Author Topic: SVCHOST Malicious url keeps popping up  (Read 35622 times)

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #60 on: June 05, 2012, 09:43:36 PM »
Popups? No... (posting this with my Mac).

I'm running the 2nd OTL scan now .. should be done soon...

What did you expect to pop up?

(OR are you talking about the Avast popup for malicious url?) I'm in safe mode again, and not using my PC, so no.. no popups right now.

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #61 on: June 05, 2012, 09:46:23 PM »
Here is the 2nd OTL log attached

And actually I left it "hanging" on the "Welcome" screen on this reboot and it actually booted 'normally' to Windows. The thing is, everything was *extremely* slow and I had to hard-shutdown again and reboot into safe mode w/ Networking.


Thanks
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #62 on: June 06, 2012, 01:28:32 AM »
Hi,

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

Code:
HKLM\...\Run: [napsn] rundll32.exe "C:\Users\Karen\AppData\Local\Temp\napsn.dll",SteamAPI_Init
HKU\Karen\...\Run: [WinRemote] C:\Users\Karen\AppData\Roaming\Roaming\Microsoft\Protect\csrs
HKU\Karen\...\Run: [WinHoster] C:\Users\Karen\AppData\Roaming\Microsoft\service.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please attach it to your reply.
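
The fix list in the post above removes three autorun (Run key) values. As an added example, not part of the original thread and not FRST's own logic, this sketch triages lines in that format and reports why each entry stands out. The list of system process names, the 0.8 similarity threshold, and the `SampleApp` line are assumptions constructed for the illustration.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

# Assumed short list of Windows process names that autorun entries imitate.
SYSTEM_NAMES = ("csrss", "svchost", "lsass", "services", "winlogon")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
LINE_RE = re.compile(
    r"^(?P<hive>HK.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def target_path(cmd):
    """Return the file the autorun command actually loads."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    if quoted:
        return quoted[0]
    if cmd.lower().startswith("rundll32"):
        return cmd.split(None, 1)[-1].split(",")[0]
    return cmd

def triage(line):
    """Parse one Run-key line; return (value name, path, reasons) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    cmd, path = m["cmd"], target_path(m["cmd"])
    low, reasons = path.lower(), []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable location")
    if cmd.lower().startswith("rundll32") and reasons:
        reasons.append("rundll32 loading DLL from user profile")
    stem = PureWindowsPath(path).stem.lower()
    for name in SYSTEM_NAMES:
        near = SequenceMatcher(None, stem, name).ratio() >= 0.8
        if near and "\\windows\\system32\\" not in low:
            reasons.append(f"name resembles {name}")
    return m["name"], path, reasons

# First three lines are the entries from the fix list; the last is constructed.
SAMPLE = [
    r'HKLM\...\Run: [napsn] rundll32.exe "C:\Users\Karen\AppData\Local\Temp\napsn.dll",SteamAPI_Init',
    r'HKU\Karen\...\Run: [WinRemote] C:\Users\Karen\AppData\Roaming\Roaming\Microsoft\Protect\csrs',
    r'HKU\Karen\...\Run: [WinHoster] C:\Users\Karen\AppData\Roaming\Microsoft\service.exe',
    r'HKLM\...\Run: [SampleApp] "C:\Program Files\SampleApp\sample.exe" /background',
]

def report(lines):
    """Map each autorun value name to the list of reasons it was flagged."""
    return {t[0]: t[2] for t in map(triage, lines) if t}

if __name__ == "__main__":
    for name, reasons in report(SAMPLE).items():
        print(f"{name}: {', '.join(reasons) or 'no flags'}")
```
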

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #63 on: June 06, 2012, 01:57:51 AM »
Hi Jeff,

Here you go, fix log attached (and also copied and pasted here for convenience):

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 03-06-2012
Ran by SYSTEM at 2012-06-05 20:53:11 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\napsn Value deleted successfully.
HKEY_USERS\Karen\Software\Microsoft\Windows\CurrentVersion\Run\\WinRemote Value deleted successfully.
HKEY_USERS\Karen\Software\Microsoft\Windows\CurrentVersion\Run\\WinHoster Value deleted successfully.

==== End of Fixlog ====


Thank you!
Karen

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #64 on: June 06, 2012, 03:13:20 AM »
Hi,

Good job getting that ran.  How is your system behaving? 

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #65 on: June 06, 2012, 11:37:51 AM »
Hi Jeff,

Well ... not good, because I'm still in safe mode. :(

Avast hasn't even been running.. I'll start it up now.

(EDIT)
Just started up Avast and it says Manual scans available in safe mode but real time protection is not. So I cannot even test whether or not this malicious url issue has gone away, because I'm still in safe mode.

Thank you,
Karen
« Last Edit: June 06, 2012, 11:39:34 AM by kishtara »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SVCHOST Malicious url keeps popping up
« Reply #66 on: June 06, 2012, 11:43:35 AM »
If you are able to boot into normal mode, do so.

As that is the only way you can effectively test how your system is running.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #67 on: June 06, 2012, 12:24:13 PM »
Hi David,

Just tried booting to normal mode and it just hangs at the "Welcome" screen. Had to hard-shutdown again and reboot in safe mode w/ networking.

I understand what you are saying but isn't it more critical that we figure out why my system won't run in anything but safe mode first? I mean, in my eyes, that is what is important because something I've done in these actions the last few days has caused my pc to no longer function properly.

Thank you,
Karen

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: SVCHOST Malicious url keeps popping up
« Reply #68 on: June 06, 2012, 02:01:27 PM »
Yes it is critical that you can't run in normal mode, but as Jeff had asked how your system is running, essentially that is for normal mode.  I think it was hoped that after the previous fix it may have had a positive effect.

Clearly there is more work to be done to see if a resolution can be found, however, I will have to leave that to Jeff.

Hopefully he will be able to get back to the topic soon.

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #69 on: June 06, 2012, 02:21:24 PM »
Hi,

Sorry for your distress.  So you understand what we are dealing with I will try to explain it for you.  With the amount of unauthorized software you had on your computer there was a lot to remove, but when you gave me the first ESET scan I found what were thought to be traces of the ZeroAccess Rootkit; unfortunately, what I have now found is that it actually is a new variant of the ZeroAccess Rootkit.  That is the reason we are having such a hard time with this.  I do appreciate your patience with this though.  Please read the following...

**WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

I assure you I will return as quickly as I can.  :)

jeffce

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #70 on: June 06, 2012, 02:40:40 PM »
Hi,

Hopefully you read my previous post...  :)

Please delete the current version of Combofix.exe from your desktop and download a new version from here to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #71 on: June 06, 2012, 03:35:35 PM »
Well holy crap... this is way worse than I realized. Question though.. I use LastPass to store all my passwords (online banking etc), is that BAD or GOOD?? At least I *think* in this case must be GOOD since that means those passwords are not stored anywhere on my PC. I will definitely change my LastPass password right away though. Is it really necessary to contact my bank? I'm just concerned what kind of "LOCK DOWN" do they do if you tell them you could be a victim of identity theft?
 
And Jeff definitely NO need for you to apologize, I am truly forever grateful for ALL of your hard work in trying to help me, please, continue to do so and I will try to do everything you ask me to.

Going to run the combo thing will reply again shortly.

Thank you,
Karen


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #72 on: June 06, 2012, 03:56:36 PM »
Wow got some interesting stuff for you now Jeff...

When I ran ComboFix the other day, I remember telling you it does not create the file c:\ComboFix.txt. In fact it creates a new folder on my C drive. It did the same thing today. The WEIRD thing is when you click on that folder, it shows your PC contents AGAIN (all your drives etc - see images combo1.jpg, combo2.jpg and combo3.jpg). I also went into cmd to see if I could see this strange numerical folder and you CANNOT. This is proven if you look at the directory contents I saved in out.txt.

I also right-clicked on this numerical folder and chose Properties, see image combo4.jpg.

So I decided to right-click on the folder itself and choose copy, and I pasted it onto my desktop (so copied from c:\ to desktop). What I found in the folder at that point was a TON of files that I have NO clue where they came from. So I took a directory listing and the contents are listed in out2.txt. I think you might find this out2.txt very interesting!

(Might have to attach some of this on another reply)

Thank you,
Karen


kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #73 on: June 06, 2012, 03:57:13 PM »
Posting the out.txt and the out2.txt

kishtara

  • Guest
Re: SVCHOST Malicious url keeps popping up
« Reply #74 on: June 06, 2012, 04:13:00 PM »
Hi Jeff,

Please see my 3 replies above (had some questions up there) plus do you think it would make sense to run something such as free McAfee Labs tool RootkitRemover?

Thank you,
Karen