possible svchost.exe hijack

[AdvancedSetup]

If you're concerned please do a Factory Reset on the router and set it up again. Then make sure you put a strong password on the router.

 

Other than that how is the computer running now and are there any other signs of an infection?

[cybot]

well, after getting my laptop back from the repair shop (the keyboard they ordered for my was DOA) I found I could not access this forum or several other security related sites. I finally managed to get here by disabling the "DNS client" service. I also discovered that every single file now had a "read only" attribute added. I fixed the second issue, but am not sure how to deal with the first. when it first happened I thought maybe the forums were down. but after three days, I figured it was something else, which is when I discovered that other security related sites were blocked too (grc.com, dnsleaktest.com, forums.malwarebytes.org, to name a few.). I will also speak to the repair place about this.

[cybot]

looks like the "dns client" service issue solved it self. I was getting ready to restart my system, an took one last look at my services list, and the "dns client" was listed as started, but I was still able to access the previously blocked sites. still no blocked messages involving svchost. so I guess nothing else is wrong with my PC. I am looking at getting Eset for my PC, my home router has a hardware firewall, should I get eset smart security, or NO32. I ask because I have read having multiple firewalls can cause problems. I ran a stealth test at grc.com, an all my ports are fully stealthed when using just the routers hardware firewall, so I am not sure if I need eset smart security (nod32 + firewall)

[AdvancedSetup]

Yes an onboard firewall is highly recommended and I would advise leaving it or using Windows built-in.

 

I would recommend that we run some other scans again to see if anything else is detected. Make sure you put a check mark in the ADDITIONS.TXT check box to get a new log for that as well.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.
  

 

[cybot]

here are the farbar logs

Addition.txt

FRST.txt

[AdvancedSetup]

I'm only seeing a couple of things that seem odd.

 

You have SNMP loading (nothing wrong with it just odd to be running it especially on a home computer) Simple Network Management Protocol

You have this entry in the Registry for a load point that is not normal and we should probably run another scanner (see below)

AppInit_DLLs-x32: => "" File Not Found

 

You also have an entry for Alternate Data Streams on a file which is not normal for most users.

 

I'd recommend we run Combofix and have it scan the system for us at this time.

 

 

 

Please visit this webpage and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here:  C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
  

 

[cybot]

I saw that appinit_dll entry, I don't know why, but all it had as a value was an extended ascii character. I have returned that reg key back to it's default value. here is the combofix log

ComboFix.txt

[AdvancedSetup]

Let's do one more scan and if that comes back clean to then the computer would appear to be okay now.

 

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 

 

 

 

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 

[cybot]

I have attaché a log from tdsskiller, there were 'suspicious' items found, but they were all false positives

tdsskiller.txt

[cybot]

since installing eset smart security, even though no malware or viruses appear to have been found through the steps we've taken, or through the eset software, there have been no more blocked messages from mbam involving svchost.

[AdvancedSetup]

Well things do look pretty good at this point. The logs are not showing any obvious infections at this time.

[cybot]

I woul have agree with you 24 hours ago, but just a few minutes ago after making a purchase on steam, mbam just gave another svchost.exe blocked message. after no messages for almost a week, one pops up out of the blue.... no other symptoms and nothing found by any scans. the most obvious reason I am concerned is because it happened right after making a transaction using paypal.

malwarebytes scan log 4.txt

mbam protect log 4.txt

[AdvancedSetup]

I wonder if it was a bad website advertisement. One goes to China the other to the Netherlands.

 

I would recommend doing a FACTORY RESET on your Router and enable a Strong Password on it.

 

Next, let me have you do the following scans though to double check.

 

 

Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 

 

 

Please download aswMBR ( 4.5MB ) to your desktop.

• Double click the aswMBR.exe icon, and click Run.
• There will be a short delay before the next dialog box comes up.  Please just wait a minute or two.
• When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
• Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
• Click the Scan button to start the scan once the update has finished downloading
• On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat do not delete this for now.  It is an actual backup of the MBR (master boot record).
 

 

 

 

 

[cybot]

I already have what would be considered a strong password on our router. It has both upper and lower case letters as well as numbers. I will do a factory reset of the router if you still think it is necessary. aswMBR asked if I wanted to use virtualization, should I tell it yes? the steam client uses a something calle webkit I think as it's web browser, but it will only browse pages associated with steampowered.com an I believe those pages are listed as secure when I browse them from outside of the steam client (I.E. IE11, chrome, etc.)as long as I'm logged in to sites. but I have seen these blocked messages when no web browser has been active in the last five minutes.

[AdvancedSetup]

If you have a strong password on the router then it should be fine. Just a bit odd that two different computers on the same network would experience the same issue. No you don't need virtualization for the scan.

 

Please post your protection log from today from MBAM as well.

[cybot]

two ifferent computers? I am only experiencing this problem on mine. should anything that is run from the browser be able to have svchost.exe initiate a connection to an ip of it choosing? if it is some bad web ads, then it looks like I need to look at some anti-ad software. back when I was using win98SE there was a program called webwasher. but the company that made it has not updated it since the early 2000's. I don't know of any software that provides the same service that webwasher did. can you recommend any? If you guys made a webwasher clone, I would certainly be first in line to buy it.

[AdvancedSetup]

We can look at other preventions when we're done here. For now let's go ahead then and run FRST on the affected  computer and post back new logs.  We'll consider the other computer now clean.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.
  

 

[cybot]

here is the aswmbr log you asked for previously. sorry for the delay, my computer was in the repair shop getting it's keyboard replaced.

aswMBR.txt

[AdvancedSetup]

Okay, well since the computer was away and we have no idea of the state or if the shop changed or fixed anything lets start over for this computer.

 

 

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:
 
 

 

If you're using

Peer 2 Peer

software such as

uTorrent, BitTorrent

or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have

illegal/cracked software, cracks, keygens etc

. on the system, please remove or uninstall them now and read the policy on

Piracy

.

 
Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

• Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
• If the log is too large then you can use attachments by clicking on the More Reply Options button.
• Please enable your system to show hidden files: How to see hidden files in Windows
• Make sure you're subscribed to this topic:
  
  • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
    

  [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)
  

 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 

Link 1

Link 2

• On Windows XP double-click on the Rkill desktop icon to run the tool.
• On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• If the tool does not run from any of the links provided, please let me know.
• Do not reboot the computer, you will need to run the application again.
  

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download ERUNT from one of the following links: Link1 | Link2 | Link3
• ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
• Double click on erunt-setup.exe to Install ERUNT by following the prompts.
• NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
• Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
• Choose a location for the backup.
  
  • Note: the default location is C:\Windows\ERDNT which is acceptable.
    

  [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
  

STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

• RogueKiller 32-bit | RogueKiller 64-bit
• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes Close the program > Don't Fix anything!
• Don't run any other options, they're not all bad!!
• Post back the report which should be located on your desktop.
  

Thank you
 

[cybot]

ugh..... ok. I had the frst logs ready to send, did you still want those?

 

I looked at the event viewer once I got my PC back, and it looks like all they did was the repair. there were no logs for the entire time it was in the shop. also they did not have my windows password, as it was not nesseccary  for the repair. the I do not know how much access the phantom account setup be eset smart security anti-theftwould give them, but It does not look like the phantom account was accessed either. I will post the asked for mbam logs along with the others soon. as to pasting the logs, as already posted about, for what ever reason I am unable to paste anything into my posts on this forum. it works fine elsewhere, but not here.

[cybot]

here are the rkill and mbam logs roguekiller logs will be posted soon

 

Rkill.txt

mbam protect log 1a.txt

[cybot]

here is the rogue killer logs there were 8 grey entries in under the registry tab, but I believe they are false detections. there were a number of non green entries under the anti-rootkit tab, but only one red entry. the orange entries tracked back to condusiv (diskkeeper12) and eset (eset smart security). the red entry does concern me however. I do synaptics touchpad on my laptop, and I do have4 the synaptics software installed, but I do not think it should not be using 1394ohci.sys I do not own any firewire devices, so I can not test my firewire port to see if it operates properly. my touchpad is connected to an internal ps/2 port according to windows. googling some of the text displayed in roguekiller, says it might or it might not be a keylogger. I will leave the ultimate decision on whether it is or not up to you.

RKreport_SCN_07232014_183038.log

[cybot]

looking back at the rules created by eset firewall, the addresses that ended up being blocked by mbam addresses may have been causing svchost.exe to respond to WPAD requests (WinHttpAutoProxySvc) WinHTTP Web Auto-Discovery Service

 

is it safe to stop and disable this service with out impacting any of my games? I am not on a proxy and don't use web proxys or VPN's

[AdvancedSetup]

I don't think there should be an issue with it.

 

 

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus
  

STEP 05
Lets clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

• Double click on AdwCleaner.exe to run the tool.
  Vista/Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
  

STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07


Please go here to run the online antivirus scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
    

  
  [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.
  

STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
  

[cybot]

I ran MBAR to see if it would catch what roguekiller marked as red, but MBAR said I was clean.