svchost URL: Mal Help

Avast is continuously popping up with
Avast! Web Shield has blocked a harmful webpage or file.
Object: hxtp://getmuzicas.info/?e=pcho…
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

AND

avast! Web Shield has blocked a harmful webpage or file.
Object: hxtp://getusaall.info/?e=pcho…
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

If anyone could help, just talk me through what I need to do to fix this issue

Follow instructions … attach requested logs https://forum.avast.com/index.php?topic=53253.0

I believe these are all the logs

I’m on it. Be right back …

Please know that we do not have a guaranteed fix for Windows 8.1 systems (this is the new ‘thing’ and we can’t locate the payloads), but I have a few ideas that I would like to try…

Tell me, will this fix your problem?

The following FixList shall tell FRST to aggressively remove the complete content of the default $Temp folders without any exception. I am not a fan of using this kind of force on a legit folder, but that may fix the problem …

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

C:\Users\Haley\AppData\Local\Temp
Reboot:

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Here is the new log

and I’m still receiving pop-ups from avast saying a threat has been detected

Now please create and execute this FixList and post here the freshly created FixLog.

cmd: dir %temp%

Alright

Ok, now create and execute this FixList and post here the freshly created FixLog. A system reboot shall be required.

=> Also, two files shall be created and saved at C:\ named export1.reg and export2.reg.
Please attach these two files back here.

Start
REG: reg export HKLM\SOFTWARE\Classes\TypeLib C:\export1.reg
REG: reg export HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib C:\export2.reg
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ip reset
CMD: netsh winsock reset catalog
Folder: C:\ProgramData\a477036ef122ffa1
Folder: C:\Users\HomeGroupUser$\AppData\Local\Comodo
Folder: C:\Users\Haley\AppData\Local\Comodo
Folder: C:\Users\Guest\AppData\Local\Comodo
Folder: C:\Users\Administrator\AppData\Local\Comodo
Folder: C:\WINDOWS\system32\oobe
Hosts:
BHO-x32: No Name - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - No File
BHO-x32: Oovoo Toolbar - {4F564F32-5637-006A-76A7-7A786E7484D7} - "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\OVO2V7\Passport.dll" No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - Oovoo Toolbar - {4F564F32-5637-006A-76A7-7A786E7484D7} - "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\OVO2V7\Passport.dll" No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {4F564F32-5637-006A-76A7-7A786E7484D7} - No File
CHR StartupUrls: "hxxp://player.tritonmedia.com/entercom/KRBZFM"
CHR Extension: (poricechoup) - C:\Users\Haley\AppData\Local\Google\Chrome\User Data\Default\Extensions\dehpgodffdgfjaohibppgblfdhkhmkdj\3.9 [2014-07-10]
CHR HKCU\...\Chrome\Extension: [eihlgbnhhkigaajnpjohgjldcmdhjiol] - C:\Users\Haley\AppData\Local\CRE\eihlgbnhhkigaajnpjohgjldcmdhjiol.crx [2013-08-28]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Reboot:
C:\Program Files (x86)\AskPartnerNetwork
C:\Users\Haley\AppData\Local\Google\Chrome\User Data\Default\Extensions\dehpgodffdgfjaohibppgblfdhkhmkdj
C:\Users\Haley\AppData\Local\CRE\eihlgbnhhkigaajnpjohgjldcmdhjiol.crx
C:\WINDOWS\ACF5FE1B377240688B872D2A6EFD0A05.TMP
C:\Users\Haley\AppData\Local\Temp
End

Then …

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

1. Type {157B1AA6-3E5C-404A-9118-C1D91F537040} into the Search: field in FRST, then click the Search Registry button.
2. FRST will search your computer and when finished it will produce a log, Search.txt, in the same directory the tool is run from.
3. Please attach it to your reply.
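A fixlist like the one above mixes registry exports, network resets, browser-item removals and outright deletions, so it helps to inventory what it will do before pressing Fix. The following is an added example written for this thread, not FRST's own code or anything posted by the participants: a small Python parser that classifies fixlist directives. The fixlist embedded in it is a constructed subset of the one posted above.

```python
import re

# Constructed sample: a subset of the fixlist posted in the thread.
SAMPLE_FIXLIST = """\
Start
REG: reg export HKLM\\SOFTWARE\\Classes\\TypeLib C:\\export1.reg
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
Folder: C:\\ProgramData\\a477036ef122ffa1
Hosts:
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
CHR HKLM\\SOFTWARE\\Policies\\Google: Policy restriction <======= ATTENTION
Reboot:
C:\\Users\\Haley\\AppData\\Local\\Temp
End
"""

# Directive keyword up to the first colon; CHR lines carry their key before the colon.
DIRECTIVE_RE = re.compile(r"^(REG|CMD|Folder|Hosts|Toolbar|BHO(?:-x32)?|CHR[^:]*):\s*(.*)$")
# A bare absolute Windows path on its own line is a file or folder to delete.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_fixlist(text):
    """Group the lines of a fixlist by the kind of change each one causes."""
    report = {"control": [], "commands": [], "deletions": [], "hosts_reset": False,
              "browser_items": [], "attention": [], "unknown": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Start", "End", "Reboot:"):          # script structure / reboot request
            report["control"].append(line)
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            kind, arg = m.group(1), m.group(2).strip()
            if kind in ("REG", "CMD"):                    # shell commands FRST will run
                report["commands"].append(arg)
            elif kind == "Folder":                        # folder removed with its contents
                report["deletions"].append(arg)
            elif kind == "Hosts":                         # hosts file reset to default
                report["hosts_reset"] = True
            else:                                         # BHO / Toolbar / Chrome entries
                report["browser_items"].append(line)
                if "ATTENTION" in line:                   # items FRST itself flagged
                    report["attention"].append(line)
        elif PATH_RE.match(line):
            report["deletions"].append(line)
        else:
            report["unknown"].append(line)                # review anything unrecognised
    return report
```

Reviewing `report["deletions"]` and `report["commands"]` before running is the point: in the thread's fixlist the deletions include the whole user Temp folder and the commands reset the TCP/IP stack.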

Here you go

and the last two

Can you re-upload the export reports (keys) from your PC to this hosting site please.

http://www.wikisend.com

Post me the download links.

export1.reg

export2.reg

Ok, I have no luck. :frowning: I can’t locate the loading point nor the payloads.

I’ll have to think about it …

Oh no :frowning: if you think of anything else let me know

Ok, I would like to try one more thing …

Download AVZ Antiviral Toolkit from the following link:

http://support.kaspersky.com/downloads/utils/avz4.zip

1. Extract the archive to a folder.
2. Run AVZ (double-click the AVZ icon);
3. Click on File > Custom Scripts;
4. In the new window that opens, copy/paste everything inside the code field:

begin
ShowMessage('Attention! Before performing the AVZ script this shall automatically close all network connections.' + #13#10 + 'After the computer restarts the network connection will be restored automatically');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
then
  begin
   SearchRootkit(true, true);
   SetAVZGuardStatus(True);
  end;
DeleteFileMask('%Tmp%' , '*.*' , true) ;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

5. Click Run and wait for the script to execute.

I will not give up, I just need time to think and locate what avast! flags. This is a generic detection and you are not infected.

Run AVZ …

@hal.wils3

How is your progress with AVZScript? Any luck?

I ran the AVZ script you gave me and rebooted my computer but I’m still getting the avast! pop ups