The message "malicious url blocked" keeps popping up

Hi. The same file system32/svchost.exe keeps getting blocked. I scanned the computer but nothing comes up as infected. How do I stop the pop-ups?

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.19.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Andy :: ANDY-PC [administrator]

4/19/2012 6:16:49 PM
mbam-log-2012-04-19 (18-16-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 172261
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Andy\AppData\Local\Temp\ICReinstall_MediaPlayerSetup.exe (Adware.Agent) → Quarantined and deleted successfully.
C:\Users\Andy\AppData\Local\Temp\0.32877906369715815 (Exploit.Drop.9) → Quarantined and deleted successfully.

(end)

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-19 18:40:16
-----------------------------

18:40:16.416 OS Version: Windows 6.1.7601 Service Pack 1
18:40:16.416 Number of processors: 2 586 0x403
18:40:16.416 ComputerName: ANDY-PC UserName: Andy
18:40:42.526 Initialize success
18:40:44.526 AVAST engine defs: 12041901
18:40:50.010 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T1L0-7
18:40:50.010 Disk 0 Vendor: Maxtor_7L250S0 BANC1G10 Size: 238475MB BusType: 3
18:40:50.041 Disk 0 MBR read successfully
18:40:50.041 Disk 0 MBR scan
18:40:50.057 Disk 0 Windows 7 default MBR code
18:40:50.057 Disk 0 MBR hidden
18:40:50.073 Disk 0 Partition 1 00 12 Compaq diag NTFS 7169 MB offset 63
18:40:50.088 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 231303 MB offset 14683410
18:40:50.104 Disk 0 scanning sectors +488392065
18:40:50.182 Disk 0 scanning C:\Windows\system32\drivers
18:41:12.823 Service scanning
18:41:43.495 Modules scanning
18:41:51.745 Disk 0 trace - called modules:
18:41:52.276 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x856744b1]<<
18:41:52.291 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85334030]
18:41:52.291 3 CLASSPNP.SYS[86faa59e] → nt!IofCallDriver → [0x8525f408]
18:41:52.307 5 ACPI.sys[830a33d4] → nt!IofCallDriver → \IdeDeviceP2T1L0-7[0x85279908]
18:41:52.323 \Driver\atapi[0x85622b18] → IRP_MJ_CREATE → 0x856744b1
18:41:53.916 AVAST engine scan C:\Windows
18:41:55.526 AVAST engine scan C:\Windows\system32
18:44:32.737 AVAST engine scan C:\Windows\system32\drivers
18:44:43.799 AVAST engine scan C:\Users\Andy
18:45:41.440 AVAST engine scan C:\ProgramData
18:45:44.877 File: C:\ProgramData\Microsoft\Windows\DRM\8043.tmp INFECTED Win32:Alureon-ASZ [Rtk]
18:45:47.768 Scan finished successfully
18:46:21.706 Disk 0 MBR has been saved successfully to “C:\Users\Andy\Desktop\MBR.dat”
18:46:21.721 The log file has been saved successfully to “C:\Users\Andy\Desktop\aswMBR.txt”
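The aswMBR log above saved the disk's MBR to MBR.dat. As an added example (not code from this thread or from any of the tools named in it), here is a small parser for such a 512-byte dump that checks the 0x55AA boot signature, hashes the boot code for comparison with a known-good baseline, lists the partition table, and reports the unallocated sectors past the last partition, the region aswMBR scans separately. The sample bytes are constructed from the two partitions listed in the log; the sector counts are derived from the logged MB figures and are approximate.

```python
import hashlib
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr():
    # Constructed sample: zeroed boot code plus the two entries aswMBR listed
    # (type 0x12 at LBA 63; active type 0x07 at LBA 14683410). Sizes are the
    # logged MB figures * 2048 sectors, so they are approximate, not byte-exact.
    entries = [
        (0x00, 0x12, 63, 7169 * 2048),          # Compaq diagnostic partition
        (0x80, 0x07, 14683410, 231303 * 2048),  # active NTFS system partition
    ]
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", ty, b"\0\0\0", lba, n)
                     for st, ty, lba, n in entries)
    table += b"\0" * (64 - len(table))          # pad to four 16-byte entries
    return b"\0" * 446 + table + b"\x55\xaa"

def parse_mbr(mbr, disk_sectors=None):
    """Describe a raw MBR dump and flag anything a responder should look at."""
    if len(mbr) < 512:
        raise ValueError("MBR dump must be at least 512 bytes")
    report = {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        # Hash of the boot code only, for comparison with a known-good baseline
        "bootcode_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": [],
        "findings": [],
    }
    for i in range(4):
        st, _, ty, _, lba, n = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ty == 0:
            continue                              # empty slot
        report["partitions"].append({"index": i + 1, "active": st == 0x80,
                                     "type": ty, "start": lba, "sectors": n})
    if not report["signature_ok"]:
        report["findings"].append("missing 0x55AA boot signature")
    active = [p for p in report["partitions"] if p["active"]]
    if len(active) != 1:
        report["findings"].append(f"{len(active)} active partitions (expected 1)")
    parts = sorted(report["partitions"], key=lambda p: p["start"])
    for a, b in zip(parts, parts[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            report["findings"].append(f"partition {a['index']} overlaps {b['index']}")
    if disk_sectors is not None and parts:
        # Sectors past the last partition: aswMBR scans this region separately
        last = parts[-1]
        report["unallocated_tail_sectors"] = disk_sectors - (last["start"] + last["sectors"])
    return report
```

Running `parse_mbr(open("MBR.dat", "rb").read(), disk_sectors=488392065)` on a real dump gives the same report; the disk sector count comes from the "scanning sectors" line of the aswMBR log.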

Sammyc.

I will call one of the specialists to review your logs and remove the infection here. Essexboy is in the UK so he must be in bed by now, but Jeffce might help. You can check later on.

Thank you for taking the time to review my case.

Hi,

Let me look over the logs and get back as quick as I can. :)

Hi,

Please download TDSSKiller

* Right-click and Run as Administrator TDSSKiller.exe
* Press Change Parameters
* Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
* Click on the Start Scan button

* Only if Malicious objects are found then ensure Cure is selected
* Then click Continue > Reboot now
* Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

* Copy and paste the log in your next reply

* A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.


21:09:37.0487 1988 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
21:09:37.0534 1988 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
21:09:37.0534 1988 \Device\Harddisk0\DR0 - detected TDSS File System (1)
21:09:37.0581 1988 Boot (0x1200) (9ede1331561cbb639b2bf018afa2a793) \Device\Harddisk0\DR0\Partition0
21:09:37.0581 1988 \Device\Harddisk0\DR0\Partition0 - ok
21:09:37.0581 1988 ============================================================
21:09:37.0581 1988 Scan finished
21:09:37.0581 1988 ============================================================
21:09:37.0596 2648 Detected object count: 1
21:09:37.0596 2648 Actual detected object count: 1
21:10:12.0323 2648 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
21:10:12.0323 2648 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
21:12:59.0687 4080 Deinitialize success

Hi,

Run TDSSKiller again. When you see this >> \Device\Harddisk0\DR0 ( TDSS File System ) be sure to delete it. Attach the log that is created to your next reply. :)

File attached.

After I followed your previous instructions to delete the file, I shut down the computer for the night, and now when I try to turn it back on it goes to the VAIO screen and after that the screen goes black. I tried to press F8 to go to a safe boot screen, but whatever I do, the screen goes black after the boot screen.

Hi,

I am just checking with a colleague about something and then I will return as quickly as I can. :)

Hi,

Do you have the recovery disk? If no please go here >> http://www.forum.probz.net/index.php?/files/file/18-windows-7-recovery-environment-iso/ to download one. Let me know when you get that. :)

Downloaded and burned as an image.

Hi,

Now let’s boot into the Windows Recovery Environment:

Verify that you can access the Recovery Environment:

To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option Repair your computer is available, select it.
Select a language, a keyboard or an input method, and then click Next
It will ask for a password > if you have one > enter it now, or just hit OK if you don’t have one.

(If Recovery Environment is not preinstalled, you will need to insert your installation DVD and restart, then press any key when prompted to boot from the CD. At the Install Windows screen, select Repair your computer )

First we need to verify what drive letter is assigned. Once you reach the System Recovery Options screen, the drive letter for the operating system will be shown, make note of the drive shown:

http://i1224.photobucket.com/albums/ee380/jeffce74/recoveryconsolepic.jpg

You will need to substitute the x with the verified drive letter you noted earlier:
* select the Command Prompt

It opens to an x:\sources> prompt
(this may vary depending if you boot from cd or an installed RE)
At the prompt, type the following:

* bootrec /FixMbr
* bootrec /FixBoot
* exit

Reboot Normally and let me know if you are back on your system.

Sorry, I still get a black screen.

Do you see the message for the F2 and F12 keys when you boot before the screen goes black? They should appear in the lower right hand corner of your screen.

No, I do not; it goes from the VAIO's logo to blank.

Hi,

Last Known Good Configuration

Start the computer by using the last known good configuration. To start the computer by using the last known good configuration, follow these steps:
* Restart your computer.
* As the computer starts to boot up, tap the F8 key repeatedly.
* This will bring up a menu of selections.
* Use the Up and Down Arrow Keys to scroll to Last Known Good Configuration
* Then press the Enter Key on your Keyboard
* Log into your normally used account

Hi,

Are you still with us? :)