Frequent Avast alert for SysWow64\svchost.exe mal url

Viruses and worms
1

Hello, Avast is alerting me about every 10 minutes that it blocked a url, even when i’m not surfing the web:

http://i58.tinypic.com/2m5fqer.gif

Malwarebytes and Avast aren’t finding any malware or viruses. Sorry, I don’t have a “View detailed log” link on my MalwareBytes, but attached are the files I was able to get. Any ideas what to do? Thanks!

2

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

File: C:\Windows\system32\fglsqub.dll
File: C:\Windows\system32\ugygdc.dll
Folder: C:\Windows\System32\Tasks\{06DFBCDE-A29A-3EEF-B9CF-BA9B8ABDFC7D}
File: C:\Windows\system32\ugygdc.dll
Hosts:
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
AlternateDataStreams: C:\Users\mycomp\Cookies:HkL3Lgl3KPMFFD8iFmxEzm
AlternateDataStreams: C:\Users\mycomp\AppData\Local\cGC4Dm8lH2:juN7BWnPjnx7DQoYEUY10E9A7k
AlternateDataStreams: C:\Users\mycomp\AppData\Local\nERHmoddRG:pQBZDm6Eup154jgfKFd3GlPHQyYJ7
AlternateDataStreams: C:\Users\mycomp\AppData\Local\T9sxo4YadJDaA:qDBoc4wzR0eNoCfYqa5qCZ
Reboot:
C:\Users\mycomp\AppData\Local\cGC4Dm8lH2
C:\Users\mycomp\AppData\Local\nERHmoddRG
C:\Users\mycomp\AppData\Local\T9sxo4YadJDaA
C:\Users\mycomp\AppData\Local\Temp\*.dll
C:\Users\mycomp\AppData\Local\Temp\*.exe

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

.

  1. Please download ComboFix by sUBs (
    http://www.mcshield.net/personal/magna86/Images/IconComboFix.png
    ) from here and save it to your Desktop.
    [i]If you are unsure how ComboFix works, read this guide.
  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

  1. Run ComboFix. Then, on disclaimer window, click I Agree! button.

[i][size=7pt]- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]
  1. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach log report (ComboFix.txt) back to topic.

ComboFix shall also create addition log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

3

Hi Magna86, thanks for your help, much appreciated. Attached is the fixlog. As for combofix, it wasn’t able to work. It ran fine but when it finished it gave an error. here’s the screenshot of what it said:

http://i58.tinypic.com/vpkyzo.gif

thanks again.

4

Ok, this time I want you to run this FixList and post me the fresh created FixLog.txt.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Reboot:
C:\Windows\system32\fglsqub.dll
C:\Windows\system32\ugygdc.dll
C:\Windows\System32\Tasks\{06DFBCDE-A29A-3EEF-B9CF-BA9B8ABDFC7D}

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

.

Now I would like you to re-try to run ComboFix. Delete the current copy of the ComboFix.exe (drag &drop into recycle bin) and download fresh one and try to re-run the scan.

.

In any case, I would like to preform a ARK (antirootkit) scan as well. So, deploy the following as well;

Please download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by doubleclicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

[*]Under Additional options check the boxes next to:
- Verify Driver Digital Signature;
- Detect TDLFS file system
- Use KSN to scan objects
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

5

thanks again for your help. Same error with combofix, but here’s the other logs.

6

Ok, run FRST.exe again and post me the fresh FRST.txt report and tell me do you still getting the avast! alearts?

7

so far so good, no alerts this morning *knocks on wood. Thanks for all your help!

8

Good. Now we need to preform the ComboFix uninstall as I see his files droped on board.

Please download ComboFix’s standalone uninstall utilitys from one of the following link and execute it.
http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE
http://compendiate.net/sUBs/Beta/CF_UNINST.EXE
This shall remove the ComboFix and his related files and folders. Reboot may require…

Now I would like to peek into FRST’s Quarantine folder. Please seek the C:\FRST[b]Quarantine[/b], zip-it/rar-it and upload the Quarantine into one of free online sharing sites like this one here:

http://www.wikisend.com

Please send me the download link. I will peek into files and if they are malware, all AV vendor shall be notified. Thanks.