Malware - globalroot\systemroot\svchost

Greetings, this computer virus novice could use some advice/direction. I have completed a boot scan and several other things recommended by the Avast team, but I am still having the same issues. I keep getting repeated messages that "Malicious URL blocked - avast Network Shield has blocked a harmful site." Whatever is going on has caused my computer to show a blue screen more than once. Can anyone direct me to the type of tool that would assist with correcting this issue? Do you recommend bringing the computer to a professional, or is this something I should be able to work through?

Thanks in advance for everyone’s assistance.

Constant popups indicate that you have an infection.

Follow this guide and attach the logs here in this topic... do not copy and paste: http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the removal specialists will be notified and will help you. It may take hours before one arrives, so be patient.

Thank you for your assistance. Please find attached the logs from the instructions. Thanks.

Hi,

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

- Disable any antivirus programs during the scan (if you have difficulty properly disabling your protective programs, refer to this link here).
- Double click DDS to run the tool.
- When done, two DDS.txt's will open.
- Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbr-1.jpg
Please download aswMBR to your desktop.

- Double click the aswMBR icon to run it.
- Click the Scan button to start the scan.
- If you are asked to update the Avast Virus database, please allow it to do so.
- When it finishes, press the Save log button, save the logfile to your desktop and attach its contents in your next reply.


http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg


Here are the requested logs. Do i need to delete these later? Can anyone use the logs I have been attaching to access my computer? Thanks for all your help.

Hi,

Do i need to delete these later? Can anyone use the logs I have been attaching to access my computer?
We will remove all of these later. No need to worry about the logs we have here... there is nothing there that people can use.

ComboFix

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.


here is combofix log. Again many thanks for your help.

Good…how is your system behaving? :slight_smile:

The pop-up has quit but I did get a blue screen again after putting the computer into hibernate.

Let’s take a different look…

http://i1224.photobucket.com/albums/ee380/jeffce74/TDSK.jpg
Please download TDSSKiller

- Double click TDSSKiller.exe
- Press Start Scan
- If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
- Do Not Attempt To Fix Anything Now. We just need to look over the report and be sure we are removing the correct items.
- Attach the log in your next reply.
- A copy of the log will be saved automatically to the root of the drive (typically C:).


Here is the TDSSKiller log

Hi,

That is what I thought…

WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other malware capable of stealing very important information. You need to stop using all Internet banking sites, change passwords to all sites with sensitive information from a clean computer, and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

If you would like to format and reinstall your Operating System please let me know and I can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :slight_smile:

Run TDSSKiller again. When you see \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ), be sure to select Cure this time and then attach the new log to your next reply.

I guess let's reinstall the OS. Argh!!! Will I be able to back up photos, etc., or is there a risk this will be infected?

Will I be able to back-up photos, etc... or is there a risk this will be infected?
Oh yes you can do that. Any files, photos, music, videos or things like that are fine to save. You will just need to reinstall all the actual programs.

Are you sure you want to format your system? It’s not a problem to continue on my end. :slight_smile:

Based on your previous post it sounded like reformatting was the only way I would be sure the issue was fixed. I use my computer all the time for financial type things, etc. I just am not sure where the original disks are. I can try the cure, but is there a way to know it worked for sure?

I can try the cure but is there a way to know it worked for sure?
I have had very good results with removing this type of infection. I would never be able to give you a 100% guarantee no matter what the infection, though. There is no harm in trying to fix it up, though.

If you would like to continue... Run TDSSKiller again. When you see \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ), be sure to select Cure this time and then attach the new log to your next reply.

Most recent log

Good job! :slight_smile:

ComboFix

Download Combofix from the link below, and save it to your desktop.
Link

Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.


Here is the combofix log

How is your system running now? :slight_smile: