Kaspersky Malicious URL Blocked -- Windows Explorer Shuts Down

[evilfantasy]

Thank you.

How is the computer doing now?

[Peter Jordan]

Exactly the same -- url warnings followed by WE shut down and restart.

Very frustrating...

What else could it be?

[evilfantasy]

Download the MBR Rootkit Detector to your desktop.
* Doubleclick mbr.exe and follow prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log file to your next reply.

[Peter Jordan]

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: Hitachi_HTS543225L9A300 rev.FBEOC40C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

[evilfantasy]

I'm really not sure what is going on.

Is Kaspersky updated?

[Peter Jordan]

Yes, in fact I just do another manual update to be sure and then a full scan, which took nearly 6 hrs to complete. Still no change.

[evilfantasy]

Apparently you have something installed that is trying to connect to 76.191.112.2.

You are not using any cracked software are you?

[Peter Jordan]

No cracked software installed.

 

[evilfantasy]

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan



On completion of the scan click save log, save it to your desktop and post in your next reply

[Peter Jordan]

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-02 08:04:08
-----------------------------
08:04:08.477    OS Version: Windows 6.1.7601 Service Pack 1
08:04:08.477    Number of processors: 2 586 0x301
08:04:08.477    ComputerName: PETER-PC  UserName: Peter
08:04:10.397    Initialize success
08:04:22.661    AVAST engine defs: 12060200
08:04:48.198    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:04:48.214    Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40C Size: 238475MB BusType: 11
08:04:48.260    Disk 0 MBR read successfully
08:04:48.260    Disk 0 MBR scan
08:04:48.276    Disk 0 unknown MBR code
08:04:48.292    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        12000 MB offset 2048
08:04:48.307    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 24578048
08:04:48.323    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       226373 MB offset 24782848
08:04:48.338    Disk 0 scanning sectors +488395120
08:04:48.416    Disk 0 scanning C:\Windows\system32\drivers
08:05:04.796    Service scanning
08:05:52.408    Modules scanning
08:06:08.351    Disk 0 trace - called modules:
08:06:08.897    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
08:06:08.913    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863dc648]
08:06:08.928    3 CLASSPNP.SYS[8afae59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8639f908]
08:06:09.942    AVAST engine scan C:\Windows
08:06:15.326    AVAST engine scan C:\Windows\system32
08:13:05.941    AVAST engine scan C:\Windows\system32\drivers
08:13:25.207    AVAST engine scan C:\Users\Peter
08:32:25.864    AVAST engine scan C:\ProgramData
08:42:24.304    Scan finished successfully
09:04:08.333    Disk 0 MBR has been saved successfully to "C:\Users\Peter\Documents\MBR.dat"
09:04:08.349    The log file has been saved successfully to "C:\Users\Peter\Documents\aswMBR6212.txt"
 

[Peter Jordan]

I'm not sure what significance this has but the malicious URL warning and WE shut-down occurs only when I use Firefox -- but not IE.

Any idea why that would be?


Thanks for your continued help and advice.

Peter

[evilfantasy]

Can you start Firefox in Safe Mode?

Hold down the shift key while starting Firefox.

Does it give the warning then?

[evilfantasy]

Edit: Just got some more information from SuperDave.

We need to fix the Master Boot Record using aswMBR now.

• Double click aswMBR.exe to run it like before
  
• Once the scan finishes click FixMBR to remove the infection as illustrated below
  

• Once the scan finishes click Save log to save the log to your Desktop
  
  
  
  
• Copy and paste the contents of aswMBR.txt back here for review
  

.

[Peter Jordan]

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-02 16:00:33
-----------------------------
16:00:33.618    OS Version: Windows 6.1.7601 Service Pack 1
16:00:33.618    Number of processors: 2 586 0x301
16:00:33.621    ComputerName: PETER-PC  UserName: Peter
16:00:34.839    Initialize success
16:00:43.947    AVAST engine defs: 12060200
16:00:52.810    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:00:52.814    Disk 0 Vendor: Hitachi_HTS543225L9A300 FBEOC40C Size: 238475MB BusType: 11
16:00:52.837    Disk 0 MBR read successfully
16:00:52.841    Disk 0 MBR scan
16:00:52.875    Disk 0 unknown MBR code
16:00:52.881    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        12000 MB offset 2048
16:00:52.910    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 24578048
16:00:52.936    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       226373 MB offset 24782848
16:00:52.953    Disk 0 scanning sectors +488395120
16:00:53.022    Disk 0 scanning C:\Windows\system32\drivers
16:01:28.311    Service scanning
16:02:34.396    Modules scanning
16:02:46.690    Disk 0 trace - called modules:
16:02:47.073    ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
16:02:47.087    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x863a93b8]
16:02:47.103    3 CLASSPNP.SYS[8adbf59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8639f908]
16:02:48.210    AVAST engine scan C:\Windows
16:02:55.353    AVAST engine scan C:\Windows\system32
16:11:36.090    AVAST engine scan C:\Windows\system32\drivers
16:12:14.140    AVAST engine scan C:\Users\Peter
16:41:39.043    AVAST engine scan C:\ProgramData
16:55:51.118    Scan finished successfully
17:10:02.603    Verifying
17:10:12.626    Disk 0 Windows 601 MBR fixed successfully
17:10:29.696    Disk 0 MBR has been saved successfully to "C:\Users\Peter\Documents\MBR.dat"
17:10:29.706    The log file has been saved successfully to "C:\Users\Peter\Documents\aswMBR.txt"
 

[evilfantasy]

Hopefully you will see an improvement in how the computer is running now?

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.