Malicious URLs continuously blocked.

Avast has been blocking many sites that I’m not attempting to open. It’s showing it’s trying to be opened by the Service Hosts (svchost.exe). Did a full scan and a boot time scan with Avast and it found nothing so I’m coming here.
Sites it’s attempting to open are:
hxxp://tragromert-c2.net/
hxxp://rancho-for-zomb0.net/task/3034/
hxxp://rumberger-fon.net/task/2003
hxxp://rttunc-net.com/task/3034
hxxp://ruggersner8.net/
hxxp://robertollo-green.net/task/2003
There are more, but when I try and go back to see them in the little pop ups 5 more show up.

Also I’m in the process of following the instructions found here http://forum.avast.com/index.php?topic=53253.0 but the MalwareBytes program continues to pop up showing a Trojan.Zekos.Patched thing being blocked from C:\Windows\System32\rpcss.dll

Next post will have logs.

You accidentally enabled a trial version of their Premium Product, but that's no problem.

When logs are posted wait for a malware expert.

I ran the Malwarebytes software and I let it restart my comp after I saved the logs, but now my PC is stuck at a black screen.

Did you let MBAM cure the RPCSS file ?

What version of Windows do you have and is it 32 or 64 bit?

Yeah I let it patch the rpcss file, and I’m running win7 64 bit. I don’t remember the exact version unfortunately.

Ok, at this stage I do not believe that MBAM can quite hack the file change.

I would like you to run FRST twice on the computer, the first will be a general scan and the second to locate a spare copy of RPCSS.

Download the following three programmes to your desktop :

1. Rufus

For 64bit systems
2. Windows 7 64bit RC I will PM the link
3. Farbar Recovery Scan Tool x64

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this, although yours will say Windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

For the second FRST, type rpcss.dll in the search box.
Then click Search File(s).
A second log will be generated, attach that as well.

Here are the logs, also I couldn’t figure out how to boot with the USB but my PC had the software on it. Hope that doesn’t change anything.

Yep, MBAM killed the file but did not replace it.

Download the attached Fixlist.txt to the same location as FRST
Run FRST and press Fix
On completion a log will be generated please post that
Then reboot to normal windows

Done. I’m on the original computer now (No more avast popping up about those sites trying to be opened!)
Here’s the log.

Hmm that looks a bit empty :)

I would like to check for anything else though to be sure

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Additionally, was there a quarantine folder on the USB that you used from FRST? If so, could you zip the entire folder and place it on a file sharing site for me to collect.
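
The second FRST run above is meant to locate a spare copy of rpcss.dll, and the OTL custom scan wraps rpcss.dll in /md5start ... /md5stop. The comparison behind both steps, as an added example that is not part of the thread or of either tool; the function names, the use of SHA-256, and the sample directory tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()  # system DLLs are small

def find_copies(windows_root, name="rpcss.dll"):
    """Map every file called `name` under windows_root to its SHA-256."""
    copies = {}
    for dirpath, _dirs, files in os.walk(windows_root):
        for fname in files:
            if fname.lower() == name.lower():
                path = os.path.join(dirpath, fname)
                copies[path] = sha256_of(path)
    return copies

def assess(windows_root, name="rpcss.dll"):
    """Compare the live System32 copy against every spare copy found."""
    live = os.path.normcase(os.path.join(windows_root, "System32", name))
    copies = {os.path.normcase(p): h for p, h in find_copies(windows_root, name).items()}
    spares = {p: h for p, h in copies.items() if p != live}
    if live not in copies:
        return {"status": "live-copy-missing", "spares": spares}
    matching = sorted(p for p, h in spares.items() if h == copies[live])
    # Assumption: an untouched system file is byte-identical to at least one
    # component-store (WinSxS) copy; a live file matching none needs review.
    status = "matches-spare" if matching else "no-matching-spare"
    return {"status": status, "live_sha256": copies[live],
            "matching": matching, "spares": spares}

def build_tree(layout):
    """Create a constructed Windows-like tree: {relative dir: file bytes}."""
    root = tempfile.mkdtemp()
    for rel_dir, data in layout.items():
        os.makedirs(os.path.join(root, rel_dir))
        with open(os.path.join(root, rel_dir, "rpcss.dll"), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    # Constructed sample: live copy differs from both spares.
    root = build_tree({
        "System32": b"MZ constructed original + extra bytes",
        os.path.join("winsxs", "amd64_constructed_a"): b"MZ constructed original",
        os.path.join("winsxs", "amd64_constructed_b"): b"MZ constructed update",
    })
    result = assess(root)
    print(result["status"], len(result["spares"]))
```

Point `assess()` at the Windows directory of the affected volume (for example a mounted offline disk); a `live-copy-missing` result corresponds to the state described in the thread where the file was removed but not replaced.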

No Quarantine folder. Here are the logs.

Looks good, just some adware to clear

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.