Topic: SVCHOST Malicious url keeps popping up


kishtara

SVCHOST Malicious url keeps popping up
« on: May 29, 2012, 02:00:37 PM »
Hi,

Much like another user just posted, I too keep getting this Avast popup:

I keep getting an Avast pop-up that says:
"Malicious URL Blocked."
It then shows the alleged URL that was blocked and states:
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe


I scanned with MBAM and got this.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.29.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Karen :: KAREN-PC [administrator]

29/05/2012 7:21:41 AM
mbam-log-2012-05-29 (07-21-41).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219491
Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Karen\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.

(end)

Then I had to restart my computer so it could remove the Trojan. Note that since then Avast is still complaining about the malicious url with svchost.exe.

Then I downloaded OTL and ran it. Only attaching Extras log file here, and OTL log file will be in next reply (due to sizes).

Then I downloaded and ran aswMBR.exe, log will be attached in next reply since it is 2kb.

Thank you kindly,
Karen

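The alert above names svchost.exe as the process, but svchost.exe is only a host: the request came from one of the service DLLs loaded into that particular instance. The following script is an added example, not code posted in this thread or by Avast, that maps a live connection back to the hosted services and the DLL each one loads, using only tools present on Windows 7 (netstat, tasklist, the Services hive). The remote address is a placeholder from the TEST-NET-3 documentation range; replace it with the host named in the alert.

```powershell
# Added example, not code from the original thread: map an outbound connection
# made by svchost.exe to the service(s) hosted in that PID and to the DLL each
# service loads. Uses only what Windows 7 ships with: netstat, tasklist and the
# Services registry hive. $RemoteHost is a placeholder (TEST-NET-3 range);
# replace it with the host Avast named in the "Malicious URL blocked" alert.
param([string]$RemoteHost = '203.0.113.10')

# 1. Parse netstat -ano. TCP lines carry a state column, UDP lines do not, so the
#    state group is optional and limited to letters/underscore; the last column
#    is always the owning PID.
$lineRx = '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$'
$conns = @()
foreach ($line in (netstat -ano)) {
    if ($line -match $lineRx) {
        $conns += New-Object PSObject -Property @{
            Proto = $Matches[1]; Local = $Matches[2]; Remote = $Matches[3]
            State = $Matches[4]; ProcId = [int]$Matches[5]
        }
    }
}
$hits = @($conns | Where-Object { $_.Remote.StartsWith("${RemoteHost}:") })
if ($hits.Count -eq 0) {
    Write-Host "No live socket to $RemoteHost; run this while the alert is firing."
    return
}

# 2. tasklist /svc lists the services hosted in each svchost.exe instance.
$svcByPid = @{}
tasklist /svc /fo csv /fi "imagename eq svchost.exe" | ConvertFrom-Csv | ForEach-Object {
    $svcByPid[[int]$_.PID] = @($_.Services -split ',')
}

# 3. For each hit, resolve every hosted service to its ServiceDll and check
#    the file's Authenticode signature.
foreach ($h in $hits) {
    Write-Host ("{0} {1} -> {2} {3} PID {4}" -f $h.Proto, $h.Local, $h.Remote, $h.State, $h.ProcId)
    if (-not $svcByPid.ContainsKey($h.ProcId)) {
        Write-Host "  PID $($h.ProcId) is not svchost.exe; inspect that process directly."
        continue
    }
    foreach ($svc in $svcByPid[$h.ProcId]) {
        $svc = $svc.Trim()
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ServiceDll }
        if (-not $dll) { Write-Host "  $svc : no ServiceDll value; check its ImagePath"; continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no embedded signature)' }
        Write-Host ("  {0,-22} {1}  [{2}] {3}" -f $svc, $dll, $sig.Status, $signer)
    }
}
```

Run it from an elevated PowerShell prompt while the alert is repeating. Two caveats: many genuine Windows 7 system DLLs are catalog-signed rather than carrying an embedded signature, so NotSigned on a file under %SystemRoot%\System32 is not by itself suspicious; what matters is a ServiceDll that lives in a user-writable folder (AppData, Temp, ProgramData) or a service name that no Microsoft documentation accounts for. If no socket to the host is open when you look, the connection was short-lived; repeat while the alert fires or log netstat in a loop.
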
kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #1 on: May 29, 2012, 02:01:22 PM »
OTL Log file

kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #2 on: May 29, 2012, 02:02:04 PM »
aswMBR.exe log file

kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #3 on: May 29, 2012, 11:15:15 PM »
Hi,

I'm new here - is there anything else I'm supposed to provide and/or do?

Thank you!
Karen

Pondus
Re: SVCHOST Malicious url keeps popping up
« Reply #4 on: May 29, 2012, 11:42:38 PM »
> Hi,
>
> I'm new here - is there anything else I'm supposed to provide and/or do?
>
> Thank you!
> Karen

Nope... now you wait, and it may take several hours.

DavidR
Re: SVCHOST Malicious url keeps popping up
« Reply #5 on: May 29, 2012, 11:46:31 PM »
No, it is just that there aren't that many malware removal specialists (volunteers) to analyse the logs. I will try and get one to take a look at them.

kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #6 on: May 30, 2012, 12:08:20 PM »
Thank you all, I will check back in later today and hopefully get some feedback.

Thanks again,
Karen

jeffce

Re: SVCHOST Malicious url keeps popping up
« Reply #7 on: May 30, 2012, 01:34:53 PM »
Hi,

Sorry for the delay... things have been pretty hectic as of late. While I am reviewing your malware logs, please do the following...

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------

kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #8 on: May 30, 2012, 01:54:09 PM »
Hi Jeff,

Thank you:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler6.dll
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd's.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)_+_crack_(exe)_+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\9 - the dark side collector's edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
scanner sequence 3.ZZ.11.XQNALM
 ----- EOF -----


Karen

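The list above is a filename-term search: every entry contains "crack" or "keygen" somewhere in its name, which is why the output is headed "not necessarily bad" and why ssh-keygen.exe, Adobe's decrackler plug-ins and the Android SDK's KeyGenerator documentation appear next to the cracked downloads. The script below is an added example, not CKScanner's own code, that performs the same kind of search but splits the hits into two buckets so that executables and archives under the user profile are separated from product files that merely share a word with the search terms. The roots, terms and output path are assumptions.

```powershell
# Added example, not code from the original thread: the kind of filename-term
# search CKScanner performs, written so the hits land in two buckets. Files under
# the user profile with an executable or archive extension need a decision;
# everything else (library, SDK and document names that merely contain "crack"
# or "keygen", such as ssh-keygen.exe or decrackler1.dll) is listed for review.
# Roots, terms and the output path are assumptions.
param(
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:USERPROFILE),
    [string[]]$Terms = @('crack', 'keygen', 'torrent'),
    [string]$Out   = "$env:USERPROFILE\Desktop\CKFiles-triaged.txt"
)

$termRx   = '(' + (($Terms | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
$activeRx = '^\.(exe|dll|bat|cmd|msi|scr|com|rar|zip|7z|ipa)$'
$userRx   = '^' + [regex]::Escape($env:USERPROFILE) + '\\'

# Walk each existing root; access-denied junctions in a Win7 profile are skipped.
$hits = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match $termRx }
}

$decide = @(); $review = @()
foreach ($f in $hits) {
    if ($f.FullName -match $userRx -and $f.Extension -match $activeRx) {
        # Signature status is extra evidence for binaries; archives report NotSigned.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
        $decide += ('{0}  [{1}]' -f $f.FullName, $sig.Status)
    } else {
        $review += $f.FullName
    }
}

$report = @("Term search for: $($Terms -join ', ')", '',
            "== Needs a decision: executables/archives under $env:USERPROFILE ($($decide.Count)) ==") +
          $decide +
          @('', "== Review only: name matched a term inside a program/SDK/document path ($($review.Count)) ==") +
          $review
$report | Set-Content -Path $Out -Encoding UTF8
Write-Host "$($decide.Count) to decide, $($review.Count) to review; written to $Out"
```

A hit in either bucket says nothing about the file's contents; it only says the name matched. The "needs a decision" bucket is where the pirated downloads will land, and those are the files to delete or submit for scanning. The "review" bucket is where product files such as ssh-keygen.exe or numpy's crackfortran.py will land, and deleting those breaks the program they belong to without removing any malware.
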
jeffce

Re: SVCHOST Malicious url keeps popping up
« Reply #9 on: May 30, 2012, 02:08:53 PM »
Hi,

CKScanner has detected illegal software on your system. Besides being illegal, it's the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal.  If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.

This may or may not be related to your computer issues, however, if you wish me to continue helping you, then you must remove both the keygen and crack files as well as the related programs.  If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean.  Please let me know if you wish to continue.

kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #10 on: May 30, 2012, 02:16:31 PM »
Hi Jeff,

I definitely want you to continue to help me; what should I do? My son uses this computer also. I don't know which files you are referring to that I should delete. Just the files that showed up in the CK txt?

Thank you!
Karen

jeffce

Re: SVCHOST Malicious url keeps popping up
« Reply #11 on: May 30, 2012, 02:18:48 PM »
Ok...

Let me work up a fix to remove these and the rest of the items that I am seeing in the OTL logs.  :)  I will return as quickly as I can. 

jeffce

Re: SVCHOST Malicious url keeps popping up
« Reply #12 on: May 30, 2012, 04:20:21 PM »
Hi,

Please download ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&tbp=homepage
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100842&mntrId=eec62336000000000000001ee5df9879
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&q={searchTerms}
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\AutoRun\command - "" = J:\autorun.exe
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\readme\command - "" = notepad readme.txt
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\Setup\command - "" = J:\install.exe
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\blekkotb_031
[1 C:\Users\Karen\Documents\*.tmp files -> C:\Users\Karen\Documents\*.tmp -> ]
[2012/05/23 08:41:52 | 000,007,680 | ---- | M] () -- C:\Users\Karen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/21 18:11:14 | 000,000,000 | ---D | M] -- C:\Users\Karen\AppData\Roaming\Babylon
@Alternate Data Stream - 60 bytes -> C:\Users\Karen\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 255 bytes -> C:\Users\Karen\Documents\invite_2.ai:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 252 bytes -> C:\Users\Karen\Documents\80WebsitesToFindPopularTrends.pdf:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 235 bytes -> C:\ProgramData\Temp:1A15E356
@Alternate Data Stream - 232 bytes -> C:\ProgramData\Temp:0BBF232A
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:F89F2593
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:737160C1
@Alternate Data Stream - 222 bytes -> C:\ProgramData\Temp:AECF4772
@Alternate Data Stream - 221 bytes -> C:\ProgramData\Temp:A02025CE
@Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:2D2461E7
@Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:512E1728
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:9BB8C675
@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:491270B8
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:4D551822
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:14B2E0BD
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:24FECE50
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:905BCB57
@Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:9F3CEEE6
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:75798D9A
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:1B389835
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:5A2E8BBF
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:59465B40
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:CAC06C34
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:9BAC4211
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:8204AA35
@Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:B139DDF3
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:DFC5A2B2

:Files
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd's.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)_+_crack_(exe)_+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\9 - the dark side collector's edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

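After the fix has run and the machine has rebooted, the items it targeted can be re-checked directly rather than waiting for the next OTL log. The script below is an added example, not part of the original thread or of OTL, and it checks the three kinds of registry and file-system item the fix script names: the O33 MountPoints2 AutoRun handlers for the two drive GUIDs, the O2/O3 BHO and toolbar CLSIDs, and the alternate data streams on C:\ProgramData\Temp. It assumes it is run as the same user whose hive (HKU\S-1-5-21-...-1000) appears in the fix, so that HKCU maps to that hive, and it uses "dir /r" so it works on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example, not code from the original thread: after the OTL fix and reboot,
# re-check the three kinds of item the fix script targets: the MountPoints2
# AutoRun handlers, the BHO/toolbar CLSIDs, and the alternate data streams on
# C:\ProgramData\Temp. Run it as the same user whose hive appears in the fix
# (HKCU then maps to that S-1-5-21-...-1000 key). Works on Windows 7 PowerShell 2.0.
$remaining = 0

# 1. Drive-GUID AutoRun handlers listed under O33 in the fix.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
foreach ($guid in '{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}', '{ac3e5e40-3148-11e1-962e-842b2bbca7e1}') {
    if (Test-Path -LiteralPath "$mp\$guid\Shell") {
        Write-Host "AutoRun handler still present: $mp\$guid\Shell"; $remaining++
    }
}

# 2. BHO and toolbar CLSIDs from the O2/O3 lines. The DLLs in the fix live under
#    Program Files (x86), i.e. they are 32-bit, so the Wow6432Node view is where
#    they register on this x64 install; the native view is checked as well.
$clsids  = '{2EECD738-5844-4a99-B4B6-146BF802613B}',
           '{8769adce-dba5-48e9-afb5-67b12cdf2e61}',
           '{98889811-442D-49dd-99D7-DC866BE87DBC}'
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$tbKeys  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
foreach ($k in $bhoKeys) {
    foreach ($c in $clsids) {
        if (Test-Path -LiteralPath "$k\$c") { Write-Host "BHO still registered: $k\$c"; $remaining++ }
    }
}
foreach ($k in $tbKeys) {
    # Toolbars are registered as values named by CLSID under the Toolbar key.
    $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    foreach ($c in $clsids) {
        if ($props -and $props.PSObject.Properties[$c]) {
            Write-Host "toolbar value still present: $k\$c"; $remaining++
        }
    }
}

# 3. Named alternate data streams on C:\ProgramData\Temp. "dir /r" (Vista and
#    later) prints one line per stream as "<size> Temp:<name>:$DATA".
$ads = @(cmd /c dir /r C:\ProgramData | Where-Object { $_ -match '\sTemp:[^:\\]+:\$DATA\s*$' })
foreach ($a in $ads) { Write-Host "ADS still present: $($a.Trim())"; $remaining++ }

if ($remaining -eq 0) {
    Write-Host 'All items named in the fix are gone.'
} else {
    Write-Host "$remaining item(s) remain; post a fresh OTL log."
}
```

The MountPoints2 and ADS entries in the fix are low-risk leftovers (AutoRun handlers for a removable drive, and metadata streams that Windows writes on a temp folder), so their reappearance is not by itself a sign of reinfection; a BHO or toolbar CLSID coming back after removal, on the other hand, means something re-registered it and is worth reporting in the next reply.
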
kishtara

Re: SVCHOST Malicious url keeps popping up
« Reply #13 on: May 31, 2012, 12:02:54 AM »
Hi Jeff,

I did as instructed, but when I went to run OTL the last time, I did uncheck LOP and Purity, but when I clicked Quick Scan I noticed that those 2 options got selected again.

Thank you,
Karen

jeffce

Re: SVCHOST Malicious url keeps popping up
« Reply #14 on: May 31, 2012, 02:43:40 AM »
Hi,

I see that you have both Avast and AVG on your system.  You should only run one antivirus program at a time as running more than one will cause system problems eventually.  Let me know which one you would like to remove.
-----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
----------

In your next reply please let me know which antivirus you want to remove and attach the logs from Malwarebytes and the ESET online scanner.  :)