Malicious URLs blocked from SVCHOST.EXE

I am trying to help a friend sort their PC out - it appears they have had no AV in place for some time, and after running Malwarebytes (which found 32 infected files/folders/registry keys), I installed Avast (free) and ran a full scan. It found 2 files, which it has moved to chest, but now I keep seeing MALICIOUS URL BLOCKED warnings, where the details are:
Object: 199.80.55.19/go.php?uid4714…
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

I’m also seeing MALWARE BLOCKED warnings, where the system shield has blocked the threat. Details are:
Object: C:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.IE5\L5IT1RBQ\ha81naoo0o0_com[1].htm
Infection: HTML:Iframe-inf
Action: Moved to chest
Process: C:\Windows\system32\svchost.exe

I’m also seeing the option to report the latter item as a false positive, but haven’t done so due to the former warning.

The object details differ each time, but I think they all stem from the same locations. Can anyone please tell me how to deal with these problems?

Thanks in advance
Martin
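Both warnings name svchost.exe as the process and the SYSTEM profile's IE cache as the drop location, which is what a rogue service hosted inside svchost.exe looks like. As an added example (not from the thread or any tool it mentions), this PowerShell check lists every service that runs inside svchost.exe, the DLL it loads, and flags DLLs outside %SystemRoot%, missing on disk, or not signed by Microsoft, then lists recent files in that cache folder; it assumes an elevated prompt.

```powershell
# Added example: triage svchost-hosted services. Run from an elevated PowerShell prompt.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')

$findings = foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $svc = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    # Only services whose ImagePath launches svchost.exe show up under that process name
    if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { continue }

    # The hosted DLL is normally under Parameters\ServiceDll; a few keep it on the root key
    $dll = (Get-ItemProperty "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = $svc.ServiceDll }
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)

    $reasons = @()
    if ($dll -notlike "$sysRoot\*") { $reasons += 'DLL outside %SystemRoot%' }
    if (-not (Test-Path $dll)) {
        $reasons += 'DLL missing on disk'
    } else {
        # Caveat: on Vista/7, catalog-signed system DLLs report NotSigned here,
        # so treat this column as a prompt to inspect, not a verdict.
        $sig = Get-AuthenticodeSignature $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "signature: $($sig.Status)"
        }
    }
    if ($reasons.Count) {
        [pscustomobject]@{
            Service = $key.PSChildName   # e.g. a name that matches nothing you installed
            Start   = $svc.Start         # 2 = Auto, 3 = Manual, 4 = Disabled
            DLL     = $dll
            Why     = ($reasons -join '; ')
        }
    }
}
$findings | Format-Table -AutoSize

# The blocked .htm lived in the SYSTEM account's IE cache (services run as SYSTEM,
# so a hosted DLL pulling pages writes there). Show what landed in it this week.
$cache = "$sysRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files"
Get-ChildItem $cache -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, FullName -First 20
```

A service name that matches nothing you recognise, pointing at a DLL outside System32, is the entry to hand to whoever is cleaning the machine rather than something to delete blindly.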

Hi there, let's see what is left on the system

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.

Hi
Thanks, have downloaded the OTS file, and when I run it Avast is suggesting I open it in a sandbox - should I change this to run normally?
Martin

OK, I ran as normal (pasted the data into the fix box first time, so had to run it again).
Log file is attached.
Many thanks
Martin

Aye it will not work in the sandbox - let me know if this kills it

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (srvBF4) srvBF4 [Auto | Stopped] -> 
YN -> (McSysmon) McAfee SystemGuards [Auto | Stopped] -> 
YN -> (McShield) McAfee Real-time Scanner [Unknown | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\: URLSearchHooks\\"{D3D233D5-9F6D-436C-B6C7-E63F77503B30}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\] > -> HKEY_USERS\S-1-5-21-2265180834-3589896195-1863088483-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D7E97865-918F-41E4-9CD0-25AB1C574CE8}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Crawler Search -> [tbr:iemenu]
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\
YN -> Crawler Search -> [tbr:iemenu]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Hi
It's running as I type, though I forgot to close the IE session down that I copied the fix from - the progress bar in the middle is progressing time after time, and all that is left in the Fix box is
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
Is this because IE is open? I’ve also had 6 more warnings whilst this was running…
[EDIT]I did ALT+F4 and closed the IE session, though it’s still running[/EDIT]
Thanks
Martin

OK, it finished and required a reboot.
Resulting file is attached.

Have had no warnings since reboot…
Many thanks for your help so far
Martin

It took a while as there were a fair few files to remove. Total Files Cleaned = 1,505.00 mb

Many many thanks for your help.
I’ve got some other questions but will come back and ask those another day - been at the PC all day and think I need a drink!
Thanks again
Martin

For sure - I would like you to run for a while though to ensure it is cleared

Do you mean run avast or OTS?

Not wishing to put words into essexboy’s mouth, I believe he means for you to run the system and monitor it for 24hrs or so to ensure it is gone.

Then report back if all is still good and he will remove his tools.

OK, that’s fine - I was going to anyway as have laptop for the weekend.
Thanks again
Martin

That is true :-[

:frowning:
It’s back!
I got a critical error telling me it had found a rootkit, then I got 6 warnings as before.
Shall I re-run OTS with the same settings, or sort out the rootkit issue first?
I have a feeling I might just do a restore back from the recovery partition and start fresh as I am also having other issues with Windows Update since installing SP1 for Vista.

[EDIT]
I ran Kaspersky's TDSSKiller and that has resolved the rootkit and it also seems to have resolved the Windows Update issues I was having. I'll leave it running over the next 24 hours and see if I get any more warnings, and will report back either way.
[/EDIT]

Thanks again
Martin

TDSSKiller is a great rootkit remover. Fast and effective. Hitman Pro is also great at removing rootkits. Gmer is another rootkit remover. OTS is good but involves too much user interaction. One of the easiest ways to spot a rootkit is by opening up Task Manager when not using your browser and seeing if "iexplorer.exe" is running. If it is then that's a tell-tale sign that a rootkit is calling home.

That would tend to suggest it is being respawned

Download OTS to your Desktop and double-click on it to run it

- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.