Malware blocked messages every few minutes

I keep getting popup messages from Avast saying these files have been blocked, but they keep changing

http://find-everything.biz/?query=debt
http://rghoncks.biz/task/2000
http://rotartost17x.me/task/2000
http://rtortern3.biz/task/2000
http://ryugroben6.in/task/2000
http://ryugrob6.in/task/2000

The "has blocked URL: MAL" message is the same for all of them.

The process is the same for all of them: C:\windows\system32\svchost.exe

I have run Malwarebytes and nothing shows up…

If Avast can block them and finds that a threat is detected, why can’t Avast clean them? Just wondering…

If your car breaks down, you will know it, but it doesn't mean you can fix it :wink:

Hi, you have something new… Before I clean it I would like you to do two small tasks :slight_smile:

Go to Virustotal
Click Choose File and navigate to C:\Windows\system32\Uvyt5itY.dll and select it
Then press scan it

Once it has completed, could you copy the link and post it here?

THEN

Open Avast and go to the Virus chest
Right click on the white area and click add

https://dl.dropboxusercontent.com/u/73555776/Virus%20chest.jpg

Navigate to C:\Windows\system32\Uvyt5itY.dll and select that file
It will now be added to the chest.

I will give instructions at the end how to send it to the virus labs

NOW TO CLEAN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HomePage: Default -> hxxp://astromenda.com/?f=1&a=ast_secureddownload_14_37_ch&cd=2XzuyEtN2Y1L1QzutDtDtByEzz0CyD0AyC0EyEtByD0ByByDtN0D0Tzu0SzyzztAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyEtDzy0B0D0DtCtG0DtCyEtCtGzyyE0FyEtGyCtCyB0AtGyBtC0CtAtAzy0F0FyCyDyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDzy0B0C0E0DtDtAtG0EzyyBtDtGyE0C0E0CtGzytAzy0BtGzz0CyBzy0AyC0C0CtB0E0FyB2Q&cr=874942010&ir=
CHR StartupUrls: Default -> "https://www.yahoo.com/?fr=hp-avast&type=odc089", "https://www.yahoo.com/?fr=hp-avast&type=odc089", "hxxp://astromenda.com/?f=7&a=ast_secureddownload_14_37_ch&cd=2XzuyEtN2Y1L1QzutDtDtByEzz0CyD0AyC0EyEtByD0ByByDtN0D0Tzu0SzyzztAtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StCyEtDzy0B0D0DtCtG0DtCyEtCtGzyyE0FyEtGyCtCyB0AtGyBtC0CtAtAzy0F0FyCyDyC0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDzy0B0C0E0DtDtAtG0EzyyBtDtGyE0C0E0CtGzytAzy0BtGzz0CyBzy0AyC0C0CtB0E0FyB2Q&cr=874942010&ir=", "https://www.yahoo.com?fr=hp-avast&type=odc089"
NETSVC: pqn -> C:\Windows\system32\Uvyt5itY.dll (Microsoft Corporation)
S2 pqn; C:\Windows\system32\Uvyt5itY.dll [103792 2015-01-13] (Microsoft Corporation) [File not signed]
2015-01-13 15:18 - 2015-01-13 15:18 - 00103792 _____ (Microsoft Corporation) C:\Windows\system32\Uvyt5itY.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

TO UPLOAD TO Avast FROM THE VIRUS CHEST

Right click the suspect file
Select Submit to Virus lab

https://dl.dropboxusercontent.com/u/73555776/Virussubmit.jpg

A form will appear
In the dropdown box at the top select Potential malware

https://dl.dropboxusercontent.com/u/73555776/submitform.JPG

In the second box copy the link from this thread
Finally tick the "I know what I am doing" box
Click submit and then manually update Avast to send it

I do not have the file c:\windows\system32\uvy5itY.dll

Could you go to control panel > folder options > view
Select show hidden files
If it is already selected then proceed to the FRST fix

Here is new scan

I just wanted you to know I had 55 notifications of Avast blocking these files in the last minute.

OK that did not kill it, bigger hammer time

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Still getting popups…but here is log from the scan.

Let me know if this stops it

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File:: c:\windows\system32\Uvyt5itY.dll

NetSvc::
pqn

Driver::
pqn

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Here is the Combofix Log

One further run I am afraid

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

File:: c:\windows\system32\Uvyt5itY.dll

NetSvc64::
pqn

Driver::
pqn

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Log completed at 3:50 pm today as requested

All the services are now dead but for some reason the file does not want to go. Have the alerts ceased now ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
c:\windows\system32\Uvyt5itY.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

Frst Scan completed attached log file

BTW the popup on Avast that tells me that a URL: Mal has been blocked has stopped for quite a while now… Can you tell me how these Mal files were trying to attack my computer? How were they connecting to svchost.exe? What can I do to prevent an attack like this in the future? I know you have worked hard on this and I appreciate it…

OK it has finally gone :slight_smile:

Can you tell me how these Mal files were trying to attack my computer
The intention of this file was to download additional malware; as it was, Avast stopped it from doing that.
How were they connecting to svchost.exe
Because the file was running as a net service which is controlled by svchost
What can I do to prevent an attack like this in the future
Hard to say as this is totally new, I don't suppose you can remember where it came from ?

How is the computer now ?
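The answer above explains why the alerts came from svchost.exe: the DLL was registered as a service in the netsvcs group, so svchost.exe loaded it in-process and any connections it made looked like svchost traffic. The FRST lines in the fix (NETSVC: pqn, S2 pqn, "[File not signed]") are exactly the evidence a defender can check for on any machine. The PowerShell below is an added example written for this page, not something from the thread or from the FRST or ComboFix tools: it walks every service whose ImagePath is svchost.exe, resolves its ServiceDll, checks whether the name is in the netsvcs group list, and verifies the DLL's Authenticode signature. The service name pqn and the file name Uvyt5itY.dll are taken from the thread; everything else is generic and assumes a standard Windows registry layout. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): list svchost-hosted services and flag
# any whose ServiceDll is not validly signed. A PE "Company" string such as
# "Microsoft Corporation" (as on Uvyt5itY.dll in the thread) is free text and
# proves nothing; only the signature chain does.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# The netsvcs group list is what FRST reports as "NETSVC: <name>".
$netsvcs = @((Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).netsvcs)

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { continue }

    # Only services started through svchost.exe are loaded as in-process DLLs.
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }
    $group = if ($props.ImagePath -match '-k\s+(\S+)') { $Matches[1] } else { '' }

    # The DLL path normally sits in the Parameters subkey; some services put
    # ServiceDll on the service key itself.
    $dll = $null
    $paramsPath = Join-Path $svc.PSPath 'Parameters'
    if (Test-Path -Path $paramsPath) {
        $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
    }
    if (-not $dll) { $dll = $props.ServiceDll }
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)

    if (-not (Test-Path -LiteralPath $dll)) {
        [pscustomobject]@{
            Service = $svc.PSChildName; Group = $group
            InNetsvcs = ($netsvcs -contains $svc.PSChildName)
            Dll = $dll; Status = 'DLL missing'; Signer = ''
        }
        continue
    }

    # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    $sig = Get-AuthenticodeSignature -FilePath $dll
    [pscustomobject]@{
        Service   = $svc.PSChildName
        Group     = $group
        InNetsvcs = ($netsvcs -contains $svc.PSChildName)
        Dll       = $dll
        Status    = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Anything svchost hosts that is not validly signed deserves a look. An unsigned
# DLL with a random-looking name in System32 (the thread's Uvyt5itY.dll under
# service "pqn") is the pattern to watch for.
$suspicious = @($findings | Where-Object { $_.Status -ne 'Valid' })

$findings | Sort-Object Status, Service | Format-Table -AutoSize
"Not validly signed: $($suspicious.Count)"
$suspicious | Format-Table Service, Group, InNetsvcs, Dll, Status -AutoSize
```

On PowerShell 3.0 and later Get-AuthenticodeSignature also accepts catalog signatures, which is how most stock Windows DLLs are signed; on PowerShell 2.0 those files show as NotSigned, so a long list of "suspicious" system DLLs there is a version artefact, not an infection. A genuine hit looks like the thread's case: one service, a DLL nobody recognises, no valid signature, and a recent file timestamp.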