New OS, Avast spamming URL blocked from C:\Windows\SysWOW64\svchost.exe

Hello, I’m in the process of fixing my siblings computer, and I’ve re-installed Windows 7 on their computer, it’s a fresh OS, not sure if the iso was infected, or not. The link I got it from is : http://msft.digitalrivercontent.net/win/X17-58997.iso . It was posted on the microsoft website answer forums, so I’m doubting it. Every time I start up, Avast spams the computer with over 20 “Threat detected” “Malicious URL Blocked” or something else in that process… This then proceeds to blue screen the computer making it very hard to use. Here’s an image:

http://i.imgur.com/6bLc5u4.png
.

I have no idea if this is a virus. The only thing’s I’ve downloaded are the drivers from a website. I doubt one was a virus…but mabye. Any help would be amazing as I’ve been dealing with this for 3 painful days. Thank you a bunch. I’m currently trying to install malewarebytes to do a scan also.

attach (not copy and paste) the requested logs, then a removal expert will check tomorrow
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

Here are all my scan logs. Thanks a ton…

I didn’t have any more attachment space, so heres the extras.txt
http://pastebin.com/f4ePK4PU
Thanks a ton.

Hi,

Step#1

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#2

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe

[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.


Step#3

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



filesrcm;
startupall;
firefoxlook;
chromelook;


[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log

I’m sorry it took me so long! Here are the logs you’ve requested…

Hi,

[*]Re-run TDSSKiller.exe and click on Change parametres.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach the contents of it into your next reply
Note:It will also create a log in the [b]C:[/b] directory.


Re-run zoek.exe as you did before but use this script:

svchost.exe;z

Click on RunScript button and attach here fresh zoek log.

Hello, Thank you so very much for helping me. Here are those two logs attached to this reply.

Hi,

You have interrupted TDSSKiller scan.

06:11:04.0362 2420 Scan interrupted by user!
06:11:04.0362 2420 ================ Scan global ===============================
06:11:04.0362 2420 Scan interrupted by user!
06:11:04.0362 2420 ================ Scan MBR ==================================
06:11:04.0362 2420 Scan interrupted by user!
06:11:04.0362 2420 ================ Scan VBR ==================================
06:11:04.0362 2420 Scan interrupted by user!

Re-run TDSSKiller as you did before with Changed parametres and if you see this entry:

[b]\Device\Harddisk0\DR0 ( TDSS File System )[/b]

Use Delete options for that.


How’s your computer running now?

Hello, I re-ran the scan and used the delete option for what you said. Then I re-scan and nothing was found. Is my computer fully cured now? If so, could you possibly inform me on what type of virus this was? Thanks
Also, Avast is not detecting anything or spamming anymore.

Hi,

You had an powerfull TDL4 rootkit variant know to us as Pihar rootkit. They are also know as MBR Rootkits. It lives outside of operating system, creating his own file system and do peyload into system.

http://en.wikipedia.org/wiki/Rootkit

Rootkit has been removed. Your system looks clean.

It is necessary to remove used tool for an some post-cleaning.

Download “Delfix by Xplode”
Run the tool … Check the boxes …

[] Remove disinfection tools
[
] Purge System Restore
[*] Reset system settings

Click on “Run” button.

I don’t need DelFix log report.

I recommended to keep Malwarebytes AntiMalware and to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Alright. I thank you very much in the aid of removing this rootkit. You’re very kind. :slight_smile: I used that removal tool. Again, thank you very much for your help.