Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on July 03, 2015, 06:03:42 AM

Title: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 03, 2015, 06:03:42 AM

Hello. I keep getting a bunch of messages that Avast! is blocking multiple threats (10+ notifications) from svchost.exe calling a bunch of malicious URLs even when I am not in a webpage. Scans I've done on my own prior to the ones I did for this topic yielded no results from neither Avast!, Malwarebytes or SuperAntiSpyware, which I found odd. I followed the instructions posted on this thread (https://forum.avast.com/index.php?topic=53253.0) and I've attached the requested logs from the scans to this post. If anyone can please help me resolve this issue that would be great. Thank you in advance for your assistance.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 03, 2015, 07:06:37 AM

Hello,


(https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png) Scan with ZOEK

Please download ZOEK (http://hijackthis.nl/smeenk/) by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here (http://www.bleepingcomputer.com/forums/topic114351.html).

• Right-click on (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/51a612a8b27e2-Zoek.png) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool.
  
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:

Code: [Select]

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
  
• Push Run Script and wait patiently. The scan may take a couple of minutes.
  
• When the scan completes, a zoek-results logfile should open in notepad.
  
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 03, 2015, 07:51:47 PM

Hello,


Here are the results of the ZOEK scan:

Code: [Select]

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Nelsyda on Fri 07/03/2015 at 13:00:34.64.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Nelsyda\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

7/3/2015 1:03:08 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~3\Alias deleted successfully
C:\PROGRA~3\Pinnacle Studio Plus deleted successfully
C:\Users\Nelsyda\AppData\Roaming\PTC Download deleted successfully
C:\Users\Nelsyda\AppData\Roaming\Publish Providers deleted successfully
C:\Users\Nelsyda\AppData\Roaming\Samsung deleted successfully
C:\Users\Nelsyda\AppData\Local\softthinks deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\AGEIA Technologies not found
C:\PROGRA~2\COMMON~1\DVDVideoSoft\bin deleted
C:\install.exe deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Nelsyda\AppData\Local\CrashRpt deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\WINDOWS\wininit.ini deleted
C:\WINDOWS\SysWow64\AI_RecycleBin deleted
C:\Users\Nelsyda\AppData\Roaming\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985\jetpack deleted
C:\Users\Nelsyda\AppData\Roaming\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985\extensions\youtubeunblocker@unblocker.yt deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Nelsyda\AppData\Roaming\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985
user_pref("browser.search.defaultenginename.US", "Google");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [05/20/2015 09:12 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\Nelsyda\AppData\Roaming\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985
- Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Nelsyda\AppData\Roaming\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985
2820FF3A306D6AEB8BFBBB753BD83EBE - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_194.dll - Shockwave Flash
69318E50CA85CD345392AA268C0C7305 - C:\Users\Nelsyda\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
77B6DD23DCA19A217D5A4C4CAF962895 - C:\Users\Nelsyda\AppData\Roaming\Visan\plugins\npRLSecurePluginLayer.dll - RocketLife Secure Plug-In Layer
4174499E49FE276D9BDCE13364559080 - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_160.dll - Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[03/20/2015 06:53 PM]
ihenkjeihefokohmemphikjnjbmegdik - \C:\Program Files (x86)\Sony\Media Go\MediaGoDetector.crx\[]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{FFD2AE29-D7D5-40DC-9182-915A47227280}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR"
{FFD2AE29-D7D5-40DC-9182-915A47227280} Google  Url="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\ihenkjeihefokohmemphikjnjbmegdik deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Nelsyda\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Nelsyda\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Nelsyda\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Nelsyda\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Nelsyda\AppData\Local\Mozilla\Firefox\Profiles\alwo8emv.default-1432319824985\cache2 emptied successfully

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=150 folders=76 29745226 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Nelsyda\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Nelsyda\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Fri 07/03/2015 at 13:44:21.65 ======================

Thank you so much for your help.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 03, 2015, 10:20:44 PM

How is the situation now?

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 04, 2015, 12:36:34 AM

I had my computer sleeping for a bit because I had to go do something and then the blocked threat notifications started popping up, as shown in the attached screenshot. All of the URL malware threats mentioned in the notifications are still being called by svchost.exe.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 04, 2015, 07:02:34 AM

(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on (https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
  
• Make sure that Addition option is checked.
  
• Press Scan button and wait.
  
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
  

Please include their content into your next reply.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 04, 2015, 07:30:04 PM

I've attached the requested logs.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 04, 2015, 08:39:01 PM

(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Fix with Farbar Recovery Scan Tool

(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) This fix was created for this user for use on that particular machine. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) Running it on another one may cause damage and render the system unstable. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on (https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
  
• Press the Fix button just once and wait.
  
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.
  

Please attach it to your reply.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 05, 2015, 01:40:13 AM

Here's the fix log.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 05, 2015, 08:47:25 AM

How is your PC behaving now?

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 05, 2015, 05:33:08 PM

The pop-up notifications have stopped. I think my PC is okay now. Thank you so much!

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: TwinHeadedEagle on July 05, 2015, 09:38:17 PM

Post-cleanup procedures:

Download DelFix (http://www.bleepingcomputer.com/download/delfix/) by Xplode and save it to your desktop.

• Run the tool by right click on the (http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.png) icon and Run as administrator option.
  
• Make sure that these ones are checked:
• Remove disinfection tools
• Purge system restore
• Reset system settings
• Push Run and wait until the tool completes his work.
  
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)
  

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Title: Re: C:\Windows\System32\svchost.exe malware removal help
Post by: REDACTED on July 05, 2015, 11:26:55 PM

Done! Thanks again. :)