Repeating Avast Web Shield blocked a harmful webpage or file

Avast window pops up and displays several sites, every 10 to 20 seconds, in a never-ending loop.
http://kar-gen-pl1.net/b/opt/xxxxxxxxxxxxxxxx (where x is a changing number)
http://oto-kar1.net/b/opt/xxxxxxxxxxxxxx
http://summer-watr1.biz/b/opt/xxxxxxxxxxxxxxx

All are displayed as an Infection: URL:MAL and Process: C:\WINDOWS\Explorer.EXE

I have attached the files described in the "Topic: Logs to assist in cleaning malware" posting.

Thanks for any help you may render.

Could you let me know if this stops the alerts?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-1044272327-3890023630-4042175641-1009\...\Run: [CDDB Update] => regsvr32.exe "C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL"
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
URLSearchHook: HKU\S-1-5-21-1044272327-3890023630-4042175641-1009 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
2015-04-25 03:00 - 2015-04-25 03:00 - 00000000 ____D () C:\257a568577d13e68e74fd4c26064
C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
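A read-only check for the same persistence indicators the fixlist above targets, added here as an example and not part of EssexBoy's instructions. It assumes PowerShell is installed on the machine; the SID, CLSIDs and paths are the ones quoted in the fixlist, and nothing in it deletes or changes anything.

```powershell
# Added example (not part of the FRST fix above): read-only check for the
# persistence indicators the fixlist targets. Nothing here deletes or changes anything.
# Assumption: PowerShell is installed; the SID, CLSIDs and paths are those quoted in the thread.
$Sid = 'S-1-5-21-1044272327-3890023630-4042175641-1009'

# Expose HKEY_USERS as a drive so the per-user hive can be read by SID.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Registry values named in the fixlist: the Run entry, the URLSearchHook and the proxy flag.
$valueChecks = @(
    @{ Label = 'Run: CDDB Update';
       Path  = "HKU:\$Sid\Software\Microsoft\Windows\CurrentVersion\Run";
       Name  = 'CDDB Update' },
    @{ Label = 'URLSearchHook {81017EA9-...}';
       Path  = "HKU:\$Sid\Software\Microsoft\Internet Explorer\URLSearchHooks";
       Name  = '{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}' },
    @{ Label = 'ProxyEnable for .DEFAULT';
       Path  = 'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
       Name  = 'ProxyEnable' }
)
foreach ($c in $valueChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item) { "[FOUND]  $($c.Label) = $($item.($c.Name))" }
    else       { "[absent] $($c.Label)" }
}

# Registry keys named in the fixlist: the BHO registration and the IPSec local policy key.
$keyChecks = @{
    'BHO {02478D38-...}' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}'
    'IPSec local policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
}
foreach ($k in $keyChecks.Keys) {
    if (Test-Path $keyChecks[$k]) { "[FOUND]  $k key present: $($keyChecks[$k])" }
    else                          { "[absent] $k" }
}

# Files named in the fixlist: the DLL loaded via regsvr32 and the random-named folder.
$paths = @(
    'C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL',
    'C:\257a568577d13e68e74fd4c26064'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { "[FOUND]  $p" } else { "[absent] $p" }
}
```

Running it before and after the fix shows whether each indicator was actually removed, which is the check the "did it stop the alerts" question depends on.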

No it did not stop the alerts. However, after the reboot that was required a RootKit Found message window displayed “MBR:\.PHYSICAL DRIVE0\Boot MBR:Cidox-D [Rtk]”. On prior occasions I have seen this message and have tried deleting as the pop up window suggests. I did not do so this time.

Here is the log you requested.

For EssexBoy, this is what I came up with for the fixlist:

Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1044272327-3890023630-4042175641-1009\...\Run: [CDDB Update] => regsvr32.exe "C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL"
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
CHR StartupUrls: Default -> "hxxp://www.google.com/"
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2015-04-25 03:00 - 2015-04-25 03:00 - 00000000 ____D () C:\257a568577d13e68e74fd4c26064
URLSearchHook: HKU\S-1-5-21-1044272327-3890023630-4042175641-1009 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No File
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: Google Dictionary Compression sdch -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll No File
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
End

So I ran FRST with the new fixlist but the alerts have not stopped. Attached is the latest fixlog file.

Somehow I did not feel it would.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

ComboFix got past step 50, then started deleting some files, and then I got a blue screen. I think the message stated that the mbr.sys driver was halted with items in queue. I used BlueScreenView to view the following message.

“Mini042515-03.dmp 4/25/2015 10:11:37 AM SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD 0x100000d4 0xb2add61e 0x00000002 0x00000001 0x806e7a16 hal.dll hal.dll+2a16 Hardware Abstraction Layer DLL Microsoft® Windows® Operating System Microsoft Corporation 5.1.2600.5512 (xpsp.080413-2111) 32-bit hal.dll+2a16 ntoskrnl.exe+154f93 ntoskrnl.exe+fae95 ntoskrnl.exe+fb232 C:\WINDOWS\Minidump\Mini042515-03.dmp 4 15 2600 90,112 4/25/2015 10:13:42 AM”

Did the system reboot OK?

Is there a log at c:\combofix.txt?

Yes the system rebooted OK but blue screened again later. I have attached the Combofix.txt file.

Does the blue screen reference a driver?

Are the alerts still present?

Yes, the alerts are still occurring. I attached the blue screen crash list. I’m not very familiar with the BlueScreen program, so let me know if I provided the wrong info.

Here is the BlueScreen dump file.

Just to be clear, the Blue screen data I have sent you pertains to only the most recent crash. There are 41 crashes listed.

Could you re-run ComboFix please, and allow it to update if it asks?

Here you go. No change in the problem.

Could you download a fresh copy of FRST please, and run the scan again, but this time also tick Shortcut.txt?
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Then attach all 3 logs.

Here are the FRST & Shortcut text files you requested.

I’m a little confused as to what file you wanted. Here are two files from FRST in my documents directory and one from the Desk Top directory. Is this what you requested?

I am unable to locate the trigger yet.

This programme will produce a zip file; could you upload that to a file sharing site for me to collect?

Download the AVZ tool from here to your desktop.
Unzip all files to a folder on your desktop.
Open the folder and double click the AVZ icon.
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens select “File” > “Standards scripts”

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in:

5. Update signature database

Then press “Execute selected scripts”.

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

Once that has executed, then
select “File” > “Standards scripts”.
Place a tick in:

3. Advanced System Analysis with malware removal mode enabled

When finished, look in the folder AVZ4 on your desktop.
Open the LOG folder.
Upload virusinfo_syscure to a file sharing site for me to collect.

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG