Author Topic: C:\Windows\system32\svchost.exe  (Read 11464 times)


Makdaddy

  • Guest
C:\Windows\system32\svchost.exe
« on: March 25, 2014, 10:28:54 PM »
Getting ads voice over popping up
Avast blocks web pages related to C:\Windows\system32\svchost.exe

MAB fixed one issue as stated in the log
here are the log files

Thanks in advance for the help
Greg

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\Windows\system32\svchost.exe
« Reply #1 on: March 25, 2014, 10:44:07 PM »
Hi,

You have downloaded and run Malwarebytes Anti-Malware (MBAM) version 1.75. I would like you to download the latest MBAM version 2.0 with ARK and PUP settings and perform a re-scan.

Then, run FRST tool to target any remnants:




---     ---     ---
=> MBAM2 Threat Scan
---     ---


Please download Malwarebytes Anti-Malware ver. 2.0 and install the application.

Double-click on mbam-setup.exe and follow the prompts to install the program. Upon installation, click Finish
Note: A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish.
On the first launch, you'll get an "Update" notification. Click the 'Update Now >>' link or button to complete update.

• Configure the scanner. On the Settings tab, Detection and Protection adjust the following options:
- subtab Detection Options, tick the box 'Scan for rootkits'.
- subtab Non-Malware Protection, for PUP detections, from 'Warn user about detections' select 'Treat detections as malware'.


• Perform the Scan. Click on the Scan tab, then click on Scan Now >> for Threat Scan.
If an update is available, click the 'Update Now' button, then continue to Scan.
Note: only with some infections, you may see this message box 'Could not load DDA driver'
In this case, click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.


When the scan is complete, click Apply Actions. Wait for the prompt to restart the computer to appear, then click on Yes.

• Post the logs. Click on the History tab > Application Logs. Double click on the Scan Log which shows the date and time of the scan just performed.
- Click Export button at the bottom, and then select the 'Text file (*.txt)'
- In the Save File dialog box which appears, click on Desktop.
- In the File name: box type "mbam" (without quotes) for your scan log name and click Save.
- A message box "Your file has been successfully exported" should appear, click Ok and close the windows.



Please attach the exported/saved log named as mbam.txt to your next reply.







---     ---     ---
=> FRST Scan
---     ---

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
« Last Edit: March 25, 2014, 11:02:28 PM by magna86 »

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #2 on: March 26, 2014, 02:42:32 AM »
Round 2
Thanks for the help


Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #3 on: March 26, 2014, 01:49:54 PM »
Hi Makdaddy,

For some unknown reason, the Chrome section isn't sorted well.

Would you please delete the FRST.exe icon (drag & drop into the Recycle Bin), download a fresh FRST.exe from the link above and re-run the tool by pressing Scan.
Post the freshly created FRST.txt log report here.

Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #4 on: March 26, 2014, 01:53:29 PM »
Khm ... you have run ComboFix. Who told you to run ComboFix?

Please post here the C:\ComboFix.txt and C:\Qoobox\ComboFix-quarantined-files.txt log files after reading this note:

sUBs himself;
http://www.techsupportforum.com/1829551-post6.html

Official warning & directions:
http://www.bleepingcomputer.com/forums/topic273628.html

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #5 on: March 26, 2014, 10:16:22 PM »
Good day
I ran combofix on my own, out of frustration on trying to fix this on my own
The file you refer to is not in that directory "C:\Qoobox\ComboFix-quarantined-files.txt"

here is the new file you requested
Greg


Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #6 on: March 26, 2014, 10:33:36 PM »
C:\Combofix.txt log?

Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #7 on: March 26, 2014, 10:37:06 PM »
And another question: Why did you not download the latest version of the FRST tool from the link I gave you above?

Your FRST tool is 122 days out of date.

To continue, I'll need the ComboFix.txt log report as well as the latest FRST log (download a fresh copy of the tool and run the tool).
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #8 on: March 26, 2014, 10:46:24 PM »
When I go to the link you provided
The link is redirected in Mozilla and I get no option to download?
I was able to get around that and get it downloaded from that site.

Here are the new results for FRST

I did not find a file named ComboFix.txt anywhere on the computer?


Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #9 on: March 26, 2014, 11:09:48 PM »
Hm... in that case I'll need one more check before I am able to write a fix for you.


Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #10 on: March 26, 2014, 11:15:59 PM »
Will do
But the system is 32 bit
I don't think I have a FRST64 file?

Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #11 on: March 26, 2014, 11:17:25 PM »
This is my default canned. Just run FRST (latest copy you have) and follow the instructions for running and searching the above file ...

 ;)

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #12 on: March 27, 2014, 12:08:56 AM »
here is the updated file while doing just the search



Offline magna86

Re: C:\Windows\system32\svchost.exe
« Reply #13 on: March 27, 2014, 01:34:26 AM »
Hi,

This FixList shall tell FRST to disinfect malware and to target the malware loading points plus some adware/PUP leftovers ...

1. Close any open programs, browsers, disable security etc ...

2. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
File: C:\prefs.js
C:\Windows\system32\zylp.wkb
C:\Windows\system32\kjtzy.ugl
C:\Windows\system32\wkat.iaf
C:\Windows\system32\emoq.wao
REPLACE: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll C:\Windows\system32\rpcss.dll
C:\Users\Michelle\AppData\Local\Temp\*.dll
C:\Users\Michelle\AppData\Local\Temp\*.exe
HKLM\...\Run: [NPSStartup] - [X]
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_8&idate=2014-03-25&ent=hp&u=3DD5AD0D650B142358079A5331B7E4D2
SearchScopes: HKLM - {274daec0-c4e8-4f30-9e5c-9424990769b9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=0Dxdm175YYus&ptnrS=0Dxdm175YYus&si=CLrwk9HphrECFWQDQAod8WnKEA&ptb=D7418721-F05A-4281-8493-170CC754E152&ind=2012070701&n=77edc32d&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {274daec0-c4e8-4f30-9e5c-9424990769b9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=0Dxdm175YYus&ptnrS=0Dxdm175YYus&si=CLrwk9HphrECFWQDQAod8WnKEA&ptb=D7418721-F05A-4281-8493-170CC754E152&ind=2012070701&n=77edc32d&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_8&idate=2014-03-25&hsimp=yhs-lavasoft&ent=ch&q={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
C:\ProgramData\Search Protection
End

3. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


4. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
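
Added example, not part of the original posts and not FRST's own code: the FixList above replaces C:\Windows\system32\rpcss.dll with the copy from the winsxs component store, and the Python below shows one way to check by SHA-256 whether a live system file still matches any component-store copy. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large DLL is never read in one go."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_component_store(windows_dir: Path, name: str = "rpcss.dll") -> dict:
    """Compare system32/<name> with every copy of <name> found under winsxs."""
    live_hash = sha256_of(windows_dir / "system32" / name)
    store = {copy.parent.name: sha256_of(copy)
             for copy in sorted((windows_dir / "winsxs").rglob(name))}
    matches = [folder for folder, h in store.items() if h == live_hash]
    # No identical copy in the component store means the live file deserves
    # a closer look (signature, version, timestamps) before it is trusted.
    return {"live_sha256": live_hash, "store_copies": store,
            "matches": matches, "needs_review": not matches}


def build_constructed_tree(root: Path, live_bytes: bytes) -> Path:
    """Constructed sample layout with placeholder bytes, not real Windows files."""
    win = root / "Windows"
    (win / "system32").mkdir(parents=True)
    (win / "system32" / "rpcss.dll").write_bytes(live_bytes)
    for folder, data in (("x86_constructed_rpcss_a", b"store build A"),
                         ("x86_constructed_rpcss_b", b"store build B")):
        (win / "winsxs" / folder).mkdir(parents=True)
        (win / "winsxs" / folder / "rpcss.dll").write_bytes(data)
    return win


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        win = build_constructed_tree(Path(tmp), b"store build A + extra bytes")
        report = compare_with_component_store(win)
        print("system32 copy:", report["live_sha256"])
        for folder, h in report["store_copies"].items():
            print("  winsxs", folder, h)
        print("needs review:", report["needs_review"])
```

On a real machine, pass `Path(r"C:\Windows")` instead of the constructed tree; a mismatch is a prompt for closer inspection of the file, not proof of infection.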

Makdaddy

  • Guest
Re: C:\Windows\system32\svchost.exe
« Reply #14 on: March 27, 2014, 01:57:05 AM »
Here are the results

Thanks for the help
Greg