svchost.exe attempts to connect to a malicious URL

[Stewiee]

I have tried to fix this issue with AVAST, Malwarebytes, Combofix, and TDSSKiller but have not been able to fix this error.

Here is a screenshot of what pops up every 5-10 minutes :

http://i.imgur.com/8CR7N2W.jpg

[TwinHeadedEagle]

Hi,


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[Stewiee]

Hey, thanks for the fast response.

Here is a link of my logs : http://pastebin.com/Yg5DL7aU

[Pondus]

logs can be attached here....see below the txt box you write in.   attachment and other options

[Stewiee]

Heres the attached logs

[Stewiee]

Hey, thanks for the fast response.

Here is a link of my logs : http://pastebin.com/Yg5DL7aU

Did you get it?

[TwinHeadedEagle]

Download attached fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.




1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

• Right click on the avast! system tray icon () in the lower right corner of the screen and scroll up to avast! shield controls;
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

[Stewiee]

Here are both the log reports. Thanks for your help so far!

[TwinHeadedEagle]

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll|C:\Windows\system32\rpcss.dll

ClearJavaCache::
Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

[Stewiee]

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll|C:\Windows\system32\rpcss.dll

ClearJavaCache::
Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Heres the log

[TwinHeadedEagle]

How is the situation now?

[Stewiee]

-Redacted- See next post

[Stewiee]

Nevermind... it still pops up. 

[TwinHeadedEagle]

Tell me how popups manifest?



Download TDSSKiller  and save it to your desktop

  Execute TDSSKiller.exe by doubleclicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.

•   Press Start Scan
  
•   If Suspicious object is detected, the default action will be Skip, click on Continue.
  
•   If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

[Stewiee]

Well actually as it turns out it isnt popping up anymore. I think it has been fixed!! Thanks so much for your help!

I will (hopefully not) be back if it comes back.