Author Topic: svchost.exe malware  (Read 7340 times)


aunthattie

  • Guest
svchost.exe malware
« on: June 26, 2012, 03:25:55 PM »
Hello All!
I have a windows xp machine and receive the following error about every 2 minutes from Avast:

Infection Details
URL: "hxtp://ololoshaface.com/x/"
Process: "C:\WINDOWS\System32\svchost.exe"
Infection: "URL:Mal"

Any clue on how to remove/edit/fix this? Your time is very much appreciated.
« Last Edit: June 26, 2012, 04:25:19 PM by Milos »

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: svchost.exe malware
« Reply #1 on: June 26, 2012, 03:28:42 PM »
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: svchost.exe malware
« Reply #2 on: June 26, 2012, 03:42:37 PM »
I have a windows xp machine and receive the following error about every 2 minutes from Avast:

Infection Details
URL: "hXXp://ololoshaface.com/x/"
Process: "C:\WINDOWS\System32\svchost.exe"
Infection: "URL:Mal"

Please 'modify' your post and change the URL from http to hXXp, as in the quoted text above, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
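
The link-breaking convention asked for in the reply above, as an added example that is not part of the original thread: it parses an alert block in the format posted here, defangs the URL before it is shared, and shows that hand-broken variants such as hxtp and hXXp compare as the same indicator. The host `example.invalid` is a constructed placeholder, and replacing dots with `[.]` is an extra step assumed here beyond the http to hXXp change requested in the post.

```python
import re

# Constructed sample alert in the format shown in the thread.
# example.invalid is a placeholder host, not the one reported by the poster.
SAMPLE_ALERT = '''Infection Details
URL: "http://example.invalid/x/"
Process: "C:\\WINDOWS\\System32\\svchost.exe"
Infection: "URL:Mal"
'''

FIELD_RE = re.compile(r'^(URL|Process|Infection):\s*"(.*)"\s*$', re.MULTILINE)
# Schemes seen when links are live or broken by hand: http, hxxp, hXXp, hxtp.
SCHEME_RE = re.compile(r'\bh(?:tt|xx|xt|tx)p(s?)://', re.IGNORECASE)
URL_RE = re.compile(r'\bh(?:tt|xx|xt|tx)ps?://[^\s"<>]+', re.IGNORECASE)


def parse_alert(text):
    """Return the URL/Process/Infection fields of one alert block as a dict."""
    return {key.lower(): value for key, value in FIELD_RE.findall(text)}


def defang(url):
    """Break the link: scheme becomes hXXp, host is lowercased, dots become [.]."""
    m = SCHEME_RE.match(url)
    if not m:
        return url  # not a URL we recognise; leave untouched
    host, sep, path = url[m.end():].partition('/')
    # Undo any existing [.] first so already-defanged input is not doubled.
    host = host.lower().replace('[.]', '.').replace('.', '[.]')
    return 'hXXp' + m.group(1).lower() + '://' + host + sep + path


def defang_post(text):
    """Defang every URL in a block of text before it is pasted into a post."""
    return URL_RE.sub(lambda m: defang(m.group(0)), text)


def same_indicator(a, b):
    """True when two differently broken URLs refer to the same indicator."""
    return defang(a) == defang(b)


if __name__ == '__main__':
    print(parse_alert(SAMPLE_ALERT))
    print(defang_post(SAMPLE_ALERT))
```
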

aunthattie

  • Guest
Re: svchost.exe malware
« Reply #3 on: June 27, 2012, 02:50:39 PM »
Thanks for the help. I followed the instructions on http://forum.avast.com/index.php?topic=53253.0 and attached are 3 log files. One from MBAM and the other 2 from OTC.
I look forward to hearing from you.  :)

Baldylocks13

  • Guest
Re: svchost.exe malware
« Reply #4 on: June 27, 2012, 03:14:23 PM »
Several sites have been getting malware blocks from Avast! I had a local real estate site blocked and several of us Avast! users were locked out. The Tech team at the site confirmed that Avast! had recently upgraded their files and included that site on the blacklist (erroneously). The site is working with Avast! to fix the problem; meanwhile, to go to the site I have to disable my web and network shields when going to that site. Hope this helps!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: svchost.exe malware
« Reply #5 on: June 27, 2012, 04:25:02 PM »
@ Baldylocks13
I'm not sure of the purpose of your post (to try to help or seek help) as it appears unrelated to this topic.

There is a problem on aunthattie's system that is using/misusing svchost.exe to connect to what avast considers a malicious site. So in essence it matters not so much what the site is (but what is on her system misusing svchost.exe), but I somehow doubt the site you are talking about is the same as this one.

So if you are seeking help about another site then please start your own new topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: svchost.exe malware
« Reply #6 on: June 27, 2012, 04:47:32 PM »
Hi, let's stop the alerts and tidy you up.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

aunthattie

  • Guest
Re: svchost.exe malware
« Reply #7 on: June 29, 2012, 03:48:42 AM »
Thanks for all your help! 
I ran OTL then Combofix as instructed. Attached are the logs.
After I ran Combofix I tried to shut down my computer via the windows start > turn off computer option. My computer "hung" (I waited a few minutes) and it wouldn't shut down. Holding the power button on the front of my Dell didn't work either so I was forced to unplug the computer from the back. I waited 1 minute then turned the computer back on. Windows started loading normally then I got the Blue Screen of Death. It said,
"Plug and Play detected an error most likely caused by a faulty driver" Tech. Info
STOP: 0x000000CA (Ox000000d,0x8A9A5030, 0x0000000, 0x00000000)
I am now in Safe Mode so I can post this forum post.
Any suggestions would be greatly appreciated. :-)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: svchost.exe malware
« Reply #8 on: June 29, 2012, 03:04:08 PM »
Combofix created a restore point prior to running, so from safe mode select that restore point and restore the system.

Combofix usually shuts down the system when it has finished... Did combofix finish up to stage 0?

Once done, could you run a fresh OTL scan please?