URL:Mal followed by Win32.Malware-gen

I get a pop-up that reads:
Object: 95.143.193.171 (sometimes this says: longtrip-todayz.com)
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\System32\svchost.exe

It will quickly be followed by:
Object: c:\windows\temp****\setup.exe
Infection: Win32.Malware-gen
Action: Moved to chest
Process: c:\windows\System32\svchost.exe

I ensured everything was updated. Then I rebooted in safe mode and ran Malwarebytes, Kaspersky rootkit, then an Avast full computer scan, then I set it to run a full computer boot scan and rebooted. Nothing is found by any of these scans. I was using a different anti-virus software package and it did not find anything either. I’m currently testing Avast and using the free version.

I would appreciate whatever assistance or suggestions that could be provided.

Thanks!

There was a malicious file within your temporary folder that Avast blocked and then deleted.

What are your current problems?

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*] Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*] It will close all programs when run, so make sure you have saved all your work before you begin.
[*] Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*] Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Thanks for your reply, essexboy.

I followed your instructions and did a manual reboot, but the same thing is occurring.

First, I get the URL:Mal Block, then a setup.exe file tries to open, but avast allows me to cancel the open, then I get the c:\windows\temp****\setup.exe block. **** are letters which change. Folders matching the letters are created in the windows\temp directory, but these folders are empty.

In that case, let’s have a look-see.

Download OTS to your Desktop and double-click on it to run it

[*] Make sure you close all other programs and don’t use the PC while the scan runs.
[*] Select All Users
[*] Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*] Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*] Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*] When the scan is complete Notepad will open with the report file loaded in it.
[*] Please attach the log in your next post.

I’ve run OTS from the desktop and attached the result as you requested.

Thanks again for the help.

Start OTS. Copy/Paste the information in the quote box below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1292428093-746137067-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1292428093-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Documents and Settings\Calvin\Desktop\utorrent.exe" -> [C:\Documents and Settings\Calvin\Desktop\utorrent.exe:*:Enabled:µTorrent]
YN -> "C:\Program Files\AVG\AVG10\avgmfapx.exe" -> [C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{5dcbfc0a-0a0d-11df-9cf7-463500000031} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\Auto\command -> 
YN -> \{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\Auto\command\\"" -> [G:\run.exe]
YN -> \{5dcbfc0a-0a0d-11df-9cf7-463500000031} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun -> 
YN -> \{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\command -> 
YN -> \{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL run.exe]
YN -> \{7d2fbfe6-223a-11e0-9f17-463500000031} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\Auto\command -> 
YN -> \{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\Auto\command\\"" -> [G:\run.exe]
YN -> \{7d2fbfe6-223a-11e0-9f17-463500000031} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun -> 
YN -> \{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\command -> 
YN -> \{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\command\\"" -> [C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL run.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  85ofw6p8b0gy3qnjn6mw -> C:\Documents and Settings\Calvin\Local Settings\Application Data\85ofw6p8b0gy3qnjn6mw
NY ->  85ofw6p8b0gy3qnjn6mw -> C:\Documents and Settings\All Users\Application Data\85ofw6p8b0gy3qnjn6mw
[Files - No Company Name]
NY ->  85ofw6p8b0gy3qnjn6mw -> C:\Documents and Settings\Calvin\Local Settings\Application Data\85ofw6p8b0gy3qnjn6mw
NY ->  85ofw6p8b0gy3qnjn6mw -> C:\Documents and Settings\All Users\Application Data\85ofw6p8b0gy3qnjn6mw
[File - Lop Check]
NY ->  AVG10 -> C:\Documents and Settings\All Users\Application Data\AVG10
NY ->  avg9 -> C:\Documents and Settings\All Users\Application Data\avg9
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Here are the contents of the file created after running the fix in OTS:

All Processes Killed
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-1292428093-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-1292428093-746137067-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Documents and Settings\Calvin\Desktop\utorrent.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\AVG\AVG10\avgmfapx.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{5dcbfc0a-0a0d-11df-9cf7-463500000031}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\Auto\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\Auto\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{5dcbfc0a-0a0d-11df-9cf7-463500000031}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{5dcbfc0a-0a0d-11df-9cf7-463500000031}\Shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{7d2fbfe6-223a-11e0-9f17-463500000031}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\Auto\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\Auto\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{7d2fbfe6-223a-11e0-9f17-463500000031}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{7d2fbfe6-223a-11e0-9f17-463500000031}\Shell\AutoRun\command not found.
[Files/Folders - Modified Within 30 Days]
C:\Documents and Settings\Calvin\Local Settings\Application Data\85ofw6p8b0gy3qnjn6mw moved successfully.
C:\Documents and Settings\All Users\Application Data\85ofw6p8b0gy3qnjn6mw moved successfully.
[Files - No Company Name]
File C:\Documents and Settings\Calvin\Local Settings\Application Data\85ofw6p8b0gy3qnjn6mw not found!
File C:\Documents and Settings\All Users\Application Data\85ofw6p8b0gy3qnjn6mw not found!
[File - Lop Check]
C:\Documents and Settings\All Users\Application Data\AVG10 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\prepare\temp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\prepare folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update\backup folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\update folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Temp folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\scanlogs folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\TEMP folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\OUT folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\IN\10110 folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\IN folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue\ACTIVE folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Queue folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc\Log folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\emc folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Dumps folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\CfgAll folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\Cfg folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\AvgApi folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\AvgAm folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9\admincli folder moved successfully.
C:\Documents and Settings\All Users\Application Data\avg9 folder moved successfully.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Calvin\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Calvin\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]

User: All Users

User: Calvin
->Temp folder emptied: 63198 bytes
->Temporary Internet Files folder emptied: 49288 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 23363009 bytes
->Flash cache emptied: 1654 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 28554890 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 2458 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1887481 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.00 mb

[EMPTYFLASH]

User: All Users

User: Calvin
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05012011_150323

Files\Folders moved on Reboot…
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HN74XVAQ\ADTECH;adid=1222513;bnid=-1;target=blank;sub1=;misc=844122141[1].htm moved successfully.
File move failed. C:\WINDOWS\temp_avast\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\WINDOWS\temp\fla48.tmp not found!

Registry entries deleted on Reboot…

Could you now check for alerts please

Okay, the setup.exe issue has been resolved, thank you.

However, the URL:Mal alerts are still popping up randomly.

OK phase two ;D

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*] Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*] If an update is found, it will download and install the latest version.
[*] Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*] The scan may take some time to finish, so please be patient.
[*] When the scan is complete, click OK, then Show Results to view the results.
[*] Make sure that everything is checked, and click Remove Selected.
[*] When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*] The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*] Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Here’s the mbam-log file created by Malwarebytes:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6485

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/1/2011 3:57:40 PM
mbam-log-2011-05-01 (15-57-40).txt

Scan type: Quick scan
Objects scanned: 140660
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBAM is showing that you’re not infected. Looks like you’re clean.
But try to rescan with avast! and make a boot-time scan to be sure you’re really clear of viruses.

Get Internet Explorer V8 as it is the basis of all Windows

Windows Explorer is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the monitor such as the taskbar and desktop. Controlling the computer is possible without Windows Explorer running (for example, the File | Run command in Task Manager on NT-derived versions of Windows will function without it, as will commands typed in a command prompt window). It is sometimes referred to as the Windows Shell, explorer.exe, or simply “Explorer”.
http://en.wikipedia.org/wiki/Windows_Explorer

You know not of what you speak! :)
See my post!

Do the alerts still appear? If so, I will need to use a stronger tool.

Whilst this programme is running you will need to temporarily disable Avast; any files that Avast wants to sandbox, let them run normally.

To disable Avast right click the orange blob
Select shield control
Select disable for 1 hour

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*] Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

[*] Double click on ComboFix.exe & follow the prompts.

[*] As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*] Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks for all the help.

There was an error trying to install the Windows Recovery Console. I tried to do it twice, but no luck. I ran ComboFix anyway. I’ve attached the log file.

As of now, I’m still getting the URL:Mal alerts.

OK, that has given me a slight hint… What error do you get when you try to install the recovery console?

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan, click Save log, save it to your desktop and post it in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

When I tried to install the recovery console, I got an insufficient disk space error. I freed up around 10 GB of space before trying again and received the same error.

The results of the aswMBR are:

aswMBR version 0.9.5.232 Copyright(c) 2011 AVAST Software
Run date: 2011-05-02 06:58:13

06:58:13.265 OS Version: Windows 5.1.2600 Service Pack 3
06:58:13.265 Number of processors: 2 586 0x6B01
06:58:13.265 ComputerName: XP2-REMOTE UserName: Calvin
06:58:13.656 Initialize success
06:58:17.515 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
06:58:17.515 Disk 0 Vendor: WDC_WD5000AADS-00M2B0 01.00A01 Size: 476938MB BusType: 3
06:58:17.515 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
06:58:17.515 Disk 1 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610479MB BusType: 3
06:58:17.515 Device \Driver\atapi → DriverStartIo 8a58157b
06:58:19.515 Disk 0 MBR read successfully
06:58:19.515 Disk 0 MBR scan
06:58:19.515 Disk 0 TDL4@MBR code has been found
06:58:19.515 Disk 0 Windows XP default MBR code found via API
06:58:19.515 Disk 0 MBR hidden
06:58:19.515 Disk 0 MBR [TDL4] ROOTKIT
06:58:19.515 Disk 0 trace - called modules:
06:58:19.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a581730]<<
06:58:19.515 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a5deab8]
06:58:19.515 3 CLASSPNP.SYS[ba908fd7] → nt!IofCallDriver → \Device\0000006f[0x8a5f5f18]
06:58:19.515 5 ACPI.sys[ba77f620] → nt!IofCallDriver → [0x8a5f1940]
06:58:19.515 \Driver\atapi[0x8a621a80] → IRP_MJ_CREATE → 0x8a581730
06:58:19.515 Scan finished successfully
07:00:04.765 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Calvin\Desktop\MBR.dat”
07:00:04.890 The log file has been saved successfully to “C:\Documents and Settings\Calvin\Desktop\aswMBR.txt”

Here we go TDL4

06:58:19.515 Disk 0 MBR [TDL4] **ROOTKIT**
Re-Run aswMBR

Click Scan

On completion of the scan

Click the Fix Button

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post in your next reply

I ran the Scan then Fix options. I tried to save a log from there, but aswMBR was Not Responding and it did note to reboot ASAP. So, I rebooted the PC, then ran the Scan option again. I have attached the log file below.

I’ve had the computer on for a few minutes and have not received any of the URL:Mal alerts. Your help has been invaluable. I really appreciate it!

aswMBR version 0.9.5.232 Copyright(c) 2011 AVAST Software
Run date: 2011-05-02 07:58:08

07:58:08.812 OS Version: Windows 5.1.2600 Service Pack 3
07:58:08.812 Number of processors: 2 586 0x6B01
07:58:08.812 ComputerName: XP2-REMOTE UserName: Calvin
07:58:09.171 Initialize success
07:58:13.875 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
07:58:13.875 Disk 0 Vendor: WDC_WD5000AADS-00M2B0 01.00A01 Size: 476938MB BusType: 3
07:58:13.875 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
07:58:13.875 Disk 1 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610479MB BusType: 3
07:58:15.875 Disk 0 MBR read successfully
07:58:15.875 Disk 0 MBR scan
07:58:15.875 Disk 0 Windows XP default MBR code
07:58:17.875 Disk 0 scanning sectors +268414020
07:58:17.921 Disk 0 scanning C:\WINDOWS\system32\drivers
07:58:23.109 Service scanning
07:58:24.453 Disk 0 trace - called modules:
07:58:24.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:58:24.468 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a606ab8]
07:58:24.468 3 CLASSPNP.SYS[ba908fd7] → nt!IofCallDriver → \Device\0000006f[0x8a60df18]
07:58:24.468 5 ACPI.sys[ba77f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x8a591d98]
07:58:24.468 Scan finished successfully
07:58:38.125 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Calvin\Desktop\MBR.dat”
07:58:38.140 The log file has been saved successfully to “C:\Documents and Settings\Calvin\Desktop\aswMBR.txt”
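The two aswMBR logs above differ in exactly the lines that matter: the first scan sees TDL4 code in the raw MBR while the Windows API still reports the default XP boot code (so the MBR is being hidden), and the disk I/O call trace ends in an unnamed module instead of atapi.sys; the rescan after Fix shows none of that. The following Python parser is an added example, not part of the thread or of aswMBR, that pulls those indicators out of log text so the before/after comparison can be made mechanically. The log excerpts are constructed from the two posts above, and the function and field names are my own.

```python
"""Flag MBR-rootkit indicators in aswMBR log text (added example, not aswMBR's own code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpts of the two logs in the thread: the first scan (TDL4 present)
# and the rescan after Fix (clean). The forum copy renders "->" as an arrow glyph.
INFECTED_LOG = r"""
06:58:19.515 Disk 0 MBR scan
06:58:19.515 Disk 0 TDL4@MBR code has been found
06:58:19.515 Disk 0 Windows XP default MBR code found via API
06:58:19.515 Disk 0 MBR hidden
06:58:19.515 Disk 0 MBR [TDL4] ROOTKIT
06:58:19.515 Disk 0 trace - called modules:
06:58:19.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a581730]<<
06:58:19.515 Scan finished successfully
"""

CLEAN_LOG = r"""
07:58:15.875 Disk 0 MBR scan
07:58:15.875 Disk 0 Windows XP default MBR code
07:58:24.453 Disk 0 trace - called modules:
07:58:24.468 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
07:58:24.468 Scan finished successfully
"""

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
DISK_LINE = re.compile(r"^Disk (\d+) (.*)$")
ROOTKIT_VERDICT = re.compile(r"^MBR \[(\w+)\] ROOTKIT$")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


@dataclass
class DiskVerdict:
    disk: int
    raw_mbr: Optional[str] = None   # signature of the MBR as read straight from the disk
    api_mbr: Optional[str] = None   # signature Windows returns when asked through the API
    hidden: bool = False            # aswMBR's own "MBR hidden" conclusion
    rootkit: Optional[str] = None   # family named in the "MBR [...] ROOTKIT" verdict
    unknown_hooks: List[str] = field(default_factory=list)  # unnamed code in the I/O path

    @property
    def view_mismatch(self) -> bool:
        """Raw sector and API view disagree: the classic sign of a filtered MBR."""
        return self.api_mbr is not None and self.raw_mbr != self.api_mbr

    @property
    def infected(self) -> bool:
        return bool(self.rootkit or self.hidden or self.view_mismatch or self.unknown_hooks)


def parse_aswmbr(log: str) -> Dict[int, DiskVerdict]:
    """Walk an aswMBR log and collect per-disk MBR findings."""
    verdicts: Dict[int, DiskVerdict] = {}
    current: Optional[DiskVerdict] = None
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw.strip(), count=1)
        m = DISK_LINE.match(line)
        if m:
            current = verdicts.setdefault(int(m.group(1)), DiskVerdict(int(m.group(1))))
            rest = m.group(2)
            if rest.endswith("@MBR code has been found"):
                current.raw_mbr = rest[: -len("@MBR code has been found")]
            elif rest.endswith(" MBR code found via API"):
                current.api_mbr = rest[: -len(" MBR code found via API")]
            elif rest.endswith(" MBR code"):
                current.raw_mbr = rest[: -len(" MBR code")]
            elif rest == "MBR hidden":
                current.hidden = True
            else:
                v = ROOTKIT_VERDICT.match(rest)
                if v:
                    current.rootkit = v.group(1)
        elif current is not None:
            # Trace lines belong to the most recently named disk.
            current.unknown_hooks.extend(UNKNOWN_MODULE.findall(line))
    return verdicts
```

Running `parse_aswmbr` over the first log yields a disk 0 verdict with `rootkit == "TDL4"`, `hidden`, a raw/API mismatch and the unknown module at 0x8a581730; over the rescan it yields a clean verdict with only the default XP boot code.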