I get many similar ones like this, but the IP and port change. I have cut off the last part of the IP.
Hmm that is an inbound one as opposed to outgoing
Could you turn the router off for a few minutes please, that should then get you a new IP address
Turned off and on, and it seems it worked for the SVCHOST issue. I am only using a trial version of MWB so I guess I have had that for a while.
The MAL infection is still present. It seems less, but it is still there.
I stand corrected, MWB is finding this again just now…
To open an Administrator Cmd prompt from the Desktop use Win + X and choose Command Prompt (Admin) from the list.
In the black box type in/copy the following commands, each one followed by enter :
ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset c:\resetlog.txt
ipconfig /release
ipconfig /renew
Then reboot the computer
Hi ok, that was done, but for ipconfig/renew, it didn’t work. I got a message that said, “no operation can be performed on bluetooth network connection while has its media disconnected.” I am not on a bluetooth network, so I don’t get it.
In addition, I am still getting the SVCHOST messages from MWB and I am still getting the infection: URL:MAL from Avast.
OK, this one is proving very difficult as it corrupts the TCP/IP stack. Earlier versions did not protect themselves, but the later ones appear to be doing that.
I will now try to remove it from outside of windows
Download the following three programmes to your desktop :
For 64bit systems
2. Windows 7 64bit RC I will PM this link
3. Farbar Recovery Scan Tool x64
Insert the USB stick, then run Rufus
https://dl.dropbox.com/u/73555776/rufus.JPG
Select the ISO file on the desktop via the ISO icon.
Press Start Burn
https://dl.dropbox.com/u/73555776/RufusISO.JPG
Then copy FRST to the same USB
http://dl.dropbox.com/u/73555776/frstwintoboot.JPG
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here
Windows 7 and Vista screenshots
When you reboot you will see this.
Click repair my computer
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg
Select your operating system
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg
Select Command prompt
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe or e:\frst.exe, dependent on system
and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
It seems to only be affecting Firefox. Removing this one is not going to damage my OS to the point of having to reinstall, is it?
No it will just enable me to work outside of windows. Although you say it is Firefox only now and not any time the system is connected ?
If so could you run firefox in safe mode https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode and see if the issue remains
Ok let me be more clear.
The Infection: URL: MAL problem affects Firefox only, it seems, and it only happens when my network is connected. It does not happen when the network is disconnected.
The SVCHOST issue seemed to be more of an IE problem, but it only happens sporadically. It seems it was inbound and outbound, but I have not kept track of it and it is not happening enough recently to check.
I did try, just for the heck of it, to load Win 7 in safe mode. I went through msconfig to do it; even though networking was enabled, it was not loaded properly and I could not access it. In addition, AVAST would only protect via firewall, though that should have been enough. Anyway, it doesn’t matter as I could not connect to the internet anyway.
So… Based on the above, do we still need to go through the process you outlined and PMed me above? Or is there some other way we can get rid of the malware?
Thanks!!!
Note the end point, which I added after I had seen your Firefox entry: could you run FF in safe mode to see if it is still present?
Do I need internet connectivity for that though? If I do, I can’t do it. As the network is not working in safe mode for some reason even when it is enabled. And the problem does not occur when the network is not connected, so I am not sure what good this would do… am I missing something?
Wait, do you mean FF safe mode or Windows safe mode???
EDIT: OK, I started FF in FF safe mode and the problem went away… So does this mean there is an add-on somewhere that I have to remove???
Yep it means the addon is in Firefox
Could you reset firefox https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.co.uk%2Furl%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26ved%3D0CCIQFjAA%26url%3Dhttps%253A%252F%252Fsupport.mozilla.org%252Fen-US%252Fkb%252Freset-firefox-easily-fix-most-problems%26ei%3D8FPBU7WFD4WVO8X5gfgH%26usg%3DAFQjCNFtaKEVZ_YyFC_12I9TEu28byOooQ%26bvm%3Dbv.70810081%2Cd.ZWU
You will have to re-install your addons that you use though
Hello Essexboy, really sorry for my slow response. So far everything seems to be working well. That problem has been solved.
But I want to ask you this… I contacted Ilivid about the malware issue and they totally deny their software has any malware and have asked me to provide evidence of such. Would it be advisable to send them this link to this thread and show them directly, they can even comment if they wish. Let me know.
In addition, do you have any experience with reading WhoCrashed software? I had installed IE 11 and it had issues so I went back to IE 9 and now my system blue screens every day. And each time I run WhoCrashed I get a different result. If you have experience I will start a new thread and send you the link. Also let me know which forum I should post it in, as so far I cannot see anything here related. Avast is not the only reason for the blue screen, but the one time it was, it was related to aswsnx.sys.
Thanks.
Would it be advisable to send them this link to this thread and show them directly, they can even comment if they wish. Let me know.
Yes you can ......
Thank you, they have been informed of this thread and that it can provide evidence their software contains malware.
iLivid response will be that you can uninstall their software, which is true after a fashion after you go through all the hoops and the hidden entries.
OK, if aswsnx is causing the blue screens do the following :
Download Avast Uninstall Utility to your Desktop.
Download the correct version of Avast
Avast Free
Avast Pro
Avast Internet Security
Avast Premier
Disconnect from the net
Uninstall Avast via control panel
Run the uninstall tool and accept the reboot to safe mode
Once complete reboot your system
Reinstall Avast
If the blue screens continue after that then I will look at the minidumps