Help with svchost.exe issues

I have been getting multiple “Malicious URL blocked” notifications from Avast, about 2-3 a min. They are all coming from Process: svchost.exe

have run AV scan and mbam and they have not helped. Please help me

Mbam log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.19.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Doodle Bug :: DOODLEBUG [administrator]

8/19/2012 3:57:18 PM
mbam-log-2012-08-19 (15-57-18).txt

Scan type: Full scan (C:|D:|G:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 62678
Time elapsed: 52 minute(s), 1 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Documents and Settings\All Users\Documents\SoftonicDownloader_for_putty.exe (PUP.OfferBundler.ST) → Quarantined and deleted successfully.
C:\Documents and Settings\Doodle Bug\Local Settings\Application Data\Xenocode\Sandbox\Mafia Bot\1.0.306.0510\2010.06.28T09.11\Native\STUBEXE\8.0.1112@PROGRAMFILES@\Mozilla Firefox\firefox.exe (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Doodle Bug\Local Settings\Application Data\Xenocode\Sandbox\Mafia Bot\1.0.306.0510\2010.06.28T09.11\Virtual\STUBEXE\8.0.1112@PROGRAMFILES@\MafiaBots.com\MafiaBot\mBot.exe (Trojan.Agent) → Quarantined and deleted successfully.

(end)

hey and welcome to the forum. thanks for attaching the necessary logs. malware expert will help you when one is on but might take some time.

Hello,
I will be working on your Malware issues :wink:

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please attach the contents of that log in your next reply.


Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.

Ran the requested Programs. ComboFix had an error and was unable to install the Recovery Console. As the TDSSKiller files are so big i will need to add them to my next two responces.
don’t know if this is needed info but i will let you know, my “infected” computer can NOT access Google, also CAPTCHA verifications do not appear, so am using a different comp to respond and upload the logs.

TDSSKiller First run log

TDSSKiller 2nd run log after reboot.

@spwolftech
You do not follow my instructions!
I was asking to first run TDSSKiller and to run it only once.
Then to run Combofix. You have done the other way around…

[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*]Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


[*]Re-run TDSSKiller.exe and click on Change parametres.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and copy/paste the contents of it into your next reply
Note:It will also create a log in the [b]C:[/b] directory.


Delete old Combofix icon and download fresh Combofix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Open notepad and copy/paste the text present inside the code box below:



ClearJavaCache:: 

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,00


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )


Download MiniToolBox on Desktop ;
Run it by double-clicking, check all boxes/items and click on Go ;
After the application has finished its report will throw in Notepad.
Save notepad to your Desktop and attach here that report


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*] Make sure that all options are checked.
[*] Press “Scan”.
[] It will create a log (FSS.txt) in the same directory the tool is run.
[
] Please attach FSS.txt log to your reply.

I appologize, I did run the TDSSKiller first, just uploaded the Logs in the wrong order, but you are correct i did run the TDSSKiller twice, sorry about that.

Never mind, carry on as directed with TDSSKiller and CFScript , MiniToolBox and FSS tools and let’s see what we can do. :wink:

I am unable to copy/paste the TDSSKiller report here as it has to many characters, i have attached the log instead

Attached is requested ComboFix Log with new install, Still unable to install Recovery Console

Log from MiniToolBox Attached

Log From FSS attached

Please re-run TDSSKiller as before (with change parametres ) and use Delete option for this entry:

\Device\Harddisk0\DR0 ( TDSS File System )


All is good? How is your computer behaving now ?

Have re-run TDSSKiller as befor and deleted entry \Device\Harddisk0\DR0 ( TDSS File System ). Log File attached. Computer is running much better, and Avast has stoped with the constant “Malicious URL blocked” messages.

Nice to hear that. :wink:

lust check…

[*]Re-run Malwarebytes.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]Please save the log to a location you will remember ( desktop for example ).
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[
]Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.26.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Doodle Bug :: DOODLEBUG [administrator]

8/26/2012 4:00:19 PM
mbam-log-2012-08-26 (16-00-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207043
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Ok, thats it. 8)

It is necessary to uninstall the ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

Thank you so much for all the help!!! I appreciate it very much!