Author Topic: svchost.exe can not get rid of  (Read 5380 times)


REDACTED

  • Guest
svchost.exe can not get rid of
« on: July 03, 2015, 09:56:01 PM »
4 to 5 days ago I was on my drawing program drawing with my normal webpages open (Yahoo email, Google+ drive) (and mangago, my normal page on my tablet, for I rarely have it open on my laptop; I think I got hit from mangago) when my Avast popped up screaming at me of a high level threat detected. Avast did its thing on the startup reboot, which took 6 hours. I then got back onto my laptop and THAT IS WHEN THIS svchost thing started.

I now get non-stop pop-up blocked warnings from Avast with this (I included a screen capture):

Object: http://wpad.browserudatecheck.in/wpad.dat
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I have tried everything to get rid of it:
-Avast
-Malwarebytes Anti-Malware
-ESET Poweliks cleaner
-HitmanPro (did get rid of 2 Trojans and 400 cookies)
-RogueKiller
-Emsisoft Emergency Kit
-RKill
-TDSSKiller
-AdwCleaner
-Malwarebytes Anti-Rootkit
-ESET NOD32 ANTIVIRUS 8
but nothing can find it!! It is as if it is not even there, but I still keep getting that warning pop-up so I know it is there.

I am at my wits end with this virus.... I just want to get rid of it so I can use my laptop again for I have things I need to do.

Can someone PLEASE HELP ME!!!

« Last Edit: July 03, 2015, 09:58:05 PM by katherinejaggers »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #1 on: July 03, 2015, 09:58:47 PM »
Hello katherinejaggers and welcome to avast! I will be working on your Malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

---     ---     ---     ---     ---

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type browserudatecheck.in;wpad.dat into the Search: field in FRST then click the Search Registry button.
  • FRST will search your registry and when finished it will produce a log, Search.txt, in the same directory the tool is run.
  • Please attach it to your reply.

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #2 on: July 03, 2015, 10:55:16 PM »
here are the 3

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #3 on: July 03, 2015, 11:15:57 PM »
notice to self: unicode dir.


Ok, let's start ...




Step#1

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.



Quote
Start
CreateRestorePoint:
Reg: reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\mountpoints2 /f
Reg: reg delete "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset

CloseProcesses:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\.DEFAULT -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\crossriderapp12832@crossrider.com [not found]
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi [not found]
FF Extension: No Name - C:\Users\Katherine\AppData\Roaming\Mozilla\Firefox\Profiles\fqws5s3z.default\extensions\c99f2e2c-e43b-45cb-a50f-b10bac2f33c1@a4314fc7-1c01-4fda-8022-f0e9bd0cb09f.com [not found]
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [not found]
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eeafbffkmccheohnooflcnppngmobeoe] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ellbonkjdmgdghkojcjmomekmjpdffde] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fllgpcmelbfhcligbphaaplminjpbiad] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hpjocjloojeicikiokfiekcdpojgfefc] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jmnkgjdfgnjhmnopgmkcpigenfhgajdj] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kfbhfniohjdklgcmbmemnpaimpdaikea] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [manaobgbdfpjjjnheogfghmjbikhjnlf] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [oaobejgaaiojgggjojlcpbembaoajbmc] - https://clients2.google.com/service/update2/crx

AlternateDataStreams: C:\Windows:nlsPreferences

Hosts:
C:\Program Files\PC Optimizer Pro
C:\Program Files (x86)\GUT15C8.tmp
C:\Program Files (x86)\GUT1B9C.tmp
C:\Program Files (x86)\GUT3690.tmp

RemoveDirectory: C:\zoek_backup
RemoveDirectory: C:\malwarebtes anti-rootkit
RemoveDirectory: C:\Users\Katherine\mbar
RemoveDirectory: C:\AdwCleaner

RemoveProxy:
Task: {C4855FB8-1A92-4B62-8448-C5FFC4D4C0A4} - System32\Tasks\PC Optimizer Pro64 startups => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe <==== ATTENTION
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\freerealms.com -> freerealms.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\scottsdalecc.edu -> hxxps://myscc.scottsdalecc.edu
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-4043493293-2585772767-1967288729-1001\...\sony.com -> sony.com

EmptyTemp:
End



2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.

Step#2

Download the following file (Tcpip.reg) and save it to your Desktop. Run the file and allow it to merge into the registry and make changes. Again, reboot your PC.
http://download.bleepingcomputer.com/win-services/7/Tcpip.reg

NOTICE: This reg file was written specifically for this OS, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Post me the results and tell me whether the alerts still occur.
« Last Edit: July 03, 2015, 11:19:33 PM by magna86 »
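The fixlist above resets the per-user WinINET proxy and WPAD cache keys, which is where a hijacked wpad.dat URL like the one in the Avast alert gets pinned. The audit script below is an added example, not from the thread, FRST or Avast: it reads those settings for HKLM and every loaded user hive, flags cached WPAD values and hosts-file lines that mention the suspect host, and changes nothing. It assumes an elevated PowerShell session; Add-Finding is a helper defined here, and the default host is the one from the alert quoted in the first post.

```powershell
# Added audit example (not part of the thread, FRST or Avast). Read-only.
# Run from an elevated PowerShell so every loaded user hive under HKU is readable.
param([string]$Suspect = 'browserudatecheck.in')   # host from the Avast alert

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Where, [string]$Item, [string]$Value) {
    $findings.Add([pscustomobject]@{ Where = $Where; Item = $Item; Value = $Value })
}

# HKU is not mapped by default; map it so each loaded user hive can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKLM:') + @(Get-ChildItem HKU: | ForEach-Object { "HKU:\$($_.PSChildName)" })

foreach ($hive in $hives) {
    $inet = Join-Path $hive 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if (-not (Test-Path $inet)) { continue }

    # Explicit proxy or PAC URL. A home PC normally has none of these set.
    $props = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    foreach ($name in 'AutoConfigURL', 'ProxyServer', 'ProxyEnable') {
        $v = "$($props.$name)"
        if ($v -ne '' -and $v -ne '0') { Add-Finding $hive $name $v }
    }

    # Cached WPAD decisions live under Internet Settings\Wpad; the fixlist deletes
    # and recreates that key. Report any cached string naming the suspect host.
    $wpad = Join-Path $inet 'Wpad'
    if (-not (Test-Path $wpad)) { continue }
    $keys = @(Get-Item $wpad) + @(Get-ChildItem $wpad -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($vn in $key.GetValueNames()) {
            $val = "$($key.GetValue($vn))"
            if ($val -match [regex]::Escape($Suspect)) {
                Add-Finding $hive "Wpad\$($key.PSChildName)\$vn" $val
            }
        }
    }
}

# The hosts file is another place a redirect can be pinned (FRST's Hosts: resets it).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($m in @(Select-String -Path $hostsFile -Pattern ([regex]::Escape($Suspect)) -ErrorAction SilentlyContinue)) {
    Add-Finding 'hosts' "line $($m.LineNumber)" $m.Line
}

# The machine-wide WinHTTP proxy used by services hosted in svchost.exe is separate;
# it is displayed with:  netsh winhttp show proxy
if ($findings.Count) { $findings | Format-Table -AutoSize }
else { "No proxy/WPAD setting references '$Suspect'." }
```

Any AutoConfigURL or ProxyServer value on a machine that should have none, or a cached WPAD entry naming the alerted host, is what to compare against the Search.txt that FRST produces.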

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #4 on: July 03, 2015, 11:59:15 PM »
DAMN  NO GOOD!!!

It is STILL ON MY LAPTOP!!!!

It just keeps changing where it is hiding.
It was going crazy with running and the changing of the name when I did the fixlist.
.....I don't think this is good.....is it......


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #5 on: July 04, 2015, 12:27:23 AM »
@katherinejaggers,

As I wrote clearly, follow my instructions. You didn't post me the FixLog.txt and you didn't tell me whether you executed the Tcpip.reg as it must be.

Btw, this I don't understand:
Quote
It was going crazy with running and the changing of the name when i did the fixlist.

Changing what names?

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #6 on: July 04, 2015, 12:50:09 AM »
Sorry, I didn't see that one part. I attached the fixlog.

I will retry the Tcpip.reg.

As for the changing, did you see the images I attached?
Now when I get non-stop pop-up blocked warnings from Avast, the Object and Infection stay the same but the "Process:" name keeps changing now... it no longer keeps saying the same old

"Process: C:\Windows\System32\svchost.exe"

but now stuff like C:\Program Files\...\iexplore.exe
or
C:\Program Files (x86)\...\Skype.exe
and others.....

It is really freaking me out..... it is like it is jumping around hiding or something...

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #7 on: July 04, 2015, 12:57:57 AM »
Redid the tcpip to make sure I didn't miss it..
Just says....
"The keys and values contained in F:\Downloads\Tcpip.reg have been successfully added to the registry."
Also restarted my laptop.

It is still popping up..

I followed all the steps... Did I do something wrong?

Sorry I am not good when it comes to this kind of stuff...
« Last Edit: July 04, 2015, 01:11:33 AM by katherinejaggers »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #8 on: July 04, 2015, 12:02:46 PM »
Hello katherinejaggers,

After these fixes, things should be fixed. So, we need to hunt this thing again.


Step#1

Run FRST tool again and post me fresh FRST.txt and Addition.txt for re-analysis.



Step#2


Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type browserudatecheck;wpad into the Search: field in FRST then click the Search Registry button.
  • FRST will search your registry and when finished it will produce a log, Search.txt, in the same directory the tool is run.
  • Please attach it to your reply.
Step#3


Download ZHPDiag to your desktop.

Take action to disable your antivirus and antispyware programs, as they may conflict with ZHPDiag.
>> Info on how to disable your security applications > http://www.bleepingcomputer.com/forums/topic114351.html

Installing ZHPDiag
  • Double-click zhpdiag.exe to start the installation.
  • Windows Vista, 7 and 8 users: right-click the file and select Run as Administrator.
  • Click "Suivant" several times during the installation process.
  • Click "Installer" when asked and "Terminer" once the installation is complete.
Running ZHPDiag
  • Double-click the shortcut ZHPDiag on your desktop.
  • The user interface will appear; now select "Configureren".
  • If the tool's default language isn't set to English, click the icon "Sélectionner une langue" in the bottom right corner and choose "Anglais".
  • Next, click on the icon in the bottom left, "Diagnostic Options".
  • ZHPDiag is now scanning your computer. Please wait patiently until the scan is finished.
Screenshot: http://hijackthis.nl/smeenk/ZHPDiag.PNG

The ZHPDiag.txt logfile
  • When finished, a logfile named "ZHPDiag.txt" will appear on your desktop.
  • Please post the logfile for further review in your next comment.

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #9 on: July 04, 2015, 06:15:34 PM »
Step 1 complete

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #10 on: July 04, 2015, 06:30:58 PM »
Step 2 complete

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #11 on: July 04, 2015, 06:50:49 PM »
Step 3 complete

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #12 on: July 04, 2015, 09:09:08 PM »
This fix should fix things now.




1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Internet Explorer\TypedURLs" /v "url2" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg add "HKEY_USERS\S-1-5-21-4043493293-2585772767-1967288729-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f
Reg: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110111281132}" /f
Reg: reg delete "HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110111281132}" /f

CloseProcesses:
HKLM-x32\...\Run: [HF_G_Jul] => "C:\Program Files (x86)\AVG Secure Search\HF_G_Jul.exe"  /DoAction

Hosts:
C:\Program Files (x86)\AVG Secure Search
C:\Program Files (x86)\*.tmp
End



2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.

REDACTED

  • Guest
Re: svchost.exe can not get rid of
« Reply #13 on: July 04, 2015, 09:30:43 PM »
Here is the fixlog

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: svchost.exe can not get rid of
« Reply #14 on: July 04, 2015, 10:18:29 PM »
And? How are things now? All looks good to me now.