SVCHOST Malicious url keeps popping up

Hi,

Let’s do this…

Download GMER Rootkit Scanner from here or here.

- Extract the contents of the zipped file to the desktop.
- Right-click GMER.exe and Run as Administrator. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run a scan…click on NO.

- In the right panel, you will see several boxes that have been checked. Uncheck the following …
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:)
- Show All (don’t miss this one)

- Then click the Scan button & wait for it to finish.
- Once done, click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file, which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.

Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.

Hi Jeff

The only way I could get into Windows was Safe Mode With Networking. Did this, and got GMER, ran it as administrator, but cannot proceed with your instructions because a bunch of stuff is greyed out; please see the attached image.

My main concern right now is: how can I possibly load into Windows (not Safe Mode)? I have deadlines to meet and not being able to get on my PC is panicking, to say the least! :frowning:

Thank you!
Karen

Hi Jeff,

Actually was able to get Windows loaded normally but it is running Verrrrry slowly. I open up windows explorer and right-click on gmer.exe and it’s taking Forrrever (spinning circle, Not Responding). Very abnormal. Finally after about 3 minutes the right-click menu presents itself and I choose ‘run as administrator’.

Nothing will open… Gmer won’t open… Task Manager won’t open… Chrome won’t open…

At a loss here :frowning:

Hi,

Sorry to see so many problems with your system. I was looking over your logs and believe that, along with all the illegal software that CKScanner picked up, the ZeroAccess rootkit came aboard with some of that software as well. Just so you know, that infection is the real deal.

Since you are only able to boot to Safe Mode please do the following…

Please download TDSSKiller.zip

- Extract it to your desktop
- Double click TDSSKiller.exe
- When the window opens, click on Change Parameters
- Under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- Click OK
- Press Start Scan
- Only if Malicious objects are found, then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:)


Hi Jeff - I am currently running a full Malwarebytes scan on my PC in Safe Mode - do you want me to cancel that and do the following, or wait until it is complete?

Thank you,
Karen

You can wait until it is complete. Then run TDSSKiller and attach both of the logs then. :slight_smile:

Hi Jeff

Attached are the logs from Malwarebytes and TDSSKiller.

Thank you,
Karen

Download FIXTDSS.

Launch it. It may ask for a restart. Reboot the PC.

On reboot, let me know what it finds.

Reboot in safe mode w/ Networking? Or try Normal mode this time?

Hi,

Try in Normal Mode…if it won’t work give it a try in Safe Mode with Networking. :slight_smile:

Hi Jeff,

Restarted in normal mode, it didn’t find anything. But my PC is back to “working” like normal, i.e. not running slow.

Not sure about the original problem yet though, since I need to wait and see if that pops up again with Avast.

What now? :slight_smile:

Karen

Okay, original problem still exists… still Malicious URL blocked issue… :frowning:

Hi,

Do you know how to take a screenshot? If you do, please take a screenshot of the popup the next time that it happens. We may just be dealing with a False Positive (FP).

Yes I will take a screenshot. Every day it’s a new url though… but always svchost.exe

Thank you,
Karen

Ok great! That might shed more light.

Hi Jeff,

Here is the screen shot attached

Thank you
Karen

Hi,

Ok…

OTL

- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, underneath Output at the top, change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- In Custom Scans/Fixes put the following:
netsvcs
/md5start
consrv.dll
/md5stop
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.
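For readers who want to see what those two custom-scan directives actually inspect, here is an added PowerShell script (not part of the thread and not OTL’s own code) that collects the same information with built-in cmdlets: the services in the “netsvcs” svchost.exe group with the DLL each one loads, and the presence, MD5 and signature status of System32\consrv.dll. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt; the registry paths are the standard svchost and Services keys, and nothing in it is taken from Karen’s logs.

```powershell
# Added example (not from the thread or from OTL). Requires PowerShell 4+ and an
# elevated prompt. Lists the services in the "netsvcs" svchost.exe group with the
# DLL each one loads, then reports on System32\consrv.dll (the file Jeff hashes).
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-NetsvcsReport {
    # "netsvcs" is a REG_MULTI_SZ naming every service hosted by the netsvcs
    # svchost.exe group; the ServiceDll of each is the code that really runs
    # inside that svchost.exe, which is why a DLL-based infection shows up here.
    $names = (Get-ItemProperty -Path $svchostKey -Name netsvcs).netsvcs
    foreach ($name in $names) {
        $paramKey = Join-Path $servicesKey "$name\Parameters"
        $dll = $null
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        }
        $status = 'no ServiceDll (not installed or an EXE service)'
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            # Catalog-signed Microsoft DLLs report NotSigned on older Windows
            # builds, so compare with a clean machine before drawing conclusions.
            $status = if (Test-Path $dll) {
                (Get-AuthenticodeSignature -FilePath $dll).Status
            } else { 'MISSING FILE' }
        }
        [PSCustomObject]@{ Service = $name; ServiceDll = $dll; Signature = $status }
    }
}

function Get-ConsrvReport {
    # Same information OTL's /md5start consrv.dll /md5stop block collects,
    # limited to the System32 copy: presence, MD5 and signature status.
    $path = Join-Path $env:SystemRoot 'System32\consrv.dll'
    if (-not (Test-Path $path)) {
        return [PSCustomObject]@{ Path = $path; Present = $false }
    }
    [PSCustomObject]@{
        Path      = $path
        Present   = $true
        MD5       = (Get-FileHash -Path $path -Algorithm MD5).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $path).Status
    }
}

Get-NetsvcsReport | Format-Table -AutoSize
Get-ConsrvReport  | Format-List
```

As with the GMER caution earlier in the thread, an unsigned or missing ServiceDll is something to report to the helper alongside the logs, not something to delete by hand.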

Hi Jeff,

Did what you said, but it only created OTL.txt, and that file is way too large to put in a post, so I’ve attached it here.
(The post maximum is 10000 characters.)

Thank you,
Karen

Just attach all logs. :slight_smile:

I did, the only log it created was OTL.txt which I attached in my prior post.