Malicious URL blocked

Hi, I hope someone can help.
I keep getting a "malicious URL blocked" popup
url: 64.111.211.158
The program being blocked is avastsvc.exe or iexplorer (even when it is not running).
The machine is XP SP3 and can't follow any link from any search result in the web browser (IE or Safari); it constantly gets redirected.
I have run the latest Malwarebytes and SUPERAntiSpyware, and obviously Avast. Problem persists. I have also run CCleaner.
I have run HijackThis but I do not know what is a problem and what is not; log attached. Hopefully someone can help.

Thanks in advance
Pete

OK, do you get redirected on sites like Google?

Just want to make sure that this is the thing I am guessing. I think if your answer is yes then it is a rootkit.

Post MBAM logs in the next comment; I saw your HijackThis log. I will wait for your reply and only then start guiding you…

OK, so your answer is yes; then this is a rootkit. Here are some tools:

Download aswMBR.exe (511KB) from http://public.avast.com/~gmerek/aswMBR.exe to your desktop.

Double-click aswMBR.exe to run it

Click the “Scan” button to start the scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click Save log, save it to your desktop and post it in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Do tell me whether this thing worked or not; if not, I have some more simple tools in backup.

Sorry, I was getting lunch. In answer to the first question: if I search with Google and click on a result, I get redirected to all sorts of different sites, including more Google search results, but usually to a totally unrelated web site.

I am running aswMBR now and will post results shortly.

Also I should mention that the “Network Diagnostics for XP” window keeps popping up, usually after the Avast malicious URL blocked popup.

A couple of things came up in red, but it means nothing to me.

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-07-04 13:40:31

13:40:31.484 OS Version: Windows 5.1.2600 Service Pack 3
13:40:31.484 Number of processors: 2 586 0x304
13:40:31.484 ComputerName: PCPUB UserName:
13:40:32.281 Initialize success
13:40:33.187 AVAST engine defs: 11070301
13:40:36.093 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
13:40:36.093 Disk 0 Vendor: WDC_WD1200LB-55EDA0 15.05R15 Size: 114473MB BusType: 3
13:40:38.109 Disk 0 MBR read successfully
13:40:38.109 Disk 0 MBR scan
13:40:38.109 Disk 0 Windows XP default MBR code found via API
13:40:38.109 Disk 0 unknown MBR code
13:40:38.109 Disk 0 MBR hidden
13:40:40.109 Disk 0 scanning sectors +234420480
13:40:40.156 Disk 0 scanning C:\WINDOWS\system32\drivers
13:40:52.046 Service scanning
13:40:56.562 Disk 0 trace - called modules:
13:40:56.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86b4ff16]<<
13:40:56.593 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86b85ab8]
13:40:56.609 3 CLASSPNP.SYS[f7656fd7] → nt!IofCallDriver → \Device\00000062[0x86b8cf18]
13:40:56.609 5 ACPI.sys[f75cd620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x86bc7940]
13:40:56.609 \Driver\atapi[0x86b8e720] → IRP_MJ_INTERNAL_DEVICE_CONTROL → 0x86b4ff16
13:40:56.953 AVAST engine scan C:\WINDOWS
14:03:54.250 AVAST engine scan C:\Documents and Settings\Client
14:06:57.015 AVAST engine scan C:\Documents and Settings\All Users
14:08:32.375 Scan finished successfully
14:08:54.312 Disk 0 MBR has been saved successfully to “C:\Mac Share Folder\Pete\MBR.dat”
14:08:54.312 The log file has been saved successfully to “C:\Mac Share Folder\Pete\aswMBR.txt”

Nothing malicious as such; click FixMBR or just the Fix option and try this out:

OK, another tool to check for other types of rootkit.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

I have the same issue on a client's computer. I got rid of various Trojans and worms with Malwarebytes, but every 5 minutes Avast is blocking this IP address 64.111.211.158. Please tell me if you find a fix.

Please post in a different thread, kairukens, and not here.

Why would I create a new thread for the EXACT same issue?..

Also, to Bitodd: I’m not getting redirects, just the Avast popups. Try going to Internet Explorer > Tools > Internet Options > Connections tab > LAN settings

Make sure the “Use a Proxy” box is not checked. If it is, it would explain the redirects, but Avast may still bug you for something underlying like a rootkit or keylogger, which is what I’m still trying to figure out.

@KairuKins each infection is different; some are caused by TDL3, as bitodd has, others are caused by a hijacked hosts file or an innocuous file/toolbar that is not as it seems

Each will require a different approach and a different fix
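The two redirect mechanisms named in the last two posts, a proxy switched on in Internet Explorer's LAN settings and a hijacked hosts file, can both be checked from text exported off the affected machine. The script below is an added example and not code from the thread or from any of the tools it mentions: the proxy part parses the output of `reg query` against the Internet Settings key (ProxyEnable, ProxyServer and AutoConfigURL are the real WinINET value names), the hosts part parses hosts-file text and flags watched domains mapped anywhere at all. The watch list and both sample inputs are constructed; the redirect address in the sample is the one reported in the thread.

```python
"""Checks for the two redirect mechanisms named in the thread: a proxy enabled in
Internet Explorer's LAN settings and a hijacked hosts file (added example, not
the thread's code).  Both run over text exported from the affected machine;
the samples below are constructed."""
import ipaddress
import re

# ---- Proxy: parse the output of
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# ProxyEnable, ProxyServer and AutoConfigURL are the real WinINET value names.
REG_VALUE = re.compile(r"^\s*(\w+)\s+(REG_\w+)\s+(.*?)\s*$")

def parse_reg_query(text):
    """Map value name -> data for every `name  REG_TYPE  data` line."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values

def audit_proxy(reg_text):
    """Report whether a manual proxy or a PAC script is in force.  A legitimate
    corporate proxy trips this too, so 'review' is a prompt, not a verdict."""
    v = parse_reg_query(reg_text)
    enabled = v.get("ProxyEnable", "0x0").lower() in ("0x1", "1")
    return {"proxy_enabled": enabled,
            "proxy_server": v.get("ProxyServer") if enabled else None,
            "pac_url": v.get("AutoConfigURL"),
            "review": enabled or "AutoConfigURL" in v}

# ---- Hosts file: watched domains (search engines, security and update
# vendors) should not appear in a home user's hosts file at all.  Constructed list.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "avast.com",
                    "malwarebytes.org", "microsoft.com", "windowsupdate.com")

def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def parse_hosts(text):
    """Yield (lineno, ip_text, hostnames) for each non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()      # drop trailing comments
        if body:
            tokens = body.split()                # tabs and spaces both work
            yield lineno, tokens[0], tokens[1:]

def audit_hosts(text):
    """watched -> loopback/0.0.0.0 is 'blocked' (vendor silenced); watched ->
    anything else is 'redirected'; unwatched -> public IP is listed for review."""
    report = {"entries": 0, "redirected": [], "blocked": [],
              "other_public": [], "malformed": []}
    for lineno, ip_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            report["malformed"].append(lineno)
            continue
        if not hosts:                            # an address with no name
            report["malformed"].append(lineno)
            continue
        for host in hosts:
            host = host.lower().rstrip(".")
            report["entries"] += 1
            entry = (host, str(addr), lineno)
            if is_watched(host):
                silenced = addr.is_loopback or addr.is_unspecified
                report["blocked" if silenced else "redirected"].append(entry)
            elif addr.is_global:
                report["other_public"].append(entry)
    return report

# Constructed samples.  The redirect address is the one reported in the thread.
SAMPLE_REG = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    127.0.0.1:8080
    MigrateProxy    REG_DWORD    0x1
"""
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
64.111.211.158  www.google.com google.com
64.111.211.158\twww.bing.com   # trailing comment
127.0.0.1       www.avast.com
0.0.0.0         www.malwarebytes.org
192.168.1.50    intranet.example   # a legitimate local override
not-an-ip       www.yahoo.com
"""

if __name__ == "__main__":
    print(audit_proxy(SAMPLE_REG))
    print(audit_hosts(SAMPLE_HOSTS))
```

On the affected box the two inputs come from `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"` and from `%SystemRoot%\system32\drivers\etc\hosts`; a watched domain mapped to loopback is as telling as one mapped to a public address, because silencing the vendor's update and definition servers is the usual companion to the redirect.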

I can’t run TDSSKiller; I double-click and nothing happens. I read on another site that a rootkit can cause this and it said to rename the executable to something else like 123.com and then run it. I renamed it and it completely disappeared from the desktop, so I extracted it again and renamed it on the C drive; I double-click and nothing happens, again.

I am wondering if there is any boot disc that I may be able to use to try and fix it from outside the OS, Linux style??

OK, before going to anything complex I will need to get some more information provided by OTS. Maybe this can fix the problem. Try this:

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

[b]
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Also copy and paste this into the Paste Fix Here panel and then hit Run Fix.
code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > →
YN → HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001: URLSearchHooks\“{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}” [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > →
YY → XUL Cache → C:\Users\bitodd\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY → ShopToWin13 → C:\Users\bitodd\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001] > → HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar
YN → WebBrowser\“{30F9B915-B755-4826-820B-08FBA6BD249D}” [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\“{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}” [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\“{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}” [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
YN → WebBrowser\“{D4027C7F-154A-4066-A1AD-4243D8127440}” [HKLM] → Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY → iscsied32.dll → C:\ProgramData\iscsied32.dll
NY → Free Offers from Freeze.com → C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY → 573779942 → C:\Windows\SysWow64\573779942
NY → iscsied32.dll → C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY → 573779942 → C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

[/b]
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Edited to add custom scans

Please ensure that all logs are saved in the ANSI format

http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif

Your desktop icons may disappear, or other unusual behavior may occur; this is no malfunction, do not panic. After it's finished, restart and check whether the problem still persists.

Problem is fixed. I downloaded Kaspersky AV (30-day trial).
It picked up the rootkit straight away. No more “malicious URL blocked” popups and no more redirected URLs in the browser.
After several restarts, it appears quite stable.

thanks for your help anyway

No problem

and here @com155

How can you post an OTS fix when you have not received an OTS log to look at first???

Sorry, I will be careful next time.

Just curious… may I ask how old you are?

just 16

Just capturing/plagiarising essexboy’s scripts and images and not even acknowledging his work. But worse still not realising that Fixes are Unique, not good for a self proclaimed virus buster who asks us to trust him.

13:40:56.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86b4ff16]<<
13:40:56.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b85ab8]
13:40:56.609 3 CLASSPNP.SYS[f7656fd7] -> nt!IofCallDriver -> \Device\00000062[0x86b8cf18]
13:40:56.609 5 ACPI.sys[f75cd620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86bc7940]
13:40:56.609 \Driver\atapi[0x86b8e720] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86b4ff16
The problem was a TDL3 bootkit - TDSSKiller, AVP tool or Dr.Web will cure that. Selecting Fix or FixMBR with aswMBR could render the system unbootable, as aswMBR is not designed to repair these - just report.
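The aswMBR log Pete posted earlier and the reading of it in this last post (MBR hidden, an unnamed module on the disk I/O path, the atapi dispatch routine pointing at that same bare address) are the lines that separate a TDL3-class bootkit from a clean trace. As an added example, not code from the thread or from aswMBR, here is a small Python triage that pulls those indicator lines out of a log, normalises the arrow glyph the forum rendered as "→", and cross-checks that the hook target is the same address as the unknown module. The indicator labels, the "strong indicator" judgement and the clean sample are mine; the infected sample is taken from the log above. It reads a log, it does not repair anything, which is exactly the point about aswMBR's Fix button.

```python
"""Triage helper for aswMBR logs (added example; not the thread's or aswMBR's code).

aswMBR reports what it saw in the MBR and which kernel modules sit on the disk
I/O path.  The indicator lines below are the ones the thread's log hit; the
labels, the clean sample and the STRONG set are my own judgement.
"""
import re

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")

# (key, pattern, label).  Patterns match after "→" is normalised to "->".
INDICATORS = [
    ("mbr_unknown_code", re.compile(r"\bunknown MBR code\b"),
     "MBR code is not the stock loader"),
    ("mbr_hidden", re.compile(r"\bMBR hidden\b"),
     "MBR read via the API differs from the one read below the driver stack"),
    ("trace_unknown_module", re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<"),
     "Unnamed module on the disk I/O call path"),
    ("dispatch_hooked",
     re.compile(r"IRP_MJ_INTERNAL_DEVICE_CONTROL -> (0x[0-9a-fA-F]+)\s*$"),
     "atapi dispatch routine points at a bare address instead of a driver"),
]
STRONG = {"mbr_hidden", "trace_unknown_module", "dispatch_hooked"}

def triage(log_text):
    """Return the indicator hits, whether they add up to a suspected bootkit,
    and whether the hooked dispatch target is the same address as the unknown
    module (one hidden module both owns the hook and filters MBR reads)."""
    findings, unknown_addrs, hook_targets = [], set(), set()
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.replace("→", "->").strip())
        for key, pattern, label in INDICATORS:
            m = pattern.search(line)
            if not m:
                continue
            findings.append({"key": key, "label": label, "line": line})
            if key == "trace_unknown_module":
                unknown_addrs.add(m.group(1).lower())
            elif key == "dispatch_hooked":
                hook_targets.add(m.group(1).lower())
    keys = {f["key"] for f in findings}
    return {
        "findings": findings,
        "bootkit_suspected": bool(keys & STRONG),
        "hook_matches_unknown_module": bool(unknown_addrs & hook_targets),
        "unknown_addresses": sorted(unknown_addrs | hook_targets),
    }

def summarize(report):
    """One-line verdict suitable for a forum reply."""
    if not report["bootkit_suspected"]:
        return "no bootkit indicators in this log"
    parts = [f["label"] for f in report["findings"]]
    if report["hook_matches_unknown_module"]:
        parts.append("hook target is the unknown module at "
                     + ", ".join(report["unknown_addresses"]))
    return "bootkit suspected: " + "; ".join(parts)

# Lines from the log posted in the thread.
SAMPLE_INFECTED = """\
13:40:38.109 Disk 0 MBR read successfully
13:40:38.109 Disk 0 MBR scan
13:40:38.109 Disk 0 Windows XP default MBR code found via API
13:40:38.109 Disk 0 unknown MBR code
13:40:38.109 Disk 0 MBR hidden
13:40:56.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86b4ff16]<<
13:40:56.609 \\Driver\\atapi[0x86b8e720] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x86b4ff16
"""
# Constructed clean trace: every module on the path is named.
SAMPLE_CLEAN = """\
13:40:38.109 Disk 0 MBR read successfully
13:40:38.109 Disk 0 MBR scan
13:40:38.109 Disk 0 Windows XP default MBR code found via API
13:40:56.593 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll
13:40:56.609 \\Driver\\atapi[0x86b8e720] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> atapi.sys
"""

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_INFECTED)))
    print(summarize(triage(SAMPLE_CLEAN)))
```

The cross-check matters more than any single line: a hidden MBR alone can be a false positive from an unusual disk driver, but a hidden MBR plus an unnamed module that is also the target of the atapi dispatch hook is the shape a bootkit leaves, and that combination is the cue to reach for a dedicated remover rather than a report-only tool's Fix button.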