Url:Mal pop-ups from seemly sound sources

[jeffce]

Hi,

Do you recognize any of these folders??

C:\Windows\AxInstSV
C:\Windows\SysWow64\1033
C:\Windows\W7SBC

Run a new scan with TDSSKiller and attach the new log.

[Sprey]

Did a scan with TDSKiller using the same settings as last time...

With regards to the folders:

-AxInstSV is empty EDIT: this folder was created on the 28th May this year, the day after my first post in this thread.
-1033 looks like something to do with sql, it just has a .rll file and a help file in it.
-S7SBC is something to do with windows 7 start orb changer, which I've used for ages (since I first got this laptop last august-ish)

Therefore I trust all three, though I don't know what the first one ever held.

[jeffce]

Thanks.

Please open OTL.
In the Custom Scans/Fixes put the following

c:\windows\installer\@ /s
c:\windows\installer\*.@ /s

Press Quick Scan and then attach the new log created.

[Sprey]

Ok, log is attached. Do you reckon we're getting any closer to finding the problem?

[jeffce]

Do you reckon we're getting any closer to finding the problem?

It's hard to say.  I think we may be dealing with a new variant of a rootkit infection that is hard to detect.   

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prombts on your display. When finish, it will create a C:\Combofix.txt. Please post this log for further review.
---------

[Sprey]

I think we may be dealing with a new variant of a rootkit infection that is hard to detect.

Ok, but how come the links that are being blocked appear to be sound sources, to quote the topic name

Also, attached is the log.

[jeffce]

Hi,

Ok I need to regroup....What browsers are experiencing problems in?  Are you using a wireless browser?  What exactly is going on with your system that is not right?  The logs look fine and that is why I am asking.  Hopefully we can get some light shed on this. 

[Sprey]

Ok, I have internet explorer installed, but I never use it. I'm using Chrome instead. I've got a wired internet connection. However, I get popups randomly from avast network shield saying that a malicious URL has been blocked: it is not related to what site I go on (or so it appears) and is normally caused by chrome.exe, svchost.exe or zune.exe. The zune one is whenever it tries to automatically log me in upon opening the program. The svchost.exe URLs are mainly related to when certificates are attempted to be accessed online (as discussed previously) and the chrome.exe URLs are normally inane sites like bt.yahoo.com or facebook.com, but safebrowsing.clients.google.com comes up a lot and I'm not quite sure what it is, though I'm assuming that it is pretty sound given that it is a google site.

EDIT: Also, as noted earlier, call of duty modern warfare 3 is also running slower than before the supposed virus began firing off popups on the network shield. Though I cannot say for definite whether or not this is related to the supposed virus, I know that slowness of a computer can be a sign of a virus, it's just that I cannot see this effect in any other software / overall so I am not so sure that this is related or not.

[jeffce]

Hi,

Let's take Zune out of your startup.  There is really no reason for it to be there on startup....you can do that when you want it.

Go to Start >> in the Start Search bar type msconfig >> when it populates above right-click and Run as Admin... >> in the Startup tab remove any Zune entry >>  press Apply >>  reboot your system. 
-----------

Save any information you might want from Google Chrome.  Once you have what you want, I want you to uninstall Google Chrome completely and then reinstall a fresh copy.  Don't install any add-ons or extensions for Chrome yet.

Once you have that finished please let me know if the popups are still there.

[Sprey]

Well Zune isn't in start up as it is, by what I said earlier I mean that the program is set to log me in when I choose to open it. And I'm not sure that Google Chrome re installation will make a difference, it didn't seem to last time... do you still think I should do it? Also, do you think re-installing avast is worth a try?

[jeffce]

Do you have Zune in your exceptions list for Avast?

[Sprey]

I've just added it now (does going to File System Shield > Expert Settings > Exclusions and then adding C:\Program Files\Zune\* to the list add it to the "exceptions list"?)

Also, the thing is is that Zune is being weird lately anyway... it keeps telling me that I need an update which I already have, but again, I'm not sure if that's anything to do with this supposed virus or not...

[jeffce]

I've just added it now (does going to File System Shield > Expert Settings > Exclusions and then adding C:\Program Files\Zune\* to the list add it to the "exceptions list"?)

yes that should work. 

[Sprey]

yes that should work.

well earlier a popup still came from zune.exe despite me doing that yesterday... what to do next?! I am so confused, mainly by the fact that all the URLs that are being blocked are normal websites, yet they are still obviously irritating avast for some reason...

[DavidR]

Whilst exclusion will stop avast scanning the files in the zune folder, it won't exclude its activity from scans.

If this alert was the same as the popup3.png in your first post replicated here, then there is no alert on content in the zune folder by the file system shield. The alert is by the Network Shield (not effected by File System Shield exclusion) as it believes the site that zune.exe is attempting to connect to is malicious.

So given your user name in the forum and the location in the image, this is legit activity of you connecting to your zune UK account. Is that correct ?

If so I suspect this instance could possibly be a false positive detection on the site, as http://www.urlvoid.com/scan/socialapi.zune.net/ finds it clear, but that is a reputational rather than actual scan.

However, I get it to do a scan on the members area by another scanner and I get an indication that the site is infected, http://sitecheck.sucuri.net/results/socialapi.zune.net/members/ so it would appear that avast could be legitimately blocking access to the site.

Other than the alert on the zune site are the others still popping up ?