Help - Avast URL:Mal issues

Hey guys. First post here, but I need some massive help. Yesterday my computer started getting the Avast network shield coming up blocking harmful sites. It now happens every few minutes or so. Sometimes without even being online. I pinned the most recent one.

Object: 95.143.193.171/ (sometimes it says something like “longtrip-todayz”)
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

So far, here’s what I have done to try to fix the problem.

  • Updated and ran Avast scan. Came up clean.
  • Updated and ran Malwarebytes. Again came up clean.
  • Updated and ran SuperAntiSpyware. It found adware.HBhelper & browser hijacker.deskbar
    • I quarantined and deleted those.
  • After some more searching and reading, I decided to download and run CW-shredder.
    • It found CWS.msconfig. I deleted and reran several times, but it wouldn’t be deleted.
  • I turned off system restore, rebooted (which caused a problem with my computer).
  • After having to reboot my computer several times, I finally got everything back up.
  • I have now rerun Avast, Malwarebytes, SuperAntiSpyware and CW-Shredder and found nothing on any of those.

However, I am still getting the same messages as I posted above from Avast. I am as clueless as to what to do now as possible. If anyone has any possible solutions, let me know. I will post whatever logs you need to be as helpful as possible. Just let me know. Thanks.

Give this a shot and see what happens: http://www.schmahl.net/avastbootscan.php

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

We’ll have that fixed in a moment, I believe. ;D

Thanks. Here’s the log.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 14:44:32

14:44:32.343 OS Version: Windows 6.0.6000
14:44:32.343 Number of processors: 2 586 0x604
14:44:32.345 ComputerName: TDFS01 UserName:
14:44:35.117 Initialize success
14:44:37.786 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
14:44:37.788 Disk 0 Vendor: ST325082 3.AA Size: 238475MB BusType: 3
14:44:37.800 Disk 0 MBR read successfully
14:44:37.802 Disk 0 MBR scan
14:44:37.804 Disk 0 TDL4@MBR code has been found
14:44:37.806 Disk 0 MBR hidden
14:44:37.808 Disk 0 MBR [TDL4] ROOTKIT
14:44:37.810 Disk 0 trace - called modules:
14:44:37.815 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x882904f0]<<
14:44:37.817 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8508b1e0]
14:44:37.820 3 ntkrnlpa.exe[820b07e2] → nt!IofCallDriver → [0x88310f18]
14:44:37.823 \Driver\iaStor[0x857f5910] → IRP_MJ_CREATE → 0x882904f0
14:44:37.825 Scan finished successfully
14:45:19.096 Disk 0 MBR has been saved successfully to “C:\Users\Triangle Detailers\Desktop\MBR.dat”
14:45:19.103 The log file has been saved successfully to “C:\Users\Triangle Detailers\Desktop\aswMBR.txt”

Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post in your next reply

Okay. I ran the scan and fixed it. I had to restart the computer. After that I reran the scan and here is the saved file.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-04 15:02:08

15:02:08.681 OS Version: Windows 6.0.6000
15:02:08.681 Number of processors: 2 586 0x604
15:02:08.682 ComputerName: TDFS01 UserName:
15:02:18.946 Initialize success
15:02:20.521 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-0
15:02:20.523 Disk 0 Vendor: ST325082 3.AA Size: 238475MB BusType: 3
15:02:20.546 Disk 0 MBR read successfully
15:02:20.551 Disk 0 MBR scan
15:02:20.554 Disk 0 unknown MBR code
15:02:20.562 Disk 0 scanning sectors +488395120
15:02:20.645 Disk 0 scanning C:\Windows\system32\drivers
15:02:31.688 Disk 0 MBR has been saved successfully to “C:\Users\Triangle Detailers\Desktop\MBR.dat”
15:02:31.688 The log file has been saved successfully to “C:\Users\Triangle Detailers\Desktop\aswMBR.txt”

Unfortunately, as I was typing this, I just had another of the Avast warnings come up. I pinned it and here is what it says …

Object: topsaj.com/1wave.php
Infection: URL:Mal
Action: Blocked
Process: C:\windows\TEMP\Dg0.exe
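An added example, not from this thread or from AVAST: a small Python checker that reads aswMBR-style log lines (the constructed input below is copied from the two scans posted above, before and after Fix) and flags the lines a defender should act on, so the before/after difference is explicit rather than eyeballed. The indicator patterns are my own assumption about which aswMBR messages matter.

```python
import re

# Constructed input: lines taken from the two aswMBR logs in this thread
LOG_BEFORE = """\
14:44:37.800 Disk 0 MBR read successfully
14:44:37.802 Disk 0 MBR scan
14:44:37.804 Disk 0 TDL4@MBR code has been found
14:44:37.806 Disk 0 MBR hidden
14:44:37.808 Disk 0 MBR [TDL4] ROOTKIT
14:44:37.815 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x882904f0]<<
14:44:37.825 Scan finished successfully
"""
LOG_AFTER = """\
15:02:20.546 Disk 0 MBR read successfully
15:02:20.551 Disk 0 MBR scan
15:02:20.554 Disk 0 unknown MBR code
15:02:20.562 Disk 0 scanning sectors +488395120
15:02:20.645 Disk 0 scanning C:\\Windows\\system32\\drivers
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")

# Assumed indicator set: aswMBR messages that point at a compromised or hooked boot path
INDICATORS = [
    (re.compile(r"\bROOTKIT\b"), "rootkit"),
    (re.compile(r"@MBR code has been found"), "mbr_code_found"),
    (re.compile(r"MBR hidden"), "mbr_hidden"),
    (re.compile(r">>UNKNOWN \[0x[0-9a-fA-F]+\]<<"), "unknown_module_hook"),
    (re.compile(r"unknown MBR code"), "unknown_mbr_code"),
]

def parse_aswmbr(text):
    """Return a list of (timestamp, message, [tags]) for every timestamped line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines without a timestamp are skipped
        msg = m.group("msg")
        tags = [tag for rx, tag in INDICATORS if rx.search(msg)]
        out.append((m.group("ts"), msg, tags))
    return out

def verdict(text):
    """'infected' on a rootkit hit, 'review' if only oddities remain, else 'clean'."""
    tags = {t for _, _, ts in parse_aswmbr(text) for t in ts}
    if tags & {"rootkit", "mbr_code_found", "mbr_hidden"}:
        return "infected"
    if tags:  # e.g. unknown MBR code after Fix: bootloader replaced, worth a second look
        return "review"
    return "clean"
```

The post-Fix log still reports "unknown MBR code", which is why the checker returns "review" rather than "clean" for it.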

Okay, there is obviously more to clean up.

Please download MBAM free by clicking on the MBAM in my signature.
Start it.
Update it via the “Update” tab (important).
Run a quick scan and have it remove all it finds.

Post log here please.

Well, it found something. Here is the log.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6507

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

5/4/2011 3:23:49 PM
mbam-log-2011-05-04 (15-23-43).txt

Scan type: Quick scan
Objects scanned: 169311
Time elapsed: 4 minute(s), 36 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
c:\Windows\Temp\Dg0.exe (Trojan.Downloader) → 1596 → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\Dg0.exe (Trojan.Downloader) → No action taken.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) → No action taken.

I saved the log. Now I’m going to remove the files. What else do you think I need to do?
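An added example, not from this thread or from Malwarebytes: a Python parser for the detailed section of an MBAM log (constructed input below, rebuilt from the log above with the `->` separators MBAM writes) that lists detections the scanner logged as "No action taken", i.e. the items that still have to be removed, which is exactly the state the log above shows.

```python
import re

# Constructed excerpt, rebuilt from the first Malwarebytes log in this thread
MBAM_LOG = """\
Memory Processes Infected: 1
Files Infected: 2

Memory Processes Infected:
c:\\Windows\\Temp\\Dg0.exe (Trojan.Downloader) -> 1596 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Files Infected:
c:\\Windows\\Temp\\Dg0.exe (Trojan.Downloader) -> No action taken.
c:\\Windows\\Tasks\\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> No action taken.
"""

# path (family) [-> pid] -> action.
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^)]+)\)(?: -> (?P<pid>\d+))? -> (?P<action>[^.]+)\.$"
)

def parse_mbam(text):
    """Return {section name: [item dicts]} for the itemised part of an MBAM log."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):            # section header such as "Files Infected:"
            current = line[:-1]
            sections[current] = []
        elif current and line and not line.startswith("("):
            m = ITEM_RE.match(line)       # "(No malicious items detected)" is skipped above
            if m:
                sections[current].append(m.groupdict())
    return sections

def pending_items(text):
    """Detections that were only logged, not removed: (section, path, family)."""
    return [(sec, item["path"], item["family"])
            for sec, items in parse_mbam(text).items()
            for item in items if item["action"] == "No action taken"]
```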

I am not sure…

Have that removed first, I’ll call our expert for help. ;D

In the meantime, please do this, as we need that log anyway:

Download OTS to your Desktop and double-click on it to run it

  • Make sure you close all other programs and don’t use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check

  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

I removed the stuff that Malwarebytes found and then had to restart. Ran another scan with it. Here is that file.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6507

Windows 6.0.6000
Internet Explorer 7.0.6000.17037

5/4/2011 3:34:50 PM
mbam-log-2011-05-04 (15-34-50).txt

Scan type: Quick scan
Objects scanned: 169073
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

BTW, I appreciate all of the help. I’ve been scratching my head over this since yesterday.

Proceed:

Here’s the OTS file attached.

Okay… you will be helped by “essexboy” in a minute. He’s the expert for this kind of stuff.

Please be patient for a moment.

No problem. Thanks again for all of your help !!!

I cannot download the log…? Blocked by Avast…

How did you save this log-file? You used notepad or something else?

On a side note … any idea where this stuff comes from? This is my work computer. So, I rarely use it for much of anything except checking my Yahoo mail and some occasional internet radio (which in hindsight sounds like perfect places to pick this virus junk up).

I thought it was in Notepad. Hold on … I’ll try something else.

USB sticks? Drive-by infection? Email?

There are many ways…

I am off now.

essexboy will take further care, but it may have to wait until tomorrow as he is not online atm.

We will get that straight, again: please have patience.

Thank you & good night.