Author Topic: Malicious URL Blocked Pop-up won't stop showing  (Read 5877 times)

mgjaime

  • Guest
Malicious URL Blocked Pop-up won't stop showing
« on: April 01, 2012, 02:44:25 AM »
The red avast pop-up won't stop popping for some URL blocked

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #1 on: April 01, 2012, 02:54:14 AM »
Please post the details of the alert, or use the 'Attachments and other options' in the Reply window to attach a screenshot of (just) the avast! alert window.

- This will probably need further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

This may take a little time due to various time zones as it is almost 2am in the UK; hopefully one of the malware removal specialists in a closer time zone can run with this.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #2 on: April 01, 2012, 03:36:19 AM »
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.31.14

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: GAP-2010 [administrator]

Protection: Enabled

3/31/2012 5:21:38 PM
mbam-log-2012-03-31 (17-21-38).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239514
Time elapsed: 1 hour(s), 1 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\a016mdm.dll (RootKit.0Access.H) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\system32\a016mdm.dll (RootKit.0Access.H) -> Delete on reboot.
C:\Documents and Settings\User\My Documents\Downloads\oi_ccsetup300.exe (PUP.BundleInstaller.OI) -> Quarantined and deleted successfully.

(end)

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #3 on: April 01, 2012, 04:20:01 AM »
I am unable to post an image of the pop-ups.
It gives me this link:http://www.avast.com/en-us/lp-security-information-pp?utm_campaign=Virus_alert&utm_source=prg_ise_70_3&utm_medium=prg_systray&utm_content=en-us_virus-alert&p_vir=URL:Mal&p_prc=C:\WINDOWS\System32\ping.exe&p_obj=http://63.223.106.17/5vE06xKP6z6QcIC3Y2xrPTQuOCZiaWQ9ODY1NDFkM2QzOGZkMDgzMzhkZTFmYzAyMDg0NmRhOTI5NzJjNmIzNCZhaWQ9MzA0MjEmc2lkPTImcmQ9MCZ4ODY9MzImdHA9MCZmbD0x18A&p_pro=2&p_vep=7&p_ves=0&p_lqa=0&p_lsu=0&p_lst=3&p_lex=30&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1426

Infection: URL:Mal
Process: C:\WINDOWS\System32\ping.exe

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #4 on: April 01, 2012, 04:26:27 AM »
Will the pop-ups stop?

jeffce

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #5 on: April 01, 2012, 04:34:10 AM »
Hi,

Let me look these over and I will return shortly.  :)

jeffce

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #6 on: April 01, 2012, 04:41:30 AM »
Ok...

**WARNING** Unfortunately, one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may also have damaged your system files. As a warning, during the cleaning you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway, depending on the extent of the infection.
----------

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #7 on: April 01, 2012, 05:50:24 AM »
I did not know what to post, so I posted it all.

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #8 on: April 01, 2012, 06:46:34 AM »
Is there a reason why now I have to use Internet Explorer as my browser, when I was previously using Firefox?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #9 on: April 01, 2012, 01:49:47 PM »
The default browser settings may have been changed; if you open Firefox it should ask if you want it to be the default browser.

If it doesn't, open the Firefox Options, Advanced, System Defaults and use the Check Now button; that should allow you to change it.

mgjaime

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #10 on: April 01, 2012, 05:13:41 PM »
Okay, it let me open Firefox, but the pop-ups won't stop.

jeffce

  • Guest
Re: Malicious URL Blocked Pop-up won't stop showing
« Reply #11 on: April 01, 2012, 05:49:26 PM »
Hi,

Go here >> C:\ComboFix.txt and post the log that should have been created and automatically saved here.