Avast Web Shield non-stop blocking from process svchost.exe

I have brought the computer to my home to fix it, so not connected to a network. When it was connected, there were many Pop-ups saying The avast Web Shield has blocked harmful webpage or file. One example of this is:
Object: http://rfargoost6.in/task/35/
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

I attached logs per the instructions at: forum.avast.com/index.php?topic=53253.0

Thank you in advance!
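A first triage step for alerts like the one above, added here as an example and not part of the thread: svchost.exe is only a host process, so a blocked connection "from svchost.exe" tells you little until you know which services share that PID. The PowerShell below parses netstat -ano, keeps outbound connections, resolves the owning process, and for every svchost asks WMI which services are running inside it. It uses only cmdlets present on Windows 7 / PowerShell 2.0 and assumes an elevated prompt; the state filter and loopback exclusion are my choices.

```powershell
# Added example (not from the thread): map outbound TCP connections to the owning
# process and, for svchost.exe, to the services hosted in that PID.
# Run from an elevated 64-bit PowerShell prompt. Uses netstat + WMI so it also
# works on Windows 7 / PowerShell 2.0, where Get-NetTCPConnection does not exist.

function Get-OutboundConnectionOwner {
    param(
        # Connection states that indicate the box is talking out or trying to.
        [string[]]$States = @('ESTABLISHED', 'SYN_SENT')
    )

    # netstat -a (all) -n (numeric) -o (owning PID); keep only TCP rows.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }

    foreach ($line in $lines) {
        # Columns: Proto  LocalAddress  ForeignAddress  State  PID
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 5) { continue }
        $foreign   = $parts[2]
        $state     = $parts[3]
        $owningPid = [int]$parts[4]

        if ($States -notcontains $state) { continue }
        # Drop loopback and IPv6 link-local chatter; they are never "calling home".
        if ($foreign -match '^(127\.|\[::1\]|\[fe80)') { continue }

        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.Name } else { '<exited>' }

        # The useful detail for svchost is the set of services sharing the PID.
        $services = ''
        if ($name -ieq 'svchost') {
            $services = (Get-WmiObject Win32_Service -Filter "ProcessId = $owningPid" |
                         ForEach-Object { $_.Name }) -join ','
        }

        New-Object PSObject -Property @{
            Pid      = $owningPid
            Process  = $name
            Services = $services
            Remote   = $foreign
            State    = $state
        }
    }
}

Get-OutboundConnectionOwner |
    Sort-Object Process, Pid |
    Format-Table Pid, Process, Services, Remote, State -AutoSize
```

Run it while the machine is on an isolated segment (the alerts in this thread only fire when it is connected). The Web Shield alert gives you a hostname; netstat gives an IP, so resolve one to the other before correlating. If every hit comes from one svchost PID whose service list is the RPCSS group, that points at the component the rest of the thread ends up repairing.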

Malware experts are notified… it may take some hours before they are online

Hi, I think I know what this is.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select both shortcut and additions at the bottom
  • Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach all 3 logs generated.

Thank you essexboy, I have attached the Farbar logs.

I see you have run Combofix. I will need you to run it again, but download a fresh copy. Please do not use Hitmanpro until I have finished, as I will need to repair a system file and HMP would probably try to delete it.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Attached Combofix log.

I have not put this machine on my network yet. It is someone else’s machine that I am fixing. In order for pop-ups to occur, it must be connected to the network. It has a static IP address, so if I put it on my network, I will have to change to DHCP. Do you want me to do that?

OK, I can confirm the problem, but I need to locate a spare copy of RPCSS as you do not have one in your dllcache. Hopefully OTL will find a spare in the service packs that I can use.

No requirement to connect

Run OTL

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in


/md5start
rpcss.*
/md5stop

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one Notepad window: OTL.Txt.
  • Attach this log and ensure that it is saved as ANSI

Attached OTL.txt in ANSI format.

What is this Malware called?

It is a variant of the Blackbeard/ZeroAccess Trojan. Avast can block its effect; however, the file is subtly altered so that no AV detects it.

After this the alerts should cease; could you let me know, please?

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Fcopy:: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

As soon as I changed adapter to DHCP and plugged in the network cable, I got pop-ups.

One of them was:

Object: http://rtortern3.biz/task/35/
Infection: Mal
Process: C:\Windows\System32\svchost.exe

Attached Combofix.txt

OK now I need to kill the payload files

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
[2014/05/29 15:10:06 | 000,000,064 | ---- | M] () -- C:\Windows\SysNative\rgmv.iil
[2014/05/29 15:10:06 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\wxlk.iux
[2014/05/29 14:54:13 | 000,310,760 | --S- | M] () -- C:\Windows\SysNative\iaqk.gvy

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
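The three payload files removed above (rgmv.iil, wxlk.iux, iaqk.gvy) share a shape rather than a name: four-letter lowercase basenames with three-letter extensions Windows never uses in System32, written within minutes of each other, one of them 0 bytes and one carrying the System attribute. The PowerShell below, an added example and not from the thread, scores every file directly under System32 on those traits and lists anything that trips more than one of them, with its signature status, so you can spot a fresh drop without knowing the names in advance. Thresholds, the list of "normal" extensions and the name regex are my heuristics; it is read-only and assumes an elevated 64-bit PowerShell.

```powershell
# Added example (not from the thread): hunt for dropped payload files under System32
# by shape (odd extension, random-looking name, recent write, System attribute,
# zero length) instead of by name. Read-only. Run from elevated 64-bit PowerShell
# so "System32" is the real directory and not the SysWOW64 redirect.

function Find-SuspiciousSystem32Files {
    param(
        [string]$Dir      = (Join-Path $env:SystemRoot 'System32'),
        [int]$Days        = 30,   # "recent" means modified within this many days
        [int]$MinScore    = 2     # report files matching at least this many traits
    )
    # Extensions that are normal directly under System32 (heuristic list; extend as needed).
    $knownExt = @('.dll','.exe','.sys','.mui','.ocx','.cpl','.drv','.ax','.acm','.nls','.ime',
                  '.tlb','.msc','.xml','.ini','.dat','.db','.log','.txt','.man','.mof','.mfl',
                  '.com','.scr','.bin','.cat','.inf','.rll','.tsp','.efi','.cmd','.bat','.vbs',
                  '.js','.nt','.sep','.cfg','.dic','.lex','.lrc','.mum','.manifest','.ico',
                  '.png','.jpg','.bmp','.gif','.cur','.ani','.config','.wav','.chm','.hlp','.rtf')
    $since = (Get-Date).AddDays(-$Days)

    Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $f   = $_
            $ext = $f.Extension.ToLower()
            $reasons = @()
            if ($knownExt -notcontains $ext)                      { $reasons += "extension '$ext'" }
            if ($f.LastWriteTime -ge $since)                      { $reasons += 'written recently' }
            if ($f.Attributes -band [IO.FileAttributes]::System)  { $reasons += 'System attribute' }
            if ($f.Length -eq 0)                                  { $reasons += 'zero bytes' }
            # Random lowercase 3-6 letter stem + 3-letter unknown extension, like rgmv.iil
            if ($f.BaseName -cmatch '^[a-z]{3,6}$' -and $ext -cmatch '^\.[a-z]{3}$' -and
                $knownExt -notcontains $ext)                      { $reasons += 'random-looking name' }

            if ($reasons.Count -ge $MinScore) {
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
                New-Object PSObject -Property @{
                    Modified   = $f.LastWriteTime
                    Size       = $f.Length
                    Attributes = $f.Attributes
                    Signature  = $sig.Status
                    Path       = $f.FullName
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
}

Find-SuspiciousSystem32Files -Days 30 |
    Sort-Object Modified -Descending |
    Format-Table Modified, Size, Attributes, Signature, Path, Reasons -AutoSize -Wrap
```

Sorting by modification time makes a drop stand out as a cluster of hits with timestamps a few seconds apart, as in the OTL listing above. Expect some legitimate noise (licence text, odd vendor files), so treat the output as a list to hash and look up, not a deletion list: the helper's point later in the thread about removing files in the wrong order applies here too, since a payload can be tied to a patched system DLL that has to be repaired first.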

Results of QuickScan attached.

What is your best guess as to how this PC got infected? I would like to tell the user if it was a certain type of website they went to…

This is usually received via e-mail and/or torrented movies/cracked programmes

Could you now reboot and let me know how the computer is behaving

The PC appears to be running well. Avast updated its definitions and no pop-ups.

This has been the worst Malware I have seen. A very time consuming removal as well, for you and me, both! I assume we are done, unless you want me to do anything else? If so, thank you for taking the time to help me, I appreciate it!

Julie

No problem, this one is complex, as if you remove the files in the wrong order then you have a nice little doorstop to play with. However, Avast blocked it from calling home, so the system was safe.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Thank you, essexboy! I am following your final directions now! I, again, appreciate your time in helping me!

Julie

No problem, my pleasure :slight_smile: