Yes, yet another constant Malicious URL blocked pop up problem

I started having this problem a couple of days ago; at first I was seeing the same colexity/espeak URLs that others were reporting, but today there’s a different, larger batch. MWB is apparently finding the problem but not fixing it. Avast scans turned up a couple of false positives. One thing I noticed before the popups started was a bunch of weird redirects in Google searches and ‘connection was reset’ pages. Once those cleared up the popups started. FWIW, I have an XP machine on the same network that doesn’t appear to be affected; one difference is that machine is rarely used for browsing. Thanks for the help!

Could you also attach AdwCleaner and aswMBR logs? See the guide:

http://forum.avast.com/index.php?topic=53253.0

Hello,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:files
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{400f82ac-9f5d-edc0-6938-035420770c0a}
C:\Windows\System32\config\systemprofile\AppData\Local\{400f82ac-9f5d-edc0-6938-035420770c0a}
C:\Windows\Installer\{400f82ac-9f5d-edc0-6938-035420770c0a}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to the topic.

Thanks, guys, I’ll try these and upload the logs this evening.

Thanks for the help so far, here are the log files; I also ran the custom fix in OTL and attached that log file. Looks like I’m back to the original colexity/espeak URLs this evening.

Mike, the ComboFix log was not released.
Please follow the instructions; now I’m working with you.

Hi Argus, here’s the combofix log:

Mike, how’s your computer behaving now?

Argus, I’m still getting the pop-ups. Performance wise, the machine seems to be operating normally.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

/md5start
services.exe
/md5stop

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Oops, sorry, click Run Scan.

Here you go.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

[*] Press Start Scan

[*] If a suspicious object is detected, the default action will be Skip; click on Continue.
[*] If malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Hi, Argus, here are the TDSS log files.

[*]Re-run TDSSKiller.exe and click on Change parameters.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure; click on Continue.
[*]If a suspicious file is detected, the default action will be Skip; click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach its contents to your next reply.
Note: It will also create a log in the C:\ directory.

Step 2

Delete old Combofix icon and download fresh Combofix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\svchost.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).
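The fix lists in this thread name two indicators that are worth checking on other machines as well: an svchost.exe outside its normal directory (the CFScript entry above) and the {GUID} folders under the service profile's AppData (the earlier OTL fix). The following is an added Python triage example, not code from the thread or from any of the tools it mentions; the set of legitimate svchost.exe directories and the sample directory listing are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Where a genuine svchost.exe lives on 64-bit Windows (assumption for this example).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A {GUID}-style folder name, as in the OTL fix list earlier in the thread.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def triage(paths: List[str]) -> Dict[str, str]:
    r"""Map each suspicious path in a directory listing to the reason it was flagged.

    Checks: (1) svchost.exe anywhere other than System32/SysWOW64; (2) a {GUID}
    folder under a service profile's AppData, plus any Windows\Installer\{GUID}
    folder reusing the same GUID (Installer legitimately holds GUID folders for
    real products, so it is only flagged when the GUID also appears in the profile).
    """
    findings: Dict[str, str] = {}
    profile_guids = set()
    for raw in paths:
        p = PureWindowsPath(raw)
        parts = [s.lower() for s in p.parts]
        if p.name.lower() == "svchost.exe" and str(p.parent).lower() not in LEGIT_SVCHOST_DIRS:
            findings[raw] = "svchost.exe outside System32/SysWOW64"
        elif GUID_NAME.match(p.name) and "systemprofile" in parts and "appdata" in parts:
            findings[raw] = "GUID-named folder under systemprofile AppData"
            profile_guids.add(p.name.lower())
    for raw in paths:
        p = PureWindowsPath(raw)
        if (GUID_NAME.match(p.name) and p.name.lower() in profile_guids
                and str(p.parent).lower().endswith(r"\windows\installer")):
            findings[raw] = "Installer folder reusing a GUID seen under systemprofile AppData"
    return findings


# Constructed sample listing: the paths named in the thread plus benign neighbours.
SAMPLE = [
    r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{400f82ac-9f5d-edc0-6938-035420770c0a}",
    r"C:\Windows\System32\config\systemprofile\AppData\Local\{400f82ac-9f5d-edc0-6938-035420770c0a}",
    r"C:\Windows\Installer\{400f82ac-9f5d-edc0-6938-035420770c0a}",
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}",  # constructed benign product folder
    r"C:\Windows\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason}: {path}")
```

On a live system the listing would come from walking the directories in question; the function itself only looks at path shapes, so it is safe to run over a listing exported from the affected machine.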

Latest batch; thanks again for the help!

Edit - it looks like progress is being made; no popups since I posted the log files!

We have not finished.

Do not run TDSSKiller twice.

Please re-run TDSSKiller as before (with Change parameters) and use the Delete option for this entry:

\Device\Harddisk0\DR0 (TDSS File System)


Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\svchost.exe

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

I think it will now be all right.

I hope so! You do want me to run TDSS Killer and Combofix one more time, is that correct?