URL:Mal from svchost.exe

Good evening,

Every time I start up my computer and connect to the internet I get a URL infection block that originates from svchost.exe. I have been trying to fix this issue for a couple of days using various types of anti-malware software, but none of them have detected anything. I have attached a couple of screenshots of the blocked infection.

http://i.imgur.com/MNOKCCo.png

http://i.imgur.com/zz2G8NB.png

Note: The URL usually changes when I boot up again. I have gotten them from bestdriverstar.net, alwaysisobar.com, anythickago.com, and some others.

https://forum.avast.com/index.php?topic=53253.0

Probably some adware in browsers. Post the logs and I shall target them. :wink:

I have run the Farbar Recovery Tool and Malwarebytes AntiMalware on my computer; here are the FRST.txt and Addition.txt files generated by Farbar, as well as the MBAM results generated by Malwarebytes, which I attached to the post.

Hopefully you can come up with a solution based on the logs that I posted.

Hello,

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

We will start with this, as I would like to see ComboFix’s logs first.


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.


Post me fresh FRST reports, both Addition.txt and FRST.txt, for re-analysis.

I have run ComboFix on my computer, and have also run the FRST scanner. Attached are the files you requested from me after running ComboFix and FRST.

Hello again. Ok, let’s start now …

Since you had used ComboFix (along with TDSSKiller, HitMan Pro, etc.) on your own, first read this. ComboFix is not a tool that is supposed to be used without expert oversight; sUBs, the creator of ComboFix, has gone to great lengths to let people know this, including a clear and succinct message which is displayed every time that ComboFix is run.
http://www.techsupportforum.com/forums/showpost.php?p=1829551
http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/

Next, the logs show no active malware on the system. The previously used tools have left a lot of traces and I need to remove these as well. Now, since there are some Unicode characters in the script for FRST, I need to attach the final FixList.txt.

Please download attached FixList.txt and save it to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

I ran the FRST Fix on my computer using the fixlist file you attached. After running the fix on FRST, my computer restarted.

Attached is the fixlog that was generated after I ran the fix on FRST.

Hi,

The fix isn’t good. We need to repeat the step. Please run FRST one more time and press the Scan button. A fresh FRST.txt log will be generated.

Please post fresh log for reanalysis.

Here is the new log. It did not make a new addition log.

Hello,

Yes, you have a lot of Chrome extensions running alongside the browser. You should go to the browser extensions and remove all you do not use or that aren’t needed.

To access the extensions you may go via menu > Settings > Extensions, or simply copy-paste this into the Chrome URL bar and press Enter:

chrome://extensions/

Info:
https://support.google.com/chrome/answer/113907?hl=en

Then you should reset Chrome settings back to defaults;
https://support.google.com/chrome/answer/113907?hl=en

Now, I see you have been running Zoek on your own. Zoek, too, isn’t a tool that is supposed to be used without expert oversight;
Post me the C:\zoek-results2015-06-20-211839.log log report.
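A more systematic way to review those extensions, as an added example that is not code from the thread or from the helper: it reads each installed extension's manifest.json and flags the ones that can read or rewrite every site or intercept requests, which is exactly what ad-injecting adware needs. The Chrome profile path, the sample manifest and its name are constructed assumptions.

```python
"""Audit Chrome extension manifests for permissions that let an extension read or rewrite
every page (how adware extensions inject ad URLs). Added example; profile path is an assumption."""
import json
from pathlib import Path

# Host patterns that cover every site, and APIs that can alter or redirect traffic.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TRAFFIC_APIS = {"webRequest", "webRequestBlocking", "proxy", "declarativeNetRequest"}
WEB_STORE = "clients2.google.com/service/update2/crx"
# Assumed default location of a Chrome profile's installed extensions on Windows.
DEFAULT_EXT_DIR = Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions"


def audit_manifest(manifest: dict) -> dict:
    """Return name, version and the reasons this extension deserves a look."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):  # injected scripts list their own hosts
        perms |= set(script.get("matches", []))
    flags = []
    if perms & BROAD_HOSTS:
        flags.append("can read/modify every site you visit")
    if perms & TRAFFIC_APIS:
        flags.append("can intercept or redirect requests: " + ", ".join(sorted(perms & TRAFFIC_APIS)))
    update_url = manifest.get("update_url", "")
    if update_url and WEB_STORE not in update_url:
        flags.append("updates from outside the Web Store: " + update_url)
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"), "flags": flags}


def audit_extensions_dir(ext_dir: Path = DEFAULT_EXT_DIR) -> list:
    """Walk <ext_dir>/<id>/<version>/manifest.json and audit every installed extension."""
    results = []
    for manifest_path in sorted(ext_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            result = audit_manifest(json.load(fh))
        result["id"] = manifest_path.parent.parent.name
        results.append(result)
    return results


# Constructed sample manifest (not a real extension) showing the pattern to watch for.
SAMPLE_MANIFEST = {
    "name": "Sample Coupon Helper", "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
    "update_url": "http://updates.example.invalid/crx",
}

if __name__ == "__main__":
    for r in [audit_manifest(SAMPLE_MANIFEST)] + audit_extensions_dir():
        print(r["name"], r["version"], "->", "; ".join(r["flags"]) or "no broad permissions")
```

Extensions with no flags are not necessarily safe, but the flagged ones are the first to remove if you do not recognise them.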

Here is the log from Zoek. I also got rid of the extensions that I did not want from Chrome and reset the browser settings.

How is the computer behavior now?

I have not gotten anymore URL:Mal messages since running the FRST fix.

Glad I could help. Posted logs appear clean and show no signs of active infection. You should be good to go …

We’re gonna remove my used tools now as well as carry out some further cleaning and security settings. To learn more about how to protect yourself I’ll give you a few tips for reading.

The following will implement some post-cleanup procedures:


It is necessary to uninstall ComboFix:

  1. Click Start then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  2. In the line of text type in (copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

  3. Then click OK (or press Enter).

Wait until the uninstall process is complete. This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.


Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like on your own. These are advanced security tools and should not be used without supervision.


Learn how to protect yourself:

=> In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Keeping Java and Adobe updated is a priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader

=> I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

For security protection, an active AntiVirus is required. If you want to reinforce your security setup I recommend additional security software and utilities:
Download and install Malwarebytes’ Anti-Malware and perform a ‘Threat Scan’ from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keep your checkboxes clear, preventing the installation of additional adware and other PUPs.
Download and install AdBlock for safe web surfing without annoying and malicious ads.

Extra text for reading:

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

Please visit FAQ - Answers to common security questions - Best Practices to read tips how to protect yourself against malware infection.

You may also visit and read What to do if your Computer is running slowly? if you would like to read some basic geek stuff.

The specific type of infection:

Meet CryptoPrevent. A security app that shall attempt to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ ;
Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Stay safe.

Best Regards,
magna86

Thank you for your help magna86