unable to find and remove url malware

[bbreiholz]

windows 7 64bit
avast alerts to url malware in windows\system32\svchost.exe when click more info it shows as h_www_freeresultsguide_com__?dn for url i have tryed many malware programs none seem be able find this program i have also tried finding and removing it in safe mode but have yet to rid my self of this so i assuming its more then just malware, any help would be greatly appreciated

[magna86]

Hello,
We'll run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether or not malware may be running on your machine.



=> Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
  

---    ---    ---    ---    ---    ---


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

• Wait for initial scan to finish - if there is any query, click No;
  
• Click [ Scan ] button and wait until the full scan is complete;
  
• Click [ Save ... ]- save the report to the Desktop (named ARK );
  
  
• Then click the >>> button and select Autostart card;
  
• Click [ Scan ] button;
  
• After quick scan, click Copy button;
  
• Open notepad and Paste text. Save report to the Desktop (named autostart )
  

[bbreiholz]

upload of txt files that were requested

[bbreiholz]

txt documents ( my bad it didnt show post first time i posted )

[magna86]

Hi bbreiholz,

FRST tell me that you have in past used Zoek & OTL tool.
09-04-2014 21:00:55 zoek.exe restore point
10-04-2014 02:38:47 OTL Restore Point - 4/9/2014 9:38:43 PM
Are you aware of the consequences? Can you tell me more?


Also, I didn't tell you to check box for 'List BCD' and 'Drivers MD5' as there is no need for that. In future follow the instructions that are given only to you, NOT the instructions of someone else for someone else.


...     ...     ...     ...     ...     ...     ...     ...     ...     ...     ...     ...     


GMER shows the unknown MBR code. Cause can be the OEM license.

---- Disk sectors - GMER 2.1 ----

Disk      \Device\Harddisk0\DR0             unknown MBR code


Please confirm, is your PC a laptop with pre-installed (origin) Windows?



...     ...     ...     ...     ...     ...     ...     ...     ...     ...     ...     ...



Let's start with the fix. This FixList shall tell FRST to target the bad stuff ...



1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: No Name - {6C8DB2EC-499B-4897-A784-0E3186C97E9D} -  No File
BHO: No Name - {DBC80044-A445-435b-BC74-9C25C1C588A9} -  No File
Toolbar: HKLM - avast! WebRep - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
FF Extension: DownloadTerms - C:\Program Files (x86)\Mozilla Firefox\extensions\kgcngo@xmmomglptujvwxntife.org [2014-02-15]
C:\Program Files (x86)\Mozilla Firefox\extensions\kgcngo@xmmomglptujvwxntife.org
S3 X6va003; \??\C:\Users\Breiholz\AppData\Local\Temp\00360A7.tmp [X]
C:\Users\Breiholz\jagex_cl_loginapplet_LIVE.dat
C:\Users\Breiholz\jagex_cl_runescape_LIVE.dat
C:\Users\Breiholz\jagex_runescape_preferences.dat
C:\Users\Breiholz\jagex_runescape_preferences2.dat
C:\Users\Breiholz\jagex__preferences3.dat
C:\Users\Breiholz\random.dat
AlternateDataStreams: C:\ProgramData\Temp:A27AB160
CMD: type C:\zoek-results.log
CMD: DEL %TEMP%\*.* /F /S /Q

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

[SirMatthew]

windows 7 64bit
avast alerts to url malware in windows\system32\svchost.exe when click more info it shows as h_www_freeresultsguide_com__?dn for url i have tryed many malware programs none seem be able find this program i have also tried finding and removing it in safe mode but have yet to rid my self of this so i assuming its more then just malware, any help would be greatly appreciated

I have the EXACT same thing! I don't know WHERE it is coming from.  I went through the OTL and Aswar and it didn't get rid of it.  I had a VERY nice person helping me.  The alert just popped up again a few minutes ago. 

[magna86]

Hi SirMatthew,

You are resiving help in this topic. 
http://forum.avast.com/index.php?topic=148745.msg1080913#msg1080913


Cheers,

[SirMatthew]

Hi SirMatthew,

You are resiving help in this topic. 
http://forum.avast.com/index.php?topic=148745.msg1080913#msg1080913


Cheers,

Thanks, I just thought it might be important to know that I'm having the same thing pop up.  Didn't know if it would help to know, but thought I'd throw it out there.