Another SVChost.exe thread!

Web shield is popping up all day, every day: ‘blocked a harmful webpage or file’.

Object: Http: //greenpzone.net/task/2000/ , http: //rbrasboingz.info/task/2000/ , http: //zentallor17.com/task/2000/

To name a few. There are a ton of them, but they do seem to end in /task/2000/ consistently.

Process: C:\Windows\system32\svchost.exe

It’s trying to play audio commercials and suchlike. Scanning SVChost directly reports that the file is fine. I’ve been trying to troubleshoot this for a couple of days now and I’ve run a variety of things Google pointed me towards in an attempt to clean this up, with no luck. Symptoms began around 7:00 am on the first. I’m including my first Mbam log as well as my most recent, hope that’s enough information!
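The alert pattern in this post (one system host process, many throwaway domains, the identical /task/2000/ path on every request) is the kind of thing a defender can match on in web-shield or proxy logs. The script below is an added example, not from the original thread or any vendor tool; the log line format and the .invalid host names are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of web-shield alert lines (not real product output); the hosts
# are placeholders, only the "/task/2000/" path shape is taken from the thread.
SAMPLE_ALERTS = """\
2014-01-01 07:02:11 blocked process=C:\\Windows\\system32\\svchost.exe object=http://host-a.invalid/task/2000/
2014-01-01 07:03:40 blocked process=C:\\Windows\\system32\\svchost.exe object=http://host-b.invalid/task/2000/
2014-01-01 07:05:02 blocked process=C:\\Windows\\system32\\svchost.exe object=http://host-c.invalid/task/2000/
2014-01-01 07:06:15 blocked process=C:\\Program Files\\Browser\\browser.exe object=http://ads.example/banner.js
"""

# Assumed line layout: "... process=<image path> object=<url>"; adjust for a real product.
ALERT_RE = re.compile(r"process=(?P<process>.+?) object=(?P<url>\S+)")

# A service host should not be fetching ad/task URLs on its own; a browser might.
SYSTEM_HOST_PROCESSES = {"svchost.exe"}


def parse_alerts(text):
    """Yield (process image name, host, url path) for each alert line that matches."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        proc = m.group("process").rsplit("\\", 1)[-1].lower()
        u = urlparse(m.group("url"))
        yield proc, u.hostname, u.path


def find_beaconing(text, min_hosts=2):
    """Return {(process, path): sorted hosts} for every system host process that
    contacted at least min_hosts distinct domains with the identical URL path.
    Many domains, one path, one trusted process is the shape of the thread's alerts."""
    hosts_by_key = defaultdict(set)
    for proc, host, path in parse_alerts(text):
        if proc in SYSTEM_HOST_PROCESSES:
            hosts_by_key[(proc, path)].add(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (proc, path), hosts in find_beaconing(SAMPLE_ALERTS).items():
        print(f"{proc} -> {path} via {len(hosts)} hosts: {', '.join(hosts)}")
```

A hit here does not prove svchost.exe itself is bad (the thread later traces it to a patched rpcss.dll loaded by the service host), but it is the trigger to pull the hosting service's DLLs for signature checks.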

Hi,

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this instruction.

  3. Run ComboFix. Click on I Agree!

  • ComboFix will display a DISCLAIMER of warranty on software.
    By clicking I Agree ComboFix shall continue.
  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
    Attach the log report (ComboFix.txt) back to the topic.

======================================
Next…

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR into a folder on your Desktop and MBAR should run.
  • Click on Next, then on the Update button to download fresh definitions.
  • When the database updates, click Next.
  • In the following window ensure the “Targets” Drivers, Sectors and System are ticked. Then select the “Scan” button.
  • If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
    Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.
  • The clean-up procedure will be scheduled for processing.
  • When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

Please make the links not clickable.

Avast is correctly blocking access to dangerous and blacklisted sites.

Look those URLs up in URLVoid or other site checkers; they are infected.

eddy, I reported his post to have the links removed

And then you went and repeated them in your quoted text (you have to do what you ask of others when quoting) ???

Sorry. I screwed up. My fault. Pondus told me to fix it…

No problem, but it is still there in your quoted text in Reply #4 (when I quoted the text, I modified the quoted urls). The original poster has modified his first post, but he can’t modify the text ‘you’ quoted. Change the http to hXXp

Hi,
I’m having the same issues as OP, and have tried the same methods (and then some) to remove this bugger. Avast is the first program that has actually been able to find or block anything. Do I need to create my own thread or can I find help here as well?

Yes, create your own thread and provide the log files

Here are the requested attachments! Thanks for your help so far.

@Riumy

I did not tell you to run MBAR more than once. The same goes for ComboFix.

Please in the future follow my instructions to the letter if you want my help.

=> Post me all "mbar-log-year-month-day (hour-minute-second).txt. " logs.
These are located in the MBAR folder


=> Post the contents of the following files

ComboFix-quarantined-files.txt
ComboFix1.txt

These are located in the folder C:\Qoobox\

Note to myself: Check logs time

I had run ComboFix and MBAR before posting for aid, so that’s probably the peculiarity you noticed… Was trying things I found in similar threads. Sorry. ^^; For some reason I don’t have a ComboFix1 in this folder, just ComboFix2, which I guess I’ll upload just in case.

Edit: added the rest of the files you asked for. x-x’

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

FileLook::
c:\windows\system32\drivers\xnacc.sys.bak
c:\windows\system32\drivers\watchdog.sys.bak
c:\windows\system32\drivers\tcpipreg.sys.bak
c:\windows\system32\drivers\scsiport.sys.bak

KillAll::

FCopy::
c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll|c:\windows\System32\rpcss.dll


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

==================================
Next …

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Type rpcss.dll into the Search: field in FRST, then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run from.
  • Please attach it to your reply.

it seems that after running the script through combofix, my computer restarted at some point and now boots to a black screen. =\

So yeah. I guess it’s time to figure out how I’m reinstalling Windows. Thanks for the effort.

Unfortunately, we have documented cases in other forums where this happened.

Sometimes replacing the patched file with a legitimate one can be tricky. But wait with reinstalling, we should be able to fix it.
We’ll try to do diagnostics and the fix outside the active Windows, in the Recovery Environment.

Do the following:

Please download Farbar Recovery Scan Tool x86 and save it to a flash drive.

  • Plug the flash drive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
  • Follow the prompt to enter the keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

  • In the command window type notepad and press Enter.
  • When Notepad opens, click File and select Open.
  • Select “Computer”, note your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.

It will make a log (FRST.txt) on the flash drive.

NEXT …

  • Type rpcss.dll into the Search: field in FRST, then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run from.
  • Now you may close the FRST program.
  • Please attach FRST.txt and Search.txt to your reply.


I don’t know if this is going to be relevant, but just in case it is, I recalled I had Ubuntu on a disc and installed it without overwriting any Windows things.

Sooort of figured my windows install was/is toast. ^^;

Good.

Please bump! your topic as I go offline right now.

I’ll give you my reply later/tomorrow.

:wink:

bumping as requested. <3

Thanks for bumping.

Are you being helped elsewhere? I have seen some malware removal tools used which are a favorite of some helpers?

Anyway, we do not have a healthy rpcss.dll on your system. FRST was unable to find a good file even in the virtual boot drive. As I can see in the logs, it is most likely the cause of the system crash. Instead of patching the malicious file with a legitimate file using CF, we have patched the malicious file with another inactive malicious or bad file. We have to make it right.

First, I shall provide you with a clean copy of rpcss.dll. You need to download that file and save it next to the FRST tool, in the root of your USB memory device.

Note: FRST in RE has been run from "F:", therefore the file location must be the following: F:\rpcss.dll, as I will use that location in the FRST script (FixList.txt).

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 05-01-2014 Ran by SYSTEM on MININT-BEG6ON2 on 06-01-2014 10:30:03 Running from F:\

==================== Drives ================================
Drive f: (LUX) (Removable) (Total:1.86 GB) (Free:0.88 GB) FAT


Let’s begin …

  1. Download legit rpcss.dll file from link below and save it to your USB device (F:\rpcss.dll)
    http://www.mcshield.net/personal/magna86/temp/windows7/rpcss.dll

  2. Download FixList.txt from attachments.
    FixList.txt must be in the same location where FRST.exe tool is!

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …

  • Press the Fix button once and wait.
  • FRST will process fixlist.txt.
  • When finished, it will produce a log fixlog.txt on your USB flash drive.

Exit out of Recovery Environment and post me the log please.

  1. Try to boot into normal mode. Did it succeed?
    If it did, do nothing! Wait for my instructions.