Hi, my parents' computer I just purchased 2 years ago has been acting up for the past year or so after my father complaining it was slow and not working properly so I gave it a look and did notice it was running slow, I did a system factory reset and as I was setting it back up after the reset I noticed it wouldn’t connect to Google.com but every other site I went to worked fine, I called and spoke to Time Warner (my SP) techs to see if they could fix it and after almost 2 hours of being on the phone with 3 different people they still couldn’t figure it out. I tried everything, going through settings, LAN settings, all different network settings, still nothing worked. Their Tech specialist told me that I might have a virus and to try and run some malware programs, do another factory reset, or even reinstall Windows 7. I did all of those except reinstall Windows 7. I have downloaded and ran AVG, Norton, and Avast and ComboFix (not sure if I used it correctly); all didn’t find and solve the problem but when I had Avast protecting the computer I kept getting notifications saying it blocked “Globalroot/systemroot/svshost.exe”. Any help on how to find, fix, and remove this from my parents’ desktop would be appreciated. Thanks!
follow guide and attach the requested logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes / OTL / aswMBR
when done a malware expert will check the logs
Monitoring…
I’m having a problem posting the scan results on the infected computer. The Verification box isn’t appearing, I’m currently on my Macbook right now.
What do you mean by verification?
The Captcha where you have to put the numbers in the picture and box when you post or reply on here. I’m not sure if it’s my anti virus programs on my computer or the actual settings on the browsers but I tried using IE, Google Chrome, and Mozilla Firefox and the captcha didn’t appear for any of those. Is there any other way to post or show the scan logs?
“The Captcha where you have to put the numbers in the picture and box when you post or reply on here.”
Forum spam protection... only for first 3 posts, so your next post will not have that ;)
so click the Attachments and other options link you see below the box you write in here and attach the logs
This is the MBAM scan log.
These are the OTL scan logs.
This is the aswMBR scan log.
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
These are all the logs. The TDSSkiller seemed to find something and delete it on the reboot. The computer is running very good, haven’t had a single virus pop up from any of my antiviruses on the computer, and most importantly I can now access Google.com.
You’re running two antivirus products, that is a bad idea for many reasons. Uninstall one of them…
We need to run TDSS Killer once more, but now with different options:
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
- Under Additional options check the boxes next to:
  - Verify Driver Digital Signature;
  - Detect TDLFS file system
  - Use KSN to scan objects
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Then…
- Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.
Instructions how to disable avast:
- Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
- Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
- When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach log reports (ComboFix.txt) back to topic.
I deleted the Norton Security I had, So it should just be Avast on here now.
Here are the logs for TDSSKiller and Combofix.
Re-run TDSSKiller with the same parameters as before
When this element appears select delete
\Device\Harddisk0\DR0 ( TDSS File System )
How are the things now?
This is the log of the last TDSSKiller scan. I deleted it and TDSSKiller quarantined about 10 or 12 items that I think were part of what I deleted.
Everything seems to be running perfectly fine.
Can you re-run TDSS Killer once more, latest report isn’t complete…
Here’s the TDSSKiller log.
Good, you’re clean now
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
Tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
Uninstall Adobe Reader, and download/install latest version.
Stay safe, cheers
You sir are a genius! Seriously, Thanks for all the help, I appreciate it.