Please help - svchost popup/virus?

I keep getting an Avast pop-up that says:
“Malicious URL Blocked.”
It then shows the alleged URL that was blocked and states:
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

http://i.imgur.com/Xeta8.png

I scanned with MBAM and got this.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.21.03

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Zack :: ZACK-HP [administrator]

5/26/2012 2:08:48 PM
mbam-log-2012-05-26 (14-08-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 503170
Time elapsed: 1 hour(s), 9 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Please attach your logs.
http://forum.avast.com/index.php?topic=53253.0

Alright thanks. So can I just attach the log for each of the programs mentioned? Or do I need to copy and paste certain ones?

Just follow the instructions…!! :wink:
Your aswMBR log is still missing.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-26 15:54:12

15:54:12.896 OS Version: Windows x64 6.1.7600
15:54:12.896 Number of processors: 4 586 0x2505
15:54:12.896 ComputerName: ZACK-HP UserName: Zack
15:54:16.579 Initialize success
15:54:17.593 AVAST engine defs: 12052600
15:54:22.522 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
15:54:22.522 Disk 0 Vendor: Hitachi_ PC4O Size: 476940MB BusType: 3
15:54:22.554 Disk 0 MBR read successfully
15:54:22.554 Disk 0 MBR scan
15:54:22.569 Disk 0 unknown MBR code
15:54:22.585 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
15:54:22.600 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 459189 MB offset 409600
15:54:22.632 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 17447 MB offset 940828672
15:54:22.647 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 976560128
15:54:22.663 Disk 0 scanning C:\Windows\system32\drivers
15:54:34.394 Service scanning
15:54:57.529 Modules scanning
15:54:57.529 Disk 0 trace - called modules:
15:54:58.075 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys
15:54:58.075 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80051ee060]
15:54:58.090 3 CLASSPNP.SYS[fffff88001bc843f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004f65050]
15:54:58.870 AVAST engine scan C:\Windows
15:55:00.805 AVAST engine scan C:\Windows\system32
15:57:39.203 AVAST engine scan C:\Windows\system32\drivers
15:58:00.723 AVAST engine scan C:\Users\Zack
16:00:31.268 Disk 0 MBR has been saved successfully to “C:\Users\Zack\Desktop\MBR.dat”
16:00:31.283 The log file has been saved successfully to “C:\Users\Zack\Desktop\aswMBR.txt”

Got it, thanks :slight_smile:
I don’t need to do the roguekiller program right? Sorry, I’m horrible with this stuff.

  1. You’re welcome.
  2. Not until you’re asked to do so.

Can someone help me?
I’m pretty sure Avast is just being strange, because my computer seems to be running pretty perfectly, and other scans are showing nothing.

Please wait for a malware remover to check your logs

:confused: alright thanks.

I will PM Jeff now. :wink:

Hi,

Let me look over your logs and I will return as quickly as I can. I have some things going on this morning so it may be a little bit before I can get back. Thanks for your patience. :slight_smile:

Hi,

Download CKScanner by askey127 from Here & save it to your Desktop.
- Right-click CKScanner.exe and choose Run as Administrator, then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop, then copy/paste the contents in your next reply


Thank you very much for the help. It seems as if Avast! was not just acting up. Whenever I turn my computer on, it is just a white screen with 5 or 6 processes running.
I’m doing this from safe mode now.

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\steam\steamapps\common\magic the gathering tactics\export_win32\resources\particles\cha_fidget_colossus_crack.tga
c:\program files (x86)\steam\steamapps\common\magic the gathering tactics\export_win32\resources\particles\eff_animals_crackedearth.tga
c:\program files (x86)\steam\steamapps\common\magic the gathering tactics\export_win32\resources\pssg\props\plains_manadevicecracked.pssg.gz
scanner sequence 3.CP.11.GUAPSV
----- EOF -----

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

- Copy/paste the following text, written inside the code box, into the Custom Scans/Fixes box at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {51350968-854B-4129-B44A-1F9F4CCDF1D8}
IE:64bit: - HKLM\..\SearchScopes\{51350968-854B-4129-B44A-1F9F4CCDF1D8}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE:64bit: - HKLM\..\SearchScopes\{65941A8E-F0DF-436D-B9DD-B27A4848A423}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
IE:64bit: - HKLM\..\SearchScopes\{96BB636E-6204-47DA-BAE6-CBDAC90700D9}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE:64bit: - HKLM\..\SearchScopes\{DA3BB462-5308-466C-A7A7-21E8AD7A729D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKLM\..\SearchScopes,DefaultScope = {51350968-854B-4129-B44A-1F9F4CCDF1D8}
IE - HKLM\..\SearchScopes\{51350968-854B-4129-B44A-1F9F4CCDF1D8}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{65941A8E-F0DF-436D-B9DD-B27A4848A423}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
IE - HKLM\..\SearchScopes\{96BB636E-6204-47DA-BAE6-CBDAC90700D9}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKLM\..\SearchScopes\{DA3BB462-5308-466C-A7A7-21E8AD7A729D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
IE - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..\SearchScopes,DefaultScope = {51350968-854B-4129-B44A-1F9F4CCDF1D8}
IE - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..\SearchScopes\{51350968-854B-4129-B44A-1F9F4CCDF1D8}: "URL" = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..\SearchScopes\{65941A8E-F0DF-436D-B9DD-B27A4848A423}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
IE - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..\SearchScopes\{96BB636E-6204-47DA-BAE6-CBDAC90700D9}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
IE - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..\SearchScopes\{DA3BB462-5308-466C-A7A7-21E8AD7A729D}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://www.reddit.com/r/HITsWorthTurkingFor/new/?sort=new"
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
[2012/02/16 10:30:46 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
O15 - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-119983348-1287959658-2686769120-1001\..Trusted Domains: sony.com ([]* in Trusted sites)
O33 - MountPoints2\{088ddeb0-57bf-11e0-b3ba-cd0b4190c0f3}\Shell - "" = AutoRun
O33 - MountPoints2\{088ddeb0-57bf-11e0-b3ba-cd0b4190c0f3}\Shell\AutoRun\command - "" = F:\OblivionLauncher.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, and reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
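As an added example (not from this thread, OTL or its author), here is a read-only PowerShell audit of the same registry locations the fix above edits (IE search scopes, the Trusted sites ZoneMap, and the MountPoints2 AutoRun commands), so the state after the fix can be cross-checked against the new OTL log. It assumes Windows 7 x64 with PowerShell 2.0 or later and an elevated prompt; the zone numbers are Windows' own (2 = Trusted sites, 4 = Restricted sites).

```powershell
# Added example, not the forum's or OTL's code: list the registry locations the OTL fix touches.
# Read-only: nothing is modified, only reported for review.

# 1. IE search scopes (the IE:64bit / IE / HKU SearchScopes entries). Wow6432Node holds the 32-bit view.
$searchScopeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($key in $searchScopeKeys) {
    if (-not (Test-Path $key)) { continue }
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultScope
    "{0}`n  DefaultScope = {1}" -f $key, $default
    Get-ChildItem -Path $key | ForEach-Object {
        "  {0}  {1}" -f $_.PSChildName, (Get-ItemProperty -Path $_.PSPath).URL
    }
}

# 2. Trusted/Restricted sites (the O15 entries). Each domain key holds values named after a scheme
#    or '*', whose DWORD data is the zone number: 2 = Trusted sites, 4 = Restricted sites.
$zoneRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)
foreach ($root in $zoneRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $domainPath = $_.PSPath -replace '.*Domains\\', ''   # e.g. sony.com or www\sony.com
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {                   # skip the provider's PS* metadata
                "{0}  {1} = zone {2}" -f $domainPath, $p.Name, $p.Value
            }
        }
    }
}

# 3. MountPoints2 AutoRun commands (the O33 entries): Explorer caches a removable drive's
#    autorun.inf action here, keyed by the volume GUID.
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
    if (Test-Path $cmdKey) {
        "{0}  AutoRun -> {1}" -f $_.PSChildName, (Get-ItemProperty -Path $cmdKey).'(default)'
    }
}
```

Run it once before and once after the fix and diff the two outputs; any entry that survives (for instance a stale drive letter AutoRun command) is worth mentioning in the next reply.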

Hey,
I should probably mention that I re-scanned my computer using Avast on safemode earlier this evening and found 4 infected files.
I deleted the files and have since then been able to run my computer pretty well outside of safe mode (no white screen anymore).
The original “Malicious URL Blocked” Avast alert has also not happened since then. However, I am not sure if I am in the clear yet…

I downloaded ERUNT and used it as you stated.

Whenever I try to run OTL, I am greeted by the following error:
http://i.imgur.com/RH0hV.png

I ran the program just the other day to provide the logs that are already up, so I am not sure what could be going on.
I tried deleting the program and re-downloading, but that didn’t help.

It could help if you reported the file names and locations of the avast detections that you deleted?

Deletion isn’t really a good first option (you have none left): ‘first do no harm’. Don’t delete; send the virus to the chest (a protected area) and investigate.

I didn’t think to write down the information on the viruses it detected :confused:
I tried sending all four of them to the chest at first, but two of them were not cooperating and would not go into the chest, so I deleted the files.
I’m not sure if I can retrieve the information about the files I had deleted, but the two files in my chest have the following descriptions:

File 1: http://i.imgur.com/Z7sAn.jpg
File 2: http://i.imgur.com/VGPvf.jpg

Hi,

Yes, please do not delete or run anything else without being asked. There are infections that will render your system a fancy paperweight if you remove them improperly.

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.

The files at 1 & 2 certainly look suspect based on their file names; whilst the c:\windows\installer\ folder is commonly used, it is also seen being used by malware. Given that and the malware name, the detections look good and are safely locked away in the chest for now.

If the other two detections were along the same lines, e.g. strange file name and also in the c:\windows\installer\ folder, it is possible that they were/are related to these other two detections.

That’s me for the night; it’s almost 2:50am here. Hopefully jeffce can continue.

I’m not sure what scan you did from safe mode, or even if scans from safe mode are recorded in the same way as scans run from normal mode. You can check the avastUI, Scan Computer, Scan Logs and see if the scan that you ran is listed there; if so, that should have the information on the detections.