Just installed a few hours ago, and I’m having a “Malicious Url Blocked” pop up every couple seconds, even when I’m not browsing. The Object line is a random site every second, and the process is listed as: C:\Windows\SysWOW64\svchost.exe
Can anyone please help me out?
Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
here is the ADWCleaner log
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
***** [Internet Browsers] *****
-\ Internet Explorer v8.0.7601.17514
[OK] Registry is clean.
-\ Google Chrome v26.0.1410.43
File : C:\Users\Pat\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
AdwCleaner[R1].txt - [4136 octets] - [02/04/2013 22:35:23]
AdwCleaner[S1].txt - [4274 octets] - [02/04/2013 22:35:53]
AdwCleaner[S2].txt - [837 octets] - [02/04/2013 23:17:02]
########## EOF - C:\AdwCleaner[S2].txt - [896 octets] ##########
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.04.03.01
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Pat :: PAT-PC [administrator]
4/2/2013 11:28:38 PM
mbam-log-2013-04-02 (23-28-38).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233972
Time elapsed: 4 minute(s), 8 second(s)
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → 3996 → Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) → Delete on reboot.
(end)
heres the OTL as an attachment
2nd from OTL
heres the last one: attached
Bump for anyone able to help me! All logs are posted above.
Anyone able to help?
well, it seems no one notified the removers about your topic
anyway it is done now…
@pburke23
Sorry, somehow we missed you. Here is malware removal guide for you. Follow this instructions:
Step#1
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
[*] Unzip/unrar MBAR in a folder to your Desktop
[*] Open the folder where the contents were unzipped to run mbar.exe
[*] Click on Next > then on Update button to download fresh definitions.
[*] When database updates click Next
[*] In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”
[*] If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
[*] The Clean up procedure will be Scheduled for process.
[*] When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
Step#2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
Here is step 1, and thank you for the help!
here is the combofix log.
Seems to be running really smoothly right now. Definately don’t have the “malicious url” popup every 2 seconds. And everything seems fine, I’ll check back in 12 hours.
Hou have been run TDSSKiller;
Log (or logs) has been produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Attach it (all) here.
Start > Run , copu-paste:
notepad c:\users\Pat\AppData\Roaming\SetValue.bat
Enter
notepad with some txt will be open. Copy-paste that txt here.
Open notepad and copy/paste the text present inside the code box below:
Driver::
24739360
ClearJavaCache::
DDS::
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )