Avast detects the following threat over and over. I have involuntary website redirects to bogus websites randomly. I’ve run malwarebytes with no luck. Here is the pop up from avast
Malicious URL Blocked
Object: 83.133.121.222/SVf04cp8g7m3no0NDQ3fGRvd25sb2FkfDZjY2YxYzd
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe
Essexboy is notified and will look at your log`s when he arrive
he is usually in here late UK time…
Hi Pike,
Windows svchost.exe it should be exist on your system, but sometime malware can take an advantage from this services and create a fake svchost.exe on your systems.
According to your MBAM log, your system is look safety and nothing infection happened. And normally avast warned the visited site and will automatically block or ignore the malware connection from the site.
But to make sure, as Pondus referenced we can wait for essexboys analysis.
Here is very informative for us about svchost.exe : hxxp://www.processlibrary.com/directory/files/svchost/24778/
cheers,
@ pike_mazter
These alerts are in many cases associated with an MBR Rootkit. So whilst waiting for essexboy to get on the forums later today you can check if you have an MBR rootkit using this tool:
I would concur with David as nothing is readilly apparent in the log
Please post the aswMBR log
19:13:02.699 OS Version: Windows 6.1.7600
19:13:02.699 Number of processors: 2 586 0x170A
19:13:02.699 ComputerName: AMY-PC UserName: Amy
19:13:07.597 AVAST engine 5.0.677 defs: 11061601
19:13:07.597 Initialize success
19:13:18.315 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
19:13:18.315 Disk 0 Vendor: TOSHIBA_ FG00 Size: 238475MB BusType: 3
19:13:18.564 Disk 0 MBR read successfully
19:13:18.580 Disk 0 MBR scan
19:13:18.580 Disk 0 Alureon-G@mbr [Rtk]
19:13:18.595 Disk 0 TDL4@MBR code has been found
19:13:18.595 Disk 0 Windows 7 default MBR code found via API
19:13:18.595 Disk 0 MBR hidden
19:13:18.595 Disk 0 MBR [TDL4] ROOTKIT
19:13:18.611 Disk 0 trace - called modules:
19:13:18.611 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86ea56f0]<<
19:13:18.611 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86e872e8]
19:13:18.627 3 CLASSPNP.SYS[8b78d59e] → nt!IofCallDriver → [0x8719a6a8]
19:13:18.658 \Driver\iaStor[0x85796070] → IRP_MJ_CREATE → 0x86ea56f0
19:13:18.658 AVAST engine scan C:\Windows\system32
19:22:03.224 Scan finished successfully
19:22:43.925 Disk 0 MBR has been saved successfully to “C:\Users\Amy\Desktop\MBR.dat”
19:22:43.925 The log file has been saved successfully to “C:\Users\Amy\Desktop\aswMBR.txt”
In this case - [TDL4] ROOTKIT found:
http://public.avast.com/~gmerek/aswMBR3.png
21:24:14.274 OS Version: Windows 6.1.7600
21:24:14.274 Number of processors: 2 586 0x170A
21:24:14.290 ComputerName: AMY-PC UserName: Amy
21:24:15.881 AVAST engine 5.0.677 defs: 11061601
21:24:15.881 Initialize success
21:24:20.077 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
21:24:20.077 Disk 0 Vendor: TOSHIBA_ FG00 Size: 238475MB BusType: 3
21:24:20.093 Disk 0 MBR read successfully
21:24:20.093 Disk 0 MBR scan
21:24:20.093 Disk 0 Windows 7 default MBR code
21:24:20.108 Disk 0 scanning sectors +488395120
21:24:20.140 Disk 0 scanning C:\Windows\system32\drivers
21:24:30.748 Service scanning
21:24:34.554 Disk 0 trace - called modules:
21:24:34.616 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys halmacpi.dll
21:24:34.616 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86a89610]
21:24:34.632 3 CLASSPNP.SYS[8b20459e] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x8534d028]
21:24:34.632 AVAST engine scan C:\Windows\system32
21:28:46.947 Scan finished successfully
21:29:29.753 Disk 0 MBR has been saved successfully to “C:\Users\Amy\Desktop\MBR.dat”
21:29:29.769 The log file has been saved successfully to “C:\Users\Amy\Desktop\aswMBR.txt”
OK, that looks much better.
Are you getting any Malicious URL Blocked alerts now ?
I must admit I didn’t notice that you have a very old version of avast “AVAST engine 5.0.677,” this dates from 2010-09-07.
The latest version of avast is 6.0.1125, is there any particular reason why you have been avoiding the update ?
Running perfect now!
Looks like I’ll need to update to the latest version.
Thanks for everyone’s help.
You’re welcome.
Hi,
I am really frustrated by the virus alert message of avast. Here it is:
Object: 83.133.121.222
Infection: URL:Mal
Action:Block
Process: C:\WINDOWS\System32\svchost.exe
I have scanned many times from MBAM, avast(version 6.0.1125), doctor spyware. Result is always the same: no virus found. I even tried doing with aswMBR. Same thing, it doesn’t show anything about TDL rootkit. After click on fix and rebooting Windows again same warning message by shown by avast. What the hell is happening, which malicious url is it actually blocking. Here is the log:
22:51:46.515 OS Version: Windows 5.1.2600 Service Pack 2
22:51:46.515 Number of processors: 2 586 0x170A
22:51:46.531 ComputerName: ISHA UserName:
22:51:47.265 AVAST engine 6.0.1125 defs: 11061900
22:51:47.265 Initialize success
22:52:03.625 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdePort0
22:52:03.625 Disk 0 Vendor: WDC_WD3200BEVT-75ZCT2 11.01A11 Size: 305245MB BusType: 3
22:52:03.640 Device \Device\Ide\IdeDeviceP0T0L0-3 → ??\IDE#DiskWDC_WD3200BEVT-75ZCT2___________________11.01A11#5&28a921ed&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
22:52:03.640 Device \Driver\atapi → DriverStartIo 8ac6d27f
22:52:03.640 Disk 0 MBR read error 0
22:52:03.640 Disk 0 MBR scan
22:52:03.640 Disk 0 unknown MBR code
22:52:03.640 MBR BIOS signature not found 0
22:52:03.640 Disk 0 scanning sectors +625121280
22:52:03.640 Disk 0 scanning C:\WINDOWS\system32\drivers
22:52:10.984 Service scanning
22:52:12.000 Disk 0 trace - called modules:
22:52:12.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac6d439]<<
22:52:12.343 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8ac27ab8]
22:52:12.343 3 CLASSPNP.SYS[ba0e905b] → nt!IofCallDriver → [0x8abbcb98]
22:52:12.359 \Driver\atapi[0x8ac39758] → IRP_MJ_CREATE → 0x8ac6d439
22:52:12.359 AVAST engine scan C:\WINDOWS\system32
22:53:33.500 Scan finished successfully
22:56:24.203 Disk 0 MBR fix error
22:56:41.187 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\welcome\Desktop\MBR.dat”
22:56:41.203 The log file has been saved successfully to “C:\Documents and Settings\welcome\Desktop\aswMBR.txt”
NEED HELP, PLEASE SUGGEST HOW TO SOLVE THIS ISSUE. :‘( :’( 
Yes this does look like it is a rootkit, this entry:
22:52:12.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac6d439]<<
Avast is preventing it making connections to malicious sites to download malware, etc.
First you are doing yourself no favours by still having XP SP2, once this is resolved you should install XP SP3 and get your OS up to date as it closes many security vulnerabilities. MS support for SP2 ended almost two years ago, so you can’t get security updates.
riley (at) avast (dot) com Avast Third-party Support Manager, has requested info about iYogi, so if you have time to recount your experience (copy and paste your post, etc.), give the link to this topic.
On with the next tool: