Author Topic: Avast Free help  (Read 7986 times)


KMT4977

  • Guest
Avast Free help
« on: May 15, 2011, 02:59:30 AM »
Starting just today I have been getting pop-ups from Avast Free about blocking Mal URLs;
1--
    201407db0a.eamia.net/get2.php/(long sequence of characters follows here), process listed as explorer.exe

2--
    95.143.193.171, longtrip-todayz.com, lkckclcklili.com these 3 are listed as process svchost.exe

The only thing I changed today was looking for some no-cd patches for some of my old games that I have installed but haven't played in years. For one it was just a simple file swap; the other was a patcher utility, but it was downloaded from a reputable site that I have used many times in the past without problems.

I made sure Avast is up to date and ran scans, I used CCleaner and Spy-bot to scan also.

Avast is blocking them but I can't figure out how to find them and remove the problems. Any help is greatly appreciated. Thank you.

Probzzie

  • Guest
Re: Avast Free help
« Reply #1 on: May 15, 2011, 03:16:13 AM »
Hey, I suggest you run a Malwarebytes Anti-Malware scan. Find it at this link and post the log when complete:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html is Malwarebytes.

Malwarebytes is a scanner, but since it's the free version it's an on-demand scanner and not a real-time scanner; therefore it is fine to install with no conflicts with Avast.

Secondly, Avast does not need to be disabled, just let it run, and if Avast finds anything during the scan, move it to the chest and proceed with the MBAM scan.

CD-patches are often looked for by people pirating the game, and you will experience mass numbers of "no-cd patch downloads" that are suspicious, being that the "no cd" process is usually illegal.


 lo ngtrip-todayz.  com, lkckcl cklili.  com both came back as infected links.
« Last Edit: May 15, 2011, 03:21:12 AM by -BigBear- »

KMT4977

  • Guest
Re: Avast Free help
« Reply #2 on: May 15, 2011, 03:21:43 AM »
Thanks, I will try that. I don't want to do anything to Avast, been a long-time user. It is that the pop-ups tell me Avast blocked the URLs but that is it, no info or any kind of action to take against them.

Probzzie

  • Guest
Re: Avast Free help
« Reply #3 on: May 15, 2011, 03:24:17 AM »
It is blocking something malicious from accessing those sites. Meaning there is most probably something infected causing this to happen. Malwarebytes will more than likely find it.

UPDATE: Which version of Windows are you using?
« Last Edit: May 15, 2011, 03:34:16 AM by -BigBear- »

KMT4977

  • Guest
Re: Avast Free help
« Reply #4 on: May 15, 2011, 03:46:28 AM »
Windows XP

Probzzie

  • Guest
Re: Avast Free help
« Reply #5 on: May 15, 2011, 04:33:02 AM »
I also need the service pack level for XP. To do this, just follow the following and it should be easy to retrieve this information.

Press the Start icon, right-click "My Computer" on the right side near the top and scroll down to "Properties". The service pack should be shown in the information the "General" tab shows. Also, knowing whether it's Windows XP Home, Professional, etc. would be good information as well. The above will only work providing that you have two columns of programs when you open your Start menu; otherwise right-click My Computer on your desktop and follow the above as mentioned.

How did the scan go? Did you just do a quick or full scan?
« Last Edit: May 15, 2011, 04:40:06 AM by -BigBear- »

KMT4977

  • Guest
Re: Avast Free help
« Reply #6 on: May 16, 2011, 07:13:14 PM »
Windows XP Pro Service Pack 3

MalwareBytes did detect and eliminate some items but I am still having the URL:MAL pop-ups. I tried both a quick and full scan and double checked to make sure it was up to date.

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Avast Free help
« Reply #7 on: May 16, 2011, 07:22:03 PM »
Download aswMBR.exe ( 511KB ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

KMT4977

  • Guest
Re: Avast Free help
« Reply #8 on: May 17, 2011, 08:05:30 AM »
Ok here is the aswMBR scan log -

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 01:52:27
-----------------------------
01:52:27.670    OS Version: Windows 5.1.2600 Service Pack 3
01:52:27.670    Number of processors: 1 586 0x402
01:52:27.670    ComputerName: KRIS-9D594FBFC9  UserName: Kris
01:52:29.853    Initialize success
01:56:11.362    The log file has been saved successfully to "C:\Documents and Settings\Kris\Desktop\aswMBR.txt"

And here are the results from the MalwareBytes scans, first is a quick, second is a full -

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 9:58:20 PM
mbam-log-2011-05-14 (21-58-01).txt

Scan type: Quick scan
Objects scanned: 136759
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\msvbdl.dll (Trojan.Hiloti) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4a8a-85A4-D7688CFE39A3} (Adware.Gamevance) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsijeboqutuna (Trojan.Hiloti) -> Value: Jsijeboqutuna -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\msvbdl.dll (Trojan.Hiloti) -> No action taken.
c:\downloads\webfettisetup2.3.67.1.zkfox000.exe (Adware.MyWebSearch) -> No action taken.
c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe (Adware.MyWebSearch) -> No action taken.
c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp (Trojan.Hiloti) -> No action taken.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/14/2011 11:10:49 PM
mbam-log-2011-05-14 (23-10-40).txt

Scan type: Full scan (C:\|)
Objects scanned: 198212
Time elapsed: 46 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\daemon tools pro\daemon.tools.pro.patch.exe (Trojan.Agent) -> No action taken.

I have no idea why it says 'No Action Taken'; they were all quarantined.
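An added example, not part of any post in this thread and not Malwarebytes' or Avast's code: a small Python parser for the MBAM 1.50 log layout pasted above. It checks the summary counts against the listed items, groups detections by name, and picks out entries under a CurrentVersion\Run key and entries whose recorded action is "No action taken". The function names and regular expressions are assumptions derived only from the log lines shown in this thread.

```python
import re
from collections import Counter

# Excerpt of the quick-scan log posted in this thread (three sections kept).
SAMPLE_LOG = r"""
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 4

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsijeboqutuna (Trojan.Hiloti) -> Value: Jsijeboqutuna -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\msvbdl.dll (Trojan.Hiloti) -> No action taken.
c:\downloads\webfettisetup2.3.67.1.zkfox000.exe (Adware.MyWebSearch) -> No action taken.
c:\downloads\zwinkysetup2.3.67.1.zjfox000.exe (Adware.MyWebSearch) -> No action taken.
c:\documents and settings\Kris\local settings\Temp\aecxomwsrn.tmp (Trojan.Hiloti) -> No action taken.
"""

COUNT = re.compile(r"^([\w ]+ Infected): (\d+)$")   # summary line: "Files Infected: 4"
HEADER = re.compile(r"^([\w ]+ Infected):$")         # section header: "Files Infected:"
ITEM = re.compile(r"^(.+?) \(([\w.]+)\) -> (?:.*-> )?([^>]+)\.$")  # target (name) -> action.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)     # autostart registry location

def parse_mbam_log(text):
    """Return (declared count per section, list of detection dicts)."""
    declared, items, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT.match(line):
            declared[m[1]] = int(m[2])
        elif m := HEADER.match(line):
            section = m[1]
        elif section and (m := ITEM.match(line)):
            items.append({"section": section, "target": m[1], "name": m[2], "action": m[3]})
    return declared, items

def triage(declared, items):
    listed = Counter(i["section"] for i in items)
    names = {i["name"] for i in items}
    return {
        "count_mismatch": {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]},
        "families": {n: sorted({i["target"].lower() for i in items if i["name"] == n}) for n in names},
        "autorun": [i["target"] for i in items if RUN_KEY.search(i["target"])],
        "not_actioned": [i["target"] for i in items if i["action"].lower() == "no action taken"],
    }
```

The `not_actioned` list is what a helper would compare against the entries under MBAM's Quarantine tab.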

Offline Zyndstoff (aka Steven Gail)

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2604
  • I can resist anything except temptation.
    • tex62
Re: Avast Free help
« Reply #9 on: May 17, 2011, 08:22:13 AM »
Ok here is the aswMBR scan log -

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 01:52:27
-----------------------------
01:52:27.670    OS Version: Windows 5.1.2600 Service Pack 3
01:52:27.670    Number of processors: 1 586 0x402
01:52:27.670    ComputerName: KRIS-9D594FBFC9  UserName: Kris
01:52:29.853    Initialize success
01:56:11.362    The log file has been saved successfully to "C:\Documents and Settings\Kris\Desktop\aswMBR.txt"


That is not the log... the log can be found here: "C:\Documents and Settings\Kris\Desktop\aswMBR.txt"
Use the "additional Options" to attach the file to the post. (see screenshot)
7 x64 SP1, FF 8a Aurora, TB6, 6.0.1203 Free
Free MBAM Clear

SafeSurf

  • Guest
Re: Avast Free help
« Reply #10 on: May 17, 2011, 09:00:18 AM »
@ KMT4977,

Update MBAM again. 

Check your settings in MBAM:
o   General: Automatically Save File After Scan Completes is checked off
o   Scanner Settings: Check all boxes
o   Updater: Download and install update if available is checked off
·   Once the program has loaded, select "Perform Quick Scan", then click Scan.
·   The scan may take some time to finish, so please be patient.
·   When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note).
·   Click the “remove selected” button to quarantine anything found.  You will find the infection details under the Quarantine tab.
·   The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
·   Copy & Paste the entire report in your next reply.

Follow the directions regarding the aswMBR scan log that Zyndstoff posted and you can post that in your next post with your MBAM log as well.  Thank you.

KMT4977

  • Guest
Re: Avast Free help
« Reply #11 on: May 18, 2011, 11:03:47 AM »
Ok here is the aswMBR log -

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-17 01:52:27
-----------------------------
01:52:27.670    OS Version: Windows 5.1.2600 Service Pack 3
01:52:27.670    Number of processors: 1 586 0x402
01:52:27.670    ComputerName: KRIS-9D594FBFC9  UserName: Kris
01:52:29.853    Initialize success
01:56:11.362    The log file has been saved successfully to "C:\Documents and Settings\Kris\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-18 04:38:45
-----------------------------
04:38:45.253    OS Version: Windows 5.1.2600 Service Pack 3
04:38:45.253    Number of processors: 1 586 0x402
04:38:45.253    ComputerName: KRIS-9D594FBFC9  UserName: Kris
04:38:46.365    Initialize success
04:38:59.704    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
04:38:59.714    Disk 0 Vendor: WDC_WD800JB-00JJA0 05.01C05 Size: 76319MB BusType: 3
04:38:59.714    Device \Driver\atapi -> DriverStartIo 822b053b
04:38:59.714    Disk 0 MBR read error 0
04:38:59.714    Disk 0 MBR scan
04:38:59.714    Disk 0 unknown MBR code
04:38:59.714    MBR BIOS signature not found 0
04:38:59.724    Disk 0 scanning sectors +156280320
04:38:59.724    Disk 0 scanning C:\WINDOWS\system32\drivers
04:39:04.601    Service scanning
04:39:06.103    Disk 0 trace - called modules:
04:39:06.113    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x822b06f0]<<
04:39:06.113    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x823cfab8]
04:39:06.113    3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\0000005e[0x823b0030]
04:39:06.464    5 ACPI.sys[f83eb620] -> nt!IofCallDriver -> [0x823edd98]
04:39:06.464    \Driver\atapi[0x822655c0] -> IRP_MJ_CREATE -> 0x822b06f0
04:39:06.474    Scan finished successfully
04:39:27.905    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kris\Desktop\MBR.dat"
04:39:27.915    The log file has been saved successfully to "C:\Documents and Settings\Kris\Desktop\aswMBR.txt"

------------------------------------------------------------------------------------------
When I tried to run Malware I got these messages -
vbAccelerator SGrid II con...
Run-time error '0'

MalwareBytes' Anti-Malware
Run-time error '440'
Automation Error

I tried uninstalling it and reinstalling it and that didn't help.
I appreciate all the help you are offering, but this is maddening. I am about ready to just find out when my buddy will have time to reinstall Windows and just format my HD.

SafeSurf

  • Guest
Re: Avast Free help
« Reply #12 on: May 18, 2011, 11:10:25 AM »
So that I can see what is going on in your machine, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTS logs (save them as ANSI and not Unicode).  Post the OTS log as an attachment (Additional Options > Attach > Post). 

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

***Please do not make any further changes to your machine after you have provided the logs.***

IMPORTANT: If you are on a home network, disconnect the affected machine from the network.  Do not share a USB/flash drive with this affected machine.  Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Let me know if you have any questions.  Thank you.


KMT4977

  • Guest
Re: Avast Free help
« Reply #13 on: May 18, 2011, 02:35:57 PM »
OK, will run that now. Not sure if disconnecting will do any good since this has been going on for a few days and my fiancé's and my computers are just plugged into our router, no actual network set up (not sure if that would make a difference). I'll post the log when done.

KMT4977

  • Guest
Re: Avast Free help
« Reply #14 on: May 18, 2011, 03:21:20 PM »
I am posting this from my fiancé's computer. Whenever I try to post a reply from my computer I get a screen saying that the connection has been reset almost immediately. My internet is still connected so I could attach the log file; I can browse the web as normal.

UPDATE- My computer won't upload the OTS log file, not even to attach it to an email to send to myself. :'(
« Last Edit: May 18, 2011, 04:02:49 PM by KMT4977 »