svchost virus

Hello, I have a message that pops up every time I start my computer, whether I boot it or wake it from sleep. It says Avast just blocked a virus from svchost. I saw another post on how to fix it, but it said that the solution would only work for a specific computer, and I should start my own topic to resolve the problem. When the virus pops up it says:
(btw sometimes the url is different)
Url: xttp://epictory.com/4242/SectionDouble_142669563087016.dll
Infection: URL.Mal
Process: C:\Windows\System32\svchost.exe
Please help, I only have 6 days of trial from Avast and I won't have the money to pay till after 6 days.

https://forum.avast.com/index.php?topic=53253.0

First, can you please break the active link to prevent accidental exposure to a suspect link. Change the http to hXXp and it won't be active.

This domain epictory.com certainly has some history as a malicious site - see image attachment of an extract of a search on that domain.

There appears to be a hidden malware element using svchost.exe to connect (highly suspect) to this malicious site. Follow Eddy’s link to start the ball rolling to produce the logs so someone can help remove this.

How do I change the active link to HXXp?
Thank you very much for the help.

You already changed the link I see, now please attach the requested logs to your next post.

Thank you for the help Eddy, but I do not remember changing anything. Does Avast automatically do it for me? Here is the first scan log and everything that it found is in quarantine.
Thank you very much.

What we need are the Farbar log files and the mbam log file.
And please do not change the name(s) of the log file(s).

I do not have a name for the mbam log file, I will just put mbam scan log.
Thank you very much Eddy.

And here is the aswMBR file. I also got a file on my desktop called MBR.dat. Should I just leave it there or move it?
Thank you very much Eddy.

You didn’t change it, one of the Moderators did, if you look at the bottom of that post you will see « Last Edit: Yesterday at 07:43:09 by Milos »

For the future, you simply use the Modify button/text that is in the top right of the post. Then it is just a substitution/edit of the URL, changing the http by replacing it with hXXp or any other substitution so it is no longer recognised as a correct URL and made active.

Ok thank you very much

You’re welcome.

In the meantime I will try to attract some attention to your logs.

Hi, it looks like Lenovo has entered the adware market

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
AppInit_DLLs: C:\PROGRA~2\LenovoBrowserGuard\LenovoBrowserGuard\bin\SPVC64Loader.dll => C:\Program Files (x86)\LenovoBrowserGuard\LenovoBrowserGuard\bin\SPVC64Loader.dll [206152 2014-08-25] (ClientConnect LTD)
AppInit_DLLs-x32: c:/progra~3/{c49f2~1/193~1.1/cori.dll => c:\ProgramData\{C49F2C5C-941D-FDDA-259B-8D58F5195ED6}\1.9.3.1\cori.dll [1010688 2015-04-04] ()
AppInit_DLLs-x32: c:\progra~2\lenovobrowserguard\lenovobrowserguard\bin\spvc32loader.dll => c:\Program Files (x86)\lenovobrowserguard\lenovobrowserguard\bin\spvc32loader.dll [173896 2014-08-25] (ClientConnect LTD)
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:53291;https=127.0.0.1:53291
ProxyServer: [S-1-5-21-4193250072-3854272375-3513438132-1001] => http=127.0.0.1:47574
CHR StartupUrls: Default -> "hxxp://taplika.com/?f=7&a=tpl_installertech_15_14&cd=2XzuyEtN2Y1L1Qzu0DtByB0EtAyDtB0CtDzytBtDyByCzz0CtN0D0Tzu0StCtCzzzytN1L2XzutAtFzytFzztFtDtN1L1Czu2Z1E1I1V1L1G1B2Z1T1I1I1P1C2Z1P1R1MtN1L1G1B1V1N2Y1L1Qzu2StAtA0CyDzy0BzytAtG0CyByCyBtG0CzztDyCtGtA0F0AyCtGtCtCyD0ByEtD0AtC0FtByDyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDyDyC0A0E0EtCtDtGtBzz0DtAtGyE0A0CyDtG0B0BtDtBtGtC0FtA0CtBtB0E0ByDyD0Fzz2QtN0A0LzuyEtN1B2Z1V1T1S1NzuyCyDzz&cr=1701368443&ir=", "hxxp://www.google.com/"
2015-04-25 08:32 - 2015-04-25 08:32 - 00000118 _____ () C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2015-04-23 17:24 - 2015-04-23 17:24 - 00000401 _____ () C:\windows\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2015-04-05 01:02 - 2015-04-05 01:02 - 00000000 __SHD () C:\Users\Shay\AppData\Local\EmieBrowserModeList
2015-04-04 18:53 - 2015-04-04 19:24 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro
2015-04-04 18:52 - 2015-04-04 18:52 - 00000000 ____D () C:\ProgramData\{C49F2C5C-941D-FDDA-259B-8D58F5195ED6}
C:\Program Files (x86)\LenovoBrowserGuard
c:\ProgramData\{C49F2C5C-941D-FDDA-259B-8D58F5195ED6}
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated, please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on “Clean”.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S0].txt as well.
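The fixlist above removes two AppInit_DLLs entries (DLLs that get loaded into every process that maps user32.dll, which is why the blocked connections appear to come from svchost.exe), clears a per-user proxy pointed at 127.0.0.1, and resets BITS jobs. As an added, read-only audit of those same three locations (example code written for this thread, not part of FRST or the original posts), the script below lists what is currently set so a reader can check a machine before and after a clean-up. The registry paths are the standard Windows ones; the "Suspicious" flag for a loopback proxy is an assumed heuristic, not an FRST rule. Run it in an elevated PowerShell; nothing is modified.

```powershell
# Added example: read-only audit of AppInit_DLLs, per-user WinINET proxy
# settings and pending BITS jobs. Standard registry paths; no changes made.

function Get-AppInitDlls {
    # 64-bit and 32-bit (Wow6432Node) AppInit_DLLs values, plus the flags
    # that control whether they are loaded at all.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key                      = $k
                AppInit_DLLs             = $p.AppInit_DLLs
                LoadAppInit_DLLs         = $p.LoadAppInit_DLLs
                RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
            }
        }
    }
}

function Get-UserProxySettings {
    # Walk every loaded user hive (including .DEFAULT, as in the fixlist) and
    # report any proxy that is enabled or set. A proxy on 127.0.0.1 usually
    # means a local process is sitting in front of the browser (assumed heuristic).
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($h in $hives) {
        $k = "Registry::$($h.Name)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
                [pscustomobject]@{
                    Hive        = $h.PSChildName
                    ProxyEnable = $p.ProxyEnable
                    ProxyServer = $p.ProxyServer
                    Suspicious  = [bool]($p.ProxyServer -match '127\.0\.0\.1|localhost')
                }
            }
        }
    }
}

function Get-PendingBitsJobs {
    # Same population that "bitsadmin /reset /allusers" clears; listed, not removed.
    try {
        Import-Module BitsTransfer -ErrorAction Stop
        Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount
    } catch {
        Write-Warning "BitsTransfer module not available: $($_.Exception.Message)"
    }
}

"== AppInit_DLLs =="
Get-AppInitDlls | Format-List
"== Per-user proxy settings =="
Get-UserProxySettings | Format-Table -AutoSize
"== BITS jobs (all users) =="
Get-PendingBitsJobs | Format-Table -AutoSize
```

On a clean machine the AppInit_DLLs values are empty, no hive reports ProxyEnable = 1, and the BITS list holds only Windows Update or store jobs; anything else is worth a closer look, which is what tools such as FRST then do with the actual file paths.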

Here is the Fixlog.txt. Should I restart first or download AdwCleaner first?
Thank you very much essexboy.

Reboot and then run AdwCleaner, the main alert should have ceased now.

Thank you very much essexboy, the problem has gone away. I just have one question, for anybody reading this post. Avast keeps asking me to upgrade, and every time there is a bigger discount. Should I wait until I only have one day left, or should I upgrade now when the discount is at 60%?
Thank you very much, all on this forum. I do not think I would be able to solve my problem without your help.
Shay Mcfly

I am not sure if it gets less than 60%

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Thanks a lot, do you need the delfix .txt file?
Thank you very much essexboy.

I don’t believe that he needs that, generally I can’t recall seeing others posting it after the cleaning up of the tools.

Unfortunately we are playing a bit of time zone ping pong - it is almost 12:30am in the UK and essexboy will be in bed now. He should be back on-line again later today.

No, you can delete that and the programme