SVCHOST Malicious url keeps popping up

[kishtara]

Download

FIXTDSS

Launch it.  It may ask for restart.  Reboot the PC

On reboot let me know what it finds

Hi Jeff,

Restarted in normal mode, it didn't find anything. But my PC is back to "working" like normal, i.e. not running slow.

Not sure about the original problem yet though, since I need to wait and see if that pops up again with Avast.

What now?

Karen

[kishtara]

Okay, original problem still exists.. still Malicious URL blocked issue..

[jeffce]

Hi,

Do you know how to take a screen shot?  If you are, please take a screenshot of the popup the next time that it happens.  We may just be dealing with a False Positive (FP).

[kishtara]

Yes I will take a screenshot. Every day it's a new url though... but always svchost.exe

Thank you,
Karen

[jeffce]

Ok great!  That might shed more light. 

[kishtara]

Hi Jeff,

Here is the screen shot attached

Thank you
Karen

[jeffce]

Hi,

Ok...

OTL

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
  
• Check the boxes beside LOP Check and Purity Check.
  
• In Custom Scans/Fixes put the following:

netsvcs
/md5start
consrv.dll
/md5stop

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
    Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
    
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
    

[kishtara]

Hi Jeff,

Did what you said but it only created OTL.txt and that file is way too large to put in a post so I've attached it here.
(post maximum characters is 10000)

Thank you,
Karen

[jeffce]

Just attach all logs. 

[kishtara]

I did, the only log it created was OTL.txt which I attached in my prior post.

[jeffce]

Sorry....missed that. 

[jeffce]

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {2F5142BF-B9C2-452F-9080-D801203552D5}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2F5142BF-B9C2-452F-9080-D801203552D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {85FD7698-3808-4492-8FCB-06D657E668D5}
IE - HKLM\..\SearchScopes\{85FD7698-3808-4492-8FCB-06D657E668D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-CA
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE E7 C6 76 C7 3E CD 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={A1A6A39F-D0DD-4071-A7D3-2EEFF12CB5BA}&mid=b0f3881399f747d098bb55626d584e12-9892d0231abdf0e5babc2f6b12d87f4943c4456f&lang=en&ds=AVG&pr=fr&d=&v=11.0.0.9&sap=dsp&q={searchTerms}
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge]  File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- [2009/07/14 06:29:38 | 000,106,760 | R--- | M] (Microsoft Corporation)
[2012/05/30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot when it is done
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[kishtara]

Hi Jeff,

Ok I did what you said but in the middle of the OTL scan my whole computer froze up. So I had to hard-shutdown, then problems began after that. Windows wouldn't load at all. Then I went in with Safe Mode and restored my registry that I had backed up with ERUNT. Then still Windows wouldn't load. So now I am back in with Safe mode not sure what to do next.

So I ran another OTL scan for you, without checkmarking those Purity etc, and log is attached.

I will try rebooting again to see if Windows will load now.

(I have rebooted a few times, it keeps getting hung up on the "Welcome" with the circle spinning.. so then I have to hard-shutdown and then boot up in Safe mode).

Help!


Thank you,
Karen

[jeffce]

Hi,

Lets try something new...

FRST

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  
• Use the arrow keys to select the Repair your computer menu item.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
  
• Select US as the keyboard language settings, and then click Next.
  
• Select the operating system you want to repair, and then click Next.
  
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]

• Select Command Prompt
  
• In the command window type in notepad and press Enter.
  
• The notepad opens. Under File menu select Open.
  
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
  
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  
• It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[kishtara]

Hi Jeff,

Attached the FRST64 log because it's too large to copy and paste here.

Still in safe mode just waiting to hear what to do next.

Thank you,
Karen