avast malicious url popup?

Viruses and worms
1

Hi. i am fixing a friends computer and i first used malwarebytes to run a scan. I detected about 13 infections that i removed. Then i ran an avast scan which also detected some viruses. I though they had all been removed, but now i get a popup saying a malicious url has been blocked? It happens all the time no matter what i do? So i have ran other scans with malwarebytes, and every time i do, it always detects 2 viruses no matter how many times i remove them. and the pop up is still there. i even tried running both programs in safe mode. any help would be great! thanks. malwarebytes logs below

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.25.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Elizabe :: ELIZABE-PC [administrator]

10/26/2012 11:47:25 AM
mbam-log-2012-10-26 (11-47-25).txt

Scan type: Full scan (C:|D:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 323803
Time elapsed: 1 hour(s), 4 minute(s), 48 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 2828 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.25.07

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Elizabe :: ELIZABE-PC [administrator]

10/25/2012 3:22:03 PM
mbam-log-2012-10-25 (15-22-03).txt

Scan type: Full scan (C:|D:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 325862
Time elapsed: 1 hour(s), 7 minute(s), 9 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 2536 → Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:$Recycle.Bin\S-1-5-18$396bc10f298855c1bcfdd01a8cd3c029\n (Trojan.0Access) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-18$396bc10f298855c1bcfdd01a8cd3c029\U\00000001.@ (Trojan.0Access) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-18$396bc10f298855c1bcfdd01a8cd3c029\U\80000000.@ (Trojan.0Access) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-18$396bc10f298855c1bcfdd01a8cd3c029\U\800000cb.@ (Trojan.0Access) → Quarantined and deleted successfully.
C:$Recycle.Bin\S-1-5-21-4053214801-2201288139-1469879384-1000$396bc10f298855c1bcfdd01a8cd3c029\n (Trojan.0Access) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\4394.tmp (Rootkit.ZeroAccess) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\43E3.tmp (Rootkit.ZeroAccess) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\B4BD.tmp (Rootkit.ZeroAccess) → Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\DRM\B4DE.tmp (Rootkit.ZeroAccess) → Quarantined and deleted successfully.
C:\Users\Elizabe\AppData\Local\Temp\4432.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Users\Elizabe\AppData\Local\Temp\B5B9.tmp (Rootkit.0Access) → Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.

(end)

2

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

3

AdwCleaner v2.005 - Logfile created 10/27/2012 at 02:26:01

Updated 14/10/2012 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Elizabe - ELIZABE-PC

Boot Mode : Normal

Running from : F:\AdwCleaner.exe

Option [Search]

***** [Services] *****

***** [Files / Folders] *****

Folder Found : C:\Users\Elizabe\AppData\Local\Temp\boost_interprocess

***** [Registry] *****

Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKLM\SOFTWARE\Software

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\ Mozilla Firefox v13.0.1 (en-US)

Profile name : default
File : C:\Users\Elizabe\AppData\Roaming\Mozilla\Firefox\Profiles\3ws574mi.default\prefs.js

[OK] File is clean.

-\ Google Chrome v [Unable to get version]

File : C:\Users\Elizabe\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

AdwCleaner[R1].txt - [1172 octets] - [27/10/2012 02:26:01]

########## EOF - C:\AdwCleaner[R1].txt - [1232 octets] ##########

4

here is the log from OTL…,

5

Hi you will need to remove Norton

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Files
C:\$Recycle.Bin\S-1-5-18\$396bc10f298855c1bcfdd01a8cd3c029

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

6

here the other otl log after running the fix and the quick scan. I am in the middle of running combofix now. will post log. thanks

7

here is the combpofix result log. i am now installing avast again and will see if i still get the pop malicious url warning. will let you know the results. thank you is there anything else i should do?

8

I see that you have run TDSSKiller … Could you attach the log at C:\TDSSKiller date time

9

i ran tdsskiller and accidently deleted 2 files/infections that it found. now, when i try and re-install avast, i get a message that says locale data files missing? how do i fix this?

10

Download aswClear to the desktop http://files.avast.com/files/eng/aswclear.exe
Uninstall Avast via Programs and features
Run aswClear
The re-install Avast

How is the computer behaving now ?

11

ok i ran aswclear and after i did the reboot and my laptop boots to the desktop i immediatley get a RunDLL message stating that there was a problem starting, c:\Users\Elizabe\AppData\Roaming\uicof.dll
the specified module could not be found

now what is this? lol any help would be greatly appreciated. thanks@

12

Could you run a fresh OTL scan please and ensure all users is selected, then I will do a seek and destroy on that ;D