Malicious URL Blocked

Hello
Recently I was infected with ScareWare (AntiMalware Doctor) and, having followed advice from the forum to run MalwareBytes, ZBotKiller and other Kaspersky pieces, I thought I was free of it. (Aside from the fact Google Chrome no longer works.)
However, recently I’ve been getting moments of being pinged by the Avast! pop-up with “Malicious URL Blocked” in groups of 5s and 7s, with breaks of about 15 minutes in between.
The pop-up tells me that the process is C:\Windows\system32\svchost.exe, and each time they come from 1 of 2 IP addresses:
199.80.55.80
or
199.80.50.19
(each time followed by very long sets of code.)
The Avast! site the pop-up directs me towards doesn’t tell me much other than to get Sandbox for £27. Is this what I have to do just to stop these pop-ups, or is my system still infected with something?
Many thanks in advance
(PS: Does anyone have any idea how to fix Google Chrome? Because I really prefer it to Firefox.)

Follow this guide from our expert malware remover Essexboy:
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)

Thank you for the link. I will post the logs in separate posts due to post size limitations.
(STANDBY FOR WALL OF TEXT)
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4938

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

24/10/2010 22:53:09
mbam-log-2010-10-24 (22-53-09).txt

Scan type: Quick scan
Objects scanned: 136279
Time elapsed: 26 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) → Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) → Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) → Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) → Quarantined and deleted successfully.

Files Infected:
C:\Users\Ally\AppData\Local\Temp\ofumfal.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
C:\Windows\Temp\2DFD.tmp (Spyware.Passwords.XGen) → Quarantined and deleted successfully.
C:\Windows\Temp\D5C0.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\Windows\Temp\E86F.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) → Quarantined and deleted successfully.
C:\Windows\System32\lowsec\user.ds (Stolen.data) → Quarantined and deleted successfully.
C:\Users\Ally\AppData\Local\Temp\0.13037860400203882.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) → Quarantined and deleted successfully.

Never mind, they are 46000 characters each, I’ll just attach them.

and here’s Extras.Txt

Now wait for Essexboy and his magic tools ;D

Can do. Thanks again.

Hi, you have an infected USB drive with Ravmon on it.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found
O33 - MountPoints2\{4769656a-d637-11dc-b657-0002c7e4db69}\Shell\Auto\command - "" = RavMonE.exe e
[2010/10/26 17:17:11 | 000,000,482 | -HS- | M] () -- C:\Users\Ally\AppData\Local\3724060260
[2010/10/26 17:17:06 | 000,028,672 | -HS- | M] () -- C:\Users\Ally\AppData\Local\csncui.dll
[2010/10/24 10:37:19 | 000,000,000 | -H-D | C] -- C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}
[2010/10/24 00:43:23 | 000,000,000 | ---D | C] -- C:\Users\Ally\AppData\Roaming\8A9504518EE27FC2CCF22EC6B520B7DA

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

That had me very scared for a second there. I was afraid something had gone wrong.
I downloaded ComboFix and followed your instructions. I disabled the active Shield of Avast! and unchecked everything in the Status bar in Settings. I turned off the firewall, shut down Defender, and deactivated Ad-Aware. When I ran the file I was sure that all security software was turned off and I had deactivated my internet. ComboFix told me the Avast! real-time scanner was still on. I searched the whole program and couldn’t find anything still running in the Avast! user interface. I retried and rechecked many times but it told me that it was still running and I should proceed at my own risk. I took the chance.
While running, it told me it had to reboot, which I let it, and all the rest took care of itself. But I’ve just read the log and it tells me that most of the systems I turned off were enabled. Did they restart along with the computer when it rebooted? Otherwise I thought the program had carried out as normal.
But EVERYTHING I clicked on after it completed told me that it is an “illegal operation of a Registry Key that has been marked for Deletion.” This included everything from Mozilla to MSPaint. I could get certain programs running if they had the option for running as administrator.
However, a quick reboot has put everything back in working order (touch wood).
Otherwise, here’s the log.

That looks nearly better - a few bits still to go, on completion can you let me know of any remaining problems

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
\??\c:\windows\TEMP\900B.tmp

Driver::
pscxrunibvpqwbr

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pscxrunibvpqwbr]

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new OTListit log.

Here we are.

Looks good - what problems do you have now ?

Occasionally when I’m on the internet new tabs will open themselves to websites which Avast! immediately blocks, which is slightly worrying. I turn off my internet when I’m not at the computer now just in case they pop up and wreak chaos.

Please download MBRCheck.exe to your desktop.

[*]Be sure to disable your security programs
[*]Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
[*]A window similar to this should open on your desktop:

http://i677.photobucket.com/albums/vv132/RPMcMurphy_album_photos/mbrcheck.png

[*]If you are prompted with options, enter N at the prompt and press Enter
[*]Press Enter again
[*]A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

Hi Again.
First I’d like to sincerely apologise for not replying to your instructions and neglecting the help you have given me, but I was called out of the country for the previous month on urgent family issues and the laptop was something I couldn’t afford to take with me.
Here are the results as requested. The laptop hasn’t been on for the past month, so I’m hoping the results haven’t been affected in any way.
Many Thanks and Sincerest Apologies.

Hmm, intriguing. At the moment I can detect no malware - are you still getting the same problem?

The pop-ups when browsing and the Avast! URL messages seem to have stopped now, but instead I’m getting Microsoft Windows pop-ups every 20 seconds about HXE****.exe (the *'s seem to be random selections of numbers and letters) and 1VW703Vp.exe having “Stopped working” (“send a report” and all that), and Defender telling me that it has encountered “1 Harmful Item”; when it prompts me to “remove it,” Defender has the “taking Actions…” bar moving but nothing seems to happen. I imagine I’ve got a trojan thrown in somewhere, so I’m running Malwarebytes and might try ComboFix before I turn it off for the night. I’ll post again when I see how that turns out (unless there is anything else you recommend).
Thank you for your patience in solving the URL problem, a lot less scared to turn my laptop on now.

I would go straight to ComboFix and allow it to update if it asks, as the error indicates a file is either trying to run or has inserted a run key but failed to install the file.
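As an added, read-only check (not part of the thread and not one of Essexboy's tools): a PowerShell script that lists autostart entries whose target file no longer exists, the situation described above where a driver service or run key is present but the file it points to is missing, plus any MountPoints2 autorun handlers like the RavMonE.exe entry the OTL fix removed. It assumes Windows PowerShell 5.1 or later run from an elevated prompt; the helper name Resolve-Target is my own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, elevated.
# Read-only: it reports suspicious autostart entries and deletes nothing.
function Resolve-Target {
    # Turn a raw ImagePath/Run value into a filesystem path (or $null).
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($p.StartsWith('"')) {                  # "C:\path with spaces\x.exe" -args
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {                                   # C:\path\x.exe -args
        $p = ($p -split '\s+')[0]
    }
    $p = $p -replace '^\\\?\?\\', ''           # strip the \??\ NT path prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Driver paths are often relative to the Windows directory; bare names too
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}
$findings = New-Object System.Collections.Generic.List[object]
# 1. Services/drivers whose ImagePath points at a file that is gone
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $t = Resolve-Target (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($t -and -not (Test-Path -LiteralPath $t)) {
        $findings.Add([pscustomobject]@{ Kind='Service'; Name=$_.PSChildName; Target=$t })
    }
  }
# 2. Run keys (HKLM and HKCU) whose command target is gone
foreach ($hive in 'HKLM', 'HKCU') {
    $props = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $t = Resolve-Target $v.Value
        if ($t -and -not (Test-Path -LiteralPath $t)) {
            $findings.Add([pscustomobject]@{ Kind="Run ($hive)"; Name=$v.Name; Target=$t })
        }
    }
}
# 3. MountPoints2 autorun handlers (removable-drive autorun residue)
Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -eq 'command' } | ForEach-Object {
    $cmd = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
    if ($cmd) { $findings.Add([pscustomobject]@{ Kind='MountPoints2'; Name=$_.Name; Target=$cmd }) }
  }
$findings | Format-Table -AutoSize
```

Entries it lists are candidates for review, not automatic deletions: a bare command name in a Run value is checked relative to the Windows directory and may be a false positive.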