Topic: Repeating Avast Web Shield blocked a harmful webpage or file


REDACTED

  • Guest
Repeating Avast Web Shield blocked a harmful webpage or file
« on: April 25, 2015, 04:27:20 PM »
An Avast window pops up and displays several sites, every 10 to 20 seconds, in a never-ending loop.
http://kar-gen-pl1.net/b/opt/xxxxxxxxxxxxxxxx (where x is a changing number)
http://oto-kar1.net/b/opt/xxxxxxxxxxxxxx
http://summer-watr1.biz/b/opt/xxxxxxxxxxxxxxx

All are displayed as an Infection: URL:MAL and Process: C:\WINDOWS\Explorer.EXE

I have attached the files described in the "Topic: Logs to assist in cleaning malware "  posting.

Thanks for any help you may render.



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #1 on: April 25, 2015, 04:32:25 PM »
Could you let me know if this stops the alerts?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-1044272327-3890023630-4042175641-1009\...\Run: [CDDB Update] => regsvr32.exe "C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL"
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
URLSearchHook: HKU\S-1-5-21-1044272327-3890023630-4042175641-1009 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
2015-04-25 03:00 - 2015-04-25 03:00 - 00000000 ____D () C:\257a568577d13e68e74fd4c26064
C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #2 on: April 25, 2015, 05:20:52 PM »
No it did not stop the alerts. However, after the reboot that was required a RootKit Found message window displayed "MBR:\\.PHYSICAL DRIVE0\Boot MBR:Cidox-D [Rtk]". On prior occasions I have seen this message and have tried deleting as the pop up window suggests. I did not do so this time.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #3 on: April 25, 2015, 05:25:34 PM »
Here is the log you requested.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #4 on: April 25, 2015, 05:29:10 PM »
For EssexBoy, this is what I came up with for the fixlist:
Quote
Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
HKLM\...\Run: [] => [X]
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKU\S-1-5-21-1044272327-3890023630-4042175641-1009\...\Run: [CDDB Update] => regsvr32.exe "C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL"
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
CHR StartupUrls: Default -> "hxxp://www.google.com/"
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2015-04-25 03:00 - 2015-04-25 03:00 - 00000000 ____D () C:\257a568577d13e68e74fd4c26064
URLSearchHook: HKU\S-1-5-21-1044272327-3890023630-4042175641-1009 - (No Name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} -  No File
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: Google Dictionary Compression sdch -> {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} -> C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll No File
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll No File
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204
DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
End
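The two fixlists above are scripts that FRST executes line by line against the registry, the service table, the file system and the shell. As an added review aid (my code, not FRST's and not posted by anyone in this thread), here is a Python script that parses a fixlist in that form and summarises what it would touch, so the operator can see every registry key, service, path and command before pressing Fix. The sample fixlist is constructed from lines in the two posts above; the line categories, and the rule that a bare word ending in a colon is a directive, are my assumptions about the format rather than FRST's documented grammar.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the fixlists posted in this thread.
SAMPLE_FIXLIST = r"""Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-1044272327-3890023630-4042175641-1009\...\Run: [CDDB Update] => regsvr32.exe "C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB\EP0NH4J3.DLL"
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2015-04-25 03:00 - 2015-04-25 03:00 - 00000000 ____D () C:\257a568577d13e68e74fd4c26064
C:\Documents and Settings\L-3\Local Settings\Application Data\CDDB
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: netsh winsock reset catalog
End
"""

# A Windows path: drive letter, colon, backslash, then everything up to a quote,
# bracket or line end (assumed delimiters for this format).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*')
# Registry entry lines: key, optional colon, [value name], then whatever follows.
REG_ENTRY_RE = re.compile(r'^(HK(?:LM|CU|U)\\[^\s:]*):?\s*\[([^\]]*)\]\s*(.*)$')
# Service/driver lines such as "S3 esgiguard; <image path> [X]".
SERVICE_RE = re.compile(r'^[SRU]\d\s+([^;\s]+);')
# File entries copied from an FRST scan log start with a date stamp.
DATE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} ')


def classify_line(line):
    """Map one fixlist line to (kind, value); None for blanks and Start/End."""
    s = line.strip()
    if not s or s.lower() in ("start", "end"):
        return None
    low = s.lower()
    if low.startswith("reg: "):
        return "registry_command", s[5:].strip()
    if low.startswith("cmd: "):
        return "shell_command", s[5:].strip()
    if s.endswith(":") and " " not in s:
        return "directive", low[:-1]
    m = REG_ENTRY_RE.match(s)
    if m:
        key, name, rest = m.groups()
        target = rest[2:].strip() if rest.startswith("=>") else rest
        return "registry_entry", {"key": key, "name": name, "target": target}
    m = SERVICE_RE.match(s)
    if m:
        return "service_or_driver", m.group(1)
    if DATE_RE.match(s) or re.match(r'^[A-Za-z]:\\', s):
        p = PATH_RE.search(s)
        return "file_entry", p.group(0).rstrip() if p else s
    # Anything unrecognised is kept verbatim so it gets a manual look.
    return "other_entry", s


def summarize_fixlist(text):
    """Group a fixlist's lines by what they do and collect every path it touches."""
    summary = defaultdict(list)
    for line in text.splitlines():
        item = classify_line(line)
        if item:
            summary[item[0]].append(item[1])
    # Every filesystem path mentioned anywhere in the fix, de-duplicated.
    summary["paths"] = sorted({p.rstrip() for p in PATH_RE.findall(text)})
    return dict(summary)


if __name__ == "__main__":
    for kind, items in summarize_fixlist(SAMPLE_FIXLIST).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Anything that lands in other_entry is a line the classifier did not recognise; in a real review that category, together with the paths list, is what to read first, since a fixlist deletes what it names and a path typed for one machine can be perfectly legitimate on another.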

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #5 on: April 25, 2015, 06:02:18 PM »
So I ran FRST with the new fixlist but the alerts have not stopped. Attached is the latest fixlog file.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #6 on: April 25, 2015, 06:35:14 PM »
Somehow I did not feel it would.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #7 on: April 25, 2015, 07:30:55 PM »
ComboFix got past step 50, then started deleting some files, and then I got a blue screen. I think the message stated that the mbr.sys driver was halted with items in queue. I used BlueScreenView to view the following message.

"Mini042515-03.dmp   4/25/2015 10:11:37 AM   SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD   0x100000d4   0xb2add61e   0x00000002   0x00000001   0x806e7a16   hal.dll   hal.dll+2a16   Hardware Abstraction Layer DLL   Microsoft® Windows® Operating System   Microsoft Corporation   5.1.2600.5512 (xpsp.080413-2111)   32-bit   hal.dll+2a16   ntoskrnl.exe+154f93   ntoskrnl.exe+fae95   ntoskrnl.exe+fb232      C:\WINDOWS\Minidump\Mini042515-03.dmp   4   15   2600   90,112   4/25/2015 10:13:42 AM"

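The quoted line is one row of BlueScreenView's tab-separated export, and later in the thread there turn out to be 41 such rows. The bug check name SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD denotes a driver that unloaded without cancelling its timers, DPCs or worker threads. As an added example (my code, not from the thread and not BlueScreenView's), here is a Python script that parses rows in that layout and counts them by bug check and blamed driver, so a long export reduces to the handful of causes that matter. The column order is my assumption, chosen to fit the 26 fields of the row quoted above; the first sample row is that row, and the other two rows are constructed for the example with a placeholder driver name.

```python
from collections import Counter

# Column layout assumed here for BlueScreenView's tab-separated export; it has
# 26 fields, matching the row quoted in the thread.
COLUMNS = [
    "dump_file", "crash_time", "bug_check_string", "bug_check_code",
    "param1", "param2", "param3", "param4",
    "caused_by_driver", "caused_by_address", "file_description", "product_name",
    "company", "file_version", "processor", "crash_address",
    "stack1", "stack2", "stack3", "computer_name", "full_path",
    "processors_count", "major_version", "minor_version", "dump_size", "dump_time",
]

# The row quoted in the thread, tab-separated as the export writes it.
THREAD_ROW = "\t".join([
    "Mini042515-03.dmp", "4/25/2015 10:11:37 AM",
    "SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD", "0x100000d4",
    "0xb2add61e", "0x00000002", "0x00000001", "0x806e7a16",
    "hal.dll", "hal.dll+2a16", "Hardware Abstraction Layer DLL",
    "Microsoft® Windows® Operating System", "Microsoft Corporation",
    "5.1.2600.5512 (xpsp.080413-2111)", "32-bit", "hal.dll+2a16",
    "ntoskrnl.exe+154f93", "ntoskrnl.exe+fae95", "ntoskrnl.exe+fb232", "",
    r"C:\WINDOWS\Minidump\Mini042515-03.dmp", "4", "15", "2600", "90,112",
    "4/25/2015 10:13:42 AM",
])


def constructed_row(dump, when, bug_string, code, driver):
    """Constructed sample row: only the fields the summary uses are filled in."""
    fields = [""] * len(COLUMNS)
    fields[0], fields[1], fields[2], fields[3], fields[8] = dump, when, bug_string, code, driver
    return "\t".join(fields)


# Constructed export: the real row plus two made-up crashes (placeholder driver name).
SAMPLE_EXPORT = "\n".join([
    THREAD_ROW,
    constructed_row("Mini042515-02.dmp", "4/25/2015 09:40:02 AM",
                    "SYSTEM_SCAN_AT_RAISED_IRQL_CAUGHT_IMPROPER_DRIVER_UNLOAD",
                    "0x100000d4", "hal.dll"),
    constructed_row("Mini042415-01.dmp", "4/24/2015 08:15:44 PM",
                    "DRIVER_IRQL_NOT_LESS_OR_EQUAL", "0x100000d1", "placeholder.sys"),
])


def parse_export(text):
    """Turn the tab-separated export into one dict per crash; rows whose field
    count does not match the layout are skipped rather than mis-assigned."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == len(COLUMNS):
            rows.append(dict(zip(COLUMNS, fields)))
    return rows


def bug_check_number(code):
    """0x100000d4 -> 0xD4. The 0x1000xxxx forms share the meaning and
    parameters of the base bug check, so group on the low bytes."""
    return int(code, 16) & 0xFFFF


def summarize_crashes(text):
    """Count crashes by (bug check, name, blamed driver) and report which
    driver the tool blames most often."""
    rows = parse_export(text)
    by_cause = Counter(
        (bug_check_number(r["bug_check_code"]), r["bug_check_string"], r["caused_by_driver"])
        for r in rows
    )
    drivers = Counter(r["caused_by_driver"] for r in rows)
    top_driver, top_n = drivers.most_common(1)[0] if rows else ("", 0)
    return {
        "total": len(rows),
        "by_cause": by_cause,
        "top_driver": top_driver,
        "top_driver_share": top_n / len(rows) if rows else 0.0,
    }


if __name__ == "__main__":
    s = summarize_crashes(SAMPLE_EXPORT)
    print(f"{s['total']} crashes; most blamed driver: {s['top_driver']} "
          f"({s['top_driver_share']:.0%})")
    for (num, name, driver), n in s["by_cause"].most_common():
        print(f"  {n:>3}  0x{num:02X} {name}  <- {driver}")
```

One caveat when reading the result: a "caused by" of hal.dll or ntoskrnl.exe names the kernel component that caught the fault, not necessarily the code that misbehaved, so a summary dominated by those names points back to the minidumps for proper analysis rather than identifying a culprit driver. That is why the question "does the blue screen reference a driver?" in the reply below is the right one to ask.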

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #8 on: April 25, 2015, 08:46:25 PM »
Did the system reboot OK?

Is there a log at c:\combofix.txt?

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #9 on: April 26, 2015, 03:28:05 PM »
Yes the system rebooted OK but blue screened again later. I have attached the Combofix.txt file.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #10 on: April 26, 2015, 03:46:07 PM »
Does the blue screen reference a driver?

Are the alerts still present?

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #11 on: April 26, 2015, 04:16:25 PM »
Yes, the alerts are still occurring. I attached the blue screen crash list. I'm not very familiar with the BlueScreen program, so let me know if I provided the wrong info.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #12 on: April 26, 2015, 04:31:33 PM »
Here is the BlueScreen dump file.

REDACTED

  • Guest
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #13 on: April 26, 2015, 05:01:52 PM »
Just to be clear, the Blue screen data I have sent you pertains to only the most recent crash. There are 41 crashes listed.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Repeating Avast Web Shield blocked a harmful webpage or file
« Reply #14 on: April 26, 2015, 05:52:18 PM »
Could you re-run ComboFix please, and allow it to update if it asks.