Another URL MAL in svc

[REDACTED]

I've been trying to get rid of an URL Mal alert for a couple of days now with no success. Its seems to be a dll injected into svc.

Hoping you guys can review my logs and help.

Thanks

[TwinHeadedEagle]

Hello,


Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
  
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:

Code: [Select]

createsrpoint;
autoclean;
emptyalltemp;
bitsadmin /allusers /reset;b
ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
  
• Push Run Script and wait patiently. The scan may take a couple of minutes.
  
• When the scan completes, a zoek-results logfile should open in notepad.
  
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

[REDACTED]

Thank you for the quick reply. I've attached the zoek results. After the pc rebooted, i received my usual litany of "threat detected" messages for various sites coming from svchost.exe.

[TwinHeadedEagle]

Okay, we will run one Zoek fix. Tell me how is your PC performing after this step:


Fix with ZOEK

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on icon and select Run as Administrator to start the tool.
  
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:

Code: [Select]

createsrpoint;
chrdefaults;


• Make sure that Scan All Users option is checked.
  
• Push Run Script and wait patiently. The scan may take a couple of minutes.
  
• When the scan completes, a zoek-results logfile should open in notepad.
  
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

[REDACTED]

Ran the fix. Here is the log.

Thanks again for the speedy reply.



Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Ben h on Wed 06/03/2015 at 17:51:21.65.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Ben h\Desktop\zoek.exe [Scan all users] [Script inserted]

==== Older Logs ======================

C:\zoek-results2015-06-03-214139.log   12496 bytes

==== System Restore Info ======================

6/3/2015 5:52:23 PM Zoek.exe System Restore Point Created Successfully.

==== Reset Google Chrome ======================

C:\Users\Ben h\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Ben h\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Ben h\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Ben h\AppData\Local\Google\Chrome\User Data\Default\Web Data.tmp was reset successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=8283 folders=215 558732733 bytes)

==== EOF on Wed 06/03/2015 at 17:52:53.11 ======================

[TwinHeadedEagle]

Good. How is your PC behaving now?

[REDACTED]

Several minutes after a restart Avast detected 14 instances of URL Mal originating from svchost.

[TwinHeadedEagle]

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
  
• Make sure that Addition option is checked.
  
• Press Scan button and wait.
  
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
  

Please include their content into your next reply.

[REDACTED]

Here are the two files. Thanks again for your help!

[TwinHeadedEagle]

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
  
• Press the Fix button just once and wait.
  
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.
  

Please attach it to your reply.

[REDACTED]

Thanks again for the quick reply. Here is the fixlog.

So far I haven't received the URL Mal messages.

Thanks!

[TwinHeadedEagle]

Fine. Keep me updated in hour or so.

[REDACTED]

So far so good!

Thanks for the help. Do I need to do any cleaning after the fix?

Thanks again!

[TwinHeadedEagle]

• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

[REDACTED]

Just ran Delfix. Thanks again for all your help!