Avast URL:Mal longtrip-todayz.com

Hello.

Last night Avast alerted me several times in a row that it was blocking a suspicious URL that I was not manually visiting.

The error message was this:

Object:
95.143.193.171/bWFza3N8ZWYz0DQ0YmM3NWVhZJl2NWZiZWFlMJgZtg0Zj
Infection: URL: Mal
Action: Blocked
Process: C:\WINDOWS\System32\svchost.exe

And I’ve found that while browsing in Firefox 4, it will periodically open a new tab to a suspicious web page.

Also, I’ve found I cannot access Windows Update, which I assume is related to this.

After some searching, I’ve discovered I seem to have almost exactly the same problem as this person:

http://forum.avast.com/index.php?topic=77998.0
(also this user, too: http://forum.avast.com/index.php?topic=77333.0)

I noticed my Avast messages sometimes include the blocked URL “longtrip-todayz.com”, just like his Avast window.

What I’ve done so far:

Ran Malwarebytes scan (log attached), no results
Ran Avast boot scan, no results
Ran CWShredder, no results
Ran aswMBR, similar results to the user who was experiencing the same problem (log attached)
Opted to “fix” after the scan, rebooted

Same avast error messages persist, and running aswMBR again brings the same results.
Ran OTS (log attached) with the following parameters:

Select All Users
Under Additional Scans select the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Ran HijackThis (log attached)
Panicked (log not attached)

I would forever be in your debt if you could help me in the slightest.

Thank you in advance!
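The path in the blocked object above is a base64 string. A quick check a responder would make before anything else is to decode it, since a check-in URL of this shape usually carries a bot identifier. This is an added example by the editor, not something posted in the thread: it decodes the last path segment of the object exactly as transcribed above, tolerating the missing padding. As printed, the string is 45 characters long (not a valid base64 length) and its tail does not decode to printable text, so only the readable prefix `masks|ef3` is treated as trustworthy; the function names and the base64 heuristic are the editor's own.

```python
import base64

# The blocked object exactly as shown in the Avast alert above (transcribed from the post).
BLOCKED_OBJECT = "95.143.193.171/bWFza3N8ZWYz0DQ0YmM3NWVhZJl2NWZiZWFlMJgZtg0Zj"

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=-_"
)


def looks_like_base64(segment: str, min_len: int = 16) -> bool:
    """Heuristic: long enough, and every character is in the base64/base64url alphabet."""
    return len(segment) >= min_len and all(c in B64_ALPHABET for c in segment)


def decode_b64_path(obj: str) -> bytes:
    """Decode the last path segment of a blocked object, tolerating missing padding.

    A segment whose length is 1 mod 4 cannot be valid base64 (a lone trailing
    character encodes no byte), so that character is dropped before decoding;
    the string in the alert above is such a case.
    """
    segment = obj.rsplit("/", 1)[-1].rstrip("=")
    segment = segment.replace("-", "+").replace("_", "/")  # accept base64url too
    if len(segment) % 4 == 1:
        segment = segment[:-1]
    segment += "=" * (-len(segment) % 4)
    return base64.b64decode(segment)


def printable_prefix(data: bytes) -> str:
    """Leading run of printable ASCII. Bytes after the first non-text byte are not
    trusted: a transcribed string may carry case errors that corrupt later groups."""
    out = []
    for b in data:
        if not 32 <= b < 127:
            break
        out.append(chr(b))
    return "".join(out)


if __name__ == "__main__":
    seg = BLOCKED_OBJECT.rsplit("/", 1)[-1]
    print("base64-like:", looks_like_base64(seg))
    raw = decode_b64_path(BLOCKED_OBJECT)
    print("decoded prefix:", printable_prefix(raw))  # masks|ef3
```

Run it with no arguments; the decoded prefix is `masks|` followed by the start of what looks like a hexadecimal identifier. Anything past the first unprintable byte is discarded rather than guessed at.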

I noticed that it looks like my other logs didn’t go through. Sorry, let me try that again!

If it helps anything at all, here are the three malicious url warnings I receive from this infection:

http://i508.photobucket.com/albums/s329/fundogmo/pinned_avast2.jpg

http://i508.photobucket.com/albums/s329/fundogmo/pinned_avast1.jpg

http://i508.photobucket.com/albums/s329/fundogmo/pinned_avast3.jpg

Whilst I am looking at the log, we can remove one miscreant.

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix button

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post it in your next reply.

Thank you so much!

I ran aswMBR (pre-fix log attached),
clicked Fix,
confirmed the reboot request.
It didn’t quite prompt me to save the log, so I clicked Scan again for a new log (post-fix attached).

If it means anything, I got another avast warning window in the time after rebooting and running the scan a second time for the post-fix log.

OK, seems to be the new variant.

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Found one infected file and one suspicious file.

I think it went well!

(I attached the file instead of copy and pasted it because it is a little too long)

On your desktop there should be a file called MBR.dat. Could you scan that with Avast and, once it is in the Chest, upload it to the virus lab, please?

Could you confirm the alerts have now ceased?

Please download Malwarebytes’ Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.

- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes has found nothing.

Scanning the mbr.dat file gave me “Threat: Alureon-G@mbr[rtk]” and I’ve submitted it to the lab after moving it to my chest like you said.

And the avast warning windows SEEM to have ceased.

I’m surprised this fix didn’t involve a custom OTS fix like the similar problems on this board, but no warning windows, redirects or anything out of the ordinary so far.

If this worked out then I can’t express how grateful I am. This is wonderful! Thank you so much!

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6585

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

5/15/2011 12:02:10 PM
mbam-log-2011-05-15 (12-02-10).txt

Scan type: Quick scan
Objects scanned: 142814
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
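The MBR.dat that aswMBR dropped on the desktop, and that Avast flagged as Alureon-G@mbr[rtk], is a 512-byte image of the disk's master boot record. The checks that aswMBR and TDSSKiller automate against that sector are simple enough to reproduce by hand, and doing so is useful when you want to compare an image against a known-clean baseline rather than rely on a signature. This is an added example by the editor, not code from the thread or from either tool: it parses a 512-byte MBR image, hashes the loader bytes (offsets 0 to 439), verifies the 0x55AA signature, and flags a loader that differs from a baseline hash, an unexpected number of active partitions, or overlapping partition entries. The baseline hash, the stand-in loader bytes and the partition table are constructed test data; a real baseline must be captured from a clean machine of the same Windows version.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 loader; 440..443 disk signature; 444..445 reserved
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
SIGNATURE_OFFSET = 510


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into loader hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte image, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing looks off.

    The baseline hash must come from a known-clean MBR of the same Windows
    version (capture it before an incident, or from a freshly built machine).
    """
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    active = [p["index"] for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in info["partitions"])
    for (_, end_a, idx_a), (start_b, _, idx_b) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions {idx_a} and {idx_b} overlap")
    return findings


def build_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a test MBR image (constructed data, not read from a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, sectors)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


# Constructed samples: a stand-in "stock" loader, and the same table with the loader replaced.
STOCK_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
NTFS_SYSTEM = [(0x80, 0x07, 63, 20_000_000)]   # one active NTFS partition starting at LBA 63
CLEAN_MBR = build_mbr(STOCK_BOOT_CODE, NTFS_SYSTEM)
BASELINE_SHA256 = hashlib.sha256(STOCK_BOOT_CODE).hexdigest()
HOOKED_MBR = build_mbr(b"\xeb\x3c" + b"\x00" * (BOOT_CODE_LEN - 2), NTFS_SYSTEM)


if __name__ == "__main__":
    import sys
    # Pass the path to an MBR.dat to check a real image; otherwise the hooked sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HOOKED_MBR
    for line in check_mbr(image, BASELINE_SHA256) or ["no findings"]:
        print(line)
```

A loader that hashes differently from the baseline is not proof of infection on its own (OEM recovery tools and boot managers also rewrite it), but on a machine that is already alerting on outbound connections from svchost.exe it is the first thing to explain.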

No requirement for an OTS fix ;D

Thank you for submitting the file, as this variant does not seem to want to go with aswMBR - but yesterday’s TDSSKiller update seems to get it.

Any further problems?

Twenty full minutes of browsing and everything looks perfect.

I can access Windows Update again (my quick check to see if the problem was fixed before I resorted to posting here) and there is no sign of infection.

I’ll keep a vigilant eye on any other local system that mine might have infected, and have a much smaller heart attack knowing that, with your help, a fix existed and no damage appears to have been done.

Thank you again, really!

Run OTS and hit the Cleanup button to remove it ;D