Malicious URL Blocked espeak911 colexity777

Avast popups started occurring Thursday evening, August 9, 2012, while on the website hxxp://p2p4u.net; they are persistent and have escaped my efforts to remove them. I need your help. Whatever is infecting my machine is blocking www.google.com from loading. This occurs with IE, Chrome and Firefox.

MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.

Object: hxxp://espeak911.com/x/
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

Object: hxxp://colexity911.com/x/
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

Object: hxxp://37.220.36.44/x/
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

I have attached the malwarebytes log, and both OTL logs.
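As an added illustration (not part of the original thread or of any Avast tooling), here is a small Python triage helper that parses the three Network Shield alerts quoted above, undoes the `hxxp` defanging the poster applied, and summarises what a responder would look at first: the blocked destinations are being requested by `svchost.exe`, a Windows system process that should not be fetching web content on its own, all three share the same `/x/` path, and one destination is a bare IP address. The sample alert text and the list of system process names are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the three alerts quoted in the post, with the poster's
# "hxxp" defanging left in place exactly as it appears on the page.
SAMPLE_ALERTS = """\
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.

Object: hxxp://espeak911.com/x/
Infection: URL:Mal
Process: C:\\Windows\\system32\\svchost.exe

Object: hxxp://colexity911.com/x/
Infection: URL:Mal
Process: C:\\Windows\\system32\\svchost.exe

Object: hxxp://37.220.36.44/x/
Infection: URL:Mal
Process: C:\\Windows\\system32\\svchost.exe
"""

# One alert is three consecutive "Object / Infection / Process" lines.
ALERT_RE = re.compile(
    r"Object:\s*(?P<url>\S+)\s*\n"
    r"Infection:\s*(?P<infection>\S+)\s*\n"
    r"Process:\s*(?P<process>.+)"
)

# Assumption for the example: core Windows binaries that, by themselves,
# have no business requesting arbitrary web pages. A hit here suggests
# injected code or a rootkit riding on the process, as in this thread.
SYSTEM_PROCESSES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def is_ip_literal(host):
    """True when the host part of the URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_alerts(text):
    """Extract one dict per alert: host, path, infection name, process path."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        # Reverse the forum defanging so urlparse can split the URL.
        refanged = re.sub(r"^hxxp", "http", m.group("url"), flags=re.IGNORECASE)
        parsed = urlparse(refanged)
        alerts.append({
            "host": parsed.hostname,
            "path": parsed.path,
            "infection": m.group("infection"),
            "process": m.group("process").strip(),
        })
    return alerts


def triage(alerts):
    """Group alerts by originating process and flag the points a responder checks first."""
    by_process = defaultdict(list)
    for a in alerts:
        by_process[a["process"]].append(a)

    findings = []
    for process, items in by_process.items():
        basename = process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        hosts = sorted({a["host"] for a in items})
        paths = {a["path"] for a in items}
        findings.append({
            "process": process,
            # a system binary reaching out to blocked URLs is the key signal here
            "system_process": basename in SYSTEM_PROCESSES,
            "distinct_hosts": hosts,
            # identical paths across unrelated hosts point to one controlling component
            "shared_path": paths.pop() if len(paths) == 1 else None,
            "ip_literal_hosts": [h for h in hosts if is_ip_literal(h)],
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f)
```

Run it as-is and it prints one finding for `svchost.exe` with `system_process` set, the three hosts, the shared `/x/` path and the IP-literal host; feeding it a real alert export follows the same three-line layout.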

Monitoring

Hi, :wink:

[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


I see that you have run Combofix. Bad move.

Please read this topic:
http://www.bleepingcomputer.com/forums/topic273628.html

Attach here: C:\ComboFix.txt

It’s not the first time I’ve made a bad move. :wink:

I’ve attached combofix.txt

Hehe, you may want to read this one: :wink:
Words from author:
http://www.techsupportforum.com/forums/showpost.php?p=1829551

And just to let you know, Combofix has just deleted several legitimate files.

Did you set this up as your home page website?

bellsouthpwp2.net

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.

[*]Click Scan
[*]Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.
[*] You will also notice another file created on the desktop named MBR.dat. Right click that file and select [b]Send To > Compressed[/b] file. Attach that zipped file in your next reply as well.


Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to this topic.

Yes, the homepage website is legitimate.

I’ve attached the four files resulting from the two programs. The forum would not allow a zip file extension so I renamed MBR.zip to MBR.jpg. You’ll have to change the file extension back to zip.

Ok, we are making good progress.

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by double-clicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.

I believe you have cured the infection! GOOD JOB! Thanks very much! You’re GREAT!

Now all I have to do is fix some self-inflicted wounds I caused with combofix. Heh heh heh. I can handle that. Again, thanks for all your help!

TDSSKiller log is attached.

BTW, what infection did (do) I have?

Easy, we have not finished yet. When I ask you to uninstall the tools we used, and when I feel free to tell you that your system is clean, then you know that's the end. :wink:

[*] Re-run TDSSKiller.exe and click on Change parameters.
[*] Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*] Click the Report button and copy/paste the contents of it into your next reply
Note: It will also create a log in the [b]C:[/b] directory.

Well, you had what we call some variant of an MBR rootkit infection.
It lives outside of the Windows operating system but delivers its payload into Windows.
Since it’s not within Windows itself, your resident security program may have difficulties dealing with it.

Too many characters to post in reply so I copy/pasted it into a text file that’s attached.

Re-run TDSSKiller as before with the changed parameters, and use the Delete option for this if it shows:

\Device\Harddisk0\DR0 ( TDSS File System )

Re-run Combofix and attach here fresh Combofix.txt

How is your computer running now?

I’ve attached the text of the second TDSSKiller run and the fresh combofix.txt.

I think everything’s okay. I haven’t had any more “Malicious URL” popups since the first run of TDSSKiller.

Ok, that's looking good. We will remove those tools now.

It is necessary to uninstall the ComboFix :

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

Re-run OTL and click on CleanUp! button

Done and done.

Are we finished now?

Yep. :slight_smile:

YEE HAW! I want you to know that I greatly appreciate all your help. I can tell from the timestamps on the messages that you must spend most of your waking hours helping others. It is appreciated. Get some rest :wink: