Avast Webshield Has blocked a malicious url every 5 minutes

[KingRobKoopa]

I followed the steps that were given and have added the reports

[Pondus]

malware experts are notified, it may take some hours before they are online.....

[magna86]

Hi,

Logs shows the active malware known to us as 'Zekos'. We shall start with ComboFix . . .


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

• Right click on the avast! system tray icon () in the lower right corner of the screen and scroll up to avast! shield controls;
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note:If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
ComboFix shall also create addition log. Please attach it to your reply.
C:\Qoobox\ComboFix-quarantined-files.txt

[KingRobKoopa]

Done here is the log

[magna86]

Hi,

First, warning. You need to use only one AV. Uninstall one, use another ...
Then we shall target malware via ComboFix's CFScript.

Multiple Antivirus Programs
You are running more than 1 Antivirus program!

AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}


Running - more than one - antivirus program is not recommended because:[list=1]

• They can conflict with each other.
• Report the other antivirus software as malicious.
• Antivirus programs use an enormous amount of computer's resources... actively scanning your computer.
• Can cause your computer to become unstable...run slowly and even, in rare cases, BSOD crash...etc

I strongly suggest you uninstall one of them.  Which one, is your decision.

Then download uninstall utility and remove posible leftovers.
http://singularlabs.com/uninstallers/security-software/
http://www.askvg.com/ultimate-collection-of-uninstallers-removal-tools-for-all-popular-anti-virus-software/







---     ---     ---     ---     ---     ---     ---     ---     
ComboFix's CFScript
---     ---


1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.

2. Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

KillAll::

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll

File::
C:\windows\SysNative\exiyfhi.pxj
C:\windows\SysNative\kcwpysn.zhr
C:\windows\SysNative\nipt.lrq
C:\windows\SysNative\qogpnl.glb


Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.

- Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
- Also, attach the C:\Qoobox\ComboFix-quarantined-files.txt

[KingRobKoopa]

Here is the next log. Also. where do I find the C:\Qoobox\ComboFix-quarantined-files.txt?

S\rry for the delay in response. Work and whatnot

[magna86]

Hi,

Also. where do I find the C:\Qoobox\ComboFix-quarantined-files.txt?

In C:\Qoobox. But you may ignore that, malware has been removed.
> Now just to check is there any remained leftover in system. So, run OTL again, hit the QuickScan and post me the fresh OTL.txt logreprot.



Also, I just wanna to check your system on RootKits. We shall use TDSSKiller to do that.
Download TDSSKiller  and save it to your desktop

• Execute TDSSKiller.exe by doubleclicking on it and click on Change parametres.
  
• Under Additional options check the boxes next to:
  - Verify Driver Digital Signature;
  - Detect TDLFS file system
  - Use KSN to scan objects
  
• Click OK, and then click Start Scan button.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• Click the Report button and attach the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

[KingRobKoopa]

Here are the new logs

[magna86]

Re-run OTL.exe.

• Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  
  

Code: [Select]

:FILES
C:\windows\*.tmp
C:\windows\SysNative\exiyfhi.pxj
C:\windows\SysNative\kcwpysn.zhr
C:\windows\SysNative\nipt.lrq
C:\windows\SysNative\qogpnl.glb

:COMMANDS
[Reboot]


• Then click the Run Fix button at the top.
  
• Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


-----------------------------------------


> Re-run OTL and post me fresh OTL.txt logreprot. And tell me how's the computer running now?

[KingRobKoopa]

Here are the logs and it is running much better.

[magna86]

Hi,

Last posed OTL log looks clean. Now I would like to remove used tools. 







It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.




> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.




Btw, use MCShield as USB protect moduls.
http://forum.avast.com/index.php?topic=53253.0

[KingRobKoopa]

Done and done. Thank you for all your help. I appreciate it