
Malicious Website Blocked SysWOW64\svchost.exe



Hi Maurice,

 

I am just checking to see if you think there are other things we can try to solve this issue.  I know you are probably quite busy and I appreciate your help.

 

I read through the page you suggested about blocked IP addresses.  I am still getting just the one address blocked.  It occurs every 2-5 seconds.  So far I am only seeing the one address and it's outbound.  It occurs regardless of whether I have a browser running or not.  And I don't think I have any P2P or messenger processes running, so I am not sure what process it is using.

 

thank you,

Andrew


I need to see some recent protection logs from MBAM logs folder.

I need to see the Protection log named **protection-log-2014-MM-DD** in the corresponding folder.  Please attach it for my review.

On Windows Vista, Windows 7 and Windows 8 / 8.1, from this folder:
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs

 

I would like for you to attach these logs.

protection-log-2014-10-27.xml

protection-log-2014-10-26.xml

protection-log-2014-10-25.xml

 

 

Also, please run this diagnostic as well.

Please download and SAVE RogueKiller 64 bit to your desktop from this next link
http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe

Quit all running programs.

Do a right-click on the roguekiller64.exe , select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Please attach the report which should be located on your desktop:   RKreport[1].txt


  • Disable your anti-virus program, How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Please disconnect any USB or external storage drives from the computer before you run this scan!
  • For Vista or Windows 7 / 8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

    For Windows XP, double-click to start.

  • Wait until Prescan finishes.
  • On the RogueKiller console, click the Registry tab.

    Put a check next to all of these and uncheck the rest: (if found)

    [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ALSysIO (\??\C:\Users\ANDREW~1\AppData\Local\Temp\ALSysIO64.sys) -> Found

    [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALSysIO (\??\C:\Users\ANDREW~1\AppData\Local\Temp\ALSysIO64.sys) -> Found

    [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ALSysIO (\??\C:\Users\ANDREW~1\AppData\Local\Temp\ALSysIO64.sys) -> Found

    UN-check any -other - lines shown on your screen that are not listed in the above list.

  • Then click on Delete on the right hand column under Options.
  • When done, logoff & Restart the system.
  • The log will be found as RKreport

    Attach RKreport  into next reply.

 

 

(2)

 

  • Please download CKScanner from >>Here<<
  • Important: - Save it to your desktop.
  • Right-click CKScanner.exe &  select Run as administrator to start.
  • then click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved. Please Run the program only once.
  • Copy/paste the contents of CKFiles.txt in your next reply.

 

 

(3)

The IE message:  you need to do some digging around in your I.E. settings and turn off debugging of script errors.

Tools >> Internet Options >> Advanced >>  Browsing ---- > Disable script debugging

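The three RogueKiller "[suspicious.Path]" hits above all share one trait: a service (here a kernel driver) whose ImagePath points into a user's AppData\Local\Temp folder, registered in CurrentControlSet and in the numbered ControlSet00N copies. As an added example, not code from this thread or from RogueKiller, the PowerShell below walks those same Services keys and reports any entry with that trait, together with the file's Authenticode status so you can judge the hit before deleting anything. The function names Get-ServiceBinaryPath and Find-TempServiceBinaries are my own, and the rule "a service binary under a per-user Temp directory is suspicious" is an assumption: some legitimate utilities do drop drivers there, so treat the output as a lead, not a verdict. It is read-only and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum thread or RogueKiller): report service entries
# whose ImagePath points into a per-user Temp folder, the pattern behind the
# "[suspicious.Path] ...\Services\ALSysIO (\??\C:\Users\...\Temp\ALSysIO64.sys)" hits.
# Read-only: it lists, it does not delete. Run from an elevated PowerShell prompt.

# Assumption: a service or driver binary living under a user's %TEMP% tree is suspect.
$SuspiciousPath = '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'

function Get-ServiceBinaryPath {
    # Normalise a raw ImagePath value into a plain file system path Test-Path understands.
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    $p = $p -replace '^\\\?\?\\', ''          # drop the NT object-manager prefix \??\
    if ($p.StartsWith('"')) {
        $p = ($p -split '"')[1]               # "quoted path" followed by arguments
    } else {
        $p = ($p -split ' -| /')[0]           # unquoted path followed by -k / /flags
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') {       # relative form, e.g. system32\DRIVERS\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Find-TempServiceBinaries {
    # Walk CurrentControlSet plus every ControlSet00N, mirroring the scanner's three hits.
    $roots = @('HKLM:\SYSTEM\CurrentControlSet\Services')
    $roots += Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { "$($_.PSPath)\Services" }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $ip = $props.ImagePath
            if ($ip -and $ip -match $SuspiciousPath) {
                $file = Get-ServiceBinaryPath $ip
                $sig = if (Test-Path -LiteralPath $file) {
                    (Get-AuthenticodeSignature -LiteralPath $file).Status   # Valid / NotSigned / ...
                } else {
                    'FileMissing'            # key survives but the binary is already gone
                }
                [pscustomobject]@{
                    Key       = $_.Name      # HKEY_LOCAL_MACHINE\SYSTEM\...\Services\<name>
                    ImagePath = $ip
                    Type      = $props.Type  # 1 = kernel driver, 16/32 = Win32 service
                    Start     = $props.Start # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
                    Signature = $sig
                }
            }
        }
    }
}

Find-TempServiceBinaries | Format-Table -AutoSize
```

A Type of 1 with a Temp-resident, unsigned or missing binary is the combination worth following up; an entry whose file is gone but whose key remains is the residue RogueKiller's Registry tab offers to delete.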

Hi Maurice,

 

I ran RogueKiller but there was nothing listed in the registry tab.  So I rescanned and then did as you asked.  Hopefully that was ok.  The scan and delete logs are attached.

 

I ran CKscanner successfully.  But I was not able to paste the contents of ckfiles.txt so I am attaching it.

 

thanks,

Andrew

 

 

 

 

RKreport_DEL_10292014_033704.log

RKreport_SCN_10292014_033436.log

ckfiles.txt


Hi Maurice,

 

Since the RogueKiller actions three hours ago I have had ZERO blocks.  As it was happening every few seconds I am hopeful that we might have fixed it.  But I will let you know if it reoccurs in the next day or so. 

 

Also, the debug issue is now gone too.  I had looked at the settings you recommended but did not make any changes since they were already set the right way.  Perhaps it was related to the malware process.

 

thank you for your help,

Andrew


Download DDS and save it to your desktop from here http://download.bleepingcomputer.com/sUBs/dds.com

 

Once it is saved and on the desktop, right click on dds.com and select Run as Administrator and reply YES and allow it to start.

 

If it does not run, you may need to run it from an elevated command prompt.

How to Open an Elevated Command Prompt in Windows 7
http://www.sevenforums.com/tutorials/783-elevated-command-prompt.html

 

DDS will run in a command prompt window and will take 3 to 4 minutes or so.
Follow and answer the prompts as appropriate.  Accept the EULA and follow the prompts.  Have patience while it runs in the background.

When done, DDS will open two (2) logs: DDS.txt & Attach.txt
Save both reports to your desktop.
Please attach following logs in your next reply:  DDS.txt  +  Attach.txt


Hi Maurice,

 

I have not had any more instances of the issue.  Even so, I am considering reformatting the SSD and reinstalling Windows.  I want to be certain the problem is fixed and I would not mind cleaning up some of the old junk on the drive with a fresh install anyway. 

 

Are you still wanting to run any more diagnostics or can I proceed with my reinstall?

 

thank you,

Andrew


Hello Andrew,

If there have been no IP Block notices, then that is fine.

If you want to do a wipe and clean install of Windows and all applications, that is probably the safest thing to do for the long term.

You may proceed as desired.

I wish you well.
