I’m a new user of avast! Antivirus… Just switched to it today after my subscription of ESET Smart Security ran out… Last I know, I didn’t have a virus and I’m a quite careful user…
I’m running avast! on Vista Service Pack 2… Whenever I restart my PC, avast! gives a few popups on the desktop saying it has blocked svchost.exe from opening a malicious URL… It gives around 8-12 such consecutive pop-ups and then stops… After this, if I open the Task Manager, I see one instance of svchost.exe using roughly 50% of CPU (there are few other instances running at 0 CPU use)… I have to kill that process, else any other app takes additional time to run/open…
Well in other topics, svchost.exe trying to connect to malicious sites has been related to having a rootkit infection and possibly an MBR rootkit.
Given your forum name, have you tried BlackLight to see if you have a rootkit?
You can check if you have an MBR rootkit using this tool:
This latest version of aswMBR.exe can have avast do a QuickScan (image3), and depending on your system spec it could take a while; on my system it took a little under 15 minutes.
OK, that looks a bit better in that it isn’t certain you have an MBR rootkit, but I believe there is a probability you do still have one, as the report is showing you have unknown MBR code.
You don’t have a dual boot system by any chance (as that could change the default MBR)?
No, I do not have a dual boot system, it is just the Vista SP2 installed… At some point during the last year, I did mess up the MBR somehow when using some utilities; I had to run /fixMBR from a Vista Recovery Disc to be able to boot into Windows again… Dunno if that has anything to do with it…
Well I would have thought that the /fixmbr command should have set it back to a default MBR and not an unknown one, which is normally associated with either a dual boot system or something like a Dell or HP, which might have a custom MBR to allow access to its recovery partition. So do you have a Dell/HP or other manufacturer’s system?
Well in a way that’s not good in that TDSSKiller didn’t find anything, so this is going to need investigation by someone more experienced than I am in malware removal, using more analysis tools. I will try and get someone to take a look at it, but they are likely to be in bed now (UK time 00:05am). So it would be much later today before they are back on the forums.
When you say this happens 8-12 consecutive times, perhaps this is too simplistic, but you could check your Task Scheduler and see if there are any tasks there that you didn’t create.
I took a few more screenshots of the problem. I got 6 avast! Network Shield warnings when I booted up today and a further 2-3 more once I opened my browser (Firefox 5). avast! seems to be blocking an instance of svchost.exe from opening derribazu.net/random file name & extension. I’m not 100% sure the process being blocked is the same one with the high CPU percentage, but it seems most likely (PID 3620). I’m able to easily kill the process in Task Manager and all is fine after that (i.e. I get my CPU idle again). Could this be a false positive? Following are attached:
My system is an Acer Aspire 6920G. I do faintly remember seeing a Windows XP logo sometimes; I do not remember if it was when booting into the recovery partition or into the “Media Only” mode… I thought I had lost all that when I overwrote the MBR a year back…
I just got another avast popup; will post it in the next msg (attachment limit is very small).
Unfortunately the images you posted aren’t any help.
The idea of the svchost-analyser that I suggested is to first identify which svchost.exe occurrence is the one with the high CPU% (as you mentioned before) and note the PID (Process Identifier); that is the one you should look at in the svchost-analyser.
Once you open that one, you will see all the different processes using that occurrence of svchost.exe, as in my image. I would be looking for any strange-looking processes, random-looking names given their file location, etc.
But this does need further specialist analysis; the saving grace is that avast is blocking these attempts to connect to malicious sites.
The PID was 3620 and when checking in the analyzer, there are 0 processes/services running under it… That’s why the lower window is blank in the image…
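The mapping the svchost-analyser performs (which services a given svchost.exe PID hosts) is also available from the built-in `tasklist /svc` command. The script below is an added example, not code from the thread, avast or any of the tools mentioned: it parses `tasklist /svc` output and reports svchost.exe instances that host no service at all, which is the situation the poster saw for PID 3620. The sample output is constructed for the example; the function names are my own.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample of `tasklist /svc` output (built for this example, not
# taken from the thread). PID 3620 reproduces the observation above: an
# svchost.exe with no service listed under it.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    884 DcomLaunch, PlugPlay, Power
svchost.exe                   1012 RpcEptMapper, RpcSs
svchost.exe                   1160 AudioSrv, Dhcp, EventLog, lmhosts,
                                   wscsvc
svchost.exe                   3620 N/A
explorer.exe                  2288 N/A
"""

# image name, then the right-aligned PID column, then the services column
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def _split_services(field: str) -> List[str]:
    """Turn 'A, B, C,' into ['A', 'B', 'C']; tasklist prints N/A for none."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Map PID -> {'image': name, 'services': [...]} from `tasklist /svc` text.
    Long service lists wrap onto indented continuation lines, which are
    appended to the previous row."""
    rows: Dict[int, dict] = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue  # blank line or the (English-locale) header
        if line[0].isspace() and last_pid is not None:
            rows[last_pid]["services"].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        rows[pid] = {"image": m.group("image").strip(),
                     "services": _split_services(m.group("svcs"))}
        last_pid = pid
    return rows


def svchost_without_services(rows: Dict[int, dict]) -> List[int]:
    """PIDs of svchost.exe instances hosting no service. svchost.exe exists
    only to host services, so an instance with none deserves a closer look
    (verify its image path and parent process before acting on it)."""
    return sorted(pid for pid, r in rows.items()
                  if r["image"].lower() == "svchost.exe" and not r["services"])


if __name__ == "__main__":
    text = SAMPLE_TASKLIST_SVC
    if sys.platform == "win32":  # on a real host, read the live process list
        text = subprocess.run(["tasklist", "/svc"], capture_output=True,
                              text=True, check=True).stdout
    table = parse_tasklist_svc(text)
    for pid in svchost_without_services(table):
        print(f"svchost.exe PID {pid} hosts no services")
```

`tasklist` does not show the image path, so a flagged PID should still be checked in a tool that does (Security Task Manager or Process Explorer): a genuine svchost.exe lives in the System32 folder, and a copy elsewhere with the same name is the stronger indicator. Run the command from an elevated prompt, otherwise service names for some processes are not reported.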
I just now ran F-Secure Easyclean and it made me reboot once and found an infection of Trojan.Generic.KDV. It said it has cleaned it. Now I’m not getting any more avast! popups… Perhaps it’s resolved now…
When I ran Easyclean, I ran it on a fresh reboot of Windows with that 50% CPU svchost process running… When I ran aswMBR yesterday, it was after I had killed that process… Perhaps that made a difference in the detection?…
Hi there, methinks that a little analysis is required, and then mayhap dive in with a stronger dedicated tool.
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Oops need to remove that line as it now autodetects
On completion of this run, could you let me know what problems you are having?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\Neil\AppData\Roaming\Mozilla\FireFox\Profiles\nzoh2wg2.default\prefs.js
YN -> network.proxy.backup.ftp -> "127.0.0.1"
YN -> network.proxy.backup.ftp_port -> 9666
YN -> network.proxy.backup.gopher -> "127.0.0.1"
YN -> network.proxy.backup.gopher_port -> 9666
YN -> network.proxy.backup.socks -> ""
YN -> network.proxy.backup.socks_port -> 0
YN -> network.proxy.backup.ssl -> "127.0.0.1"
YN -> network.proxy.backup.ssl_port -> 9666
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 8580
YN -> network.proxy.share_proxy_settings -> true
YN -> network.proxy.socks_remote_dns -> true
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0A87E45F-537A-40B4-B812-E2544C21A09F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\AutoRun\command ->
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\AutoRun\command\\"" -> [yjkjfuo.cmd]
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\explore\Command ->
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\explore\Command\\"" -> [yjkjfuo.cmd]
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\open\Command ->
YN -> \{eb20fc11-ae43-11dd-a6a2-00a0d1a72f86}\shell\open\Command\\"" -> [yjkjfuo.cmd]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> ~rdjddrg hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Files/Folders - Created Within 30 Days]
NY -> SecTaskMan -> C:\ProgramData\SecTaskMan
NY -> Security Task Manager -> C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Security Task Manager
NY -> Security Task Manager -> C:\Program Files\Security Task Manager
[Files/Folders - Modified Within 30 Days]
NY -> Dat61AB.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat61AB.tmp.xsi
NY -> Dat469B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat469B.tmp.xsi
NY -> DatF771.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF771.tmp.xsi
NY -> DatCCE7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatCCE7.tmp.xsi
NY -> Dat873F.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat873F.tmp.xsi
NY -> DatAF06.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatAF06.tmp.xsi
NY -> Dat933B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat933B.tmp.xsi
NY -> Dat901E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat901E.tmp.xsi
NY -> DatDF73.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatDF73.tmp.xsi
NY -> DatBAE2.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatBAE2.tmp.xsi
NY -> Dat7069.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat7069.tmp.xsi
NY -> Dat55D7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat55D7.tmp.xsi
NY -> DatCF0A.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatCF0A.tmp.xsi
NY -> DatE391.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE391.tmp.xsi
NY -> DatE832.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE832.tmp.xsi
NY -> Dat66C6.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat66C6.tmp.xsi
NY -> Dat43CA.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat43CA.tmp.xsi
NY -> DatD713.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD713.tmp.xsi
NY -> DatF0B9.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF0B9.tmp.xsi
NY -> DatE331.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE331.tmp.xsi
NY -> DatA343.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA343.tmp.xsi
NY -> Dat457A.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat457A.tmp.xsi
NY -> DatA0FF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA0FF.tmp.xsi
NY -> Dat508E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat508E.tmp.xsi
NY -> Dat9B14.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat9B14.tmp.xsi
NY -> Dat7847.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat7847.tmp.xsi
NY -> Dat43EE.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat43EE.tmp.xsi
NY -> DatFABD.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatFABD.tmp.xsi
NY -> DatF7CF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF7CF.tmp.xsi
NY -> DatEE7B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatEE7B.tmp.xsi
NY -> Dat5B12.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat5B12.tmp.xsi
NY -> DatD904.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD904.tmp.xsi
NY -> DatA160.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA160.tmp.xsi
NY -> Dat8B9E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8B9E.tmp.xsi
NY -> Dat732D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat732D.tmp.xsi
NY -> Dat618.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat618.tmp.xsi
NY -> DatEF4D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatEF4D.tmp.xsi
NY -> DatC32D.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatC32D.tmp.xsi
NY -> DatA7EF.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA7EF.tmp.xsi
NY -> Dat888C.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat888C.tmp.xsi
NY -> Dat5C2E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat5C2E.tmp.xsi
NY -> DatE3F1.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatE3F1.tmp.xsi
NY -> DatA471.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatA471.tmp.xsi
NY -> Dat69E0.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat69E0.tmp.xsi
NY -> DatD731.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatD731.tmp.xsi
NY -> Dat715.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat715.tmp.xsi
NY -> Dat9E83.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat9E83.tmp.xsi
NY -> Dat8CB6.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8CB6.tmp.xsi
NY -> Dat782C.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat782C.tmp.xsi
NY -> Dat67C7.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat67C7.tmp.xsi
NY -> Dat4C1B.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat4C1B.tmp.xsi
NY -> DatF7A4.tmp.xsi -> C:\Users\Neil\AppData\Roaming\DatF7A4.tmp.xsi
NY -> Dat8D1E.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat8D1E.tmp.xsi
NY -> Dat6F22.tmp.xsi -> C:\Users\Neil\AppData\Roaming\Dat6F22.tmp.xsi
NY -> y2oyun7u.exe -> C:\Users\Neil\Desktop\y2oyun7u.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
Certainly - there are some proxies set on Firefox
There is a malware run key
Some malware mountpoints from an infected USB
A few BHOs that are not nice to have
And the virus defs taking up space from the F-Secure run
If this does not resolve the problem then I will use something stronger.
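The Firefox entries in the fix above are the classic shape of a browser proxy hijack: every protocol pointed at a listener on 127.0.0.1, `share_proxy_settings` so the same proxy covers all traffic, and `socks_remote_dns` so even name resolution goes through it. The script below is an added example (not code from the thread, OTS or Mozilla) that parses a prefs.js file, reports those conditions, and produces a copy with the `network.proxy.*` lines stripped so Firefox reverts to its defaults. The prefs.js excerpt is constructed to mirror the keys in the log; the function names are my own, and the meaning of `network.proxy.type = 1` (manual proxy) is Firefox's documented value, not something the thread states.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed prefs.js excerpt modelled on the proxy keys in the OTS fix
# above (sample built for this example, not the poster's actual file).
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8580);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 9666);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("privacy.donottrackheader.enabled", true);
"""

# user_pref("key", value);  where value is a quoted string, true/false or a number
_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
PROXY_PROTOCOLS = ("http", "ssl", "ftp", "socks")


def parse_prefs(text: str) -> Dict[str, Any]:
    """Parse prefs.js into a dict; strings lose their quotes, booleans and
    integers are converted, anything else is kept as raw text."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _PREF.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname, not an IP literal


def proxy_findings(prefs: Dict[str, Any]) -> List[str]:
    """Describe proxy settings that match the hijack pattern in the thread.
    A loopback proxy is only suspicious when no local proxy/filter software
    is knowingly installed; that judgement is left to the reader."""
    findings = []
    if prefs.get("network.proxy.type") == 1:  # 1 = manual proxy configuration
        findings.append("manual proxy configuration is enabled (network.proxy.type = 1)")
    for proto in PROXY_PROTOCOLS:
        host = prefs.get(f"network.proxy.{proto}")
        port = prefs.get(f"network.proxy.{proto}_port", 0)
        if isinstance(host, str) and _is_loopback(host) and port:
            findings.append(f"{proto} traffic is routed to a local listener at {host}:{port}")
    if prefs.get("network.proxy.socks_remote_dns") is True:
        findings.append("DNS lookups are sent through the proxy (socks_remote_dns = true)")
    if prefs.get("network.proxy.share_proxy_settings") is True:
        findings.append("the http proxy is applied to all protocols (share_proxy_settings = true)")
    return findings


def strip_proxy_prefs(text: str) -> str:
    """Return prefs.js text with every network.proxy.* line removed, so Firefox
    falls back to its default (no proxy) the next time it starts."""
    kept = [line for line in text.splitlines()
            if not (_PREF.match(line) and _PREF.match(line).group(1).startswith("network.proxy."))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in proxy_findings(parse_prefs(SAMPLE_PREFS_JS)):
        print("finding:", finding)
    print(strip_proxy_prefs(SAMPLE_PREFS_JS))
```

Only edit a real prefs.js while Firefox is closed, because Firefox rewrites the file on exit and would put the entries back. This covers Firefox's own settings only; a hijack of the Windows (WinINET) proxy used by Internet Explorer and the system is a separate check.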