Help: svchost.exe problem / URL:Mal

I do not know when this issue started, but I realized I had a memory leak recently while hosting a Minecraft server. Troubleshooting with avast confirmed the issue is with svchost.exe as the Shield utility will constantly block threats that read as such:

Object: ***/task/2000 (where *** is a random url)
Infection URL:Mal
Process: C:\Windows\System32\svchost.exe

Blocking them prevents the memory leak. Before using avast it could balloon up to 2 GB used. Booting clean in safe mode (with networking) doesn’t help. I’m attaching logs (as instructed in the sticky) to see if someone can assist me, as I have reached the limit of my know-how.
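A URL:Mal alert attributed to svchost.exe only names the host process; the real question is which service inside that process owns the connection. The following PowerShell is an added example for triaging that symptom (not from the thread or any of the tools it uses); it assumes Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example, not from the thread. For every svchost.exe process that holds
# an established, non-loopback TCP connection, list the services that process
# hosts, the DLL each service loads, and that DLL's Authenticode status.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an
# elevated PowerShell session so OwningProcess is populated for all PIDs.

function Get-SvchostServiceConnections {
    # Services grouped by the PID of the process hosting them; -AsString makes
    # the hashtable keys strings, so they are looked up with a string below.
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    $svchostIds = @(Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $svchostIds -contains $_.OwningProcess -and
                       $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn = $_
            foreach ($svc in @($svcByPid["$($conn.OwningProcess)"])) {
                if ($null -eq $svc) { continue }
                # A service run inside svchost registers the DLL it loads under
                # HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll
                $params = Get-ItemProperty -ErrorAction SilentlyContinue `
                    -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
                $dll = $null
                if ($params -and $params.ServiceDll) {
                    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
                }
                $status = 'n/a'
                if ($dll -and (Test-Path -LiteralPath $dll)) {
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                }
                [pscustomobject]@{
                    Pid        = $conn.OwningProcess
                    Service    = $svc.Name
                    Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                    ServiceDll = $dll
                    Signature  = $status
                }
            }
        }
}

# A ServiceDll outside %SystemRoot%\System32, or one whose Signature is not
# 'Valid', is the thing to examine; svchost.exe itself is only the host.
Get-SvchostServiceConnections | Sort-Object Pid, Service | Format-Table -AutoSize
```

Run it while the alert is firing and compare the Remote column against the blocked URL; the matching row names the service and DLL to submit for analysis.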

Hi,

I don’t recommend hosting MC servers. Take this from someone who used to. Just get a box from some place (e.g. MCProHosting, etc.).

Remover Notified.

@obzinator

You obviously know how to help yourself? You have been running ComboFix and TDSSKiller …
Are you familiar with these tools, what they can do, what damage they may cause?

Once you have run these tools, it would be nice to tell us, not to try to withhold from us.
Attach here the ComboFix.txt log report.
Attach here the TDSSKiller log report.

Then we may continue …

I have been troubleshooting on my own and found people with very similar issues and applied similar treatments. I used the same programs they were recommended to use and I took steps I thought would solve my issue. I am not withholding. I listed the logs the sticky told me to list.

If you need anything else, let me know.

Addendum: I’m not sure if the most recent TDSSKiller log I’ve already provided includes quarantine info, so I will attach the first log here so you can see what it originally found.

Well, as I assumed, you have allowed TDSSKiller to kill all legitimate items. None of this is malicious. You have killed the legit drivers. Some things from now on might not work properly. As for the ComboFix log, while it was working, the AntiVirus engine was not down. You’re lucky it went unnoticed.

Both tools which you ran have great power, and they can cause damage to the system.

Allow me to explain.
I do not mind what you do with your machine … Although the warnings are clear, and wherever you see the instructions for running TDSSKiller or ComboFix,
there are clear instructions on what to do with it.
The trick is that when someone posts the diagnostic logs here (OTL for example), I look at the log line by line. Each item is important to me.
And when I see entries here that belong to CF and TDSSK, I have lost my time looking at the OTL log, because I do not know what these tools did before, and therefore the posted log does not mean anything to me and I have to seek out and catch the items …

Let’s not talk about what these tools can do (kill, delete, wipe …); just running them because you saw someone recommend them is not wise at all. :wink:

Official warning about ComboFix. Please read:
http://www.bleepingcomputer.com/forums/topic273628.html
…or you may read the author’s warning in person:
http://www.techsupportforum.com/1829551-post6.html


Re-run OTL.exe.

[list]
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
IE - HKU\S-1-5-21-1919952068-1180565166-816242637-1000\..\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}: "URL" = http://search.comcast.net/search/?cat=Web&con=toolbar&q={searchTerms}
@Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:SummaryInformation
@Alternate Data Stream - 128 bytes -> C:\Windows\SysWow64\zlib.dll:DocumentSummaryInformation


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.[/list]

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

===== Next =====

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[list]
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

EmptyCLSID;
jid1-BOjn8b0IM7kH2w@jetpack.xpi;FF
movableAppButton@Merci.chao.xpi;FF
{6005d9b1-d115-485a-a92a-3f6453ca3fe2}.xpi;FF
C:\Windows\SysNative\rzfytj.xif;F
C:\Windows\SysNative\qbhh.uyg;F
C:\Windows\SysNative\yefhggz.pns;F
C:\Windows\SysNative\giawegu.cjn;F
C:\Windows\SysNative\aecmdv.cra;F
AutoClean;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.[/list]

Running OTL with the custom code yielded an instant result, no reboot, but did create a short log.

Running Zoek the first time caused a Plug and Play error forcing a reboot. This is the same error I got when I first noticed the memory leak. No log was produced.
A successful run after produced the attached log.

Ok, re-run zoek but this time use this script:

FFDefaults;
C:\Users\jca\AppData\Roaming\Mozilla\Firefox\Profiles\bjk11065.default\extensions\470a78a92af1b3a383cacf51a74585cfa84529d3bcb274072c0cb850803a0d02_lp.key
C:\Users\jca\AppData\Roaming\Mozilla\Firefox\Profiles\bjk11065.default\extensions\470a78a92af1b3a383cacf51a74585cfa84529d3bcb274072c0cb850803a0d02_lp.key
AutoClean;
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
Reboot;

===============

Please re-run OTL, just hit the QuickScan button and post me the freshly created OTL.txt log report.

Before running anything more I’ve noticed the memory leak has stopped. If that is useful information.

The logs are attached.

Thank you so much for your time and help so far.

Ok, one short fix …

Re-run OTL.exe.

[list]
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:FILES
C:\Users\jca\AppData\Roaming\Mozilla\Firefox\Profiles\bjk11065.default\extensions\movableAppButton@Merci.chao.xpi
C:\Users\jca\AppData\Roaming\Mozilla\Firefox\Profiles\bjk11065.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.[/list]

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

======= Next =======

It is necessary to uninstall ComboFix :
[list] [*] Click Start, then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the text line, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] Then click OK (or press Enter).

Wait for the uninstall process to complete.[/list]

======= Next =======

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

[list]
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore
[/list]

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

=> Please post me the DelFix log report and tell me how your computer is running now.

======= Note =======

Note for later:
You will need to reinstall the Gigabyte drivers.

With avast off, there is no memory leak. With it on the Shield doesn’t block anything, so everything seems to be running okay.

Here are the logs you requested.

Again, thank you so much for your help. It’s very appreciated.

I may have spoken too soon. Avast just blocked a similar threat to the original regarding svchost.exe.

Edit: Yeah, it’s happened a few more times. Nowhere near the frequency as before though.

Can you post the screen shots of avast alert? We’ll now run system diagnostics with these two powerful tools.

=> Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*] It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*] The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] - save the report to the Desktop (named ARK);

[*]Then click the >>> button and select Autostart card;
[*]Click [ Scan ] button;
[*]After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named autostart )

Attach both GMER log reports here (ARK.txt and autostart.txt).

Here are the logs you requested.

Here is a screen cap of the alert. (new post due to attachment limit)

Here’s something that looks more serious … :-\

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

[*] Unzip/unrar MBAR into a folder on your Desktop and MBAM shall run …
[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database updates, click Next.
[*] In the following window ensure the “Targets” scan for Drivers; Sectors; System are ticked. Then select the “Scan” button.

[*] If an infection/s are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.

[*] The Clean up procedure will be scheduled for processing.
[*] When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

========= Next =========

Please post me a fresh ARK.txt log report.
Re-run GMER, after the initial scan press the Scan button, and save the report as ARK.txt

Mbar did find something. Logs attached.

GMER is now calm. What is the situation now?

The machine has had about 8 hours of uptime and avast hasn’t detected anything odd happening. All processes seem to be behaving normally, no memory leaks, etc. If the new logs suggest everything is calm, then I’m satisfied this issue has been resolved.

Again, thank you very much for your assistance. It has been greatly appreciated.

You are malware free. Posted logs now appear clean and show no signs of active infection.

A good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
[i]☑ Remove disinfection tools
☑ Create registry backup
☑ Purge System Restore[/i]
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\[b]DelFix.txt[/b])

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


To help your AntiVirus protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t an AntiVirus and it can NOT replace one.

  2. Keep MCShield Anti-Malware; the tool will be updated regularly and perform automatic checking for malware on each attached USB memory device.
    MCShield has been designed as a lightweight scanner that’s smart enough to catch even new worms and works in fully automatic removal mode.

  3. It’s recommended to delete Temporary Files every once in a while.
    Temp File Cleaner aka TFC by OldTimer
    TFC is a small & useful utility that cleans up temp files from all user profiles and system folders. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.


How to protect yourself?

  1. avast! Software Updater. Run avast!, click on Tools > Software Updater.
    For security reasons, make sure you update your browser(s), Java, Flash Player, and basically every piece of software you use often.

  2. avast! Browser Cleanup. Run avast!, click on Tools > Browser Cleanup.
    Browser Cleanup is a tool integrated in avast! AV that gives you control over unwanted browser add-ons.

  3. avast! Malware Scan. Run avast!, click on Scan and perform a QuickScan by clicking on the Start button.
    Every once in a while, it’s recommended to perform a virus scan with avast! 2014.