Internet Search Redirect - svchost.exe -k

Discussion in 'Malware Help (A Specialist Will Reply)' started by ElCaminoGirl, Oct 29, 2010.

  1. ElCaminoGirl

    ElCaminoGirl Private E-2

    I'm here because starting last night, every time I did a Google search, I was redirected to another page. I was also having issues with some programs I have that need the internet to run not being able to connect when I had a healthy, viable connection.

    So, I got up this morning and ran MBAM and it detected only 1 infected file (svchost.exe -k). I opted for quarantine and got the "quarantined successfully" prompt. I then ran Avast (my live running scanner) and it did the same thing. Then I uninstalled Avast and installed Kaspersky; it found 7 infected files, but wasn't able to rid me of them either. My last shot was with Avira; it found TR/Crypt.XPACK.Gen.

    Now, I've followed all instructions in "Read & Run me first". I uninstalled any extra AVs, I "housecleaned" and ran one of my favorite programs CCleaner (I've always had this on my computers). I opened my files and set up my msconfig. And finished with steps 5-7.

    I have downloaded MBAM and SAS; Combo and RR won't work with my computer (64 bit). Then downloaded MGTools. Disabled UAC and rebooted.

    On to the scans... I followed directions with SAS; it gets about 3/4 of the way through and crashes. Just ran MGTools and am attaching that. Other than that I have HJT, OTL (both OTL and extras), DDS and attach logs.

    Now I just can't seem to get rid of whatever the issue is and it's making me nutty. Thanks in advance for any and all help!!

    ECG
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  3. ElCaminoGirl

    ElCaminoGirl Private E-2

    Will be watching for you.

    Thanks,
    ECG
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have been through those logs and I can see where the problems are. I have half composed a fix for you, however I am due in at work in less than an hour, so rather than rushing it, I'll get through my short shift and return later with a response. :) Thanks for your patience.
     
  5. ElCaminoGirl

    ElCaminoGirl Private E-2

    NP, I have to run off to school Halloween parties with the kids. I'll check back later.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tell me what is inside of this folder?

    C:\ProgramData\{E961CE1B-C3EA-4882-9F67-F859B555D097}

    Java(TM) 6 Update 14 <--- Uninstall this outdated version of Java.

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe," 
    
    :files
    C:\Users\Shawn\Local Settings\TEMP\dwm.exe
    C:\Users\Shawn\AppData\Local\Temp\dwm.exe
    C:\Users\Shawn\AppData\Roaming\Microsoft\svchost.exe
    C:\Users\Shawn\AppData\Roaming\Microsoft\Windows\shell.exe
    C:\Users\Shawn\AppData\Local\dqhmxvxqx
    C:\Users\Shawn\AppData\Local\tqnmxoyjb
    C:\Users\Shawn\Local Settings\TEMP\utt5321.tmp
    C:\Users\Shawn\Local Settings\TEMP\utt5321.tmp.bat
    C:\Users\Shawn\Local Settings\TEMP\WPDNSE
    C:\Users\Shawn\Local Settings\TEMP\YwG8fgq5.exe.part
    C:\Users\Shawn\Local Settings\TEMP\pglcypob.sys
    :Commands
    [emptytemp]
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running now. Don't forget to tell me about that folder I asked about.
     
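    A read-only triage script, added here as an example and not part of the thread or of the OTM tool, that checks the two things the fix above targets (the Winlogon Userinit value and the dropped files listed in the :files section) before anything is moved; it assumes an elevated PowerShell session on the affected machine and substitutes the current profile for the C:\Users\Shawn paths in the post.

```powershell
# Added example (not from the thread or from OTM): read-only triage so a helper can
# confirm the persistence entry and the dropped files before any cleanup is run.
# Assumption: elevated PowerShell on the affected machine; paths come from the post,
# with the current profile substituted for C:\Users\Shawn.
$ErrorActionPreference = 'Stop'

# 1. Winlogon Userinit: the benign value is exactly the system userinit.exe plus a
#    trailing comma. Anything appended after the comma is an extra program that
#    Winlogon launches at every logon, which is how this infection survives reboots.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\System32\userinit.exe,"
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($userinit -ieq $expected) {
    Write-Output "Userinit OK: $userinit"
} else {
    Write-Output "Userinit MODIFIED: '$userinit' (expected '$expected')"
}

# 2. Files from the :files section of the OTM script. "Local Settings\TEMP" is a
#    junction to AppData\Local\Temp on Vista and later, so both spellings collapse here.
$candidates = @(
    "$env:LOCALAPPDATA\Temp\dwm.exe",
    "$env:APPDATA\Microsoft\svchost.exe",
    "$env:APPDATA\Microsoft\Windows\shell.exe",
    "$env:LOCALAPPDATA\dqhmxvxqx",
    "$env:LOCALAPPDATA\tqnmxoyjb",
    "$env:LOCALAPPDATA\Temp\utt5321.tmp",
    "$env:LOCALAPPDATA\Temp\utt5321.tmp.bat",
    "$env:LOCALAPPDATA\Temp\WPDNSE",
    "$env:LOCALAPPDATA\Temp\YwG8fgq5.exe.part",
    "$env:LOCALAPPDATA\Temp\pglcypob.sys"
)
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        # Hash files (not folders) so the result can be matched against AV detections.
        $hash = if ($item.PSIsContainer) { '<folder>' } else { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
        Write-Output ("PRESENT  {0}  {1}  {2:u}" -f $path, $hash, $item.LastWriteTime)
    } else {
        Write-Output "absent   $path"
    }
}

# 3. A running svchost.exe whose image is outside System32/SysWOW64 is the same
#    symptom MBAM flagged; list any such process for the helper to review.
Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notmatch '\\Windows\\(System32|SysWOW64)\\svchost\.exe$' } |
    Select-Object Id, Path | Format-Table -AutoSize
```

Nothing is changed by this script; it only reports, so the OTM step above still does the actual removal.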
