Author Topic: SVCHOST Malicious url keeps popping up  (Read 36134 times)


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #15 on: May 31, 2012, 11:09:02 AM »
Hi Jeff,

I'd like to remove AVG and keep Avast.

Here is ESET log results and attached is Malwarebytes log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b8bc8138c1354e489eaa6e8952d536b7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-31 03:11:47
# local_time=2012-05-31 12:11:47 (-0400, Atlantic Daylight Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 33 85 23941150 89969199 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=553467
# found=11
# cleaned=0
# scan_time=8157
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarApp.dll   a variant of Win32/Toolbar.Babylon application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarEng.dll   Win32/Toolbar.Babylon application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarsrv.exe   probably a variant of Win32/Toolbar.Babylon application (unable to clean)   00000000000000000000000000000000   I
C:\Program Files (x86)\Bookmarkwiz\bookmarkwiz.exe   a variant of Win32/Packed.PrivateexeProtector.F application (unable to clean)   00000000000000000000000000000000   I
C:\Users\Karen\AppData\Local\dplayx.dll   a variant of Win32/Kryptik.AEKJ trojan (unable to clean)   00000000000000000000000000000000   I
C:\Users\Karen\Documents\hosts2.txt   Win32/Qhost trojan (unable to clean)   00000000000000000000000000000000   I
C:\Users\Karen\Downloads\cnet2_revosetup_exe.exe   a variant of Win32/InstallCore.D application (unable to clean)   00000000000000000000000000000000   I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\n   Win64/Sirefef.W trojan (unable to clean)   00000000000000000000000000000000   I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\U\80000000.@   Win64/Sirefef.AE trojan (unable to clean)   00000000000000000000000000000000   I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll   Win32/Toolbar.Babylon application (unable to clean)   00000000000000000000000000000000   I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll   Win32/Toolbar.Babylon application (unable to clean)   00000000000000000000000000000000   I
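As an added example (not code from the thread, and not ESET's own tooling), a small Python parser for the log format above: it reads the "# key=value" header, splits each detection line into path and detection name, counts hits per malware family, and picks out the Win64/Sirefef entries sitting under C:\Windows\Installer\{GUID}\, which is what makes this log stand out. The sample lines are constructed from entries in the posted log, with the hash column shortened.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ESET Online Scanner log posted above:
# "# key=value" header lines, then one detection per line (path, detection name,
# hash, flag) separated by tabs, or by runs of spaces once pasted into a forum
# post. The 32-character hash column is shortened to "0000" here.
SAMPLE_LOG = (
    "# version=7\n# found=11\n# cleaned=0\n"
    "C:\\Users\\Karen\\Documents\\hosts2.txt\tWin32/Qhost trojan (unable to clean)\t0000\tI\n"
    "C:\\Windows\\Installer\\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\\n\t"
    "Win64/Sirefef.W trojan (unable to clean)\t0000\tI\n"
    "C:\\Windows\\Installer\\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\\U\\80000000.@   "
    "Win64/Sirefef.AE trojan (unable to clean)   0000   I\n"
    "C:\\Program Files (x86)\\Bookmarkwiz\\bookmarkwiz.exe\t"
    "a variant of Win32/Packed.PrivateexeProtector.F application (unable to clean)\t0000\tI\n"
)
FAMILY_RE = re.compile(r"\b(Win32|Win64)/([A-Za-z]+)")
# ZeroAccess (ESET name: Sirefef) of this era kept its components under
# C:\Windows\Installer\{GUID}\, which is where both Sirefef hits in the log sit.
INSTALLER_GUID_RE = re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}\\", re.I)

def parse_eset_log(text):
    """Return (header dict, list of detection dicts) from ESET scanner log text."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        cols = re.split(r"\t+| {2,}", line)
        if len(cols) < 2:
            continue  # blank or unrecognised line
        m = FAMILY_RE.search(cols[1])
        findings.append({
            "path": cols[0],
            "detection": cols[1],
            "family": f"{m.group(1)}/{m.group(2)}" if m else "unknown",
            "kind": "trojan" if " trojan" in cols[1] else "application",
            "cleaned": "(unable to clean)" not in cols[1],
        })
    return header, findings

def triage(findings):
    """Count detections per family; list Sirefef drops under Installer\\{GUID}."""
    families = Counter(f["family"] for f in findings)
    rootkit_paths = [f["path"] for f in findings
                     if f["family"] == "Win64/Sirefef" and INSTALLER_GUID_RE.search(f["path"])]
    return families, rootkit_paths
```

Run it against a full log by passing the file's text to parse_eset_log; "cleaned=0" in the header together with two Sirefef paths from triage is the combination that calls for a rootkit-capable tool rather than a further on-demand scan.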



jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #16 on: May 31, 2012, 01:55:39 PM »
Hi,

Ok...thanks for letting me know about the antivirus you would like to remove.

The ESET log is interesting....  please do the following...

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #17 on: May 31, 2012, 11:56:58 PM »
Quote from: jeffce on May 31, 2012, 01:55:39 PM
Hi,

Ok...thanks for letting me know about the antivirus you would like to remove.

The ESET log is interesting....  please do the following...

Download Combofix from either of the links below, and save it to your desktop. 
Link 1
Link 2

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

  • Right-click and Run as Administrator on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Hi Jeff,

I did as instructed, but when I ran (as Administrator) the ComboFix.exe on my desktop, what happened was a window appeared (black background, bright green text) and several lines scrolled by, then all of a sudden nothing. All my desktop icons disappeared; I waited, and after a minute they all came back, but my Chrome browser was shut down. I tested this 3 times with the same results. Plus there is no ComboFix.txt file that gets created. But what is odd is that during that scrolling green text it said it was making something (a dir or whatever), and it IS on my C:\ when I open Windows Explorer. It is called 32788R22FWJFW and when I click on that it then appears NOT to be a folder, but instead shows me my drives (same thing I see if I click on "Computer"). Very strange!

Not sure what to do...

Thank you,
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #18 on: June 01, 2012, 12:21:53 AM »
Hi,

Go ahead and run ComboFix in Safe Mode and see if it will run through.  If so please attach the log that is made.  :)

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #19 on: June 01, 2012, 03:29:16 AM »
Quote from: jeffce on June 01, 2012, 12:21:53 AM
Hi,

Go ahead and run ComboFix in Safe Mode and see if it will run through.  If so please attach the log that is made.  :)

Did this (twice, once Safe mode w/ Networking, once Safe mode without). Still didn't act any differently.

Except this time that funny numeric folder I described is actually a folder with a bunch of files in it (executables, .dat, .inf, etc.). Very odd.

But still no ComboFix.txt file anywhere.

New problem though, cannot load into Windows at all. I reboot in normal mode and Windows is loading, asks me for my password, and then I just get the spinning circle and "Welcome" but my desktop NEVER loads. Do you know how to fix this? I'm freaking out a bit here.. Right now I'm typing this on a different machine (mac).

Please, please, I hope you can help... I will try rebooting and seeing if I can get in with Safe mode. Have to head to sleep shortly.

Thank you,
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #20 on: June 01, 2012, 03:32:35 AM »
Hi,

Let's do this...

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Right-click and Run as Administrator GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
----------

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #21 on: June 01, 2012, 12:07:06 PM »
Hi Jeff

The only way I could get into Windows was Safe Mode With Networking. Did this, and got GMER, ran it as administrator, but cannot proceed with your instructions because a bunch of stuff is greyed out, please see attached image.

My *main concern* right now is how can I possibly load into Windows (not Safe mode)? I have deadlines to meet and not being able to get on my PC is panicking, to say the least! :(

Thank you!
Karen


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #22 on: June 01, 2012, 12:24:16 PM »
Hi Jeff,

Actually I was able to get Windows loaded normally but it is running Verrrrry slowly. I open up Windows Explorer and right-click on gmer.exe and it's taking Forrrever (spinning circle, Not Responding). Very abnormal. Finally, after about 3 minutes, the right-click menu presents itself and I choose 'run as administrator'.

Nothing will open... Gmer won't open... Task Manager won't open... Chrome won't open...

At a loss here :(

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #23 on: June 01, 2012, 02:32:16 PM »
Hi,

Sorry to see so many problems with your system.  I was looking over your logs and believe that, along with all the illegal software that CKScanner picked up, the ZeroAccess rootkit came aboard with some of that software as well.  Just so you know, that infection is the real deal.

Since you are only able to boot to Safe Mode please do the following...

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #24 on: June 01, 2012, 02:50:07 PM »
Hi Jeff - I am currently running a full Malwarebytes scan on my PC in safe mode - do you want me to cancel that and do the following, or wait until it is complete?

Thank you,
Karen

Quote from: jeffce on June 01, 2012, 02:32:16 PM
Hi,

Sorry to see so many problems with your system.  I was looking over your logs and believe that, along with all the illegal software that CKScanner picked up, the ZeroAccess rootkit came aboard with some of that software as well.  Just so you know, that infection is the real deal.

Since you are only able to boot to Safe Mode please do the following...

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #25 on: June 01, 2012, 03:03:33 PM »
You can wait until it is complete.  Then run TDSSKiller and attach both of the logs then.  :)

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #26 on: June 01, 2012, 05:11:49 PM »
Hi Jeff

Attached are the logs from Malwarebytes and TDSSKiller.

Thank you,
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #27 on: June 01, 2012, 05:18:49 PM »
Download

FIXTDSS

Launch it.  It may ask for a restart.  Reboot the PC.

On reboot, let me know what it finds.

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #28 on: June 01, 2012, 05:20:08 PM »
Quote from: jeffce on June 01, 2012, 05:18:49 PM
Download

FIXTDSS

Launch it.  It may ask for a restart.  Reboot the PC.

On reboot, let me know what it finds.

Reboot in safe mode w/ Networking? Or try Normal mode this time?

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #29 on: June 01, 2012, 05:30:02 PM »
Hi,

Try in Normal Mode...if it won't work give it a try in Safe Mode with Networking.  :)