Browser won't go to Avast after malware removal

Machine: Gateway laptop, Windows Vista Home Premium
The original issue was that I was unable to go to any website and Avast would pop up with an alarm.
Then…
I copied Malwarebytes’ Anti-Malware and OTS to the Desktop via external HD.
Ran both programs. Reports are below.
Now I can’t go to Avast.com.
I can go to other websites.
Yes, I checked the firewall settings in Avast and Windows.
-Thank you

Report
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6644

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

5/23/2011 8:38:39 AM
mbam-log-2011-05-23 (08-38-39).txt

Scan type: Quick scan
Objects scanned: 141044
Time elapsed: 2 hour(s), 20 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\win32sta.dll (Spyware.Passwords.XGen) → Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\win32sta.dll (Spyware.Passwords.XGen) → Delete on reboot.


OTS logfile created on: 5/23/2011 9:40:12 AM - Run 3
OTS by OldTimer - Version 3.1.43.0     Folder = D:\VIRUS-Malware help
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 60.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.88 Gb Total Space | 172.38 Gb Free Space | 77.34% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 107.53 Gb Free Space | 11.54% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: GATEWAY-PC
Current User Name: Gateway
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> D:\VIRUS-Malware help\OTS.exe -> [2011/05/22 18:35:06 | 000,645,632 | ---- | M] (OldTimer Tools)
avastui.exe -> C:\Program Files\AVAST Software\Avast\AvastUI.exe -> [2011/05/10 07:10:58 | 003,459,712 | ---- | M] (AVAST Software)
avastsvc.exe -> C:\Program Files\AVAST Software\Avast\AvastSvc.exe -> [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software)
flashutil10p_activex.exe -> C:\Windows\System32\Macromed\Flash\FlashUtil10p_ActiveX.exe -> [2011/04/23 15:54:37 | 000,235,168 | ---- | M] (Adobe Systems, Inc.)
epowersvc.exe -> C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe -> [2009/06/18 20:00:24 | 000,723,488 | ---- | M] (Acer Incorporated)
epowertray.exe -> C:\Program Files\Gateway\Gateway Power Management\ePowerTray.exe -> [2009/06/18 20:00:24 | 000,703,008 | ---- | M] (Acer Incorporated)
epowerevent.exe -> C:\Program Files\Gateway\Gateway Power Management\ePowerEvent.exe -> [2009/06/18 20:00:22 | 000,453,152 | ---- | M] (Acer Incorporated)
lmanager.exe -> C:\Program Files\Launch Manager\LManager.exe -> [2009/05/11 00:14:54 | 000,805,384 | ---- | M] (Dritek System Inc.)
amicosinglun.exe -> C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe -> [2009/04/29 17:09:14 | 000,237,568 | ---- | M] (AlcorMicro Co., Ltd.)
iaantmon.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -> [2009/02/11 19:38:40 | 000,354,840 | ---- | M] (Intel Corporation)
iaanotif.exe -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe -> [2009/02/11 19:38:38 | 000,186,904 | ---- | M] (Intel Corporation)
explorer.exe -> C:\Windows\explorer.exe -> [2008/10/29 01:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation)
audiodg.exe -> C:\Windows\System32\audiodg.exe -> [2008/01/20 21:24:54 | 000,088,064 | ---- | M] (Microsoft Corporation)
msascui.exe -> C:\Program Files\Windows Defender\MSASCui.exe -> [2008/01/20 21:23:32 | 001,008,184 | ---- | M] (Microsoft Corporation)
 
[Modules - Safe List]
ots.exe -> D:\VIRUS-Malware help\OTS.exe -> [2011/05/22 18:35:06 | 000,645,632 | ---- | M] (OldTimer Tools)
snxhk.dll -> C:\Program Files\AVAST Software\Avast\snxhk.dll -> [2011/05/10 07:10:55 | 000,199,792 | ---- | M] (AVAST Software)
comctl32.dll -> C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18523_none_5cdd65e20837faf2\comctl32.dll -> [2010/08/31 10:39:57 | 001,684,480 | ---- | M] (Microsoft Corporation)
syshook.dll -> C:\Program Files\Gateway\Gateway Power Management\SysHook.dll -> [2009/06/18 20:00:42 | 000,215,584 | ---- | M] (Acer Incorporated)
 
[Win32 Services - Safe List]
(Norton Internet Security) Norton Internet Security [Auto | Stopped] ->  -> File not found
(avast! Antivirus) avast! Antivirus [Auto | Running] -> C:\Program Files\AVAST Software\Avast\AvastSvc.exe -> [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software)
(ePowerSvc) Acer ePower Service [Auto | Running] -> C:\Program Files\Gateway\Gateway Power Management\ePowerSvc.exe -> [2009/06/18 20:00:24 | 000,723,488 | ---- | M] (Acer Incorporated)
(IAANTMON) Intel(R) Matrix Storage Event Monitor [Auto | Running] -> C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -> [2009/02/11 19:38:40 | 000,354,840 | ---- | M] (Intel Corporation)
(GameConsoleService) GameConsoleService [On_Demand | Stopped] -> C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe -> [2008/05/05 17:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.)
(WinDefend) Windows Defender [Auto | Running] -> C:\Program Files\Windows Defender\MpSvc.dll -> [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation)
 
[Driver Services - Safe List]
(aswSnx) aswSnx [File_System | System | Running] -> C:\Windows\System32\drivers\aswSnx.sys -> [2011/05/10 07:03:54 | 000,441,176 | ---- | M] (AVAST Software)
(aswSP) aswSP [Kernel | System | Running] -> C:\Windows\System32\drivers\aswSP.sys -> [2011/05/10 07:03:44 | 000,307,928 | ---- | M] (AVAST Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> C:\Windows\System32\drivers\aswTdi.sys -> [2011/05/10 07:02:37 | 000,049,240 | ---- | M] (AVAST Software)
(aswRdr) aswRdr [Kernel | System | Running] -> C:\Windows\System32\drivers\aswRdr.sys -> [2011/05/10 06:59:56 | 000,025,432 | ---- | M] (AVAST Software)
(aswMonFlt) aswMonFlt [File_System | Auto | Running] -> C:\Windows\System32\drivers\aswMonFlt.sys -> [2011/05/10 06:59:44 | 000,053,592 | ---- | M] (AVAST Software)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> C:\Windows\System32\drivers\aswFsBlk.sys -> [2011/05/10 06:59:35 | 000,019,544 | ---- | M] (AVAST Software)
(L1C) NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\L1C60x86.sys -> [2009/04/27 03:16:04 | 000,050,176 | ---- | M] (Atheros Communications, Inc.)
(NETw5v32) Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\NETw5v32.sys -> [2009/03/03 21:49:22 | 004,232,704 | ---- | M] (Intel Corporation)
(IntcHdmiAddService) Intel(R) High Definition Audio HDMI [Kernel | On_Demand | Running] -> C:\Windows\System32\drivers\IntcHdmi.sys -> [2008/12/04 13:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp32&d=1109&m=ec18 -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp32&d=1109&m=ec18 -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\] > -> -> 
HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\: Main\\"Default_Page_URL" -> http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=2&o=vp32&d=1109&m=ec18 -> 
HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\: Main\\"SearchDefaultBranded" -> 1 -> 
HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\: Main\\"Start Page" -> http://www.google.com/ -> 
HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\: Main\\"StartPageCache" -> 1 -> 
HKEY_USERS\S-1-5-21-3149059129-435206734-2226088797-1000\: "ProxyEnable" -> 0 -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2008/01/20 21:24:21 | 000,007,369 | ---- | M] - 348 lines) -> C:\Windows\System32\drivers\etc\hosts -> 
First 25 entries...

OK, I gave up on copying the incredibly long OTS file. How are others attaching the file?

lower left corner > additional options > attach

and your Malwarebytes log is from an old scan
5/23/2011 8:38:39 AM
mbam-log-2011-05-23 (08-38-39).txt

update MBAM and run a quick scan, post new log

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6733

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/31/2011 10:45:20 AM
mbam-log-2011-05-31 (10-45-20).txt

Scan type: Quick scan
Objects scanned: 142255
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Looks fairly straightforward, this - your host file was hijacked. Once run, check to see if the alarm stops by going to any AV site.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (Norton Internet Security) Norton Internet Security [Auto | Stopped] -> 
[Registry - Safe List]
< HOSTS File > ([2008/01/20 21:24:21 | 000,007,369 | ---- | M] - 348 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> Reset Hosts -> 
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
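
The hosts-file hijack diagnosed in the post above can be confirmed before a reset by listing which hosts entries override DNS for security-vendor sites. This is an added example, not part of the original post and not OTS code; the watched domains are the two sites named in the thread, and the sample hosts content is constructed.

```python
import ipaddress

# Domains named in the thread; extend for other vendors (assumption).
WATCHED = ("avast.com", "malwarebytes.org")
# Mappings a stock hosts file may legitimately contain.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED):
    """Return (non_default, hits); hits override DNS for a watched domain."""
    non_default, hits = [], []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        entry = (line_no, ip, name)
        non_default.append(entry)
        # Match the domain itself or a subdomain, not a look-alike suffix.
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append(entry)
    return non_default, hits


# Constructed sample, not the contents of the poster's hosts file.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com
127.0.0.1       avast.com download.avast.com
192.0.2.10      www.malwarebytes.org
10.0.0.5        fileserver
"""

if __name__ == "__main__":
    non_default, hits = audit_hosts(SAMPLE)
    print(f"{len(non_default)} non-default entries, {len(hits)} on watched domains")
```

On a live machine, pass the text of C:\Windows\System32\drivers\etc\hosts to `audit_hosts`; any hit means the name is resolved locally instead of through DNS.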

Happy Joy, Joy
Seems that all is well for today.
I’m currently talking to you from the Gateway laptop.
Thanks

All Processes Killed
[Win32 Services - Safe List]
Service Norton Internet Security stopped successfully!
[Registry - Safe List]
HOSTS file reset successfully!
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Gateway\Desktop\cmd.bat deleted successfully.
C:\Users\Gateway\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Gateway
->Temp folder emptied: 47564948 bytes
->Temporary Internet Files folder emptied: 36972973 bytes
->Java cache emptied: 65093 bytes
->Flash cache emptied: 2885046 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 30256344 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 112.00 mb

[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Gateway
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.43.0 fix logfile created on 06012011_084858

Files\Folders moved on Reboot…
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

This is an avast file (used by the web shield and protected by the avast self-defence module) in the temp sub-folder that avast uses to scan content.

Files\Folders moved on Reboot... File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

So in a way a good job that it failed, however, had it been removed it should have been recreated when you started browsing again.

I have never yet seen OTL remove that - but to give it its due, it does try.

Any remaining problems, Karelia?