I swapped back to Avast Thursday March 13 and I started having “avast web shield has blocked a harmful site… 26714.t.c.adlinker.net URL:Mal CL\windows\SysWOW64\svchost.exe”. When I open Task Manager, svchost.exe*32 runs when I'm online. When I'm offline it's not there. Please help, thank you in advance.
This indicates a possible infection… something is trying to phone home…
Follow the instructions and attach the requested logs: http://forum.avast.com/index.php?topic=53253.0
Here are the requested logs. I also would like to point out that Avast has blocked the virus over 1000 times.
Could you attach a screenshot of the Avast alert please?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {515E00D2-AB7E-4888-AFF7-D10CB48EA41E}
IE:64bit: - HKLM\..\SearchScopes\{515E00D2-AB7E-4888-AFF7-D10CB48EA41E}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0ByCtCyBtA0FyDtC0DtBtN0D0Tzu0CtByCyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1709006655
IE - HKLM\..\SearchScopes\{515E00D2-AB7E-4888-AFF7-D10CB48EA41E}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0ByCtCyBtA0FyDtC0DtBtN0D0Tzu0CtByCyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1709006655
IE - HKU\S-1-5-21-1287920735-2949706776-3067447304-1001\..\SearchScopes,Backup.Old.DefaultScope = {515E00D2-AB7E-4888-AFF7-D10CB48EA41E}
IE - HKU\S-1-5-21-1287920735-2949706776-3067447304-1001\..\SearchScopes\{515E00D2-AB7E-4888-AFF7-D10CB48EA41E}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0ByCtCyBtA0FyDtC0DtBtN0D0Tzu0CtByCyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1709006655
IE - HKU\S-1-5-21-1287920735-2949706776-3067447304-1001\..\SearchScopes\{BED51965-FB02-4D72-99C4-35E672D48E76}: "URL" = http://www.mysearchresults.com/search?&c=2638&t=03&q={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}: C:\Program Files (x86)\PriceGong\2.5.3\FF
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {26D675AC-D925-4bbf-A720-62C2AA4A81EB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2014/03/17 09:38:24 | 000,000,066 | ---- | M] () -- C:\Windows\SysNative\ywhypl.zdx
[2014/03/13 16:48:06 | 000,000,028 | ---- | M] () -- C:\Windows\SysWow64\u
[2014/03/13 16:46:36 | 000,000,064 | ---- | M] () -- C:\Windows\SysNative\enve.xea
[2014/03/13 16:46:36 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\njnqu.zst
[2014/03/13 16:33:41 | 000,230,284 | --S- | M] () -- C:\Windows\SysNative\xpbeo.oli
[2014/03/16 12:26:16 | 000,000,000 | ---D | M] -- C:\Users\Jacob\AppData\Roaming\Funmoods
:Files
C:\Users\Jacob\AppData\Local\Google\Chrome\User Data\Default\Extensions\kincjchfokkeneeofpeefomkikfkiedl
:Commands
[resethosts]
[emptytemp]
[Reboot]
• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download Malwarebytes AntiRootkit and save it to your desktop.
Full instructions on how to use MBAR
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.
• Unzip/unrar MBAR in a folder to your Desktop and MBAM shall run …
• Click on Next > then on Update button to download fresh definitions.
https://dl.dropboxusercontent.com/u/73555776/mbar_update.JPG
• When the database updates, click Next
• In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”
https://dl.dropboxusercontent.com/u/73555776/mbarscan.JPG
• If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or, if you are sure any entries should be kept, just untick them. A list of infected files will be listed.
• The clean-up procedure will be scheduled for processing.
• When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
Here are the next logs. I am waiting for the Avast warning sign. Since I reconnected to the internet to check the post I have not seen the Avast warning. I will post if it comes up again.
Here is the amount of memory that svchost.exe*32 uses. Curious as to whether it is normal. This is also only when connected online.
Any further alerts yet ?
Svchost is the workhorse of your computer; as you can see, I have a few running as well.
Please download AdwCleaner by Xplode onto your desktop.
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete, click on “Clean”.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
The warning has come up after I was about to post.
I would like to update: MBAM has told me it blocked something and it gave the numbers 72.21.215.133
OK, let's look from a different angle.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
I’m stuck. I disabled Avast completely but ComboFix says the real-time scanners are active.
Allow it to run anyway, as Avast is aware of ComboFix and should not block it.
After it runs can I put avast back on?
Yes please
Popup still coming up. The computer startup was a little slower than usual. Here is the ComboFix log.
I am surprised that MBAR did not pick this up.
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open Notepad and copy/paste the text in the quote box below into it:
FCopy:: c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
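The FCopy step above restores system32\rpcss.dll from the winsxs component store, which is where Windows keeps pristine copies of its own files. The following is an added PowerShell check (not from the thread or from any of the tools it mentions) that a defender can run to confirm the live rpcss.dll matches a component-store copy and to list any 32-bit (SysWOW64) svchost.exe instances with network connections, the symptom the thread started with. It assumes an elevated PowerShell 4 or later on x64 Windows; the winsxs folder name pattern is taken from the CFScript line above.

```powershell
# Added example, not part of the thread. Run elevated; Get-Process needs admin to read
# the Path of system processes, and Get-FileHash needs PowerShell 4+.
$live = 'C:\Windows\System32\rpcss.dll'

# Component-store copies of rpcss.dll. The folder name pattern is from the thread's CFScript;
# other builds/updates carry a different version string, so a wildcard is used.
$storeCopies = Get-ChildItem 'C:\Windows\winsxs' -Directory `
        -Filter 'amd64_microsoft-windows-com-base-qfe-rpcss_*' |
    ForEach-Object { Join-Path $_.FullName 'rpcss.dll' } |
    Where-Object { Test-Path $_ }

$liveHash = (Get-FileHash $live -Algorithm SHA256).Hash
"{0}`n  SHA256: {1}" -f $live, $liveHash

# Hash comparison is the primary test: on Windows 7, system DLLs are catalog-signed and
# Get-AuthenticodeSignature reports them as NotSigned, so a signature check would mislead.
$match = $false
foreach ($copy in $storeCopies) {
    $h = (Get-FileHash $copy -Algorithm SHA256).Hash
    $flag = if ($h -eq $liveHash) { $match = $true; '<- matches live copy' } else { '' }
    "{0}`n  SHA256: {1} {2}" -f $copy, $h, $flag
}
if (-not $match) {
    Write-Warning 'system32\rpcss.dll matches no component-store copy; restore it from winsxs (the thread does this with the ComboFix FCopy line).'
}

# On x64 Windows, legitimate svchost.exe instances load from System32. An instance running from
# SysWOW64 (shown as svchost.exe*32 in Task Manager) that holds network connections is the
# behaviour reported at the top of the thread.
$wow = Get-Process svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like 'C:\Windows\SysWOW64\*' }
if (-not $wow) { 'No svchost.exe running from SysWOW64.' }
foreach ($p in $wow) {
    "svchost.exe*32 PID {0} ({1})" -f $p.Id, $p.Path
    # netstat -ano prints the owning PID as the last column and works on Windows 7,
    # where Get-NetTCPConnection is not available.
    netstat -ano | Select-String ('\s' + $p.Id + '\s*$') |
        ForEach-Object { '  ' + $_.Line.Trim() }
}
```

A hash match against the component store does not prove the rest of the system is clean; it only confirms that this one file is back to a Windows-supplied version.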
Next log of ComboFix. The computer started up fine. I noticed Windows Defender was on. Will that affect the log?
That should have killed the alerts… Could you confirm that please?
So far it's good news. No popup has occurred and my laptop’s fans are not running loud when I'm on the internet. I am currently in college, and when I first connected my laptop to the school network I noticed the fans buzzing. I also currently notice that in Task Manager, specifically, svchost.exe*32 is not open anymore when I am connected to the internet. The 10 or 12 svchost.exe are still running; they don’t have “*32”. I am curious what exactly it was that infected my laptop? I truly appreciate your help.
It appeared to be a new variant of Blackbeard. Normally this is detected by both Avast and MBAR, but due to some changes they appear not to be able to detect this one: http://blog.avast.com/?s=blackbeard
Could you zip the ComboFix quarantine folder please (C:\Qoobox) and upload it to a file sharing site for me to collect and pass on to Avast?
Are you experiencing any further problems?