Got a virus called URL:Mal

Got this yesterday and spent the day scanning and cleaning; nothing helped. I did a system restore to the latest backup, but half the files on my desktop are gone. Now I can't run or update Malwarebytes. Here is the OTS scan.

Help duly appreciated.
Thanks
Dale.

URL:Mal usually means Avast blocked an infected/blacklisted website before you could enter it…

Or do you get this pop-up even when not surfing?

Can you also attach an aswMBR log?

Hi. OTS is no longer supported or updated, so it misses a lot of the infections.

If RogueKiller fails to run, then rename it to Iexplore.

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until the Prescan has finished…
[*] Click on Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop

[*] Double-click the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*] Select All Users.
[*] Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*] When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Attach both logs.
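As an added example, not part of the original thread or of OTL itself, here is a PowerShell script covering the same ground as the custom-scan directives above: it hashes the system binaries that `/md5start … /md5stop` lists, checks their Authenticode signatures, lists any `*.exe` sitting in the root of the system drive (what `%SYSTEMDRIVE%\*.exe` looks for), and lists loose extensionless files directly under ProgramData and the user's Local AppData. Assumptions: PowerShell 4 or later (for `Get-FileHash`), an elevated prompt, and the standard locations for the binaries. The function names are my own.

```powershell
# Added example, not from the original post. Requires PowerShell 4+ for Get-FileHash.
# Run from an elevated PowerShell prompt.

# The same binaries the OTL /md5start block hashes. explorer.exe lives in
# %SystemRoot%, the rest in System32, so both directories are searched.
function Get-SystemBinaryReport {
    param(
        [string[]]$Names = @('services.exe', 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe')
    )
    $searchDirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    foreach ($name in $Names) {
        foreach ($dir in $searchDirs) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path      = $path
                Size      = $item.Length
                Modified  = $item.LastWriteTime
                MD5       = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
    }
}

# Executables dropped in the root of the system drive (what %SYSTEMDRIVE%\*.exe scans).
# Legitimate software almost never installs there.
function Get-SystemDriveRootExe {
    Get-ChildItem -Path "$env:SystemDrive\" -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Loose files with no extension directly under ProgramData and Local AppData
# (not in a subfolder), with their attributes so hidden/system flags are visible.
function Get-LooseDataFiles {
    $dirs = @($env:ProgramData, $env:LOCALAPPDATA)
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Size       = $_.Length
                    Created    = $_.CreationTime
                    Modified   = $_.LastWriteTime
                    Attributes = $_.Attributes
                }
            }
    }
}

# Usage: print all three reports.
Get-SystemBinaryReport | Format-Table -AutoSize
Get-SystemDriveRootExe | Format-Table -AutoSize
Get-LooseDataFiles     | Format-Table -AutoSize
```

Two caveats when reading the output. A `HashMismatch` status means the file has been altered since it was signed and is a red flag on its own. A `NotSigned` status on a stock Windows 7 binary is not by itself proof of tampering, because many in-box files are signed through a catalog rather than with an embedded signature, and `Get-AuthenticodeSignature` only started checking catalogs in PowerShell 5.1; for those files, compare the MD5/SHA256 and size against the same file on a known-clean machine at the same patch level, which is exactly the comparison the OTL hash list is posted for.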

Thanks for the replies.
Yes, I was getting that pop-up while not searching. However, today I opened Firefox and it said that it was already running; I couldn't get it to stop, so I uninstalled it.

I will download RogueKiller and upload the report here when done.

Thanks for your help.
Dale.

Here are the RK reports.

You should have your icons and menus back now. Once I get the OTL log I will see what the malware is.

Yes, icons are back! Thank you. Here are the OTL reports.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*] Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKU\S-1-5-21-3431719136-111017766-3804047868-1000\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKU\S-1-5-21-3431719136-111017766-3804047868-1000\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
[2012/07/16 10:52:34 | 000,000,072 | ---- | M] () -- C:\ProgramData\-g0LfE2GkrMNryCr
[2012/07/16 10:52:34 | 000,000,072 | ---- | M] () -- C:\ProgramData\-g0LfE2GkrMNryC
[2012/07/16 10:52:17 | 000,000,368 | ---- | M] () -- C:\ProgramData\g0LfE2GkrMNryC
[2011/12/14 01:17:02 | 000,008,340 | --S- | C] () -- C:\Users\dale\AppData\Local\502843u1s876d065e433s4int3x4
[2011/12/14 01:17:02 | 000,008,340 | --S- | C] () -- C:\ProgramData\502843u1s876d065e433s4int3x4

:Files

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*] Then click the Run Fix button at the top.
[*] Let the program run unhindered, and reboot the PC when it is done.
[*] Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and install ComboFix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*] Double-click ComboFix.exe and follow the prompts.
[*] Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*] When finished, it will produce a log for you.
[*] Please include C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.

Here is the second-run OTL log.

It is running something called Administrator: Autoscan on top of my desktop.

Just got a pop-up from ComboFix: ZeroAccess, infected with Rootkit.ZeroAccess; it has inserted itself into the TCP/IP stack.

Wow, that is one long-ass file. Hope this is what you're looking for.

How is the computer behaving now? Any problems?

It seems to be running OK. I am still getting pop-up notifications from Avast blocking malware even though I don't have any browsers open or running. I am concerned about this.

Could you take a screenshot of the pop-up, please, and run a fresh OTL log for me, selecting All Users?

Here is the new OTL scan. After my last post I rebooted my computer and I haven't seen any more pop-ups from Avast. If it happens I will get you a screenshot.

As far as I can see it has gone. Could you run as normal for a bit, then tomorrow let me know if all is OK?

OK, will do. Here is one of the pop-ups… I didn't have a browser open, but I am connected to the internet.

Thanks for all your help.

Dale.

So it is still present?

Yes, I am still getting the pop-ups even with no browsers open. I clicked on one and it was stopsmokingpumaDOTcom; I think one of the others was a ~pumaDOTcom too.
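The question left open at the end of the thread is which process is reaching those domains when no browser is open. As an added example, not part of the thread, this PowerShell script maps every outbound TCP connection to the process that owns it (executable path, command line, parent PID and signature status) and searches the DNS resolver cache for a name fragment such as "puma". It uses `netstat -ano`, `ipconfig /displaydns` and WMI, all present on Windows 7, so it does not depend on the newer `Get-NetTCPConnection` cmdlet. Assumptions: an elevated prompt (WMI only returns paths for other users' processes when elevated) and the function names, which are my own.

```powershell
# Added example, not from the original post. Works on PowerShell 2+ on Windows 7 and later.
# Run from an elevated prompt so WMI can return every process's executable path.

# Outbound TCP connections attributed to their owning process.
function Get-OutboundConnectionOwners {
    param([switch]$Resolve)   # reverse-resolve remote IPs to names (slow, needs DNS)

    # netstat -ano lines look like:
    #   TCP    192.168.1.5:49211    93.184.216.34:80    ESTABLISHED    1234
    $rows = netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(ESTABLISHED|SYN_SENT)\s+(\d+)\s*$') {
            [pscustomobject]@{
                Local     = $Matches[1]
                Remote    = $Matches[2]
                State     = $Matches[3]
                ProcessId = [int]$Matches[4]
            }
        }
    }

    # One WMI query for all processes, keyed by PID, rather than one per connection.
    $procs = @{}
    Get-WmiObject -Class Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    foreach ($row in $rows) {
        # Split "addr:port" (IPv6 remote addresses appear as "[addr]:port").
        if ($row.Remote -notmatch '^(.*):(\d+)$') { continue }
        $remoteIp = $Matches[1].Trim('[', ']')
        $remotePort = [int]$Matches[2]
        # Skip loopback and link-local traffic; only real outbound peers matter here.
        if ($remoteIp -match '^(127\.|::1$|fe80:|0\.0\.0\.0$)') { continue }

        $p = $procs[$row.ProcessId]
        $exe = if ($p -and $p.ExecutablePath) { $p.ExecutablePath } else { $null }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'Unknown' }
        $host = $remoteIp
        if ($Resolve) {
            try { $host = [System.Net.Dns]::GetHostEntry($remoteIp).HostName } catch { }
        }

        [pscustomobject]@{
            ProcessId   = $row.ProcessId
            Name        = if ($p) { $p.Name } else { '(exited)' }
            Parent      = if ($p) { $p.ParentProcessId } else { $null }
            Executable  = $exe
            Signature   = $sig
            CommandLine = if ($p) { $p.CommandLine } else { $null }
            Remote      = "$host`:$remotePort"
            State       = $row.State
        }
    }
}

# Names in the DNS resolver cache that match a fragment of the blocked domain.
# A hit with no browser open means some process on the box resolved it.
function Find-DnsCacheEntries {
    param([string]$Pattern = 'puma')
    ipconfig /displaydns | ForEach-Object {
        if ($_ -match 'Record Name[ .]*:\s*(\S+)') {
            $name = $Matches[1]
            if ($name -match $Pattern) { $name }
        }
    } | Sort-Object -Unique
}

# Usage
Get-OutboundConnectionOwners | Sort-Object ProcessId | Format-Table -AutoSize
Find-DnsCacheEntries -Pattern 'puma'
```

What to look for in the output: a connection owned by a process that has no reason to talk to the internet with the browser closed, such as services.exe, winlogon.exe, explorer.exe or a svchost.exe instance whose command line you do not recognise, or an executable sitting under ProgramData or AppData rather than Program Files. Run it while the Avast pop-up is on screen, because a short-lived connection will have gone from `netstat` a few seconds later, whereas the DNS cache entry persists until its TTL expires or `ipconfig /flushdns` is run.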