SVCHOST Malicious url keeps popping up

[kishtara]

Hi Jeff,

I hope everything is okay, I haven't heard from you today. I'm debating whether or not it's come time to have to reformat and reinstall Windows. I hope not though

Eagerly awaiting your reply!
Karen

[jeffce]

Hi Karen,

Sorry for any delay...I have had a pretty busy day and haven't been on much, but I am looking over your logs to see what I can find. 

[kishtara]

Thank you Jeff, I truly appreciate everything you have been doing to help.

I'm heading to bed now but will check first thing in the morning.

Thanks again,
Karen

[jeffce]

Hi,

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click  VirusTotal

Press Choose File and then browse to the following file: (one at a time if more than one file is listed)

C:\Users\Karen\AppData\Roaming\Microsoft\service.exe

Once you locate the file select it and press Open now press Scan it!.

Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

[kishtara]

Hi Jeff,

No such file exists.. I do not have a Microsoft subfolder beneath my Roaming folder:

C:\Users\Karen\AppData\Roaming\Microsoft\service.exe

Thanks,
Karen

Hi,

I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis

To submit a file to virustotal, please click  VirusTotal

Press Choose File and then browse to the following file: (one at a time if more than one file is listed)

C:\Users\Karen\AppData\Roaming\Microsoft\service.exe

Once you locate the file select it and press Open now press Scan it!.

Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

[jeffce]

Hi,

Let's make sure it isn't hidden first...

Click on Control Panel
Click on Folder Options
Click on View Tab

Check:
Show hidden files,folders, or drives, press OK
======================================================

***NOTE: Be sure to re-hide hidden files and folders when mission is accomplished!

Did you find the file now? 

[kishtara]

Hi Jeff,

I had already enabled that in order to even see my AppData folder in the first place. But now I went back to the Folder Options in CP to look at the other view options, and also unchecked "Hide protected operating system files". Once I UNchecked that, I was then able to see the Microsoft subfolder. But still I do NOT see service.exe file at all.

Thanks,
Karen

Hi,

Let's make sure it isn't hidden first...

Click on Control Panel
Click on Folder Options
Click on View Tab

Check:
Show hidden files,folders, or drives, press OK
======================================================

***NOTE: Be sure to re-hide hidden files and folders when mission is accomplished!

Did you find the file now?

[jeffce]

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Right-click and Run as Administrator SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:dir
C:\Users\Karen\AppData\Local\blekkotb_031 /s

:file
C:\Users\Karen\AppData\Local\dplayx.dll


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

[kishtara]

Hi Jeff,

The output is too large for the message, file is attached.

Thank you,
Karen

[jeffce]

Hi,

Run ERUNT and backup your registry and then do the following...

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE E7 C6 76 C7 3E CD 01  [binary data]
O1 - Hosts: 93.113.196.146      www.google.com
O1 - Hosts: 93.113.196.147      www.bing.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 142.177.2.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B15D14A-DAAC-4F68-9E5A-BA9E9720EF97}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F45D678C-713E-4E22-87A4-D16C5C1DEE98}: DhcpNameServer = 192.168.2.1 142.177.2.130
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- [2009/07/14 06:29:38 | 000,106,760 | R--- | M] (Microsoft Corporation)

:Files
[2012/05/30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[kishtara]

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
93.113.196.146 www.google.com removed from HOSTS file successfully
93.113.196.147 www.bing.com removed from HOSTS file successfully
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B15D14A-DAAC-4F68-9E5A-BA9E9720EF97}\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F45D678C-713E-4E22-87A4-D16C5C1DEE98}\\DhcpNameServer| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
File D:\setup.exe not found.
========== FILES ==========
Invalid Switch: 30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
Invalid Switch: 25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Karen\Downloads\cmd.bat deleted successfully.
C:\Users\Karen\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Karen
->Temp folder emptied: 1070189 bytes
->Temporary Internet Files folder emptied: 4612970 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 382081169 bytes
->Flash cache emptied: 4567 bytes
 
User: Public
 
User: User
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65015 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 77100387 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 3565 bytes
 
Total Files Cleaned = 443.00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.44.0 log created on 06052012_155213

Files\Folders moved on Reboot...
File move failed. C:\Users\Karen\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
C:\Users\Karen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O59STKD8\virustotal_com[1].htm moved successfully.

Registry entries deleted on Reboot...

[kishtara]

Hi Jeff,

Reply above is the first output from OTL.  My PC rebooted but still was hanging at "Welcome" so I had to hard shutdown again and reboot in safe mode w/ Networking. Then I ran OTL again as instructed and attached is that log.

I really hope I can reboot in normal mode at some point, starting to get a bit nervous...

Thank you,
Karen

[jeffce]

Hi,

I understand how you can be nervous...I have been in your shoes before and know how you feel.  Try not to worry. 

Run ERUNT again to back up your registry and then do the following...

Run OTL.exe

• Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
  
  

Code: [Select]

:Services

:Files
C:\Users\Karen\AppData\Local\blekkotb_031
C:\Users\Karen\AppData\Local\dplayx.dll

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
• Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
  

[kishtara]

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Users\Karen\AppData\Local\blekkotb_031\data folder moved successfully.
C:\Users\Karen\AppData\Local\blekkotb_031 folder moved successfully.
C:\Users\Karen\AppData\Local\dplayx.dll moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Karen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 11091798 bytes
->Flash cache emptied: 343 bytes
 
User: Public
 
User: User
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2937718 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2908034 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 16.00 mb
 
 
OTL by OldTimer - Version 3.2.44.0 log created on 06052012_162237

Files\Folders moved on Reboot...
File move failed. C:\Users\Karen\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

[jeffce]

Ok..... any popups?