news-11-today.com / localpages.com and other popups

[dunebugg66]

Lately I have had 2 computers infected with something that will randomly give me popups to news-11-today.com, easyshoplocal.com, localpages.com, and lots more.  Also if I do a google search, and click on a link, it won't send me to that page, but other random pages.

Avast hasn't caught anything yet.  Can you help me make this thing go away?

[Pondus]

check your computer for malware with

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
after install click update so you have latest database before scan
run quick scan and click on the remove selected button to quarantine anything found
you may post the scan log here


Also try

Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro  30day free removal from register day

[Asyn]

Report    2010-06-25 20:22:58 (GMT 1)
Website    news-11-today.com
Domain Hash    c38355cae74da1130c96b5794612ffb3
IP Address    174.143.45.135 [SCAN]
IP Hostname    -
IP Country    US (United States)
AS Number    33070
AS Name    RMH-14 - Rackspace Hosting
Detections    2 / 19 (11 %)
Status    SUSPICIOUS
      
Scanning site with:    AMaDa    CLEAN
Scanning site with:    BrowserDefender    CLEAN
Scanning site with:    Finjan    CLEAN
Scanning site with:    Google Diagnostic    CLEAN
Scanning site with:    hpHosts    CLEAN
Scanning site with:    Malware Patrol    CLEAN
Scanning site with:    MalwareDomainList    CLEAN
Scanning site with:    McAfee SiteAdvisor    CLEAN
Scanning site with:    McAfee TrustedSource    CLEAN
Scanning site with:    MyWOT    DETECTED
Scanning site with:    Norton SafeWeb    CLEAN
Scanning site with:    ParetoLogic URL Clearing House    CLEAN
Scanning site with:    PhishTank    CLEAN
Scanning site with:    SURBL    CLEAN
Scanning site with:    Threat Log    CLEAN
Scanning site with:    TrendMicro Web Reputation    CLEAN
Scanning site with:    URIBL    CLEAN
Scanning site with:    Web Security Guard    DETECTED
Scanning site with:    ZeuS Tracker    CLEAN


Report    2010-06-25 20:27:09 (GMT 1)
Website    localpages.com
Domain Hash    6a632bab368bc7d3472c77724798438c
IP Address    64.74.172.200 [SCAN]
IP Hostname    localpages.com
IP Country    US (United States)
AS Number    10912
AS Name    INTERNAP-BLK - Internap Network Services Corp...
Detections    3 / 19 (16 %)
Status    DANGEROUS
      
Scanning site with:    AMaDa    CLEAN
Scanning site with:    BrowserDefender    CLEAN
Scanning site with:    Finjan    CLEAN
Scanning site with:    Google Diagnostic    CLEAN
Scanning site with:    hpHosts    DETECTED
Scanning site with:    Malware Patrol    CLEAN
Scanning site with:    MalwareDomainList    CLEAN
Scanning site with:    McAfee SiteAdvisor    CLEAN
Scanning site with:    McAfee TrustedSource    CLEAN
Scanning site with:    MyWOT    DETECTED
Scanning site with:    Norton SafeWeb    CLEAN
Scanning site with:    ParetoLogic URL Clearing House    CLEAN
Scanning site with:    PhishTank    CLEAN
Scanning site with:    SURBL    CLEAN
Scanning site with:    Threat Log    CLEAN
Scanning site with:    TrendMicro Web Reputation    CLEAN
Scanning site with:    URIBL    CLEAN
Scanning site with:    Web Security Guard    DETECTED
Scanning site with:    ZeuS Tracker    CLEAN

[nmb]

Essexboy is the guy you have to look for : http://forum.avast.com/index.php?action=profile;u=11091

I have sent him a PM. He will post shortly. He is a trained malware cleaner.

nmb

[essexboy]

As this is happening on two computers are they connecting via a router ? If so the router might be infected.  I will do one system at a time, would it be possible to keep the other disconnected from the net ?   

GMER Rootkit Scanner - Download - Homepage

• Download GMER
• Extract the contents of the zipped file to desktop.
• Double click GMER.exe.

• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
  
  Click the image to enlarge it
  

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  
• Save the log where you can easily find it, such as your desktop.

**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

THEN

Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select Scan all users
  
• Under the Custom Scan box paste this in

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Attach all logs