Author Topic: Avast blocking malicious URL every google search  (Read 2938 times)


Reacher_Gilt

  • Guest
Avast blocking malicious URL every google search
« on: September 23, 2012, 12:59:41 AM »
Avast has been blocking a malicious URL that starts with the name "22.ppcclickfeed.net" on nearly every Google search. I'll include the standard logs. OTL.txt is too large to include in this one, so I'll add that to a follow-up post.

Reacher_Gilt

  • Guest
Re: Avast blocking malicious URL every google search
« Reply #1 on: September 23, 2012, 01:00:22 AM »
OTL.txt with this post

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast blocking malicious URL every google search
« Reply #2 on: September 23, 2012, 01:13:55 PM »
Let me know if this cures it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE - HKU\S-1-5-21-1399003062-4201162359-2867435019-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home?AF=66520
IE - HKU\S-1-5-21-1399003062-4201162359-2867435019-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No CLSID value found
IE - HKU\S-1-5-21-1399003062-4201162359-2867435019-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=0.0.0.0:80
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{7458E393-F3C7-11E1-8270-B8AC6F996F26}: C:\Users\drewroz\AppData\Local\{7458E393-F3C7-11E1-8270-B8AC6F996F26}\ [2012/08/31 16:58:28 | 000,000,000 | ---D | M]
[2011/01/10 13:55:34 | 000,000,935 | ---- | M] () -- C:\Users\drewroz\AppData\Roaming\Mozilla\Firefox\Profiles\kh5mk534.default\searchplugins\conduit.xml
[2011/12/07 12:21:14 | 000,001,210 | ---- | M] () -- C:\Users\drewroz\AppData\Roaming\Mozilla\Firefox\Profiles\kh5mk534.default\searchplugins\search.xml
[2012/08/31 16:58:28 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\USERS\DREWROZ\APPDATA\LOCAL\{7458E393-F3C7-11E1-8270-B8AC6F996F26}
[2011/10/06 18:23:40 | 000,002,226 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll (Babylon BHO)
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKU\S-1-5-21-1399003062-4201162359-2867435019-1000\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKU\S-1-5-21-1399003062-4201162359-2867435019-1000..\Run: [tpuseb] "C:\Windows\System32\rundll32.exe" "C:\Users\drewroz\AppData\Roaming\tpuseb.dll",List_Type File not found
[2012/08/31 16:58:28 | 000,000,000 | ---D | C] -- C:\Users\drewroz\AppData\Local\{7458E393-F3C7-11E1-8270-B8AC6F996F26}
[2012/08/29 14:30:31 | 000,681,472 | ---- | C] (C-Media Electronics Inc.) -- C:\Users\drewroz\AppData\Roaming\wocre.dll
[2011/05/12 17:25:18 | 000,586,752 | -HS- | C] (Microsoft Corporation) -- C:\Users\drewroz\AppData\Local\kpb.exe
[2012/09/11 20:57:03 | 000,000,000 | ---- | M] () -- C:\Users\drewroz\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2011/08/18 19:23:40 | 000,010,984 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\82p6qrw8l0gqk643spti3e804q07bl8p0o2d86557876b
[2011/08/18 19:23:40 | 000,010,984 | -HS- | C] () -- C:\ProgramData\82p6qrw8l0gqk643spti3e804q07bl8p0o2d86557876b
[2011/07/21 13:15:37 | 000,010,532 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\7k5163102wde7353x17fe6b3dbxjdpch1
[2011/07/21 13:15:37 | 000,010,532 | -HS- | C] () -- C:\ProgramData\7k5163102wde7353x17fe6b3dbxjdpch1
[2011/07/13 11:54:05 | 000,009,082 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\43sn62iuivpq5p6avdx3
[2011/07/13 11:54:05 | 000,009,082 | -HS- | C] () -- C:\ProgramData\43sn62iuivpq5p6avdx3
[2011/06/04 16:25:10 | 000,009,186 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\806jq53806334f47p2e2s0n
[2011/06/04 16:25:10 | 000,009,186 | -HS- | C] () -- C:\ProgramData\806jq53806334f47p2e2s0n
[2011/05/29 08:51:16 | 000,009,098 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\455e18762l34t
[2011/05/29 08:51:16 | 000,009,098 | -HS- | C] () -- C:\ProgramData\455e18762l34t
[2011/05/12 17:25:24 | 000,009,550 | -HS- | C] () -- C:\Users\drewroz\AppData\Local\mxfvglcuf5lp6c06n0118lap1tpbhyoa0242p836ls
[2011/05/12 17:25:24 | 000,009,550 | -HS- | C] () -- C:\ProgramData\mxfvglcuf5lp6c06n0118lap1tpbhyoa0242p836ls


:Files
C:\Program Files (x86)\BabylonToolbar
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Reacher_Gilt

  • Guest
Re: Avast blocking malicious URL every google search
« Reply #3 on: September 23, 2012, 06:55:50 PM »
It seems to have solved the problem; posting the log at your request nonetheless. Thanks for your assistance.

Offline essexboy

Re: Avast blocking malicious URL every google search
« Reply #4 on: September 23, 2012, 10:30:27 PM »
Quote
O1 HOSTS File: ([2012/01/30 15:26:38 | 000,001,401 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1             localhost
O1 - Hosts: 109.163.226.208 www.google-analytics.com.
O1 - Hosts: 109.163.226.208 ad-emea.doubleclick.net.
O1 - Hosts: 109.163.226.208 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
This was the problem - your host file was hijacked

If you are happy, run OTL and press the cleanup button.
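
An added example, not part of the original thread or of OTL: a Python check that parses hosts-file text and flags entries like the ones in the quoted log, where a non-local hostname is pinned to an address. The sample text is constructed from the quoted entries plus one made-up sinkhole line, and the function names and the `redirect`/`blocked` labels are this example's own.

```python
import ipaddress

# Names a stock hosts file maps to loopback (assumption of this example).
BENIGN_NAMES = {"localhost"}

# Constructed sample: the quoted OTL entries written as raw hosts-file lines.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
109.163.226.208 www.google-analytics.com.
109.163.226.208 ad-emea.doubleclick.net.
109.163.226.208 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.
0.0.0.0 ads.example.test   # constructed sinkhole entry, not from the log
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            # A trailing dot (as in the quoted log) is the same DNS name.
            yield ip, name.rstrip(".").lower()

def audit_hosts(text):
    """Return (hostname, ip, kind) for every entry that overrides normal DNS."""
    findings = []
    for ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        if name in BENIGN_NAMES and sinkhole:
            continue
        # "redirect": traffic is sent to another host; "blocked": name is nulled.
        findings.append((name, str(ip), "blocked" if sinkhole else "redirect"))
    return findings

if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE):
        print(f"{kind:8} {name} -> {ip}")
```
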