MALICIOUS URL BLOCKED! dances.us??? What is going on???

Almost every link I click when doing a search on google.com for something gets blocked by avast. I understand avast is trying to protect my system; what I don’t understand, however, is what the heck could possibly be causing avast to think each and every site (even about.com pages, ezinearticles, etc.) is malicious?

I have searched the forums for some info on the subject and found a very useful post about attempting to resolve such issues using MBAM here: http://forum.avast.com/index.php?topic=53253.0.

I tried this, step by step. I even found and deleted something. Here is the log:

Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org

Database version: 7045

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/8/2011 12:54:32 AM
mbam-log-2011-07-08 (00-54-32).txt

Scan type: Quick scan
Objects scanned: 178901
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

IP: 64.111.211.158 url: hxxp://64.111.211.158/c.php?s=eNodTtuuokAA-yCT4wwDDDycB0HkjoKAwMuG24jITQQEwsevu2nSpk3TtNwogGhqozGAm3W8r8bN6dLaL83y8LuBH0BB_E8Q_BYhBBhwACIGgi2l_DILtCoShXccCFOKvl7mR1Wep_BG_26EJoiPAZ2zEOU4gQnP8TDJ45glDCY8-gNwQigIEi5GMEsRx_EMYLPkeygFNKLxBr_IrdZ_esPUrodDceGsCrw0hRHlKp596n6MLsbHCg_nXW-KNZP7B2lW1QnhLnKdtT5zH2_v8Dw1MoH2NGIR5sBWxXSpE2-IjX4sdgR7T0SqQzJMihQ3Cpcboia8sHMk0Mss5dSHZXO91i6e9EmP9IaPbVxGxj0LqewamINxl8tTq-Rax5GgW3qJ5Z7X8hB2mmr6SWy_45cXzq-ljXpcKZd-z7Tv0HOEnaW007uZyehgHsuC8VSErvOBsVQRX9jKZL-n_HOks_r4qhutngADQq8aPtV58tR2EDmaXd4RySXXB7keBOAwyLp_mC9qCOsetDvdf4q7x9iPFMuFi5HuxFGV3nJhkrOT24tjWa7HMiaW9IGRrdhrUOML-PgSikexztFBUKCl3CLVMGg50YCfyXUbFIxfijVP0jUaL0C_R_kaStNJn8kgT5ccWQqDr8e5WTFNwKVQ1c4MZbfma87q0vbhkIa-pnuKNWuMsJmWdwk-eT04i6lt2-phfqswaSqmevr7feXAqHfS-mYK0TFoOjHUemmeCNpdb8v-Df2Ft6jkhsbdmixgcrsiOw5L25jsyXMkNuHkKVP7h2svBYXJ6zqt7AUV-mc-TeeFd1FIDGVah1krOUutrXxV8yAOrjn3WT6GfJal_Z3YQi8s99_fjeV-aPADv7xtPPsDKfwDmX8Bu4FtozYHzBf7wWjuMxxtwFsGtE429K-OZ_euVNkutHwbOhf3MZguOJ2Nz3cU_MeGtgxlyKitNgzsMZOLKqT4Oqr9KpZ5mFLe-PXDxqQkZjHJWcRRVJrmkMsgSzgqyQnDMHm8fTMaAkKyhNCQTWLIs3FG04DOmBSQDP8FOLNFkg

After restarting my system I attempted to open the links again from google.com, but avast keeps doing it. I’ve noticed, however, that when/if avast doesn’t block the sites, the URL changes to dances.us and then it asks me to download something. It says something like “Search from google.com”, asking me to download it. I always click cancel and hit the back button, or close the tab and do the search over again, and it either blocks, or does the download search thing again. What can I do to stop this? I want to stop this thing, whatever it is, and get it the heck out of my computer as soon as possible before it goes rogue or something, so please, somebody, anybody, help me! ??? :-\ :cry:

Oh, and BTW, this doesn’t happen when I type URLs into my browser. It only seems to happen when I use Google search (haven’t tried Yahoo, MSN or any other). And I almost forgot: sometimes when I click a link in Google search it takes me to one of those “this domain not taken” type sites with search results for what I searched for on Google. ???

…reason for edit, happened again:
OK, this time the redirect is another site, besides the old dances.us one. Now it redirects to http://w w w.chat.thecoffeehouse.c o m/, which shows up as the usual blank page, just as with dances.us. Here is the info from the download popup:
Opening search
You have chosen to open
search
which is a: application/json
from: http://www.google.com
What should firefox do with this file…etc etc.
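The MBAM log in the post above follows a fixed layout: a header block, a summary of per-category counts, then one section per category listing each detection as `object (Threat.Name) -> [Bad/Good values ->] action`. The Python below is added here as a worked example; it is not code from the thread or from Malwarebytes. It parses that layout, cross-checks the summary counts against the entries actually listed (a mismatch means the log was truncated or edited), and separates PUM.* hits (potentially unwanted modifications, i.e. non-default settings) from real malware detections. SAMPLE_LOG is a constructed excerpt modelled on the posted log, and all function names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and triage its findings.

Added example; not from the thread and not Malwarebytes code. SAMPLE_LOG is a
constructed excerpt modelled on the log posted above.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

Scan type: Quick scan
Objects scanned: 178901

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Data Items Infected: 1"   (summary block)
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+?) Infected: (?P<n>\d+)$")
# "Registry Data Items Infected:"     (start of a detail section)
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+?) Infected:$")
# "<object> (<Threat.Name>) [-> Bad: (x) Good: (y)] -> <action>"
ENTRY_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<threat>[^()\s]+)\)"
    r"(?: -> (?P<detail>Bad: \(.*?\) Good: \(.*?\)))?"
    r" -> (?P<action>.+)$"
)


@dataclass
class Detection:
    category: str     # e.g. "Registry Data Items"
    obj: str          # registry path or file path
    threat: str       # e.g. "PUM.Hijack.StartMenu"
    action: str       # what MBAM did with it
    detail: str = ""  # Bad/Good values, registry data items only


@dataclass
class ScanReport:
    header: dict = field(default_factory=dict)    # "Database version" -> "7045"
    summary: dict = field(default_factory=dict)   # category -> claimed count
    detections: list = field(default_factory=list)


def parse_log(text):
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.summary[m["cat"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["cat"]
            continue
        if section is not None:
            if line == "(No malicious items detected)":
                continue
            m = ENTRY_RE.match(line)
            if m:
                report.detections.append(Detection(
                    section, m["obj"], m["threat"], m["action"], m["detail"] or ""))
            continue
        if ": " in line:  # header key/value, e.g. "Scan type: Quick scan"
            key, val = line.split(": ", 1)
            report.header[key] = val
    return report


def summary_mismatches(report):
    """Categories whose claimed count differs from the entries actually listed."""
    out = {}
    for cat, claimed in report.summary.items():
        found = sum(1 for d in report.detections if d.category == cat)
        if found != claimed:
            out[cat] = (claimed, found)
    return out


def real_malware(report):
    """Detections other than PUM.* (settings changes). A lone PUM hit such as
    Start_ShowSearch does not explain a browser search redirect."""
    return [d for d in report.detections if not d.threat.startswith("PUM.")]


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print("DB version:", rep.header.get("Database version"))
    print("summary mismatches:", summary_mismatches(rep))
    for d in rep.detections:
        print(f"[{d.category}] {d.threat}: {d.obj} -> {d.action}")
    print("non-PUM detections:", len(real_malware(rep)))
```

Run it over the posted log and the only hit is a PUM on a Start-menu setting, which is a policy tweak rather than a redirector; that is the practical reason the thread moves on to OTS, aswMBR and TDSSKiller.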

OK, need an OTS log for analysis, so:

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running, or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Note: this says to attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).

OK, so I did the scan and got the log, but I’m having some strange issues saving/viewing it. I can’t see the log file on my desktop, even though when I try to re-save it with the same name it says a file already exists with that name. The strange thing is I can’t see it there on my desktop; I’ve searched for it and my computer says it doesn’t exist. I tried to save it with another name and I can’t see or find that file either. I even made a new file with different text in it and named it apple: nothing. So I had to copy and paste the log into Notepad++ and save it from there. That’s why the name is different and not ots.txt. Weird, huh? Oh, and I just opened a new Notepad after closing the log and it seems to be working fine now; I saved a text file and can see it on my desktop and everything… ???

Anyways, the log is attached and I hope I can get this resolved soon, since I can’t search for ANYTHING anymore! It’s really killing meh! :cry: I just don’t want this to get worse, to where I wake up one morning and my computer is a brick! :o I just died at the thought!

BTW, thanks for helping! :wink:

Okay, it seems to be getting worse now, as every Google search link I click is getting blocked by avast! :-[

Hi there, let’s run this to start with

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> MRI_DISABLED [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  ~38985464 -> C:\ProgramData\~38985464
NY ->  ~38985464r -> C:\ProgramData\~38985464r
NY ->  38985464 -> C:\ProgramData\38985464
[Files - No Company Name]
NY ->  ~38985464 -> C:\ProgramData\~38985464
NY ->  ~38985464r -> C:\ProgramData\~38985464r
NY ->  38985464 -> C:\ProgramData\38985464
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe (1.8 MB) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Okay, so I performed the OTS fix, but it never created a log for me; it just asked me to reboot, so I did, since it didn’t give me any other option. Sorry about that, but it didn’t feel like giving me a log for that…

Performed the aswMBR scan and the log is attached! Lots of red stuff during the scan! Wonder what that is. Hope it means I can fully get rid of this stuff and have my computer back to normal again ASAP!

Okay, it seems to be getting worse by the minute. About 8 out of 10 of ANY links I click are being redirected now… this really sucks, to say the least!!! ???
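The symptoms reported so far (a Google result that bounces through a bare-IP host to dances.us or chat.thecoffeehouse.com, or google.com apparently serving a “search” file of type application/json that Firefox offers as a download) are the fingerprint of a search-result hijack. The Python below is added here as a worked example; it is not code from the thread, from avast, or from any tool named in it. It takes a redirect chain as a browser or proxy would record it and flags those hallmarks. The three chains are constructed from the poster’s description, not captured traffic (the c.php `s=` value is replaced by a placeholder), and the function names are my own.

```python
"""Flag a browser redirect chain that shows the search-hijack pattern from
this thread: bare-IP hops, landing on an unrelated site, or a 'search'
download served in place of the result page.

Added example; not from the thread. The chains below are constructed from
the poster's description, not captured traffic.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts that may legitimately sit between a Google result and its target.
TRUSTED_HOPS = {"google.com", "www.google.com"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Crude registrable-domain check: compare the last two labels."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def classify_chain(clicked_url, hops):
    """clicked_url: the result link the user clicked.
    hops: ordered list of {"url", "status", "content_type"} responses.
    Returns (verdict, reasons) with verdict "hijacked" or "clean"."""
    reasons = []
    target = host_of(clicked_url)
    for hop in hops:
        h = host_of(hop["url"])
        ctype = hop.get("content_type", "").lower()
        if is_bare_ip(h):
            reasons.append(f"redirect through bare IP {h}")
        if hop["status"] == 200 and h in TRUSTED_HOPS and not ctype.startswith("text/html"):
            # A result click on google.com should yield HTML or a redirect,
            # never a JSON/binary body that the browser offers as a download.
            reasons.append(f"{h} served {ctype or 'unknown type'} instead of a page")
    final_host = host_of(hops[-1]["url"])
    if final_host not in TRUSTED_HOPS and not same_site(final_host, target):
        reasons.append(f"landed on {final_host}, expected {target}")
    return ("hijacked" if reasons else "clean"), reasons


# Constructed chains. Hostnames and the IP come from the thread; the paths
# and the "OPAQUE" placeholder for the c.php s= parameter are made up.
CLICKED = "http://www.about.com/example-article"

CHAIN_CLEAN = [
    {"url": "http://www.google.com/url?q=http://www.about.com/example-article",
     "status": 302, "content_type": "text/html"},
    {"url": CLICKED, "status": 200, "content_type": "text/html"},
]

CHAIN_REDIRECT = [
    {"url": "http://www.google.com/url?q=http://www.about.com/example-article",
     "status": 302, "content_type": "text/html"},
    {"url": "http://64.111.211.158/c.php?s=OPAQUE", "status": 302, "content_type": "text/html"},
    {"url": "http://dances.us/", "status": 200, "content_type": "text/html"},
]

CHAIN_DOWNLOAD = [
    {"url": "http://www.google.com/search", "status": 200, "content_type": "application/json"},
]

if __name__ == "__main__":
    for name, chain in [("clean", CHAIN_CLEAN), ("redirect", CHAIN_REDIRECT),
                        ("download", CHAIN_DOWNLOAD)]:
        verdict, why = classify_chain(CLICKED, chain)
        print(f"{name}: {verdict}", *why, sep="\n  ")
```

Because typed-in URLs are unaffected while only search-result clicks are redirected, the check keys on the clicked link versus where the chain lands; a hop through a bare IP or a non-HTML body from google.com is reported separately so each reason can be matched against the browser or proxy log.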

OK, now try this:

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i1116.photobucket.com/albums/k567/com155/kastdsskiller.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i1116.photobucket.com/albums/k567/com155/kastdsskiller1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i1116.photobucket.com/albums/k567/com155/kastdsskiller-1.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Okay, so I did the TDSSKiller scan and it found nothing… ???

Report attached… this virus seems cleverer than I thought.

This was just a try; essexboy will guide you further. I don’t want to come in between when he is on the job.

Oh… okay. So how long till you think he’ll be on?

He will be on late, by 8 to 10 tonight, UK time.

:-[, aww, that’s a good long while! :stuck_out_tongue:

As it’s weekend, he may be here earlier. :wink:

YAY HOPE! ;D

Ignore the red from aswMBR; they are FPs.

OK, time to inspect your drivers, I feel.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please ignore my earlier post about this being a firefox add-on. It seems to be re-occurring.
Dave

Okay… not sure what just happened, but I think ComboFix just killed my computer!!! I started the scan, which in itself took incredibly long, then I think I fell asleep with my laptop at my bedside at around “completed section 46”, I believe. Then when I woke up many hours later and tried to get my comp’s screen back to an active state to see whether the scan had completed or not, I noticed that although my comp was on, the screen was black. I restarted it and now every time I restart it attempts to do some startup repair thing, and when it’s finished, or after I hit cancel and follow the prompts, it restarts and does the same thing over again. I also tried system recovery through it, but it tells me THERE ARE NO SYSTEM RECOVERIES TO USE!!! Before this happened I manually created at least 3 very, very recent ones, and that’s not even including the auto ones my computer made… I simply don’t know what to do and have no clue what’s gone wrong, and aside from using my phone to get back on the forums to ask these questions I am utterly lost. Now my computer won’t even start! Now what do I do???

BTW, what kind of crappy scan application does that, man! Aaaah!!!

Hi, that is not a usual occurrence. I feel you may have fallen foul of the new variant; I will pass this on to sUBS and see what his thoughts are.

Two types of fix here: one if you have the recovery console installed, the other if not.

Recovery console installed

[*]Start the safe mode menu by rebooting and pressing and holding F8
[*]Select Repair your computer.
[*]Select the operating system you want to repair, and then click Next.
[*]Select command prompt
[*]Type in the following command

Bootrec.exe /FixMbr

[*]Once finished type Exit

No recovery console installed

Download the recovery console ISO from Here
Also download Imgburn from here and install

Once Imgburn is installed double click the ISO to burn to disc

[*]Insert the disc and select start from the CD
[*]Select Repair your computer.
[*]Select the operating system you want to repair, and then click Next
[*]Select command prompt
[*]Type in the following command

Bootrec.exe /FixMbr

[*]Once finished type Exit

Allow it to do its thing and then try a reboot to normal Windows

Okay, so I tried the first one, for recovery console installed, and it doesn’t work. The moment I press F8 my computer screams bloody murder… literally. It just starts a continuous long beep that makes the screen jam, and nothing happens till a bit after I let the button go. Then it does the same thing again by going to the repair dialog… I can’t believe I just lost my computer and don’t have a penny to get it fixed or anything… this is just not fair.