\\globalroot\systemroot\svchost.exe Constant Malicious Url Blocked

[calmstorm]

Hi, I am having constant malicious url block for a 2 days, all from this process: \\.\globalroot\systemroot\svchost.exe

I don't know if this is relevant or will help, but I had a BSOD to the point where I couldn't run my computer in safe mode without it restarting over and over again.  I had my laptop re installed with windows 7, everything was deleted.  However I now get messages of low disk space, when I thought everything was started from fresh.  I started to get the BSOD again, downloaded avast, and now everything is fine, except for the malicious url blocked message appearing.

Thanks for your time and any help if greatly appreciated 

[essexboy]

Hi you have posted the extras twice  Could you post the main OTL log after running this programme

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 

• Doubleclick on TDSSKiller.exe to run the application
  
  
  
• Then click on Change parameters.
   
  
   
  
• Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
   
  
• Click the Start Scan button.
   
   
  
• If a suspicious object is detected, the default action will be Skip, click on Continue.
   
  
   
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  
  
• Get the report by selecting Reports

 

• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  

Please copy and paste its contents on your next reply.

[calmstorm]

Thank you for the quick reply and sorry about posting the extras twice

So dowloaded the tdsskiller, but this message appears:
The version of this file is not compatible with the version of Windows you're running.  Check your computer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.

I checked the system type, it says 64-bit operating system

[essexboy]

OK that is naughty of the malware stopping my programmes so....

• Download RogueKiller  and save it on your desktop. 
  
• Quit all programs
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ... 
•     Click on Scan

   
 

• Wait for the end of the scan. 
• The report has been created on the desktop. 
• Click on the Delete button.

     

• The report has been created on the desktop.

• Next click on the ShortcutsFix   
  
  
• The report has been created on the desktop.

Please post:    All RKreport.txt text files located on your desktop.

[calmstorm]

Attached are the reports

[calmstorm]

And I do not see the malicious block up anymore, thank you so much! 

[essexboy]

Still there, could you now retry TDSSKiller please.  If it fails then

 Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  
• Accept the disclaimer and allow to update if it asks

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.[/b]
  

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[calmstorm]

Okay TDSSkiller worked this time, here is the report


15:35:13.0759 2924  TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
15:35:14.0118 2924  ============================================================
15:35:14.0118 2924  Current date / time: 2012/09/01 15:35:14.0118
15:35:14.0118 2924  SystemInfo:
15:35:14.0118 2924 
15:35:14.0118 2924  OS Version: 6.1.7601 ServicePack: 1.0
15:35:14.0118 2924  Product type: Workstation
15:35:14.0118 2924  ComputerName: BEENA-PC
15:35:14.0118 2924  UserName: Beena
15:35:14.0118 2924  Windows directory: C:\Windows
15:35:14.0118 2924  System windows directory: C:\Windows
15:35:14.0118 2924  Running under WOW64
15:35:14.0118 2924  Processor architecture: Intel x64
15:35:14.0118 2924  Number of processors: 2
15:35:14.0118 2924  Page size: 0x1000
15:35:14.0118 2924  Boot type: Normal boot
15:35:14.0118 2924  ============================================================
15:35:17.0097 2924  BG loaded
15:35:18.0798 2924  Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:35:18.0876 2924  ============================================================
15:35:18.0876 2924  \Device\Harddisk0\DR0:
15:35:18.0891 2924  MBR partitions:
15:35:18.0891 2924  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D4C000
15:35:18.0891 2924  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D60000, BlocksNum 0x1B465170
15:35:18.0891 2924  ============================================================
15:35:19.0110 2924  C: <-> \Device\Harddisk0\DR0\Partition1
15:35:19.0110 2924  ============================================================
15:35:19.0110 2924  Initialize success
15:35:19.0110 2924  ============================================================

[calmstorm]

Sorry I forgot to say that after the reboot, a window came up saying: windows created a temporary paging file on your computer because of a problem that occurred with your paging file configuration when you started your computer.  The total paging file size for all disk drives may be somewhat larger than the size you specified.

And then goes to performance options window with processor scheduling and Virtual Memory

And thanks again for your help

[essexboy]

There should be a TDSSKiller log at C:\TDSSkiller date time

Could you attach that

[calmstorm]

Yes here they are attached

[essexboy]

OK lets get the last bit

Re-run TDSSKiller and when you see the following select delete:

\Device\Harddisk0\DR0 ( TDSS File System )

As soon as TDSSKiller starts moving it Avast will start screaming but ignore it

Once done could you let me know of any remaining problems

[calmstorm]

Yes, I did what you said and deleted it, I attached the log report in case

It seems like everything is working well

[calmstorm]

I am not sure if this is related, but the only problem that remains is that the local disk drive space is very low, up to 6.14 MB free of 14.6 GB...but I had this problem originally right after I had to re-install windows 7 again.

Again, I appreciate all your help with this

[essexboy]

OK could you now attach the original OTL log please