svchost.exe connects to malicious sites

Hello Avast forum,

Just like a lot of people here, I’m also getting the dreaded 14 or so messages that svchost.exe connects to a site to download malware.
The urls are random, but it tries to download a .dll
Example: “http://reddienet/4141/TrimModule_142669093016272dll” (real dots replaced so no URL is generated, for safety reasons :))

I’ve tried everything in my power to remove it, but no success…
I’ve run the Farbar Recovery Scan Tool as requested in other posts and attached the logs to this post.

I really hope some of you guys can help me. If you need further information, do ask :slight_smile:
Thanks in advance!

EDIT: Updated the OP with 2 additional logs.
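As an added illustration (not from the original post or from any of the tools mentioned in the thread), a defender-side check over constructed outbound-connection log lines that flags the symptom described above: svchost.exe fetching .dll files with long numeric suffixes from changing hosts. The log format, hostnames and module names are assumed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of outbound-connection log lines in the shape
# "<time> <process> <url>", modelled on the symptom in the thread: svchost.exe
# repeatedly fetching a .dll with a random numeric suffix from changing hosts.
# Hostnames use the reserved .invalid TLD; they are placeholders, not indicators.
SAMPLE_LOG = """\
10:01:02 svchost.exe http://host-a.invalid/4141/TrimModule_142669093016272.dll
10:01:09 svchost.exe http://host-b.invalid/9902/TrimModule_142669093016911.dll
10:01:15 chrome.exe http://updates.example.invalid/release-notes.html
10:01:20 svchost.exe http://ctldl.example.invalid/disallowedcertstl.cab
10:01:31 svchost.exe http://host-c.invalid/17/UpdModule_142669093017004.dll
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)$")
# A module name ending in a long run of digits, e.g. Name_1426...dll
DLL_RE = re.compile(r"/[A-Za-z]+_\d{10,}\.dll$", re.IGNORECASE)


def parse_log(text):
    """Parse lines into (time, process, url) tuples, skipping malformed ones."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["time"], m["proc"].lower(), m["url"]))
    return out


def flag_svchost_dll_downloads(text):
    """Return URLs where svchost.exe fetches a randomly named .dll over HTTP."""
    return [url for _, proc, url in parse_log(text)
            if proc == "svchost.exe" and DLL_RE.search(url)]


def hosts_per_process(text):
    """Count distinct hosts contacted per process; many hosts in a short
    window is the 'random URLs' symptom from the thread."""
    hosts = defaultdict(set)
    for _, proc, url in parse_log(text):
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        hosts[proc].add(host.lower())
    return {p: len(h) for p, h in hosts.items()}


if __name__ == "__main__":
    for url in flag_svchost_dll_downloads(SAMPLE_LOG):
        print("suspicious:", url)
    print(hosts_per_process(SAMPLE_LOG))
```

A legitimate svchost.exe download (the .cab fetch in the sample) is not flagged by the name rule, but it still counts toward the distinct-host tally, so the two checks are best read together.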

Hello,

Please follow this topic and attach required reports

https://forum.avast.com/index.php?topic=53253.0

My apologies, I’ve updated the opening post.
(aswmbt.exe found something called “Minitoolbox.exe”, but it’s an application in the Farbar malware suite, is this a false positive?)

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

[*]Right-click on the TDSSKiller icon and select Run as Administrator to start the tool.
[*]Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
[*]Your machine may appear very slow and unusable after that - it’s normal.
[*]TDSSKiller will run automatically. Click on Change parameters and click OK.
[*]Click the Start Scan button and wait patiently.

If anything is found, follow these guidelines:

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.
[*]If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
If Cure is not available, please choose Skip instead.
[*]Do not choose Delete unless instructed!

A report will be created in your root directory (usually the C:\ drive) in the form of TDSSKiller.[Version][Date][Time]_log.txt. Please include the contents of that file in your next post.

As requested, I’ve attached the log of TDSSKiller. No threats were found.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that the Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

As requested, I’ve attached the 2 new logfiles of the Farbar Recovery Scan Tool.

Fix with Farbar Recovery Scan Tool

[B]This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.[/B]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Fixlog.txt attached. The svchost.exe message isn’t appearing @ the first reboot. Looks promising :slight_smile:

Very good. Keep me updated.

I will keep an eye on the message. I’ll keep you informed. If the message hasn’t shown itself after Saturday I’ll post it here.
Just for curiosity, what was the process that you killed with the fix? I’ve read it but couldn’t figure it out…

That is author’s secret :wink:

Hah, good response. 8) Ty very much. I’ll keep you posted.

Just a question. Is it safe to use my PC for money business and other secure things?
I’ve read about the TDL4 botnet that was (partially) present in my system. (Am I right?)
Or is a clean reinstall the best way to be safe?

Yes, a clean install will be the best and safest option.

I didn’t want to take the security risk so I reinstalled Windows. This way I can trust my PC again.

Thank you for your help. Topic may be closed :slight_smile: