Mal URL Blocked/svchost problem

OTS log attached.

Obviously malware writers are getting fed up with OTS. There are some Norton and AVG remnants being removed as well. Once this fix has run, can you let me know what problems remain?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (Symantec Core LC) Symantec Core LC [Auto | Stopped] -> 
[Driver Services - Safe List]
YY -> (SymEvent) SymEvent [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\SYMEVENT.SYS
YY -> (symlcbrd) symlcbrd [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\symlcbrd.sys
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\APPLICATION DATA\{D23A1CA2-973B-4C7A-A5B8-5ACF5A2F0F11}
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  jI02400NmNmO02400 -> C:\Documents and Settings\All Users\Application Data\jI02400NmNmO02400
[Files/Folders - Modified Within 30 Days]
NY ->  Acokupovilomet.bin -> C:\WINDOWS\Acokupovilomet.bin
NY ->  Fqayom.dat -> C:\WINDOWS\Fqayom.dat
NY ->  2gweorjqjutp92vjy9gake -> C:\Documents and Settings\admin\2gweorjqjutp92vjy9gake
[Files - No Company Name]
NY ->  Fqayom.dat -> C:\WINDOWS\Fqayom.dat
NY ->  Acokupovilomet.bin -> C:\WINDOWS\Acokupovilomet.bin
NY ->  2gweorjqjutp92vjy9gake -> C:\Documents and Settings\admin\2gweorjqjutp92vjy9gake
[File - Lop Check]
NY ->  AVG7 -> C:\Documents and Settings\admin\Application Data\AVG7
NY ->  avg7 -> C:\Documents and Settings\All Users\Application Data\avg7
NY ->  jI02400NmNmO02400 -> C:\Documents and Settings\All Users\Application Data\jI02400NmNmO02400
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Fix log attached.

Avast! just popped up with:

Rootkit Found
File name: MBR \ \PHYSICALDRIVE0
Rootkit name: hidden boot sector

Should I delete now?

Run a bootscan to remove it properly

Looking at the log now

Also after the bootscan re-run aswMBR and post the log please

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-24 16:36:00

16:36:00.218 OS Version: Windows 5.1.2600 Service Pack 2
16:36:00.218 Number of processors: 1 586 0x801
16:36:00.218 ComputerName: UserName:
16:36:00.812 Initialize success
16:36:41.687 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\symc8xx1Port2Path0Target0Lun0
16:36:41.687 Disk 0 Vendor: QUANTUM_ 08C8 Size: 8683MB BusType: 1
16:36:43.703 Disk 0 MBR read successfully
16:36:43.703 Disk 0 MBR scan
16:36:43.703 Disk 0 TDL4@MBR code has been found
16:36:43.703 Disk 0 MBR [TDL4] ROOTKIT
16:36:43.703 Disk 0 scanning C:\WINDOWS\system32\drivers
16:36:51.421 Service scanning
16:36:53.250 Disk 0 trace - called modules:
16:36:53.265 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll symc8xx.sys
16:36:53.265 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x837d6ab8]
16:36:53.265 3 CLASSPNP.SYS[f786a05b] → nt!IofCallDriver → \Device\Scsi\symc8xx1Port2Path0Target0Lun0[0x837d6030]
16:36:53.265 Scan finished successfully
16:37:27.718 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\admin\Desktop\MBR.dat”
16:37:27.734 The log file has been saved successfully to “C:\Documents and Settings\admin\Desktop\aswMBR-2.txt”

The boot scan detected a couple of infected files.

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FixButton

http://public.avast.com/~gmerek/aswMBR3.png

Save the log as before and post in your next reply

I think this got cleaned up yesterday but I re-ran a scan just now.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-25 13:50:56

13:50:56.171 OS Version: Windows 5.1.2600 Service Pack 2
13:50:56.171 Number of processors: 1 586 0x801
13:50:56.218 ComputerName: UserName:
13:50:57.921 Initialize success
13:51:01.921 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\symc8xx1Port2Path0Target0Lun0
13:51:01.921 Disk 0 Vendor: QUANTUM_ 08C8 Size: 8683MB BusType: 1
13:51:03.953 Disk 0 MBR read successfully
13:51:03.953 Disk 0 MBR scan
13:51:03.953 Disk 0 Windows XP default MBR code
13:51:05.968 Disk 0 scanning sectors +17751825
13:51:06.000 Disk 0 scanning C:\WINDOWS\system32\drivers
13:51:14.000 Service scanning
13:51:16.171 Disk 0 trace - called modules:
13:51:16.187 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll symc8xx.sys
13:51:16.187 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x837d6ab8]
13:51:16.187 3 CLASSPNP.SYS[f786a05b] → nt!IofCallDriver → \Device\Scsi\symc8xx1Port2Path0Target0Lun0[0x837d6030]
13:51:16.203 Scan finished successfully
13:51:52.343 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\admin\Desktop\MBR.dat”
13:51:52.343 The log file has been saved successfully to “C:\Documents and Settings\admin\Desktop\aswMBR-3.txt”
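The two aswMBR logs above differ in one line: the first reports "TDL4@MBR code has been found", the second "Windows XP default MBR code" followed by "scanning sectors +17751825". The following is an added example, not part of the thread and not aswMBR's code, showing the checks such a scan performs on the raw 512-byte MBR: the 0x55AA signature, the four partition-table entries, a comparison of the 440 boot-code bytes against a known-good reference hash, and the first sector past the last partition, which is the unpartitioned tail a bootkit of the TDL4 family uses to stash its files. The sample MBR is constructed in the block; the reference hash, the placeholder boot code, the partition layout (chosen so it ends at LBA 17751825) and the reading of "8683MB" as MiB are all assumptions, since the page gives none of them.

```python
"""Added example: parse an MBR the way an MBR-rootkit scan looks at it.

Not from the thread or from aswMBR. Reads the four partition-table entries,
checks the 0x55AA signature, compares the 440 boot-code bytes against an
operator-supplied reference hash, and reports the first sector past the last
partition (the unpartitioned tail a bootkit such as TDL4 uses for storage).
The reference hash is an assumption: the page does not give the XP MBR hash.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot loader code
DISK_SIG_OFF = 440         # 4-byte disk signature (then 2 reserved bytes)
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr(boot_code, partitions):
    """Construct a 512-byte MBR image (test data, not read from a real disk).

    partitions: iterable of (bootable, type_byte, start_lba, sector_count).
    """
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(SECTOR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, DISK_SIG_OFF, 0x1A2B3C4D)  # arbitrary disk signature
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        # CHS fields set to FE FF FF, the usual "use LBA" filler
        struct.pack_into(PART_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, count)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


def parse_mbr(mbr):
    """Return boot-code hash, disk signature, signature validity and partitions."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                       # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "start_lba": start, "sectors": count,
                           "end_lba": start + count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def first_unpartitioned_sector(parsed):
    """First LBA after the last partition; sector 1 if the table is empty."""
    return max((p["end_lba"] for p in parsed["partitions"]), default=1)


def assess(mbr, reference_boot_code_sha256, disk_sectors):
    """Return (alerts, scan_from): alerts is empty for a clean-looking MBR,
    scan_from is where a follow-up scan of unpartitioned space should start."""
    info = parse_mbr(mbr)
    alerts = []
    if not info["valid_signature"]:
        alerts.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != reference_boot_code_sha256:
        alerts.append("boot code differs from reference (possible MBR bootkit)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        alerts.append(f"{len(bootable)} bootable partitions, expected 1")
    for p in info["partitions"]:
        if p["end_lba"] > disk_sectors:
            alerts.append(f"partition {p['index']} extends past end of disk")
    return alerts, first_unpartitioned_sector(info)


# Constructed sample: an 8683 MB disk (size from the log, read as MiB) with one
# NTFS partition ending at LBA 17751825, the "+17751825" the second log scans from.
DISK_SECTORS = 8683 * 1024 * 1024 // SECTOR_SIZE
GOOD_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100   # placeholder, not XP's real code
GOOD_MBR = build_sample_mbr(GOOD_CODE, [(True, 0x07, 63, 17751825 - 63)])
REFERENCE_HASH = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()


def tampered_mbr():
    """Same image with the first bytes replaced by a jump, as a bootkit would do."""
    img = bytearray(GOOD_MBR)
    img[0:3] = b"\xe9\x00\x01"
    return bytes(img)


if __name__ == "__main__":
    for label, image in (("clean", GOOD_MBR), ("tampered", tampered_mbr())):
        alerts, scan_from = assess(image, REFERENCE_HASH, DISK_SECTORS)
        print(label, alerts or "no alerts", "scan unpartitioned space from LBA", scan_from)
```

On a real machine the 512 bytes would come from the first sector of the physical drive (the MBR.dat aswMBR saves to the desktop is exactly that), and the reference hash would be taken from a known-clean MBR of the same Windows version; a hash mismatch on its own only says the boot code is not the expected one, so the unpartitioned tail after the last partition is the next place to look.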

Weird - the previous aswMBR must have been an old report

What are your current problems ?

I ran several scans/fixes after that post yesterday and it seems to have cleaned things up. I hope. I haven’t noticed any more problems today. svchost seems to be behaving and no avast! warnings. I greatly appreciate your generous help and DavidR’s as well.

Are we done? :slight_smile: I need to leave soon for an hour or two.

No, if you could run for a day or so. If you experience no further problems then post here and I will remove my tools and tidy you up.

Will do. Thanks again.

Great discussion on how to remove a TDSS rootkit variant! Should be separately posted as such.

The problem is that they aren’t all the same; it is the analysis that is needed to determine what you have and what you need to do.

bump

I haven’t noticed any more problems.

Subject to no further problems :slight_smile: I would recommend you update to SP3

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]
  

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

SPRING CLEAN
Final stretch

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran.gif

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: