svchost problem

I got an alert about svchost opening a URL (hxxp://getusaaall.info/…).

wdwpower

Hi,

=> Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-click to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] - save the report to the Desktop (named ARK);

Here are some logs as attachments.

Sorry, but I executed the scan twice after cleaning up. Thus I have no “Addition.txt” any more.

The “Addition.txt” is now available by turning it on in the “Optional Scan”.

Hi,

Remove the IObit programs and then execute the FixList. The FixList will not target the IObit programs.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
File: E:\Windows\system32\HPZinw12.dll
Reboot:
E:\Program Files (x86)\SW-Booster
E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
E:\Users\Willy\AppData\Local\Slick Savings
E:\ProgramData\InstallMate
E:\Users\Willy\AppData\Local\Temp\NEventMessages.dll
E:\Users\Willy\AppData\Local\Temp\NOSEventMessages.dll
Hosts:
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs: E:\Program Files (x86)\SW-Booster\Assistant_x64.dll => E:\Program Files (x86)\SW-Booster\Assistant_x64.dll File Not Found
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=155&itype=n&ver=13001&tm=390&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fastsearchings.info/?l=1&q={searchTerms}&pid=1741&r=2014/06/27&hid=12424471894103342587&lg=EN&cc=BE&unqvl=56
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=155&itype=n&ver=13001&tm=390&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fastsearchings.info/?l=1&q={searchTerms}&pid=1741&r=2014/06/27&hid=12424471894103342587&lg=EN&cc=BE&unqvl=56
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&aid=155&itype=n&ver=13001&tm=390&src=ds&p={searchTerms}
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fastsearchings.info/?l=1&q={searchTerms}&pid=1741&r=2014/06/27&hid=12424471894103342587&lg=EN&cc=BE&unqvl=56
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - No File
CHR Extension: (No Name) - E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-26]
CHR Extension: (No Name) - E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-07-03]
CHR Extension: (No Name) - E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-26]
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - E:\Users\Willy\AppData\Local\Slick Savings\coupons.crx [2014-06-29]
R3 ALSysIO; \??\E:\Users\Willy\AppData\Local\Temp\ALSysIO64.sys [X]
U3 fgloqpod; \??\E:\Users\Willy\AppData\Local\Temp\fgloqpod.sys [X]
CMD: ipconfig /flushdns
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
CMD: RD /S /Q %WINDIR%\TEMP
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
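For readers who want to understand what a fixlist like the one above will touch before pressing Fix, here is an added example (my own code, not from this thread, from FRST or from Farbar) that parses the directive lines into grouped findings. It assumes the "Start" ... "End" layout and the line forms quoted above; the sample input is a constructed subset of those lines. The IFEO entries are worth singling out: an Image File Execution Options "Debugger" value makes Windows start the named program instead of the image, so pointing it at tasklist.exe silently prevents those adware executables from ever running. FRST lists such entries because they are non-default registry changes, regardless of who put them there.

```python
"""Parse an FRST fixlist into grouped findings for review.

Added example (not code from the thread, FRST, or Farbar). It assumes the
'Start' ... 'End' directive layout and the line forms quoted in the thread;
the sample below is a constructed subset of those lines.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample input: a subset of the fixlist posted in the thread.
SAMPLE_FIXLIST = r"""Start
File: E:\Windows\system32\HPZinw12.dll
Reboot:
E:\Program Files (x86)\SW-Booster
E:\Users\Willy\AppData\Local\Temp\NEventMessages.dll
Hosts:
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs: E:\Program Files (x86)\SW-Booster\Assistant_x64.dll => E:\Program Files (x86)\SW-Booster\Assistant_x64.dll File Not Found
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2476} URL = http://www.default-search.net/search?sid=476&p={searchTerms}
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fastsearchings.info/?l=1&q={searchTerms}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - No File
CHR Extension: (No Name) - E:\Users\Willy\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-26]
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - E:\Users\Willy\AppData\Local\Slick Savings\coupons.crx [2014-06-29]
R3 ALSysIO; \??\E:\Users\Willy\AppData\Local\Temp\ALSysIO64.sys [X]
U3 fgloqpod; \??\E:\Users\Willy\AppData\Local\Temp\fgloqpod.sys [X]
CMD: ipconfig /flushdns
CMD: RD /S /Q %TEMP%
End
"""

# Line shapes as they appear in the fixlist (assumed from the quoted lines).
IFEO_RE = re.compile(r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<debugger>.+)$")
SCOPE_RE = re.compile(
    r"^SearchScopes:\s*(?P<hive>\S+)\s*-\s*(?:DefaultScope\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s*URL\s*=\s*(?P<url>\S+)"
)
# Chrome extension IDs are 32 characters drawn from a-p.
CHR_EXT_RE = re.compile(r"(?:Extensions\\|\[)(?P<ext_id>[a-p]{32})(?:\]|\b)")
DRIVER_RE = re.compile(r"^(?P<start>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<path>.+?)(?:\s+\[X\])?$")
CMD_RE = re.compile(r"^CMD:\s*(?P<cmd>.+)$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def classify(line):
    """Map one fixlist line to (category, extracted value)."""
    m = IFEO_RE.match(line)
    if m:
        return "ifeo", (m["image"], m["debugger"])
    m = SCOPE_RE.match(line)
    if m:
        # Keep only the host: that is what you would hunt for in proxy/DNS logs.
        return "search_scopes", (m["hive"], m["clsid"], urlparse(m["url"]).hostname)
    if line.startswith("CHR "):
        m = CHR_EXT_RE.search(line)
        return "chrome_extensions", (m["ext_id"] if m else line)
    m = DRIVER_RE.match(line)
    if m:
        return "drivers", (m["start"], m["name"], m["path"])
    m = CMD_RE.match(line)
    if m:
        return "commands", m["cmd"]
    if WIN_PATH_RE.match(line):
        return "paths", line
    return "other", line


def parse_fixlist(text):
    """Return {category: [values]} for the directives between Start and End."""
    findings = defaultdict(list)
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Start", "Start::"):
            in_body = True
            continue
        if line in ("End", "End::"):
            break
        if in_body:
            category, value = classify(line)
            findings[category].append(value)
    return dict(findings)


def summarize(findings):
    """Count findings per category for a one-line triage overview."""
    return {category: len(items) for category, items in findings.items()}


if __name__ == "__main__":
    result = parse_fixlist(SAMPLE_FIXLIST)
    for category, items in result.items():
        print(f"{category} ({len(items)}):")
        for item in items:
            print("   ", item)
```

Lines the parser does not recognise (Hosts:, Handler:, AppInit_DLLs:, the Run entry) land in "other" so nothing in the fix is silently dropped from the review; extend `classify` with a new pattern when you meet a directive form you care about.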

Included the fixlog

Problem not solved.

BTW, why should I uninstall the IObit programs? I never had a problem with them. I’m using only the Defrag.

While reading the threads about svchost I found the solution (I think).
In the following thread https://forum.avast.com/index.php?topic=151804.0 the program ComboFix solved the problem.
About 2 hours ago I applied it on my system; no alerts anymore.
Please give some feedback.

Have you read the disclaimer of the ComboFix tool?
Then read this official disclaimer:
http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

Post me CF’s log file. You will find the log at C:\ComboFix.txt