Avast Help

I’m getting spammed every 5 mins or so with about 9 random advertising weblinks that something is trying to access. Avast isn’t catching anything when I run it. I’ve run the appropriate logs and am attaching them below. Thanks in advance for any and all help!

Logs attached below.

More logs.

Your Malwarebytes was not updated when you did the scan… always click the update button before a scan.
Do a new quick scan… and if anything is detected, attach the new log.

Looks like something new.

Download the latest version of TDSSKiller from here and save it to your Desktop.

1. Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

2. Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

3. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

4. Click the Start Scan button.

5. If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

6. If malicious objects are found, they will show in the Scan results and offer three (3) options.

7. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

8. Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Well, it did find about a dozen suspicious files as well as one critical malicious one (Rootkit.Boot.Pihar.C). I rebooted as instructed. Unfortunately, on start-up, it ran TDSSKiller again. I’m afraid this may have overwritten the logs. I am attaching them regardless. I’m going to run Malwarebytes again with the updated definitions and will keep track to see if Avast catches anything going on tonight. Thanks for all the help.

I wish I had run into your anti-virus software earlier; I had been using Avira for a number of years…

18:42:42.0893 3472 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:42:43.0515 3472 ============================================================
18:42:43.0515 3472 Current date / time: 2012/12/17 18:42:43.0515
18:42:43.0515 3472 SystemInfo:
18:42:43.0515 3472
18:42:43.0515 3472 OS Version: 6.0.6002 ServicePack: 2.0
18:42:43.0515 3472 Product type: Workstation
18:42:43.0515 3472 ComputerName: KEVIN-PC
18:42:43.0515 3472 UserName: Kevin
18:42:43.0515 3472 Windows directory: C:\Windows
18:42:43.0515 3472 System windows directory: C:\Windows
18:42:43.0515 3472 Processor architecture: Intel x86
18:42:43.0515 3472 Number of processors: 2
18:42:43.0515 3472 Page size: 0x1000
18:42:43.0515 3472 Boot type: Normal boot
18:42:43.0515 3472 ============================================================
18:42:45.0533 3472 BG loaded
18:42:45.0895 3472 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000050
18:42:45.0895 3472 Drive \Device\Harddisk1\DR1 - Size: 0x15D50F66000 (1397.27 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000050
18:42:45.0898 3472 ============================================================
18:42:45.0898 3472 \Device\Harddisk0\DR0:
18:42:45.0910 3472 MBR partitions:
18:42:45.0910 3472 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
18:42:45.0910 3472 \Device\Harddisk1\DR1:
18:42:45.0910 3472 MBR partitions:
18:42:45.0910 3472 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0xAEA82841
18:42:45.0910 3472 ============================================================
18:42:45.0965 3472 C: ↔ \Device\Harddisk0\DR0\Partition1
18:42:45.0966 3472 E: ↔ \Device\Harddisk1\DR1\Partition1
18:42:45.0966 3472 ============================================================
18:42:45.0966 3472 Initialize success
18:42:45.0966 3472 ============================================================

Here is the latest Malwarebytes log.

No random pop-ups from Avast tonight thus far.

The proper TDSSKiller log will be at C:\TDSSKiller date time and will be the larger of the two.
If you could attach that, please.

I can’t attach the TDSSKiller file. It is .DTA which my computer doesn’t seem able to open.

Weird, but never mind. How is the computer behaving now?

Things seem to be running OK. There are no more notifications of blocked websites. I did find the file you were referencing; apparently I was looking under the TDSSKiller folder and not the C: root directory. See attachment.

OK, let's finish it off now.
Re-run TDSSKiller with the same parameters.
When this element appears, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Avast may alert as the files are moved.
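The "TDSS File System" that TDSSKiller reports on \Device\Harddisk0\DR0 is not a partition: TDL4-family rootkits such as Pihar keep their hidden file system in the unpartitioned space at the end of the disk. As an added example that is not part of this thread, the Python snippet below parses the drive and MBR partition lines from the TDSSKiller log quoted above and reports the unpartitioned tail of each disk, so a responder can confirm where that hidden file system could sit and image the region before cleaning.

```python
import re

# Drive and MBR partition lines copied from the TDSSKiller log quoted above
# (the curly quotes around the drive type replaced with straight ones).
TDSS_LOG = r"""
18:42:45.0895 3472 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:42:45.0895 3472 Drive \Device\Harddisk1\DR1 - Size: 0x15D50F66000 (1397.27 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:42:45.0910 3472 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x254297C1
18:42:45.0910 3472 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0xAEA82841
"""

HEX = r"(0x[0-9A-Fa-f]+)"
DRIVE_RE = re.compile(r"Drive (\\Device\\Harddisk\d+\\DR\d+) - Size: " + HEX + r".*?SectorSize: " + HEX)
PART_RE = re.compile(r"(\\Device\\Harddisk\d+\\DR\d+)\\Partition(\d+): MBR, Type " + HEX
                     + r", StartLBA " + HEX + r", BlocksNum " + HEX)


def parse_layout(log):
    """Map each physical drive to its size in sectors and its MBR partition entries."""
    drives = {}
    for line in log.splitlines():
        m = DRIVE_RE.search(line)
        if m:
            dev, size, sector = m.groups()
            drives[dev] = {"sectors": int(size, 16) // int(sector, 16), "parts": []}
            continue
        m = PART_RE.search(line)
        if m and m.group(1) in drives:
            _, idx, ptype, start, count = m.groups()
            drives[m.group(1)]["parts"].append(
                {"index": int(idx), "type": int(ptype, 16), "start": int(start, 16), "count": int(count, 16)})
    return drives


def unpartitioned_tail(log):
    """Return {drive: (first_unallocated_lba, unallocated_sector_count)}.

    TDL4-family rootkits write their hidden file system into the unpartitioned
    space after the last MBR partition, so that tail is the region to image and
    inspect; a partition running past the disk end signals a corrupt or tampered
    table and is reported instead of being silently clamped.
    """
    report = {}
    for dev, d in parse_layout(log).items():
        end = max((p["start"] + p["count"] for p in d["parts"]), default=0)
        if end > d["sectors"]:
            raise ValueError(f"{dev}: partition table extends past end of disk")
        report[dev] = (end, d["sectors"] - end)
    return report
```

For the log above, unpartitioned_tail(TDSS_LOG) reports 21168 unallocated sectors (about 10.3 MiB) after the single partition on \Device\Harddisk0\DR0, the drive TDSSKiller flagged, and 5103 sectors on \Device\Harddisk1\DR1.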