MB blocking svchost.exe malicious website


  • Root Admin

Okay, let's start out with a new scan and new logs please.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply. Make sure it's the Clean log, not the scan log.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks

Ron


Mixed results. I still feel like there is something taking over svchost.exe.

At times it runs fine, but other times mundane tasks take forever but for only a few seconds, then everything works fine again.

Problem is this: I ran AdwCleaner 4 times last night, each time coming up with a result of either PUP.optional.Amazonbrowserbar or PUP.optional.legacy.

After the 5th time last night, I got a clean scan from AdwCleaner, but today I came up with both results at different times.

Advise??
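A check a practitioner would want before deciding whether svchost.exe itself is compromised: every svchost.exe instance hosts one or more Windows services, so the question is which services (and which third-party DLLs) live in the instance that Malwarebytes flagged, not whether svchost.exe is "infected". The PowerShell below is an added example, not something posted in this thread or a Malwarebytes tool. It assumes you take the PID of the blocked process from the Malwarebytes block event and run the script from an elevated prompt; the `-SvcHostPid` parameter name is this example's own.

```powershell
# Added example (not from the thread): given the PID of the svchost.exe that
# Malwarebytes reported, show where the image was loaded from and whether it is
# signed, which services this instance hosts, which non-Windows DLLs it has
# loaded, and what it is connected to. Run from an elevated PowerShell.
# The PID is an assumption; take it from the "Process" line of the block event.
param(
    [Parameter(Mandatory = $true)][int]$SvcHostPid
)

$proc = Get-Process -Id $SvcHostPid -ErrorAction Stop

# 1. Where is the image really loaded from? The legitimate svchost.exe lives in
#    %SystemRoot%\System32 (or SysWOW64) and carries a Microsoft signature.
$imagePath = $proc.Path
$sig = Get-AuthenticodeSignature -FilePath $imagePath
[pscustomobject]@{
    Pid        = $proc.Id
    Image      = $imagePath
    SigStatus  = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    InSystem32 = ($imagePath -eq (Join-Path $env:SystemRoot 'System32\svchost.exe'))
} | Format-List

# 2. Which services are hosted in this particular svchost.exe instance?
#    Same information as "tasklist /svc", filtered to one PID.
Get-CimInstance Win32_Service -Filter "ProcessId = $SvcHostPid" |
    Select-Object Name, DisplayName, StartMode, State, PathName |
    Format-Table -AutoSize -Wrap

# 3. A hijacked service usually shows up as a DLL loaded from outside the
#    Windows directory. Anything listed here deserves a closer look.
$proc.Modules |
    Where-Object { $_.FileName -notlike (Join-Path $env:SystemRoot '*') } |
    Select-Object ModuleName, FileName |
    Format-Table -AutoSize -Wrap

# 4. What is it talking to right now? Compare RemoteAddress with the address
#    in the Malwarebytes block event.
Get-NetTCPConnection -OwningProcess $SvcHostPid -ErrorAction SilentlyContinue |
    Where-Object State -eq 'Established' |
    Select-Object LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize
```

Read the output in that order: an image outside System32 or a signature status other than `Valid` means the file itself is the problem; a valid Microsoft-signed svchost.exe with an unfamiliar hosted service or a DLL from a user-writable path points at the service or module instead, which is the more common case. `Get-NetTCPConnection` needs Windows 8 / Server 2012 or later; on older systems `netstat -ano` gives the same PID-to-connection mapping.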


  • Root Admin

I think this is probably just a browser hijack, but we'll scan a couple other methods and see.

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.

Thank you

Ron


  • Root Admin

Hi @djkeefer

The file that TDSSKiller found is related to SDWSCSvc.exe, the Windows Security Center integration service from Safer-Networking Ltd.

http://www.systemlookup.com/search.php?type=filename&search=SDWSCSvc.exe&s

Let's go ahead and reset your browsers back to default.

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
  • Type in (or copy/paste) the following and press Enter: %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. (Screenshot: all files and folders selected, except Bookmarks)

Restart your computer now and make sure there are no longer any redirects or other browser issues. 
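The manual Chrome profile wipe above, scripted so that it cannot be run while Chrome is open and so that a backup exists before anything is deleted. This is an added example and not part of the reply above or a Malwarebytes tool; it assumes the default profile location (`%LOCALAPPDATA%\Google\Chrome\User Data\Default`) and that the only files worth keeping are Bookmarks and Bookmarks.bak, exactly as the instructions say. As in the manual steps, saved passwords, cookies, extensions and settings in that profile are deleted.

```powershell
# Added example (not from the thread): clear the Chrome "Default" profile while
# keeping the bookmark files. Assumes the standard profile path; run with Chrome
# fully closed (including background/tray instances).
$profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$keep       = @('Bookmarks', 'Bookmarks.bak')
$backupDir  = Join-Path $env:LOCALAPPDATA ('Chrome-Default-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

# Chrome rewrites Preferences/Secure Preferences on exit, which would undo the
# reset and can re-apply a hijacked homepage or search engine. Refuse to continue.
if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    throw 'Chrome is still running. Close every window and background instance, then rerun.'
}
if (-not (Test-Path -LiteralPath $profileDir)) {
    throw "Profile directory not found: $profileDir"
}

# Keep a full copy first so the operation is reversible.
Copy-Item -LiteralPath $profileDir -Destination $backupDir -Recurse -Force
Write-Host "Backup written to $backupDir"

# Delete everything in the profile except the bookmark files. -Force is needed
# for hidden/read-only entries; the Extensions folder and the two Preferences
# files are the ones that actually carry a hijack.
Get-ChildItem -LiteralPath $profileDir -Force |
    Where-Object { $keep -notcontains $_.Name } |
    ForEach-Object {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction Stop
    }

# What remains should be only Bookmarks and Bookmarks.bak.
Get-ChildItem -LiteralPath $profileDir -Force | Select-Object Name, Length
```

If Chrome was installed with additional profiles ("Profile 1", "Profile 2", ...) under `User Data`, each has its own Preferences and Extensions folder and needs the same treatment; the script only touches `Default`.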

Well I did this, and it seemed to work, however this morning I had a browser type hijack where the website changed off my Yahoo sports page and an intrusion was blocked by MB.

What steps should I take at this point since I did the browser resets?  FYI, I did resets on both IE and Chrome, and I do not have Firefox/Waterfox.


  • Root Admin

Due to the infection or modification in the Chrome browser you need to disable your Google Sync again if you're using it.

https://support.google.com/chrome/answer/3097271

Then I'd recommend you run the Chrome Cleanup Tool which has recently been updated by Google

Make sure all your browsers are closed when running the tool.

Then once clean, look at using an Ad Blocker and Script Blocker for Chrome to help prevent these types of change requests. Unfortunately, websites can ask to make some changes to allow for a look and feel to your browser. Some abuse that and make changes the user does not want.

 Let me know if the tool is able to remove the change or not.

Ron


Hi, sorry for the delayed response.

I tried everything you mentioned, and I am still getting browser re-directs, although I notice it happening mostly on Yahoo.com's Fantasy Football site.

I also have installed Norton products into my browser to try to have an extra level of protection, but I noticed I have the same problem regardless of whether or not those extensions are on.

Otherwise, I have no additional extensions currently activated.

Here are a few event logs from recent intrusion attempts that were caught by MB.

Event.txt

Event 1.txt

Event 2.txt

Event 3.txt
