Author Topic: Reduled, Blackfight, Reddie, and Epictory + svchost.exe  (Read 3147 times)


REDACTED

  • Guest
Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« on: April 18, 2015, 09:16:53 PM »
For the past month, I've been randomly getting popups about the websites mentioned in the title attacking my svchost.exe file. Before following the instructions in this thread, I have run scans with Avast and Malwarebytes and they say that my system has no threats.

Logs attached.

Q&A from this thread:
1. How was it detected? What was scanning, you yourself or the back-ground scanner?:
The background scanner.

Did the message come from the avast Network Shield or Webshield or were you alerted via an avast Webreputation alert?:
Avast Web Shield.

When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?:
The message occurs randomly, whether I'm playing a game, editing a Word document, or just have the computer running in idle with all windows closed.

A capture of the message screen as image can be helpful or what the message says and where the suspicious file was detected.:
hxxps://xxx.(imageshack).com/i/eydrFA0Fp
hxxps://xxx.(imageshack).com/i/p3LMtb5qp

2. What was the source of the file, where did the file come from?.: e.g. address, URL, source.:
hxxp://xxx.(reduled).info
hxxp://xxx.(blackfight).info
hxxp://xxx.(reddie).net
hxxp://xxx.(epictory).com

3. When was it downloaded or received?:
March 2015. I didn't log an exact date/time.

4. What is the exact file name with extension.:
svchost.exe

5. What was the exact wording of the message that the AV program came up with? This is important for later. Right click the avast ball and left-click show last pop-up message!:
"Avast Web Shield has blocked a harmful webpage or file."

6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
A. The message is in the same wording: maybe positive alert
B. If the message is not in the same wording or the scan does not find anything this could be a false positive.
I scanned the folder where the svchost.exe file was located and the AV said that it contained no threats. (hxxps://xxx.(imageshack).com/i/p8l4rgmtp)

7. Check with an online scanner or upload to VirusTotal for a second opinion. VT resides at hxxp://xxx.virustotal.com/index.html
VT says that svchost.exe is not a threat. (hxxps://xxx.(virustotal).com/en/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1429379002/)
« Last Edit: April 18, 2015, 09:32:48 PM by da7shadow2 »
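
A check worth doing alongside the folder scan and the VirusTotal upload is confirming that the svchost.exe being alerted on is the genuine Windows binary, and that no second copy of that name lives outside the Windows system directories. The PowerShell below is an added example, not something posted in this thread; it assumes the scanned file is C:\Windows\System32\svchost.exe, and the SHA-256 it compares against is the one in the VirusTotal link above (a different Windows build will legitimately produce a different hash, so a mismatch on its own is not a finding).

```powershell
# Added example (not from the thread). Assumes the scanned copy is the one in
# System32; the expected hash is the SHA-256 from the VirusTotal link above.
$ExpectedSha256 = '121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2'

function Test-SvchostBinary {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        [string]$Expected = $ExpectedSha256
    )

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    # svchost.exe is catalog-signed; Get-AuthenticodeSignature resolves catalog
    # signatures on PowerShell 5.1 / Windows 10. On older builds it can report
    # NotSigned for a perfectly good file, so treat that result with care.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [PSCustomObject]@{
        Path      = $Path
        Sha256    = $hash
        MatchesVT = ($hash -eq $Expected)   # only meaningful on the same Windows build
        SigStatus = $sig.Status             # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject
    }
}

function Find-StraySvchost {
    # Any svchost.exe outside the Windows system directories deserves a look:
    # malware commonly borrows the name to blend into Task Manager.
    Get-ChildItem -Path $env:SystemDrive -Filter svchost.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '\\Windows\\(System32|SysWOW64|WinSxS|servicing)\\' } |
        Select-Object FullName, Length, LastWriteTime
}

Test-SvchostBinary | Format-List
Find-StraySvchost  | Format-Table -AutoSize
```

A valid Microsoft signature on the System32 copy plus no stray copies elsewhere narrows the question to what is running inside svchost.exe, which is the direction the rest of the thread takes.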

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #1 on: April 18, 2015, 09:19:19 PM »
Impressive, and insightful. You, sir, just made our jobs 300% easier.

However, 1 small (Tiny) thing. Please edit your posts and break those links (Hxxp://xxx.(example).com)

I think Essex is looking at this PS.

Edit: Don't torrent please!

C:\Users\Admin\Downloads\Rise.of.the.Planet.of.the.Apes.2011.1080p.BluRay.x264.anoXmous
C:\Users\Admin\Downloads\treasure_chests_and_poshuns_by_valforwing-d3ipuhk.zip
« Last Edit: April 18, 2015, 09:21:30 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #2 on: April 18, 2015, 09:20:15 PM »
OK this will kill it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that
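
The `bitsadmin /reset /allusers` line in the fix above works because the Background Intelligent Transfer Service runs inside an svchost.exe host process, so a download job queued by malware shows up to the Web Shield as svchost.exe contacting the bad domain. Before wiping every job, a practitioner would usually want to see which jobs exist and which ones point at the alerted domains. The PowerShell below is an added example rather than part of essexboy's fix; the domain list is taken from the first post, everything else (function names, the decision to remove only flagged jobs) is an assumption. Run it from an elevated prompt so `-AllUsers` can see jobs owned by other accounts.

```powershell
# Added example (not essexboy's fix). Enumerates BITS jobs for all users and
# flags any whose remote URL matches a domain from the Web Shield alerts.
Import-Module BitsTransfer

# Domains reported in the first post of the thread.
$SuspectDomains = @('reduled.info', 'blackfight.info', 'reddie.net', 'epictory.com')

function Get-SuspiciousBitsJobs {
    param([string[]]$Domains = $SuspectDomains)

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job  = $_
        $urls = @($job.FileList | ForEach-Object { $_.RemoteName })
        $hits = $urls | Where-Object {
            $u = $_
            $Domains | Where-Object { $u -match [regex]::Escape($_) }
        }
        [PSCustomObject]@{
            JobId       = $job.JobId
            Owner       = $job.OwnerAccount
            State       = $job.JobState
            Created     = $job.CreationTime
            DisplayName = $job.DisplayName
            RemoteUrls  = ($urls -join ', ')
            Suspicious  = [bool]$hits
        }
    }
}

$jobs = Get-SuspiciousBitsJobs
$jobs | Format-Table -AutoSize

# Narrower than 'bitsadmin /reset /allusers': only the flagged jobs are cancelled,
# so a legitimate Windows Update transfer queued at the same time survives.
$jobs | Where-Object Suspicious | ForEach-Object {
    $id = $_.JobId
    Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -eq $id } | Remove-BitsTransfer
}
```

On systems without the BitsTransfer module, `bitsadmin /list /allusers /verbose` prints the same job list, including each file's remote URL, and is the place to look before running the reset.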

REDACTED

  • Guest
Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #3 on: April 18, 2015, 09:38:13 PM »
@Michael: The links in OP have been broken. The treasure chest zip file is actually a direct download from Deviantart.
@essexboy: Thank you, I'll write a reply in about 24 hours to notify if the fix has worked.

Offline Michael (alan1998)

Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #4 on: April 19, 2015, 02:41:49 AM »
Did some research into this File:

https://www.virustotal.com/en/file/121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2/analysis/1429379002/

(The one you posted). If you go under Relationships > Execution parents.

Click the Tag (418b5abcc891418bdfc86efd6cc4519ead7d2783308c16fe1a1a929a9102a5fa). Completely and totally malicious in nature.

VirusTotal's Scanners are wrong. It is a M$ File, however, that file is also injected.

~Michael

Offline essexboy

Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #5 on: April 19, 2015, 11:16:23 AM »
No, it is that BITS uses svchost to do its work

REDACTED

  • Guest
Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #6 on: April 19, 2015, 06:38:35 PM »
It's been a day and I have yet to receive the threat notification since using essex's fix. Thanks guys.

Offline essexboy

Re: Reduled, Blackfight, Reddie, and Epictory + svchost.exe
« Reply #7 on: April 19, 2015, 08:41:43 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown



: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select  Remove Java Runtime.  Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware



Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme  ;)

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave: