C:\Windows\system32\svchost.exe

getting ads with voice-over popping up
Avast blocks web pages related to C:\Windows\system32\svchost.exe

MAB fixed one issue as stated in the log
here are the log files

Thanks in advance for the help
Greg

Hi,

You have downloaded & run Malwarebytes Anti-Malware (MBAM) version 1.75. I would like you to download the latest MBAM version 2.0, enable the ARK and PUP settings and perform a re-scan.

Then, run the FRST tool to target any remnants:


=> MBAM2 Threat Scan


Please download Malwarebytes Anti-Malware ver. 2.0 and install the application.

Double-click on mbam-setup.exe and follow the prompts to install the program. Upon installation, click Finish.
Note: A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish…
On the first launch, you’ll get an “Update” notification. Click the ‘Update Now >>’ link or button to complete update.

• Configure the scanner. On the Settings tab, Detection and Protection, adjust the following options:

  • subtab Detection Options, tick the box ‘Scan for rootkits’.
  • subtab Non-Malware Protection, for PUP detections, from ‘Warn user about detection’ select ‘Treat detections as malware’.

• Perform the Scan. Click on the Scan tab, then click on Scan Now >> for Threat Scan.
If an update is available, click the ‘Update Now’ button, then continue to Scan.
Note: only with some infections you may see the message box ‘Could not load DDA driver’.
In this case, click ‘Yes’ to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.

When the scan is complete, click Apply Actions. Wait for the prompt to restart the computer to appear, then click on Yes.

• Post the logs. Click on the History tab > Application Logs. Double click on the Scan Log which shows the date and time of just performed scan.

  • Click the Export button at the bottom, and then select ‘Text file (*.txt)’.
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type “mbam” (without quotes) for your scan log name and click Save.
  • A message box “Your file has been successfully exported” should appear, click Ok and close the windows.

Please attach the exported/saved log named as mbam.txt to your next reply.


=> FRST Scan


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Round 2
Thanks for the help

Hi Makdaddy,

For some unknown reason, the Chrome section isn’t sorted well.

Would you please delete the FRST.exe icon (drag & drop into the recycle bin), download a fresh FRST.exe from the link above and re-run the tool by pressing Scan.
Post here the freshly created FRST.txt log report.

Khm … you have run ComboFix. Who told you to run ComboFix?

Please post here C:\ComboFix.txt and C:\Qoobox\ComboFix-quarantined-files.txt logfiles after reading this note:

sUBs himself:
http://www.techsupportforum.com/1829551-post6.html

Official warning & directions:
http://www.bleepingcomputer.com/forums/topic273628.html

Good day
I ran combofix on my own, out of frustration on trying to fix this on my own
The file you refer to is not in that directory “C:\Qoobox\ComboFix-quarantined-files.txt”

here is the new file you requested
Greg

C:\Combofix.txt log?

And another question: Why did you not download the latest version of the FRST tool from the link I gave you above?

Your FRST tool is 122 days out of date.

To continue, I’ll need the ComboFix.txt log report as well as the latest FRST log (download a fresh copy of the tool and run the tool).
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

When I go to the link you provided
The link is redirected in Mozilla and I get no option to download?
I was able to get around that and get it downloaded from that site.

Here is the new results for FRST

I did not find a file named ComboFix.txt anywhere on the computer?

Hm… in that case I’ll need one more check before I am able to write a fix for you.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
• Please attach it to your reply.

Will do
But the system is 32 bit
I don’t think I have a FRST64 file?

This is my default canned. Just run FRST (latest copy you have) and follow the instructions for running and searching the above file …

:wink:

here is the updated file while doing just the search

Hi,

This FixList shall tell FRST to disinfect malware and to target the malware loading points plus some adware/PUP leftovers …

1. Close any open programs, browsers, disable security etc …

2. Open Notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
File: C:\prefs.js
C:\Windows\system32\zylp.wkb
C:\Windows\system32\kjtzy.ugl
C:\Windows\system32\wkat.iaf
C:\Windows\system32\emoq.wao
REPLACE: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll C:\Windows\system32\rpcss.dll
C:\Users\Michelle\AppData\Local\Temp\*.dll
C:\Users\Michelle\AppData\Local\Temp\*.exe
HKLM\...\Run: [NPSStartup] - [X]
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securedsearch2.lavasoft.com/index.php?pr=vmn&id=adawaretb&v=3_8&idate=2014-03-25&ent=hp&u=3DD5AD0D650B142358079A5331B7E4D2
SearchScopes: HKLM - {274daec0-c4e8-4f30-9e5c-9424990769b9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=0Dxdm175YYus&ptnrS=0Dxdm175YYus&si=CLrwk9HphrECFWQDQAod8WnKEA&ptb=D7418721-F05A-4281-8493-170CC754E152&ind=2012070701&n=77edc32d&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {274daec0-c4e8-4f30-9e5c-9424990769b9} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=0Dxdm175YYus&ptnrS=0Dxdm175YYus&si=CLrwk9HphrECFWQDQAod8WnKEA&ptb=D7418721-F05A-4281-8493-170CC754E152&ind=2012070701&n=77edc32d&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKCU - {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = http://securedsearch2.lavasoft.com/results.php?pr=vmn&id=adawaretb&v=3_8&idate=2014-03-25&hsimp=yhs-lavasoft&ent=ch&q={searchTerms}
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
C:\ProgramData\Search Protection
End

3. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

4. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
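Added example, not part of the thread and not code from FRST or Farbar: a PowerShell check a reader can run after the fix to confirm its two key steps took effect, the REPLACE of system32\rpcss.dll with the WinSxS copy and the removal of the two hijacked SearchScopes. The WinSxS folder name and the GUIDs are the ones quoted in the fixlist above, so they are specific to that machine's build; it assumes %windir% is C:\Windows and uses .NET hashing directly so it also runs on the PowerShell 2.0 shipped with Windows 7.

```powershell
# Added example (not from the thread or from FRST): verify the fixlist's key steps.
# Paths and GUIDs are the ones from the fixlist above; the WinSxS folder name is
# build-specific (assumption: the same Windows 7 build as in the thread).

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally {
        $sha.Clear()   # releases the hash provider
    }
}

# Step 1: the REPLACE line restores rpcss.dll from the component store. After the
# fix the live file must hash identically to the store copy; a mismatch means it
# was not replaced or was patched again on reboot.
function Compare-RpcssToStore {
    param(
        [string]$Live  = (Join-Path $env:windir 'system32\rpcss.dll'),
        [string]$Store = (Join-Path $env:windir 'winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll')
    )
    foreach ($p in @($Live, $Store)) {
        if (-not (Test-Path -LiteralPath $p)) { return "MISSING: $p" }
    }
    $liveHash  = Get-Sha256Hex -Path $Live
    $storeHash = Get-Sha256Hex -Path $Store
    if ($liveHash -eq $storeHash) { return "OK: rpcss.dll matches the WinSxS copy ($liveHash)" }
    $info = Get-Item -LiteralPath $Live
    return ("MISMATCH: live copy {0} bytes, modified {1}; store hash {2}" -f `
            $info.Length, $info.LastWriteTime, $storeHash)
}

# Step 2: the two hijacked SearchScopes GUIDs must be gone from both hives.
function Get-LeftoverSearchScopes {
    $guids = '{274daec0-c4e8-4f30-9e5c-9424990769b9}', '{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}'
    $left  = @()
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($g in $guids) {
            $key = "$hive\Software\Microsoft\Internet Explorer\SearchScopes\$g"
            if (Test-Path -LiteralPath $key) { $left += $key }
        }
    }
    return ,$left   # an empty array means both scopes were removed
}

Compare-RpcssToStore
Get-LeftoverSearchScopes
```

Any key path returned by Get-LeftoverSearchScopes, or a MISMATCH line, is something to mention with the next FRST log rather than something to fix by hand.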

Here are the results

Thanks for the help
Greg

Hi,

According to the logs, malware is neutralized and removed.

Now, as we are still at the ComboFix mystery, we need that log. First we will re-run ComboFix using these instructions.
When CF finishes its scan, re-run FRST, tick the box for Addition.txt and run the scan.

Post here the created CF log and both freshly created FRST logs. In my time zone it’s too late, we will continue tomorrow, you just post the logs.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:

• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

- ComboFix will display the DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
    - If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
    Attach the log report (ComboFix.txt) back to the topic.
    ComboFix shall also create an additional log. Please attach it to your reply.
    C:\Qoobox\ComboFix-quarantined-files.txt

FRST’s Re-check


Re-run FRST as you did before …

• Double-click to run it.
• Under Optional Scan ensure “Addition.txt” is ticked.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The tool shall create another log (Addition.txt). Please attach it to your reply as well.

Good Nite

here are the results

Greg

bump

Hi Makdaddy,

Logs are good. They don’t show active malware. I will remove the used tools:

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix:

• Click Start then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

• In the line of text type in (copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• Then click OK (or press Enter).

Wait for the uninstall process to complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


Warning!!

Multiple Antivirus Programs

You are running more than 1 Antivirus program!

AV: AVG Internet Security 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Ad-Aware Antivirus (Disabled - Out of date) {D87B6541-12A1-DAEA-0033-9B8057AAB996}

Running more than one antivirus program is not recommended because:
• They can conflict with each other.
• They may report the other antivirus software as malicious.
• Antivirus programs use an enormous amount of the computer’s resources while actively scanning your computer.
• They can cause your computer to become unstable, run slowly and even, in rare cases, BSOD crash, etc.
I strongly suggest you uninstall one of them. Which one, is your decision.

Thanks magna86

all is well and cleaned up

Thanks again for the help
Greg