It started yesterday after reboot
http://i72.photobucket.com/albums/i184/JusAleDan/DesktopCapture-05-21-201411-51-35.png
In the time it took me to make a screenshot and post it here @11:59 (in 8 min) I had an additional 60 blocks pop up. Always different addresses.
Follow this guide and attach logs from Malwarebytes, OTL and aswMBR (not Win 8 and up).
Hello jusaledan,
Let’s make an exception this time, skip MBAM and OTL scan analysis and perform the diagnosis with these tools. That will allow us to quickly ascertain whether or not malware may be running on your machine.
=> Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:
Gmer download link
Note: the file will be randomly named.
Double-click to run GMER.
[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ]- save the report to the Desktop (named ARK );
Attach the GMER log report here (ARK.txt).
As a disclaimer, I did run most of these tools yesterday trying to solve the problem myself… which is why Addition shows an earlier timestamp than FRST.
Note: the final file listed by GMER is the filename it downloaded as.
Magna will continue to help you. I’m just curious about something…
Go to www.virustotal.com. Scan the following File… C:\Windows\System32\rpcss.dll
That MD5 hasn’t been scanned yet. Just curious what the other AV’s say about it, not needed or mandatory. Just my own curiosity. (This won’t affect anything Magna86 has done).
Odd, the file won’t show up when I search for it using the website’s Choose File, but I can find it manually on my hard drive using the search in Windows 7.
Addendum: I had to move it out of System32 to scan it, but it received a clean bill of health.
Why did you run ComboFix and who told you to run that tool? Why did you not mention that you had run it?
Post me the log C:\ComboFix.txt
Also, post me all TDSSKiller .txt log reports located on C:\ as well …
Edit:
C:\DelFix.txt
Really … even that one?
…and you have used Zoek as well. I wonder if it is worth it …
I did say I ran almost everything…
first part
Well, this is your machine, not mine.
I would not dare to run anything that I do not understand … but that’s just me.
I have a fix for you, but I need to see the ComboFix.txt log report if it is there, as well as all TDSSKiller reports, as it has performed some cleaning…
PS: no need for JRT and Zoek logs…
part 2 and delfix.txt
ComboFix.txt is missing; DelFix got rid of it.
DelFix is fairly thorough, isn’t it… got rid of Zoek as well…
Ignore what I’ve said previously, but do read this.
→ http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/
Can do.
Ok, just for your info, TDSSKiller has killed one legit driver. Since you don’t have the ComboFix.txt report, I’ll need to use FRST one more time for an additional check before performing the fix.
Re-run FRST/FRST64 by double-clicking:
[*]Type rpcss.dll into the Search: field in FRST, then click the Search File(s) button.
[*]FRST will search your computer for files and, when finished, it will produce a log Search.txt in the same directory the tool is run from.
[*]Please attach it to your reply.
Here it is…
1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Start
File: C:\Windows\assembly\GAC_64\GBHO\1.0.0.0__709f1911357dc329\GBHO.dll
C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper
C:\Windows\system32\bmpdvfn.qnl
C:\Windows\system32\rggjmf.yxc
C:\Windows\system32\qlmovr.akj
C:\Windows\system32\kwwpsk.qzx
REPLACE: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
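An added example, not from this thread or from FRST, GMER or any other tool named in it, of the check that sits behind the REPLACE line in the fixlist above: hashing the live C:\Windows\System32\rpcss.dll and comparing it against the copies held in the WinSxS component store, which is where FRST took the clean file from. The script builds a constructed directory tree in a temporary folder standing in for the Windows layout (the rpcss component folder name is copied from the fixlist; the ole32 folder name and all file contents are made up), so it runs offline anywhere; the function names are mine.

```python
import hashlib
import tempfile
from pathlib import Path

# Component folder name taken from the fixlist in this thread (real WinSxS naming scheme).
RPCSS_COMPONENT = ("amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35"
                   "_6.1.7600.16385_none_c5bfcda3579104e3")


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_winsxs_copies(winsxs_root, filename):
    """Return every file named `filename` below the component store.

    A binary can have several copies (RTM plus each servicing update), each in
    its own versioned component folder, so all of them are collected.
    """
    return sorted(p for p in Path(winsxs_root).rglob(filename) if p.is_file())


def check_system_file(system32_path, winsxs_root):
    """Compare one System32 file against its WinSxS copies.

    Verdicts: 'match' if the live file equals at least one stored copy,
    'mismatch' if copies exist but none equals it, 'no-reference' if the
    store holds nothing to compare against.
    """
    system32_path = Path(system32_path)
    live = sha256_of(system32_path)
    stored = {str(p): sha256_of(p)
              for p in find_winsxs_copies(winsxs_root, system32_path.name)}
    if not stored:
        verdict = "no-reference"
    elif live in stored.values():
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"file": str(system32_path), "live_sha256": live,
            "winsxs": stored, "verdict": verdict}


def build_constructed_tree(root):
    """Lay out a tiny constructed Windows tree under `root` (no real binaries)."""
    sys32 = root / "Windows" / "System32"
    winsxs = root / "Windows" / "winsxs"
    rpcss_comp = winsxs / RPCSS_COMPONENT
    ole32_comp = winsxs / "amd64_constructed-ole32-component"  # made-up folder name
    for d in (sys32, rpcss_comp, ole32_comp):
        d.mkdir(parents=True, exist_ok=True)
    genuine_rpcss = b"MZ constructed genuine rpcss bytes"
    (rpcss_comp / "rpcss.dll").write_bytes(genuine_rpcss)
    (sys32 / "rpcss.dll").write_bytes(genuine_rpcss + b" tampered")  # replaced live copy
    genuine_ole32 = b"MZ constructed genuine ole32 bytes"
    (ole32_comp / "ole32.dll").write_bytes(genuine_ole32)
    (sys32 / "ole32.dll").write_bytes(genuine_ole32)  # intact live copy
    (sys32 / "orphan.dll").write_bytes(b"MZ no copy in the store")  # nothing to compare
    return sys32, winsxs


def demo():
    """Run the check over the constructed tree; returns {filename: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32, winsxs = build_constructed_tree(Path(tmp))
        return {name: check_system_file(sys32 / name, winsxs)["verdict"]
                for name in ("rpcss.dll", "ole32.dll", "orphan.dll")}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two caveats when pointing this at a real system. Since Vista, the files in System32 are normally hard links into WinSxS, so the comparison only catches a replacement that broke the link (the original deleted and a new file written, which is what the REPLACE in the fixlist undoes); a write through the link would alter both sides at once and still report a match. And a mismatch on its own is not proof of tampering, only a prompt to check the file's Authenticode signature and version, the same way the rpcss.dll hash was submitted to VirusTotal earlier in the thread.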
And here is the fixlog. I want you to know I really appreciate you helping me out here.
As an aside it looks to have solved the problem…what was the problem anyway?
Ok, malware is removed. I want to confirm that.
- Re-run FRST, just hit the Scan button and post me the fresh FRST.txt log report.
- Re-run GMER; after the initial run press the Scan button and post me the freshly created ARK.txt logfile.
Here you go.
Hi jusaledan,
Yes, malware is removed. However, again we shall use GMER for additional checks.
Re-run GMER by double-clicking, wait for initial scan to finish …
[*]Right-click anywhere in GMER’s window and select Options > 3rd party, then click the Scan button;
[*]Please wait until the full scan is complete;
[*]Click the Save … button and save the report to the Desktop (named Gmer2 );
Note: the Gmer2 scan may take some time.
Please post the Gmer2.txt logfile here and tell me whether you still get the avast! alerts.