig.JPG
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip; click on Continue.
http://dl.dropbox.com/u/73555776/TDSSFound.JPG
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
http://dl.dropbox.com/u/73555776/TDSSEnd.JPG
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
FINALLY
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- Double-click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
The popups have ceased, so I assume that the infection is now fixed, thanks! I’ll update if they come back or not, but so far so good. Here are the logs as well, thanks again!
Could you attach the TDSSKiller log please
Sorry, forgot about this one.
Could you re-run TDSSKiller please as the report was incomplete