
Malware from svchost.exe with random website URLS



I'm currently using Avast, and just this week everyday about 8 notifications at startup would show about Avast detecting malware from svchost.exe or sometimes chrome.exe with URLs from random websites such as www.epictory.com. I never install suspicious programs, and even with legit programs I read carefully in case they offer a "free" program or something. But the same cannot be said with my sister, who uses the computer occasionally.

I did the prerequisites in this forum; I tried Hyper scan first and it found about 4 non-malware stuff and I just let MB do its work. Next I did the Threat Scan, and found 1 non-malware and I just let it do its work again. After that I used Farbar, and here are the logs.

Addition.txt

FRST.txt


Hi zildjianjoshua, :)

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.

Uninstall Google Chrome completely as it has been patched to developer's mode.


PunkBuster Advice:

There are some issues with infections in relation to PunkBuster...

Your computer has installed gaming tools. Some of these, like Punkbuster, use spyware techniques to engage in the anti-piracy battle.

In the process, they take control of much of your PC, and they actually meet the definition of spyware/malware.

They are sometimes designed to prevent orderly removal or modification, and they have only limited respect for retaining the overall security and integrity of your machine.

My advice would be to download the removal tool from here. Use this to uninstall PunkBuster Services. Then when I give the all clear use it again to reinstall PunkBuster Services if you so wish.


  • Step #1 Fix with FRST

    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.

    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --

      Start
      CreateRestorePoint:
      CloseProcesses:
      Emptytemp:
      CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
      SearchScopes: HKLM-x32 -> DefaultScope value is missing.
      SearchScopes: HKU\S-1-5-21-194168964-286767703-3275671440-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
      C:\Users\Zildjian\AppData\Local\Google\Chrome\
      C:\Program Files (x86)\Google\Chrome\
      CMD: bitsadmin /reset /allusers
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.

  • Required Log(s):
    • FRST Fix Log
Regards,

Valinorum

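Added for readers following along, and not part of Valinorum's instructions or of FRST: the fixlist above acts on three things (a Chrome policy key under HKLM\SOFTWARE\Policies\Google, the Internet Explorer SearchScopes entries including the missing DefaultScope value, and the BITS job queue that bitsadmin /reset /allusers clears). The PowerShell script below reads those same locations and reports what it finds, so a defender can see the indicators before deciding on a fix. Everything in it is my own: the function names are invented, the registry paths are the standard Windows locations for these settings, and it assumes the built-in BitsTransfer module and an elevated prompt (Get-BitsTransfer -AllUsers needs one). It is read-only unless -CancelBitsJobs is given, which does what the fixlist's bitsadmin step did.

```powershell
<#
  Audit script added as an example (not from the thread). Reports the three
  indicator classes the FRST fixlist above acted on:
    1. values under the Chrome policy keys (HKLM/HKCU\SOFTWARE\Policies\Google)
    2. IE SearchScopes: the DefaultScope value and the URL of every scope entry
    3. BITS jobs for all users (what bitsadmin /reset /allusers cancelled)
  Run from an elevated PowerShell prompt. -CancelBitsJobs is the only action
  that changes anything and is off by default.
#>
[CmdletBinding()]
param(
    [switch]$CancelBitsJobs
)

Import-Module BitsTransfer -ErrorAction Stop

function Get-ChromePolicyFindings {
    # Chrome only honours policy written under these keys. On an unmanaged
    # home PC there is normally nothing here, so every value deserves a look;
    # the fixlist in the thread deleted the HKLM key outright.
    $roots = @('HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Indicator = 'ChromePolicy'
                    Location  = $key.Name
                    Name      = $valueName
                    Value     = $key.GetValue($valueName)
                }
            }
        }
    }
}

function Get-SearchScopeFindings {
    # The fix log showed HKLM-x32 had no DefaultScope and a per-user scope whose
    # CLSID did not exist under HKCR, so both conditions are checked here.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $default = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).DefaultScope
        [pscustomobject]@{
            Indicator = 'SearchScopeDefault'
            Location  = $path
            Name      = 'DefaultScope'
            Value     = $(if ($default) { $default } else { '<missing>' })
        }
        foreach ($scope in Get-ChildItem -Path $path) {
            $clsid    = $scope.PSChildName
            $url      = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            $hasClass = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            [pscustomobject]@{
                Indicator = 'SearchScope'
                Location  = $scope.Name
                Name      = $(if ($hasClass) { 'URL' } else { 'URL (CLSID not registered)' })
                Value     = $(if ($url) { $url } else { '<empty>' })
            }
        }
    }
}

function Get-BitsJobFindings {
    param([switch]$Cancel)
    # -AllUsers lists jobs owned by other accounts (SYSTEM, the sister's
    # profile); a plain Get-BitsTransfer shows only the current user's jobs.
    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
        $remote = @($job.FileList | ForEach-Object { $_.RemoteName }) -join '; '
        $finding = [pscustomobject]@{
            Indicator = 'BitsJob'
            Location  = $job.JobId
            Name      = "$($job.DisplayName) [$($job.JobState)] owner=$($job.OwnerAccount)"
            Value     = $remote
        }
        if ($Cancel) {
            # Same effect as the fixlist's "CMD: bitsadmin /reset /allusers";
            # jobs that cannot be cancelled stay listed, as in the thread's log.
            Remove-BitsTransfer -BitsJob $job -ErrorAction SilentlyContinue
        }
        $finding
    }
}

$findings = @(Get-ChromePolicyFindings) +
            @(Get-SearchScopeFindings) +
            @(Get-BitsJobFindings -Cancel:$CancelBitsJobs)
$findings | Format-Table -Property Indicator, Location, Name, Value -AutoSize -Wrap
```

Save it as a .ps1 and run it once before and once after a fix: the first run documents what was present (policy values, a scope with an empty URL and an unregistered CLSID, BITS jobs whose RemoteName points at hosts the user never asked for), and the second run confirms those entries are gone. Reporting rather than deleting is deliberate; which entries to remove is the decision the helper in this thread is making from the full FRST logs.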

Okay. I also removed PunkBuster services like you said. Here is FRST Fix log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Zildjian at 2015-01-24 16:27:05 Run:1
Running from C:\Users\Zildjian\Desktop
Loaded Profiles: Zildjian (Available profiles: Zildjian & Family)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
CloseProcesses:
Emptytemp:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-194168964-286767703-3275671440-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
C:\Users\Zildjian\AppData\Local\Google\Chrome\
C:\Program Files (x86)\Google\Chrome\
CMD: bitsadmin /reset /allusers
End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKU\S-1-5-21-194168964-286767703-3275671440-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"C:\Users\Zildjian\AppData\Local\Google\Chrome" => File/Directory not found.
"C:\Program Files (x86)\Google\Chrome" => File/Directory not found.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {9769634F-1100-41A7-AD8F-F93FCA940C7F}.
Unable to cancel {6150937C-B9D6-494F-8C13-6D15F0959F09}.
{79D59096-459D-42AB-8E13-E99F9FD4B73F} canceled.
{91953131-499B-4FC0-B59A-227696AC8450} canceled.
{BBD40A42-E9C2-4659-B50A-BBA567196A31} canceled.
3 out of 5 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 983.8 MB temporary data.

The system needed a reboot.

==== End of Fixlog 16:27:48 ====


How is your PC performing?


  • Step #2 Scan with Malwarebytes' Anti-Malware
    • Re-run Malwarebytes' Anti-Malware.
    • Once the program has loaded, the MBAM dashboard will appear with an alert to update - click the green button Update Now;
    • Click on Settings --
      • Navigate to the tab Detection and Protection and check all the boxes under Detection Options
    • From the Dashboard click on Scan Now;
    • If threats are detected click on Apply actions. If the program asks to reboot your PC, let it do so;
    • On completion of the scan click on View Detailed Log after that click on Export Button, select Text File and save the log to your Desktop;
    • Copy and Paste the contents of the log in your next reply.

  • Step #3 ESET Online Scanner

    Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.

    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install Add-On/Active X if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.
    Note: Enable your security programs afterwards.

  • Required Log(s):
    • Malwarebytes' Anti-Malware Log
    • ESET Scan Log
Regards,

Valinorum
