Malicious URL blocked \\.\globalroot\systemroot\svchost.exe

Hi, it seems I have this bugger/rootkit on my computer and cannot access google or any google related site (posting this from a lab on campus). Any kind of standby or sleep and upon wake up the computer reports that it had shutdown unexpectedly and needs to run start up repair to get running again. I’ve tried mwb at first but after 2 tries it didn’t work and then I searched for solutions online and I saw that there have been some others who had a similar problem here and had it fixed so hopefully someone can help me out! Thanks so much ahead of time!

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

That is not a problem, as long as this issue is fixable :D. Semester’s only starting up so I’m not in too much of a bind yet.

Hi Rankre, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

I see you have TDSSKiller on your computer. Did you try running it before you posted here?

If not, do not run it yet. If you did, please post the log. It can usually be found in the C:\ folder in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents in your next reply.

OK, ran the TDSSKiller and am posting log.

Sorry for double posting but one last time before I go to bed. Hopefully I can get this done soon to pay my bills on my home computer lol.

Hi Rankre,

Since you use this computer for paying bills I suggest you do the following from a known clean computer.

  • Change all your passwords to any and all forums you belong to
  • Change all passwords on any online financial services such as banks or companies you do transactions with

If you do not have access to another computer do not use this one to change the passwords until it is clean.

Download ComboFix from :

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Right click on ComboFix.exe, click Run as Administrator & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. If you receive a message after running ComboFix similar to “Illegal operation attempted on a registry marked for deletion”, simply reboot the computer to resolve it.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Thanks

Here it is!

Thanks again.

Hi Rankre,

How’s the computer?

This infection is known to corrupt some Windows services. We’ll have a look.
Next

Please download Farbar Service Scanner and save it to your desktop.
[*]Check all the boxes and click scan
[*]Please copy and paste the log to your reply.

The computer is working pretty good! Have not had any of those alerts by Avast, can access google and I’m not getting a random shutdown followed by startup repair anymore if I do use standby or sleep. :smiley: Hopefully this is the last of it. Either way, thanks a whole bunch!

Hi Rankre,

That looks ok.

One more scan to check our handiwork.

As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[*]Do not use this instance of your browser for anything besides doing this scan
[*]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.

*Note

It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Go here to run an online scanner from ESET

(Note: You can use Internet Explorer or Firefox for this scan. If you use Firefox you will be asked to install an additional component. Please allow this.)

[*]Tick the box next to YES, I accept the Terms of Use.
[*]Click Start
[*]When asked, allow the activex control to install
[*]Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
[*]Click Start
[*]Make sure that the option “Remove found threats” is Unchecked, and the option “Scan unwanted applications” is Checked.
[*]Click Scan.
[*]Wait for the scan to finish.
[*]When the scan completes, click List of found threats
[*]Click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
[*]Include the contents of this report in your next reply

Note - when ESET doesn’t find any threats, no report will be created.

[*]Push the back button.
[*]Push Finish
[*]Re-enable your Antivirus software.

Please post back with
[*]FSS log
[*]ESET log if there is one

Everything still ok?

Everything looks ok and still might be? Hmm

Hi Rankre,

Those are ok as that is TDSSK’s quarantined folder. We will remove it shortly.

Please locate this folder: C:\Qoobox. There should be a file named add_Remove Programs.txt. Please post its contents.

Ah I see, thanks. Attachment coming up.

Hi Rankre,

We’ll cleanup the tools now.

From your desktop, please delete, if present
[*]any notepads/logs that we created
[*]TDSSKiller
[*]Farbar Service Scanner
[*]aswMBR
[*]mbr.dat

You can also delete all the TDSSKiller logs from C:. They will be named TDSSKiller.[Version][Date][Time]_log.txt

Delete this folder also, C:\TDSSKiller_Quarantine

I suggest you keep MBAM.

Next

Click the Start button. Copy and paste the following line into the search box and hit Enter

Combofix /uninstall

Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have those now, provided you are using a firewall. Windows 7 has a built in firewall which is pretty good when set up. You can find some very good information HERE .

You should also use SpywareBlaster to help immunize your computer.

  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

  • Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care.
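
Added example, not from the thread or from any tool mentioned in it: a small Python check to run over a custom hosts file before installing it, as the post above recommends. It treats any entry that points a hostname somewhere other than a loopback/sinkhole address as a hijack indicator (the kind of redirect behind the symptom at the top of the thread, where Google could not be reached) and flags files large enough that the DNS Client advice applies. The sample hosts content and the size threshold are constructed assumptions.

```python
"""Audit a custom HOSTS file before installing it (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Addresses a *blocking* hosts file is expected to use (sinkhole targets).
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

# Assumed threshold: above this many entries the DNS Client service is
# commonly disabled so name resolution does not slow down (see post above).
LARGE_FILE_ENTRIES = 10000

# Constructed sample: one localhost line, two blocking entries, one redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test   # blocks a known ad server
0.0.0.0 malware.example.test
198.51.100.23 www.google.com       # redirect: hijack indicator
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)        # skip malformed lines, don't crash
        except ValueError:
            continue
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Summarise a hosts file: counts, non-sinkhole redirects, size warning."""
    entries = parse_hosts(text)
    redirects = [(a, n) for a, n in entries if a not in SINKHOLES]
    return {
        "entries": len(entries),
        "blocked": sum(1 for a, _ in entries if a in SINKHOLES),
        "redirects": redirects,           # review each: known domain here = hijack
        "disable_dns_client": len(entries) > LARGE_FILE_ENTRIES,
    }
```

Any hostname listed under "redirects" should be checked by hand; a well-known site pointing at an outside address is exactly what blocked the poster's access to Google.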

I have done all of the above and also downloaded SpywareBlaster. I cannot thank you enough for helping me through this process! Many many thanks and have a good day!

Hi Rankre,

You are very welcome.