Web Shield URL: Mal ledoborota

Please help:

Avast Web Shield is popping up alerts frequently whether a browser window is open or not.

Windows 7 Pro Version 6.1.7601 Service Pack 1 Build 7601

Avast Webshield has blocked a harmful web page or file:
url: http//ledoborota.com/aa/
infection: URL: Mal
Process: C:\Windows\SysWow64\svchost.exe

Avast Webshield has blocked a harmful web page or file:
url: http//5.45.73.129/aa/
infection: URL: Mal
Process: C:\Windows\SysWow64\svchost.exe

These pop up alternately every minute or so.

Ran Malwarebytes, now different URLs are blocked in addition to the first two:

http://bombamovie-searcher.com/?q=judgement+posted+to+my+credit+report
infection: URL: Mal
Process: C:\Windows\SysWow64\svchost.exe

http://dobbieshow-searcher.com/?q= (etc.)
http://woohooshow-searcher.com/?q= (etc.)
http://volvoshow-searcher.com/?q= (etc.)

After an hour or so the warnings are now only about variations on the ledoborota url, but with increasing frequency (every minute or so).

Mine is doing the exact same thing. I have run multiple different malware & spyware removal scans and programs. Nothing seems to remove it. It only happens when I am connected to the internet. Seems as though it is a virus on the machine that is trying to reach back out to the web and is being blocked by Avast, but not removed.

How to start your own topic and receive help instructions: https://forum.avast.com/index.php?topic=53253.0

jstewart00617

Let me know if this cures it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1209427738-228762128-437975776-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-10-26 07:29 - 2014-10-26 07:29 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-25 18:48 - 2014-10-25 18:48 - 00070656 _____ () C:\Windows\system32\ytoqq.dll
2014-10-25 18:48 - 2014-10-25 18:48 - 00003856 _____ () C:\Windows\System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96}
2014-10-25 18:48 - 2014-10-25 18:48 - 00000000 _____ () C:\Windows\system32\jbdooj.dll
2014-10-25 06:01 - 2014-10-25 06:01 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\30469
CustomCLSID: HKU\S-1-5-21-1209427738-228762128-437975776-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {23BA297A-B003-46F8-8D02-133C6978AF79} - System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96} => C:\Windows\system32\ytoqq.dll [2014-10-25] ()
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

All looks good. No warnings for an hour.

Thanks for the help.

If all is well tomorrow let me know and I will tidy up

This fix did not work for me, here is the fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014 01
Ran by Embries at 2014-10-29 13:00:18 Run:2
Running from C:\Users\Embries\Desktop
Loaded Profile: Embries (Available profiles: Embries & UpdatusUser)
Boot Mode: Normal

Content of fixlist:


HKU\S-1-5-21-1209427738-228762128-437975776-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-10-26 07:29 - 2014-10-26 07:29 - 00000028 _____ () C:\Windows\SysWOW64\u
2014-10-25 18:48 - 2014-10-25 18:48 - 00070656 _____ () C:\Windows\system32\ytoqq.dll
2014-10-25 18:48 - 2014-10-25 18:48 - 00003856 _____ () C:\Windows\System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96}
2014-10-25 18:48 - 2014-10-25 18:48 - 00000000 _____ () C:\Windows\system32\jbdooj.dll
2014-10-25 06:01 - 2014-10-25 06:01 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\30469
CustomCLSID: HKU\S-1-5-21-1209427738-228762128-437975776-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {23BA297A-B003-46F8-8D02-133C6978AF79} - System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96} => C:\Windows\system32\ytoqq.dll [2014-10-25] ()
CMD: bitsadmin /reset /allusers


"HKU\S-1-5-21-1209427738-228762128-437975776-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key not found.
"HKU\S-1-5-21-1209427738-228762128-437975776-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => Value not found.
"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Value not found.
"HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}" => Key not found.
"C:\Windows\SysWOW64\u" => File/Directory not found.
"C:\Windows\system32\ytoqq.dll" => File/Directory not found.
"C:\Windows\System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96}" => File/Directory not found.
"C:\Windows\system32\jbdooj.dll" => File/Directory not found.
"C:\Users\Owner\AppData\Roaming\30469" => File/Directory not found.
"HKU\S-1-5-21-1209427738-228762128-437975776-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{23BA297A-B003-46F8-8D02-133C6978AF79}" => Key not found.
C:\Windows\System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96} not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5046DA1A-2B71-E004-6829-AAE803219D96}" => Key not found.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

==== End of Fixlog ====

Did you see the big red warning at the start of the fix?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Please follow the steps here
https://forum.avast.com/index.php?topic=53253.0
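
A triage check for the autorun entry flagged in this thread, added here as an example (it is not code from FRST, Avast or any poster): it scans FRST-style log lines for LocalServer32 values that launch rundll32 with a javascript: URL and mshtml,RunHTMLApplication, and reports the SID and CLSID of each hit. The function names and the sample log are constructed; the key paths in the sample are the ones quoted in the thread, with the script payload replaced by a placeholder.

```python
import re

# Poweliks-style persistence as shown in the thread: a per-user COM LocalServer32
# value that runs rundll32 with a javascript: pseudo-URL and mshtml's
# RunHTMLApplication export rather than a normal COM server path.
AUTORUN = re.compile(r"rundll32(?:\.exe)?\s+javascript:.*?mshtml,\s*RunHTMLApplication", re.I)
LOCALSERVER = re.compile(r"\\localserver32\b", re.I)
SID = re.compile(r"S-1-5-21(?:-\d+){4}")
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed sample: key paths copied from the thread, payload replaced by a
# placeholder, plus one benign entry with a made-up CLSID and path.
SAMPLE_LOG = r"""HKU\S-1-5-21-1209427738-228762128-437975776-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<payload elided> <==== Poweliks!
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CustomCLSID: HKU\S-1-5-21-1209427738-228762128-437975776-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";<payload elided> <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1209427738-228762128-437975776-1000_Classes\CLSID\{00000000-1111-2222-3333-444444444444}\localserver32 -> C:\Program Files\Example\example.exe
Task: {23BA297A-B003-46F8-8D02-133C6978AF79} - System32\Tasks\{5046DA1A-2B71-E004-6829-AAE803219D96} => C:\Windows\system32\ytoqq.dll [2014-10-25] ()"""


def find_script_autoruns(log_text):
    """Return one finding per LocalServer32 line whose command is a rundll32 javascript: launcher."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        server = LOCALSERVER.search(line)
        if not server or not AUTORUN.search(line, server.end()):
            continue
        key = line[:server.end()]  # registry path part, before the value data
        sid, clsid = SID.search(key), CLSID.search(key)
        findings.append({
            "line": lineno,
            "sid": sid.group(0) if sid else None,
            # Logs often elide long keys ("\...A8F5...}"); report that, do not guess.
            "clsid": clsid.group(0).upper() if clsid else None,
            "key_elided": clsid is None,
        })
    return findings


def affected_sids(findings):
    """SIDs whose hive holds a hit; compare these with the accounts on the machine being cleaned."""
    return sorted({f["sid"] for f in findings if f["sid"]})


if __name__ == "__main__":
    for finding in find_script_autoruns(SAMPLE_LOG):
        print(finding)
```

The patterns do not depend on quote characters or on the backslash before the CLSID brace, so log lines mangled by forum rendering still match.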