Mal URL Blocked/svchost problem

I recently installed avast! Free and had a malware problem with “MS Removal Tool”. I’ve run Malwarebytes’ Anti-Malware and that detected and cleaned up some things. After reinstalling avast several times, and finally running a repair to get it to work, if I run a full scan in safe mode it detects one infected file but there are no options to identify or deal with it. When I run a scan in normal mode no threat/infection is detected. I now have problems with a svchost.exe service running 100% of CPU and avast pop-up notices “Malicious URL Blocked” that seem to be related to the service.

Is there a fix for the svchost problem?

What to do with the “infected” file? Try another AV?

Hard to complain about something that’s “free” but I already have way more time (lost) in this than the machine is worth. Fortunately I don’t think I’ve lost any data. I’ve run both the paid and free versions of avast for a couple years before without any problems.

XP Pro service pack 2.

Whilst this may not be directly responsible for your problem, it is at least associated. XP SP3 has been out for almost two years and that did improve the security of XP. Security updates ceased for XP SP2 almost a year ago, so once this is resolved you should get the XP SP3 update.

Trying another AV won’t resolve your problem.

You aren’t actually seeing an infected file being reported, just that svchost.exe is being used maliciously by a hidden/undetected process and it is that which needs to be found.

You may have a MBR rootkit infection and this rootkit is likely to be hiding what is responsible for the attempted connections to what are no doubt malicious sites.

Try this tool to confirm one way or another if you have an MBR rootkit:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 13:37:34

13:37:34.406 OS Version: Windows 5.1.2600 Service Pack 2
13:37:34.406 Number of processors: 2 586 0x2302
13:37:34.406 ComputerName: happy UserName: computer
13:37:34.968 Initialize success
13:37:38.828 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000032
13:37:38.828 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152626MB BusType: 3
13:37:38.828 Disk 1 \Device\Harddisk1\DR1 → \Device\00000079
13:37:38.828 Disk 1 Vendor: ST3500630AS 3.AAK Size: 476940MB BusType: 3
13:37:38.828 Device \Device\00000077 → ??\IDE#DiskWDC_WD1600JS-22MHB0_____________________02.01C03#2020202057202D4443574E41314D353036373331#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
13:37:38.828 Disk 0 MBR read error 0
13:37:38.828 Disk 0 MBR scan
13:37:38.828 Disk 0 unknown MBR code
13:37:38.828 MBR BIOS signature not found 0
13:37:38.828 Disk 0 scanning sectors +312576705
13:37:38.828 Disk 0 scanning C:\WINDOWS\system32\drivers
13:37:45.562 Service scanning
13:37:46.546 Disk 0 trace - called modules:
13:37:46.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a431ecc]<<
13:37:46.546 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a4c2ab8]
13:37:46.562 3 CLASSPNP.SYS[ba8e8fcf] → nt!IofCallDriver → \Device\00000078[0x8a42dac0]
13:37:46.562 5 ACPI.sys[ba77f620] → nt!IofCallDriver → [0x8a4c2030]
13:37:46.562 [0x8a40a818] → IRP_MJ_CREATE → 0x8a431ecc
13:37:46.562 Scan finished successfully

13:38:15.578 The log file has been saved successfully to “C:\Documents and Settings\64Xdual\My Documents\Downloads\aswMBR.txt”

Well it doesn’t look like you have an MBR rootkit as the aswMBR scan report is usually very clear about the detections.

Though I haven’t seen a report like this one; it seems like it detects two hard disks, but can’t find the device for one of them.
13:37:38.828 Device \Device\00000077 → ??\IDE#DiskWDC_WD1600JS-22MHB0_____________________02.01C03#2020202057202D4443574E41314D353036373331#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found

Do you have two hard disks (a Western Digital and a Seagate)?

Can you post the log of your last MBAM scan to see what it found?
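The aswMBR output above is plain text, so the points the helper checks by eye (the trace ending in a module aswMBR could not name, a device it could not resolve, whether the scan actually completed) can be pulled out automatically. This is an added example in Python, not avast’s code or anything posted in the thread; the log excerpt inside it is constructed in the format shown above, and the triage wording is this example’s own review prompt, not an aswMBR verdict.

```python
import re

# Constructed excerpt in the aswMBR log format seen in the thread (not a real scan).
SAMPLE_LOG = r"""
13:37:38.828 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000032
13:37:38.828 Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152626MB BusType: 3
13:37:38.828 Device \Device\00000077 → ??\IDE#Disk(constructed-id) not found
13:37:38.828 Disk 0 MBR read error 0
13:37:38.828 Disk 0 unknown MBR code
13:37:46.546 Disk 0 trace - called modules:
13:37:46.546 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a431ecc]<<
13:37:46.562 [0x8a40a818] → IRP_MJ_CREATE → 0x8a431ecc
13:37:46.562 Scan finished successfully
"""

TIMESTAMPED = re.compile(r"^\d\d:\d\d:\d\d\.\d{3}\s+(.*)$")
ARROW = re.compile(r"\s*(?:->|→)\s*")   # accept both arrow renderings seen in pasted logs
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<")

def parse_aswmbr(text):
    """Collect the fields a reviewer looks at first in an aswMBR log."""
    rep = {"disks": {}, "mbr_read_error": None, "unknown_mbr_code": False,
           "unknown_modules": [], "devices_not_found": [], "finished": False}
    for raw in text.splitlines():
        m = TIMESTAMPED.match(raw.strip())
        if not m:
            continue                            # header and blank lines carry no timestamp
        msg = m.group(1)
        if d := re.match(r"Disk (\d+) Vendor: (\S+)", msg):
            rep["disks"][int(d.group(1))] = d.group(2)
        elif e := re.match(r"Disk \d+ MBR read error (\d+)", msg):
            rep["mbr_read_error"] = int(e.group(1))   # code as printed by the tool
        elif msg.endswith("unknown MBR code"):
            rep["unknown_mbr_code"] = True
        elif msg.startswith("Device ") and msg.endswith(" not found"):
            rep["devices_not_found"].append(ARROW.split(msg)[0][len("Device "):])
        elif ">>UNKNOWN" in msg:                # trace ends in a module aswMBR could not name
            rep["unknown_modules"] += UNKNOWN.findall(msg)
        elif msg == "Scan finished successfully":
            rep["finished"] = True
    return rep

def triage(rep):
    """Turn parsed fields into review prompts for a human; none of these is a verdict."""
    notes = [f"trace ends in unnamed module {a}: compare with a known-clean boot of the same machine"
             for a in rep["unknown_modules"]]
    notes += [f"device {d} not resolved: check that the physical disk count matches"
              for d in rep["devices_not_found"]]
    if not rep["finished"]:
        notes.append("log has no 'Scan finished' line: treat it as incomplete")
    return notes
```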

Is coastal-delaware the same person as the OP J_P? If not, they may not have MBAM.

Ah, didn’t even notice the topic hijacking by Coastal-Delaware, who should start their own new topic. Post the requested MBAM scan logs there and the reason why you felt the need to run the aswMBR scan at all.

Sorry for the thread hijack. He seemed to have the same issue as me.

I do have two hard drives. I do have mbam installed. Had to use it to get rid of the Windows Recovery Virus a few days ago. There is still something lurking on my computer.

This is the most recent MBAM Log:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/19/2011 2:23:22 PM
mbam-log-2011-05-19 (14-23-22).txt

Scan type: Quick scan
Objects scanned: 65579
Time elapsed: 1 hour(s), 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Seeming to be the same doesn’t really matter; trying to help multiple people on the same topic becomes confusing for all concerned. So you need to start your own new topic and abandon this one.

OK, back to this. (Glad to see Coastal-Delaware got his problem sorted.)

aswMBR log:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-23 18:27:14

18:27:14.343 OS Version: Windows 5.1.2600 Service Pack 2
18:27:14.343 Number of processors: 1 586 0x801
18:27:14.375 ComputerName: UserName:
18:27:15.578 Initialize success
18:27:55.890 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\symc8xx1Port2Path0Target0Lun0
18:27:55.890 Disk 0 Vendor: QUANTUM_ 08C8 Size: 8683MB BusType: 1
18:27:55.890 Device \Driver\symc8xx → DriverStartIo 8374331b
18:27:55.890 Disk 0 MBR read error 0
18:27:55.890 Disk 0 MBR scan
18:27:55.890 Disk 0 unknown MBR code
18:27:55.890 MBR BIOS signature not found 0
18:27:55.906 Disk 0 scanning sectors +17751825
18:27:55.906 Disk 0 scanning C:\WINDOWS\system32\drivers
18:28:04.062 Service scanning
18:28:05.906 Disk 0 trace - called modules:
18:28:05.906 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x837434d0]<<
18:28:05.906 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8379a4c0]
18:28:05.921 3 CLASSPNP.SYS[f786a05b] → nt!IofCallDriver → [0x837cd298]
18:28:05.953 \Driver\symc8xx[0x837663a8] → IRP_MJ_CREATE → 0x837434d0
18:28:05.953 Scan finished successfully
18:29:15.781 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\admin\Desktop\MBR.dat”
18:29:15.781 The log file has been saved successfully to “C:\Documents and Settings\admin\Desktop\aswMBR.txt”

I don’t see anything conclusive, but that doesn’t mean that there isn’t, so I will try to get essexboy to look at it. In the meantime, if you can run another tool to gather some information for him when he is back on the forums later today. It is now 2:40 am here, and he is usually on the forums around 7pm UK time.

Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).

There are new variants coming out on an almost weekly basis.

Once I have a look at the OTS log I should be able to see which way to proceed.

Thanks for joining the topic, hopefully it won’t be another three days before JP is back with us.

I’m having trouble getting OTS to run. Suggestions?

What error are you getting when you try to run it?

Try changing the extension from .exe to .scr

No error message shows up. When I double click on it there is about 8 seconds of the hourglass “doing something” icon. But that’s it.

Hmm, let’s test something out.

Please read carefully and follow these steps.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop.
3. Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

4. If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

5. If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

6. It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

7. If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
8. If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Thanks for your help and patience. One malicious object found. Very slow on the reboot.

No need to post it all, I saw the attached log. Could you retry OTS now please?