Need help removing URL:Mal svchost.exe

Avast alerted me to an infection / malicious website, and I’m seeking help locating and removing it.
Object = sso.anbtr.com/domain/wpad.work
Infection = Url:Mal
Process = C:\windows\system32\svchost.exe
I am running Windows 10 Pro 64-bit
Thanks in advance

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

OK, here are the scan logs you requested.

Open FRST and in the search box copy/paste the following:

sso.anbtr.com;wpad.work

Then press search registry
On completion a text pad will be produced
Please attach that

Also, do you use this computer for work?

No, my wife does accounts for a friend on it.

Hmm, not seeing it in the registry.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your Desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool
[*]Click the Scan button and wait for the process to complete.
[*]Click the logfile button and the log will open in Notepad
[*]Click on the Clean button and follow the prompts.
[*]A log file will automatically open after the scan has finished and the PC has rebooted.
[*]Please post the content of that log file with your next answer.
[*]The report will be saved in the C:\AdwCleaner folder.

OK, here it is.

OK, after I press Clean the program freezes and stops responding = Not Responding,
but here is the log file.

Hmm, could you reboot and then run AdwCleaner again please? Is Avast still alerting?

OK, I rebooted twice and the same thing happens: the program locks up when I click on Clean,
but I attached the logfile and it's still alerting.

OK, let's now try this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Tcpip\Parameters: [DhcpNameServer] 216.131.91.251 216.131.91.252 208.67.222.222
Tcpip\..\Interfaces\{cfc12fb4-2711-4ae6-ba2e-e3bf02891a74}: [DhcpNameServer] 216.131.91.251 216.131.91.252 208.67.222.222
S2 ClanoyplkulyCoreberweckfadeck.exe; "C:\Program Files (x86)\Wuzokrermupy\ClanoyplkulyCoreberweckfadeck.exe" {C25DA384-2010-45A4-A1ED-BFA540D4789B} {9DC74CD5-24EA-4ADE-9C42-608A8CE17116} [X]
C:\Program Files (x86)\Wuzokrermupy
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Here's the fixlog, and Avast is alerting me even more often now, every few seconds.
Process = c:\windows\system32\dllhost.exe
Also got the Clean function to work in safe mode, and here are the results.

Essexboy will be back online tomorrow, usually after 15:00 European time.

Could I have a fresh FRST scan please, and a screenshot of the Avast alert?

Here are the results.
Pics won't upload; it says they are too big, 1 = 4.mb. Is there any way to reduce them first??

next pic

Try this one and let me know how it goes

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
ShellExecuteHooks: - {6710C780-E20E-4C49-A87D-321850ED3D7C} - No File [ ]
Tcpip\Parameters: [DhcpNameServer] 216.131.91.251 216.131.91.252 208.67.222.222
Tcpip\..\Interfaces\{cfc12fb4-2711-4ae6-ba2e-e3bf02891a74}: [DhcpNameServer] 216.131.91.251 216.131.91.252 208.67.222.222
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg.dll => No File
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll => No File
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\TmIEPlg32.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1009\FirefoxExtension => not found
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1072296 2016-07-08] (Enigma Software Group USA, LLC.)
2016-07-08 22:51 - 2016-07-08 22:51 - 00022704 _____ C:\WINDOWS\system32\Drivers\EsgScanner.sys
2016-07-08 15:35 - 2016-07-08 15:35 - 00009084 _____ C:\WINDOWS\System32\Tasks\Clanoyplkuly Core
2016-07-08 15:34 - 2016-07-08 15:35 - 00000000 ____D C:\Users\Owner\AppData\Local\prersszincultgroduch
2016-07-07 21:25 - 2016-07-07 21:25 - 00000000 _____ C:\autoexec.bat
2016-07-07 21:24 - 2016-07-08 22:53 - 00000000 ____D C:\Users\Owner\AppData\Roaming\Enigma Software Group
Task: {C6F309AA-E19B-4E83-BED5-07DE556FD7CF} - System32\Tasks\Clanoyplkuly Core => C:\Program Files (x86)\Wuzokrermupy\ClanoyplkulyCoreshercergenaqaty.exe
C:\Program Files (x86)\Wuzokrermupy
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

latest fixlist

Hi Essexboy, how does this malware or virus get on your computer? Because I installed Avast on my mother-in-law's computer and the same 2 popup messages started appearing, and that computer has no programs installed.

Was your mother-in-law using your router?