Rootkit? whatever it is, it's sticking around... [HELP]

So I recently got the live security platinum trojan, and removed it, but now it seems that avast keeps blocking svchost because it keeps trying to access weird sites.

I’ve tried a lot of different things, safe mode, tdsskiller, MBAM and others.

Every time I scan, a single file is found and removed but then when I restart the host process avast blocks changes between svchost(mal:url) and something else (Sirefef is mentioned.)

Please help, never had such a stubborn virus before, thanks.

EDIT: Win7 32bit

malware removers are notified: It may take several hours before one arrives so be patient

Hi JoeJoshJenkins, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

There are quite a few services missing. We’ll worry about them after we get this cleaned up a bit.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. If after running combofix you receive a message “Illegal operation attempted on a registry key that has been marked for deletion” or similar, reboot the computer.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Well I ran combofix with Avast running accidentally. It disinfected services.exe then rebooted. (This is Log.txt)

I ran it after reboot again and it detected nothing. (this is ComboFix.txt)

Hi JoeJoshJenkins,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

File::
C:\Windows\Installer\{eba8ee08-54ef-838d-f99a-d7dbbadfc171}\U
C:\Users\Admin\AppData\Local\{eba8ee08-54ef-838d-f99a-d7dbbadfc171}\@

Folder::
C:\Windows\Installer\{eba8ee08-54ef-838d-f99a-d7dbbadfc171}\U
C:\Windows\Installer\{eba8ee08-54ef-838d-f99a-d7dbbadfc171}
C:\Users\Admin\AppData\Local\{eba8ee08-54ef-838d-f99a-d7dbbadfc171}

In the notepad
[*]Click File, Save as…, and set the Save in to your Desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with the combofix log.

How’s the computer?
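As an added example (not from this thread, ComboFix, or any of the tools it uses), the PowerShell script below lists any {GUID}-named folder under C:\Windows\Installer or a user's AppData\Local that contains an item named "U" or "@", the same pattern the CFScript above targets, so a defender can confirm whether such artifacts remain after cleanup. It assumes an elevated prompt and is written for the PowerShell 2.0 that ships with Win7.

```powershell
# Added example, not part of the thread's instructions: find {GUID} folders holding a
# "U" or "@" item under the MSI cache and every profile's AppData\Local folder.
$guidName = '^\{[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}$'

# Roots to inspect: C:\Windows\Installer plus each user's local app-data folder.
$roots = @("$env:SystemRoot\Installer")
$userDirs = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }
foreach ($userDir in $userDirs) {
    $roots += Join-Path $userDir.FullName 'AppData\Local'
}

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is required: these folders are normally created hidden/system.
    $guidDirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $guidName }
    foreach ($dir in $guidDirs) {
        # Report only folders that carry the suspicious "U" or "@" item; ordinary
        # MSI cache folders under Installer do not.
        Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq 'U' -or $_.Name -eq '@' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path       = $_.FullName
                    IsFolder   = $_.PSIsContainer
                    Attributes = $_.Attributes.ToString()
                    Modified   = $_.LastWriteTime
                }
            }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize Path, IsFolder, Attributes, Modified
} else {
    'No {GUID}\U or {GUID}\@ items found under the inspected roots.'
}
```

Any path it prints is worth including in the next log post; the script only reads and reports, it removes nothing.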

I can’t drag and drop the text file onto ComboFix, or open anything. It says a registry value has been marked for deletion.

Hi JoeJoshJenkins,

Reboot your computer and that problem will resolve itself.

Seems to be working a lot better, here’s the new log.

Said it failed to delete C:\windows\erdnet\hiv-backup

Thanks.

EDIT: I’m not sure if this is relevant, but I’m currently dual-booting Linux with Win7, I have not touched Linux since before the infection and was wondering whether or not it would be infected.

EDIT2: Every time I use Google now Avast will block a connection from Firefox?

Hi JoeJoshJenkins,

Your Linux partition should be all right.

Any particular sites being shown as blocked?

Please navigate to this folder C:\Qoobox. Locate this file add-remove.txt and post its contents.

Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :
:Services

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
Please post the OTL fix log and the add-remove.txt.

Redirects still happening?

The specific url that keeps getting blocked seems to be hxxp://26.advertising5new.com/2feed?type

Accidentally deleted the add-remove.txt :-[

Hi JoeJoshJenkins,

That’s ok, we’ll get one this way.

Next

Please open OTL.

[*]Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, click the None button near the top (it may look greyed out)

[*]In the Extra Registry section change it to All
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.

When the scan completes, it will open a notepad window, OTL.Txt; there won’t be much in it, so no need to post it. The Extra.txt should appear minimized on your task bar. Please post this log.

Alrighty then.

Hi JoeJoshJenkins

Is FireFox still redirecting or being blocked?

Try starting firefox in its Safe Mode (this is not windows Safe Mode)
[*]Click the start button
[*]Copy and paste the following line into the search box and hit enter (close Firefox before hitting enter)

firefox -safe-mode

[*]Click Continue in Safe Mode
This will temporarily disable any extensions and themes or toolbar customizations. Use the browser as you would normally. Still redirecting or being blocked?

To exit Safe mode
[*]Click the FireFox icon at the top left
[*]Click Exit

I don’t think I have access to safe mode firefox, nothing changes when firefox comes up.

Malicious url still being blocked every time I search online(Service:firefox.exe).

EDIT: Eastlink search doesn’t cause avast to pop-up.

Hi JoeJoshJenkins,

It may be one of your addons that’s causing the problem. Let’s see if this will get you into FireFox’s safe mode.

  • click FireFox in the upper left corner
  • In the right hand panel highlight help
  • Click restart with addons disabled

Safe-mode achieved and no avast warnings.

Hi JoeJoshJenkins,

I think it may be this one, Mozilla Safe Browsing. You should be able to do this in FireFox normal mode

  • click Firefox
  • click addons
  • click extensions
  • Locate Mozilla Safe Browsing
  • click on it and click disable at the top of the screen

Try using FireFox. Problem still there?

Yes, avast no longer pops up during a search.

Hi JoeJoshJenkins,

Good. Not sure if the site is particularly malicious or Avast just doesn’t like it. You may want to ask in the General Forum after we are finished.

One more scan to check our handiwork.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply

Note - when ESET doesn’t find any threats, no report will be created.

[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.

I’m starting to think I may have to reinstall windows :stuck_out_tongue:

You can ignore the files in stuff%DLL%\ they’re harmless.