Author Topic: Malicious URL with Weird Consequences  (Read 8263 times)


AllyU

  • Guest
Malicious URL with Weird Consequences
« on: October 24, 2010, 06:53:45 PM »

Hello
Last night while on the internet I ran into a website that Avast! told me contained malware on it, so I followed its advice and clicked "Back to Safety." Soon after this happened Avast! pop-ups continued to tell me about Malicious URLs that were targeting the System32 "svchost", and a lovely bright "oh so serious" application came up (one without a Close Cross in the corner I might add) which began telling me I had over 23 viruses and should press the big button that would get rid of them for me. The application was called Mal-Doctor or something, but it wasn't Malware-Doctor because I've never installed that, so I closed it with Task Manager. Soon after I had the BSOD, which said something about a memory dump before the computer suddenly restarted.
Once I was back in I immediately ran a full scan with Avast!, Ad-Aware, and Windows Defender. After they completed it told me that they did find something and I hit the delete button as it recommended. I thought all was now well, but after another warning of malicious URL, all the icons on my desktop flickered, and the appearance of the windows changed, from the standard appearance of Vista (key example are the buttons in the corner which are elongated and highlight when moused over) to something which looked more like Windows 99. I shut the computer down and restarted, and it was back to the Vista look.
I thought that the URL would mean something to do with the browser I had used when the problem first arose (Google Chrome) so I started it up...but it didn't. Chrome was completely unresponsive and loaded nothing. I uninstalled, downloaded it again with Firefox, and still it loaded nothing. I tried using CCleaner to uninstall again, and when I ran the Cleaner (habit) it told me that I have to shut down Google Chrome if I want the cache to be cleared. Okay....but Google Chrome wasn't running at the time. I started it again, shut it down with Task Manager, and still it told me Google Chrome is running.
Now I have just come back from leaving it scanning for 4 hours (With Malware bytes included this time) and now the appearance is like that in the screenshot, (that is if it's loaded, but if not it looks more akin to Windows 93 than Vista.)
I'm now fairly annoyed, and in all honesty quite scared. Apologies if the description isn't very clear, it's hard to describe.
Can anybody help me?
Many thanks in advance.

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #1 on: October 24, 2010, 06:59:10 PM »
Image didn't load, I'll post link from a different site.

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #2 on: October 24, 2010, 06:59:48 PM »
STILL didn't load. Bear with me.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Malicious URL with Weird Consequences
« Reply #3 on: October 24, 2010, 07:04:56 PM »
you are infected with a Rogue...probably one of these.....follow the guide step by step to remove it

Remove Antimalware Doctor (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor

How to remove MalwareDoc or Malware Doctor (Uninstall Instructions)
http://www.bleepingcomputer.com/virus-removal/remove-malwaredoc

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #4 on: October 24, 2010, 07:11:53 PM »
Yeh, that was the one. It told me all my firewalls and systems were offline and if I didn't "ACT NOW!" my computer would be ruined.
Checking now Malwarebytes has found about 7 things since I ran it earlier. I'll keep running it then.
Thank you very much, I'll post again once the scan is finished  :)

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Malicious URL with Weird Consequences
« Reply #5 on: October 24, 2010, 07:18:28 PM »
Very important that you update Malwarebytes so you scan with the latest database.....

post the log here when done....

rogtilford

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #6 on: October 24, 2010, 07:49:46 PM »
My Avast keeps saying a threat has been detected. I ran a full system scan and nothing, then I ran a boot scan that took forever and nothing. MBAM (newbie) and these are the results, and I am still getting the "threat has been detected" message.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4936

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/24/2010 12:52:01 PM
mbam-log-2010-10-24 (12-52-01).txt

Scan type: Quick scan
Objects scanned: 161481
Time elapsed: 20 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lirizizari (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\inf\UltraMonMirror.inf (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\UltraMonMirror.PNF (Malware.Trace) -> Quarantined and deleted successfully.

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Malicious URL with Weird Consequences
« Reply #7 on: October 24, 2010, 08:15:57 PM »
@rogtilford when asking for help you should start your own topic, as helping multiple people in the same thread will only create chaos.

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #8 on: October 25, 2010, 12:21:14 AM »
Okay, ran it through and it found 17 (!) issues. Quarantined, Deleted, here are the results.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4932

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

24/10/2010 22:53:09
mbam-log-2010-10-24 (22-53-09).txt

Scan type: Quick scan
Objects scanned: 136279
Time elapsed: 26 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Ally\AppData\Local\Temp\ofumfal.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\2DFD.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Windows\Temp\D5C0.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\E86F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Users\Ally\AppData\Local\Temp\0.13037860400203882.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Public\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

Just ran a second scan and all appears well. I will remain cautiously paranoid about passwords and will not touch online banking for a while, but everything seems tidy.
Thank you for fixing my laptop and equipping me with a useful anti Malware Program.

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #9 on: October 25, 2010, 12:23:27 AM »
Oh wait hang on.
The second I finished typing that, the pop up told me again about that Malicious URL threat against the SVCHost.
What IS a malicious URL, how do I stop them, please?
In the mean time I'll run more scans. Paranoia Train Boarded.

Altarir.

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #10 on: October 25, 2010, 12:37:44 AM »

AllyU

  • Guest
Re: Malicious URL with Weird Consequences
« Reply #11 on: October 25, 2010, 12:55:29 AM »
Managed to get the number of where the URL messages keep coming from.
So far in the past 2 minutes I've had 2 from 199.80.55.19 (with the long strand of code that I can't copy).
A 3rd from 199.80.55.80.
Here are the strands I can read up to before they go off the page:
199.80.55.19/go.php?data=BUBOabqjfyz4IzjguunRnDynD%2F%2B
199.80.55.19/go.php?data=SJiFrBiOhc1jo1yzjQehkey%2Bctrx32Anc
199.80.55.80/go.php?data=rjH9Ivj4SjPxcW3NJsonfwzjgCW8V7AeG

Sorry for inconsistent posting but the problems hit one after the other and I thought posting them as they happened might help.
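The three URL fragments quoted in the post above are the kind of indicator a defender turns into a blocklist entry or a detection rule. The following is an added example (not code from the thread or from Avast) that normalises such alert strings: it splits host, path and query, records whether the host is a bare IP literal, and checks for the structural pattern (`/go.php` with a `data` parameter) rather than the opaque, truncated `data` value. The sample input is the poster's three fragments; the helper names are this example's own.

```python
"""Normalise malicious-URL alert strings into indicators for blocking/detection.

Added example, not part of the forum thread. Helper names are invented here.
"""
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: the three partial URLs transcribed in the thread.
REPORTED_URLS = [
    "199.80.55.19/go.php?data=BUBOabqjfyz4IzjguunRnDynD%2F%2B",
    "199.80.55.19/go.php?data=SJiFrBiOhc1jo1yzjQehkey%2Bctrx32Anc",
    "199.80.55.80/go.php?data=rjH9Ivj4SjPxcW3NJsonfwzjgCW8V7AeG",
]


def normalise_reported_url(raw):
    """Split a URL as copied from an alert into host, path and decoded query.

    Alert pop-ups often omit the scheme; urlsplit() would then treat the whole
    string as a path, so a scheme is prepended when none is present.
    """
    text = raw.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    host = parts.hostname or ""
    # parse_qsl percent-decodes values; keep_blank_values keeps a bare "data=".
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    return {"host": host, "host_is_ip": host_is_ip,
            "path": parts.path, "params": params}


def summarise_indicators(raw_urls):
    """Group normalised URLs by host (blocklist-ready) with hit counts and paths."""
    summary = {}
    for raw in raw_urls:
        item = normalise_reported_url(raw)
        entry = summary.setdefault(
            item["host"], {"host_is_ip": item["host_is_ip"], "paths": set(), "hits": 0})
        entry["paths"].add(item["path"])
        entry["hits"] += 1
    return summary


def matches_pattern(raw, path="/go.php", param="data"):
    """Structural rule: same path and query parameter as the alerts in the thread,
    independent of the opaque and truncated parameter value."""
    item = normalise_reported_url(raw)
    return item["path"] == path and param in item["params"]


if __name__ == "__main__":
    for host, entry in summarise_indicators(REPORTED_URLS).items():
        print(host, entry)
```

Grouping by host is what makes the output useful for a firewall or proxy blocklist, while `matches_pattern` is the shape a proxy-log or IDS rule would take; the `data` value differs on every hit, so a rule keyed on it would never fire twice.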

Offline Pondus

  • Probably Bot
  • Posts: 37698
Re: Malicious URL with Weird Consequences
« Reply #12 on: October 25, 2010, 12:58:28 AM »
you may also run this Kaspersky TDSSKiller

http://support.kaspersky.com/viruses/solutions?qid=208280684

your MBAM scan log says that you scanned with database 4932 .....latest is 4938
« Last Edit: October 25, 2010, 01:12:11 AM by Pondus »
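Two things a helper does by hand in this thread can be automated: reading the posted MBAM log (database version, which sections held detections, whether every item was actually removed) and checking the database version against the current one. The following is an added example, not part of the thread and not Malwarebytes' own tooling. The embedded log is a constructed excerpt in the same section layout as the logs posted above; `LATEST_DATABASE` holds the 4938 quoted by Pondus, and all function names are this example's own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into a structured summary.

Added example, not part of the thread. Sample log below is constructed.
"""
import re
from collections import Counter

LATEST_DATABASE = 4938  # version quoted in the thread; update to the vendor's current value

# Constructed sample log, same layout as the logs posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4932

Windows 6.0.6002 Service Pack 2

Scan type: Quick scan
Objects scanned: 136279

Memory Processes Infected: 0
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Example Rogue Inc (Rogue.ExampleDoctor) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{00000000-0000-0000-0000-000000000000} (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\user\AppData\Local\Temp\example.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
"""

# One detection line: "<object> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Section headers look like "Registry Keys Infected:" (no count after the colon).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")


def parse_mbam_log(text):
    """Return (header, detections); each detection is tagged with its section."""
    header, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:  # still in the "key: value" header part
            if ":" in line:
                key, _, value = line.partition(":")
                header[key.strip()] = value.strip()
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, "object": m.group("obj"),
                               "family": m.group("family"), "action": m.group("action")})
    return header, detections


def database_is_current(header, latest=LATEST_DATABASE):
    """False when the scan used a database older than `latest` (Pondus's check)."""
    return int(header.get("Database version", "0")) >= latest


def check_counts(header, detections):
    """Compare each 'X Infected: N' header count with the lines parsed under X."""
    parsed = Counter(d["section"] for d in detections)
    return {key: (int(value), parsed.get(key, 0))
            for key, value in header.items()
            if key.endswith("Infected") and value.isdigit()}


def summarise(detections):
    """Totals by family plus items whose action was not a completed removal,
    which is what needs a reboot or a rescan before the machine is called clean."""
    pending = [d for d in detections if "deleted successfully" not in d["action"]]
    return {"total": len(detections),
            "by_family": dict(Counter(d["family"] for d in detections)),
            "pending": pending}


if __name__ == "__main__":
    hdr, dets = parse_mbam_log(SAMPLE_LOG)
    print("database current:", database_is_current(hdr))
    print(check_counts(hdr, dets))
    print(summarise(dets))
```

The `pending` list is the practical part: a log full of "Quarantined and deleted successfully" reads as clean, but any "Delete on reboot" entry means the object was still present when the log was written, which is one reason a second scan after restart, as the poster ran, is the right habit.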