It just happened yesterday. I don’t know what caused it as I was just doing what I normally do. Help me, please!
http://i260.photobucket.com/albums/ii21/ragnarok6354/avasterror_zps3ce94cdc.png
Hi jcqln_yu,
And welcome to the forums.
A certified malware expert has been contacted for you. He should be online here in a few hours. You’ve attached the needed logs, so please be patient.
Hello,
From Start > Control Panel remove/uninstall the Ask Toolbar adware. Then …
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
REG: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5347542D-5637-006A-76A7-A758B70C0F00}" /f
Reboot:
C:\Program Files (x86)\AskPartnerNetwork
C:\Program Files (x86)\VNT
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhjloagockgobfpopemejpgjjechcpfd
C:\ProgramData\AskPartnerNetwork
C:\Users\xxx\AruaROSE_v875.exe
C:\Users\xxx\iRosePHOnlineSetup.exe
C:\Users\xxx\AppData\Local\Temp\*.exe
Hosts:
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1956760 2014-06-15] (APN)
HKLM-x32\...\Run: [VNT] => C:\Program Files (x86)\VNT\vntldr.exe [196504 2014-06-15] (APN LLC.)
HKLM-x32\...\Run: [] => [X]
BHO: Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport_x64.dll (APN LLC.)
BHO-x32: Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport.dll (APN LLC.)
Toolbar: HKLM - Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport_x64.dll (APN LLC.)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport.dll (APN LLC.)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKCU - Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport_x64.dll (APN LLC.)
CHR HomePage: hxxp://isearch.avg.com/?cid={D559C65E-6B78-412F-B18F-56D8F5DB8F57}&mid=a58dd9d0ddbb4a3551adf54f4f1f1e51-ad1491be2ce6c122f6b66faa90e70c2decf7d34c&lang=en&ds=st011&pr=sa&d=2012-05-20 20:09:41&v=11.1.0.7&sap=hp
CHR Extension: (No Name) - C:\Users\xxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\nhjloagockgobfpopemejpgjjechcpfd [2013-04-16]
CHR HKLM-x32\...\Chrome\Extension: [aaaailpifkkekipiachodfkfmgmiapmp] - C:\ProgramData\AskPartnerNetwork\Toolbar\SGT-V7\CRX\ToolbarCR.crx [2014-06-22]
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [165784 2014-06-15] (APN LLC.)
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: D - D:\Autorun.exe
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: E - E:\Autorun.exe
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: {05a818d5-1dd6-11e3-9b75-002522cdf170} - E:\LaunchU3.exe -a
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: {4cfc10d2-a443-11e2-a44f-a09d5a298ade} - D:\Setup.exe
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: {6bf2b574-a4cc-11e2-ab24-002522cdf170} - D:\unlock.exe autoplay=true
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: {92396d9c-4d6a-11e3-a425-002522cdf170} - D:\unlock.exe autoplay=true
AlternateDataStreams: C:\Users\xxx\Cookies:8RxM5xznNXLkX1BMDoH4aKDECfNEI
AlternateDataStreams: C:\Users\xxx\Cookies:n2kDABZv60iissDUlAJX78PscQ
AlternateDataStreams: C:\Users\xxx\Local Settings:UGaTXq0sNMXXTPwmMf7zFUh6
AlternateDataStreams: C:\Users\xxx\AppData\Local:UGaTXq0sNMXXTPwmMf7zFUh6
AlternateDataStreams: C:\Users\xxx\AppData\Local\Application Data:UGaTXq0sNMXXTPwmMf7zFUh6
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then let’s remove any leftovers …
Please download zoek by smeenk from here or here and save it to your Desktop.
Unpack the archive…
[*] Close any open browsers.
[*] Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this please read this or this instruction.
[*] Double-click on zoek.exe to run the tool.
Please wait until the tool starts…
[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Uninstall-List;
EmptyFoldersCheck;Delete
EmptyCLSID;
ResetIEProxy;
ipconfig /flushdns >> %temp%\log.txt;b
AutoClean;
[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).
[*] Save the notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
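A triage helper, added here as an example and not part of the thread, of FRST, or of zoek: it parses FRST-style log lines (the sample is constructed from the fixlist above) and tags orphaned Run and Toolbar/BHO entries, MountPoints2 autorun commands and alternate data streams, so a log can be skimmed before a fixlist is written. The verdict labels (orphan, review, info) are my own assumption about what deserves a second look.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in FRST log format, built from the fixlist in this thread.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1956760 2014-06-15] (APN)
HKLM-x32\...\Run: [] => [X]
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKCU - Ask Toolbar - {5347542D-5637-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SGT-V7\Passport_x64.dll (APN LLC.)
HKU\S-1-5-21-2727885-3341159988-215611516-1000\...\MountPoints2: D - D:\Autorun.exe
AlternateDataStreams: C:\Users\xxx\Cookies:8RxM5xznNXLkX1BMDoH4aKDECfNEI
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [165784 2014-06-15] (APN LLC.)
"""

# One regex per FRST line type; "target" is the part a reviewer needs to look at.
PATTERNS = {
    "run_key": re.compile(r"^HK(?:LM|CU|U\\S-[\d-]+)(?:-x32)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$"),
    "toolbar_bho": re.compile(r"^(?:Toolbar|BHO)(?:-x32)?: .*?(?P<clsid>\{[0-9A-F-]{36}\}) - (?P<target>.*)$", re.I),
    "mountpoint": re.compile(r"^HKU\\S-[\d-]+\\\.\.\.\\MountPoints2: (?P<volume>\S+) - (?P<target>.*)$"),
    "ads": re.compile(r"^AlternateDataStreams: (?P<target>.*)$"),
    "service": re.compile(r"^R\d (?P<name>[^;]+); (?P<target>.*)$"),
}

def triage(line: str) -> Optional[Tuple[str, str, str]]:
    """Classify one FRST line as (kind, verdict, detail); None if it is not a persistence entry."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if not m:
            continue
        target = m.group("target")
        if kind == "run_key" and (target == "[X]" or not m.group("name")):
            return kind, "orphan", target             # Run value with no name or a missing file
        if kind == "toolbar_bho" and target == "No File":
            return kind, "orphan", m.group("clsid")   # CLSID still registered but the DLL is gone
        if kind in ("mountpoint", "ads"):
            return kind, "review", target             # removable-media autorun / hidden data stream
        return kind, "info", target                   # present and resolvable; check the vendor
    return None

def summarize(log: str) -> Dict[str, int]:
    """Count entries per kind:verdict so a log can be skimmed before writing a fixlist."""
    counts: Dict[str, int] = {}
    for raw in log.strip().splitlines():
        hit = triage(raw.strip())
        if hit:
            key = f"{hit[0]}:{hit[1]}"
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Calling summarize(SAMPLE_LOG) on the constructed sample returns one orphan Run value, one orphan toolbar CLSID, one MountPoints2 entry and one ADS entry to review, plus three informational entries.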
Thank you for the welcome. And I’ve attached the logs.
Hi,
Now create and run this zoek script:
afiikekanfnjlcbnmgamjlhhcdkcjjjd;chr
AutoClean;
After the reboot, post me the freshly created zoek log and tell me whether you still have alerts.
Yes, the alerts are still there.
Let’s use a different approach then.
Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.
- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install Recovery Console.
ComboFix will also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.
Here are the logs.
Hello jcqln_yu,
Do you still have alerts after running ComboFix? If you do, post me the fresh FRST.txt log report.
Looks like the alerts are gone now. I haven’t noticed any alert yet. Is it okay to assume that it’s really gone now? Thank you very much!
It should be. Can you recall what you were doing, browsing, downloading or installing before the alerts occurred? Think hard.
I am trying to find the source of the problem. If I could reproduce the issue that would be great.
Also, could you please zip/rar the C:\Qoobox folder and upload it here? I would like to see what fixes CF has performed, as there is no active malware deletion.
Upload the Qoobox folder using one of the free cloud sharing sites like:
http://www.wikisend.com
…or similar.
Paste the download link here. Do not worry, there will be no infections in this upload…
Post the created download link here so I can see the folder.
I think I was trying to download a song from http://www.anime-mp3.com/2012/02/fairy-tail.html. I think avast! alerted me of something when I tried downloading a song. I didn’t continue with the download after that though. Then the URL:Mal issue started after that.
Also, it seems that I can’t rar/zip the Qoobox folder because it can’t read/open the BackEnv folder. When I try to rar the Qoobox folder, WinRAR shows this message.
http://i260.photobucket.com/albums/ii21/ragnarok6354/Capture_zps21c4cfd7.png
When I tried to rar the files inside the Qoobox folder, it showed this message.
http://i260.photobucket.com/albums/ii21/ragnarok6354/Capture2_zps27fe7e02.png
But it did produce a rar file, though the BackEnv folder did not contain anything inside.
Ok, thanks for the help. We have solutions for these alerts but we can’t locate the loading point, the exact cause.
I have the Qoobox folder. I’ll set up my test machine and will try to replicate the issue. You may remove the download link now.
Also, it is time to remove used tools here.
• The following will implement some post-cleanup procedures:
It is necessary to uninstall ComboFix:
[*] Click Start (or the Vista Start button), then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
[*] In the text box, type in (or copy) the following:
ComboFix /Uninstall
Note that there is a space between "ComboFix" and "/Uninstall".
[*] Then click OK (or press Enter).
Wait for the uninstall process to complete.
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
Done. Thank you very much!