MALICIOUS URL BLOCKED! dances.us??? What is going on???

[MumtazG38]

Almost every link I click when doing a search on google.com for something gets blocked by avast. I understand avast is trying to protect my system, what I don't understand however is what the heck could possibly be causing avast to think each and every site (even about.com pages and ezinearticles etc.) is malicious?

I have searched the forums for some info on the subject and found a very useful post about attempting to resolve such issues using MBAM here: http://forum.avast.com/index.php?topic=53253.0.

I tried this, step by step. Even found and deleted something. Here is the log:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7045

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/8/2011 12:54:32 AM
mbam-log-2011-07-08 (00-54-32).txt

Scan type: Quick scan
Objects scanned: 178901
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

IP: 64.111.211.158
url: hxxp://64.111.211.158/c.php?s=eNodTtuuokAA-yCT4wwDDDycB0HkjoKAwMuG24jITQQEwsevu2nSpk3TtNwogGhqozGAm3W8r8bN6dLaL83y8LuBH0BB_E8Q_BYhBBhwACIGgi2l_DILtCoShXccCFOKvl7mR1Wep_BG_26EJoiPAZ2zEOU4gQnP8TDJ45glDCY8-gNwQigIEi5GMEsRx_EMYLPkeygFNKLxBr_IrdZ_esPUrodDceGsCrw0hRHlKp596n6MLsbHCg_nXW-KNZP7B2lW1QnhLnKdtT5zH2_v8Dw1MoH2NGIR5sBWxXSpE2-IjX4sdgR7T0SqQzJMihQ3Cpcboia8sHMk0Mss5dSHZXO91i6e9EmP9IaPbVxGxj0LqewamINxl8tTq-Rax5GgW3qJ5Z7X8hB2mmr6SWy_45cXzq-ljXpcKZd-z7Tv0HOEnaW007uZyehgHsuC8VSErvOBsVQRX9jKZL-n_HOks_r4qhutngADQq8aPtV58tR2EDmaXd4RySXXB7keBOAwyLp_mC9qCOsetDvdf4q7x9iPFMuFi5HuxFGV3nJhkrOT24tjWa7HMiaW9IGRrdhrUOML-PgSikexztFBUKCl3CLVMGg50YCfyXUbFIxfijVP0jUaL0C_R_kaStNJn8kgT5ccWQqDr8e5WTFNwKVQ1c4MZbfma87q0vbhkIa-pnuKNWuMsJmWdwk-eT04i6lt2-phfqswaSqmevr7feXAqHfS-mYK0TFoOjHUemmeCNpdb8v-Df2Ft6jkhsbdmixgcrsiOw5L25jsyXMkNuHkKVP7h2svBYXJ6zqt7AUV-mc-TeeFd1FIDGVah1krOUutrXxV8yAOrjn3WT6GfJal_Z3YQi8s99_fjeV-aPADv7xtPPsDKfwDmX8Bu4FtozYHzBf7wWjuMxxtwFsGtE429K-OZ_euVNkutHwbOhf3MZguOJ2Nz3cU_MeGtgxlyKitNgzsMZOLKqT4Oqr9KpZ5mFLe-PXDxqQkZjHJWcRRVJrmkMsgSzgqyQnDMHm8fTMaAkKyhNCQTWLIs3FG04DOmBSQDP8FOLNFkg

After restarting my system I attempted to open the links again from google.com but avast keeps doing it. I've noticed however that when/if avast doesn't block the sites the url changes to dances.us and then it asks me to download something. It says something like "Search from google.com" asking for me to download it. I always click cancel and hit the back button, or close the tab and do the search over again, and it either blocks, or does the download search thing again. What can I do to stop this, I want to stop this thing whatever it is and get it the heck out of my computer as soon as possible before it goes rogue or something so please somebody, anybody help me! :'(

Oh and btw, this doesn't happen when I type url's into my browser. Only seems to happen when I use google search (haven't tried yahoo, msn or any other). And almost forgot, sometimes when I click a link in google search it takes me to one of those "this domain not taken" type sites with search results for what I searched for on google.  

......reason for edit, happened again:
Ok this time the redirect is another site, besides the old dances.us one. Now it redirects to http://w w w.chat.thecoffeehouse.c o m/. Which shows up as the usual blank page just as with dances.us. Here is the info from the download popup:
Opening search
You have chosen to open
search
which is a: application/json
from: http://www.google.com
What should firefox do with this file....etc etc.

[com155]

ok,need ots log for analysis so:


Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
  
• Select All Users
  
• Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

Note: this says attach the file (to big for copy and paste, use the Additional Options in the Reply window to attach the file.

[MumtazG38]

Ok, so did the scan and got the log, but having some strange issues saving/viewing it. I can't see the log file on my desktop even though when I try to re-save it with the same name it says a file exists already with the same name, strange thing is I can't see it there on my desktop, I've searched for it and my computer says it doesn't exist. I tried to save it with another name and I can't see or find that file either, I even made a new file with different text in it and named it apple, nothing. So I had to copy and paste the log into notepad++ and save it from there. That's why the name is different and not ots.txt. Weird huh? Oh, and I just opened a new notepad after closing the log and seems to be working fine now, saved a text file and can see it on my desktop and everything....

anyways, the log is attached and I hope I can get this resolved soon since I can't search for ANYTHING anymore! It's really killing meh! :'( I just don't want this to get worse, to where I wake up one morning and my computer is a brick! . I just died at the thought!

BTW, thanks for helping!

[MumtazG38]

Okay, it seems to be getting worse now as every google search link I click is getting blocked by avast! 

[essexboy]

Hi there - lets run this to start with

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]


[Unregister Dlls]
[Registry - Safe List]
< 64bit-BHO's [HKEY_LOCAL_MACHINE] > -> 64bit-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> [Java(tm) Plug-In 2 SSV Helper]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> MRI_DISABLED [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  ~38985464 -> C:\ProgramData\~38985464
NY ->  ~38985464r -> C:\ProgramData\~38985464r
NY ->  38985464 -> C:\ProgramData\38985464
[Files - No Company Name]
NY ->  ~38985464 -> C:\ProgramData\~38985464
NY ->  ~38985464r -> C:\ProgramData\~38985464r
NY ->  38985464 -> C:\ProgramData\38985464
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply

[MumtazG38]

Okay, so I performed the ots fix but it never created a log for me, it just asked me to reboot so I did since it didn't give me any other option. Sorry about that, but it didn't feel like giving me a log for that....

Performed the aswMBR scan and the log is attached! Lots of red stuff during the scan! Wonder what that is. Hope it means I can fully get rid of this stuff and have my computer back to normal again asap!

[MumtazG38]

Okay, it seems to be getting worse by the minute. About 8 out of 10 of ANY links I click are being redirected now....this really sucks to say the least!!!!

[com155]

ok now try this:

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
  
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  
  

[MumtazG38]

Okay, so I did the tdsskiller scan and it found nothing.....

Report attached....this virus seems cleverer than I thought.

[com155]

this was just a try essexboy will guide u further i dont want to come in between when he is on the job.

[MumtazG38]

oh...okay. So how long till you think he'll be on?

[com155]

He will be late by 8 to 10 today night according to UK time.

[MumtazG38]

 , aww that's a good long while!

[Asyn]

, aww that's a good long while!

As it's weekend, he may be here earlier.

[MumtazG38]

YAY HOPE!