Author Topic: SVCHOST Malicious url keeps popping up  (Read 36320 times)


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #30 on: June 01, 2012, 05:37:09 PM »
Download

FIXTDSS

Launch it.  It may ask for restart.  Reboot the PC

On reboot let me know what it finds

Hi Jeff,

Restarted in normal mode, it didn't find anything. But my PC is back to "working" like normal, i.e. not running slow.

Not sure about the original problem yet though, since I need to wait and see if that pops up again with Avast.

What now? :)

Karen

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #31 on: June 01, 2012, 05:38:41 PM »
Okay, original problem still exists.. still Malicious URL blocked issue.. :(

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #32 on: June 01, 2012, 05:49:37 PM »
Hi,

Do you know how to take a screen shot?  If you do, please take a screenshot of the popup the next time that it happens.  We may just be dealing with a False Positive (FP).

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #33 on: June 01, 2012, 05:55:41 PM »
Yes I will take a screenshot. Every day it's a new url though... but always svchost.exe

Thank you,
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #34 on: June 01, 2012, 05:58:42 PM »
Ok great!  That might shed more light. 

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #35 on: June 01, 2012, 06:04:54 PM »
Hi Jeff,

Here is the screen shot attached

Thank you
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #36 on: June 01, 2012, 07:14:34 PM »
Hi,

Ok...

OTL
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • In Custom Scans/Fixes put the following:
netsvcs
/md5start
consrv.dll
/md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
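
The netsvcs line in the custom scan above is the name of a svchost.exe service group in the registry. The PowerShell below is an added example, not part of jeffce's post and not OTL's code, that lists the services in that group and the DLL each one loads so that odd entries stand out. The review criteria it uses (missing file, path outside System32, empty company name) are assumptions chosen for illustration, and a flagged entry is only a candidate for a closer look.

```powershell
# Added example (not OTL's code): list the services in svchost's "netsvcs" group
# and the DLL each one loads. Run from an elevated 64-bit PowerShell prompt.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'

# "netsvcs" is a multi-string value: one service name per entry.
$names = (Get-ItemProperty -LiteralPath $svchostKey -Name netsvcs).netsvcs

$report = foreach ($name in $names) {
    $paramKey = Join-Path (Join-Path $servicesKey $name) 'Parameters'
    $dll = $null
    if (Test-Path -LiteralPath $paramKey) {
        $props = Get-ItemProperty -LiteralPath $paramKey
        if ($props.ServiceDll) {
            # ServiceDll is normally REG_EXPAND_SZ, e.g. %SystemRoot%\System32\x.dll
            $dll = [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
        }
    }
    # Skip names that have no Parameters\ServiceDll value (service not installed).
    if (-not $dll) { continue }

    $exists  = Test-Path -LiteralPath $dll
    $company = $null
    if ($exists) {
        $company = (Get-Item -LiteralPath $dll -Force).VersionInfo.CompanyName
    }

    New-Object PSObject -Property @{
        Service    = $name
        ServiceDll = $dll
        Exists     = $exists
        InSystem32 = $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        Company    = $company
    }
}

# Assumed review criteria: DLL missing, outside System32, or no company name.
$report |
    Where-Object { -not $_.Exists -or -not $_.InSystem32 -or -not $_.Company } |
    Sort-Object Service |
    Format-Table Service, ServiceDll, Exists, InSystem32, Company -AutoSize
```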

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #37 on: June 01, 2012, 08:51:37 PM »
Hi Jeff,

Did what you said but it only created OTL.txt and that file is way too large to put in a post so I've attached it here.
(post maximum characters is 10000)

Thank you,
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #38 on: June 01, 2012, 08:59:40 PM »
Just attach all logs.  :)

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #39 on: June 01, 2012, 09:02:14 PM »
I did, the only log it created was OTL.txt which I attached in my prior post.

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #40 on: June 01, 2012, 09:06:42 PM »
Sorry....missed that.  :)

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #41 on: June 02, 2012, 09:30:29 PM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {2F5142BF-B9C2-452F-9080-D801203552D5}
IE:64bit: - HKLM\..\SearchScopes\{2F5142BF-B9C2-452F-9080-D801203552D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {85FD7698-3808-4492-8FCB-06D657E668D5}
IE - HKLM\..\SearchScopes\{85FD7698-3808-4492-8FCB-06D657E668D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-CA
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE E7 C6 76 C7 3E CD 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={A1A6A39F-D0DD-4071-A7D3-2EEFF12CB5BA}&mid=b0f3881399f747d098bb55626d584e12-9892d0231abdf0e5babc2f6b12d87f4943c4456f&lang=en&ds=AVG&pr=fr&d=&v=11.0.0.9&sap=dsp&q={searchTerms}
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge]  File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- [2009/07/14 06:29:38 | 000,106,760 | R--- | M] (Microsoft Corporation)
[2012/05/30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #42 on: June 04, 2012, 12:20:40 AM »
Hi Jeff,

Ok I did what you said but in the middle of the OTL scan my whole computer froze up. So I had to hard-shutdown, then problems began after that. Windows wouldn't load at all. Then I went in with Safe Mode and restored my registry that I had backed up with ERUNT. Then still Windows wouldn't load. So now I am back in with Safe mode not sure what to do next.

So I ran another OTL scan for you, without checkmarking those Purity etc, and log is attached.

I will try rebooting again to see if Windows will load now.

(I have rebooted a few times, it keeps getting hung up on the "Welcome" with the circle spinning.. so then I have to hard-shutdown and then boot up in Safe mode).

Help! :(


Thank you,
Karen
« Last Edit: June 04, 2012, 12:38:28 AM by kishtara »

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #43 on: June 04, 2012, 02:30:28 AM »
Hi,

Let's try something new...

FRST

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #44 on: June 04, 2012, 01:39:21 PM »
Hi Jeff,

Attached the FRST64 log because it's too large to copy and paste here.

Still in safe mode just waiting to hear what to do next.

Thank you,
Karen