Malicious URL Blocked

I am running a dual boot, XP (Drive C) and Win7 (Drive H); the XP is fine, it’s just the Win7 install where my problem is.

I seem to have acquired a piece of Malware or Spyware or something nasty.
Every 5 to 10 mins Avast will pop up and warn me of a “Malicious URL Blocked”; the URL in question is “dnusax.com/exrev.exe”. I have done some digging on the net about this “dnusax.com” and it appears to be a well known Malware site.

The associated program says it is “H:/Windows/system32/svchost.exe”

I have downloaded and run the following to try and remove it:-

HijackThis

MBAM

SpybotSearch&Destroy

SuperAntiSpyware

And still this thing avoids me, any help would be greatly appreciated.

Can you upload this H:/Windows/system32/svchost.exe to www.virustotal.com?
When you have the result, copy the URL in the address bar and post it here for us to see.

The friend it wants to download (dnusax.com/exrev.exe) is this:
http://www.virustotal.com/file-scan/report.html?id=05285b128d7f5015781c8962a787eb6c26b07068fdea12453108aab96a7c39f1-1307451447

Here is the URL to the file analysis:-

http://www.virustotal.com/file-scan/report.html?id=121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2-1307451444

You can send it to the avast lab like this:

Moving files to the Virus Chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,2#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,2#idt_07

Or like this:

Send it in a password-protected zip file to virus @ avast.com
mail subject: undetected sample
Password: infected

Was your Malwarebytes program fully updated when you scanned?
The latest MBAM signature is 6796.

OK, I have added it to the Chest and submitted it for testing or whatever the guys do with it.

Does this mean that it will now stop the pop-ups??

EDIT: Nope, it didn’t… LOL

I just downloaded and updated MBAM this morning and ran the scan.

@ Fazer
You will possibly have seen a number of these “Malicious URL Blocked” in the viruses and worms forum, and in most cases there is a rootkit hiding the issue. Try running the aswMBR tool below, post the log and see what it finds.

It is the rootkit and associated file/s which are misusing the svchost.exe file, and not the svchost file which is infected, or avast would have alerted on the actual file. Do not send H:/Windows/system32/svchost.exe to the chest.

I take it the H:/Windows/system32/svchost.exe location is on the particular boot drive (Win7) that you are using?

I suggest you also:

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log); save the OTS log as ANSI.

Essexboy will look at the logs when he arrives here later today…

I don’t know how you managed to send H:/Windows/system32/svchost.exe to the chest; it should be protected by Windows at the very least, and if you were using that boot drive, I would have thought avast wouldn’t send it to the chest anyway.

Thanks David, and yes, Drive H is the boot drive for my Win7 install.

Here is the log from the aswMBR tool:-

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-07 14:24:28

14:24:28.605 OS Version: Windows 6.1.7600
14:24:28.605 Number of processors: 2 586 0x303
14:24:28.622 ComputerName: RICHARD UserName: Richard
14:24:30.991 Initialize success
14:24:35.336 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
14:24:35.341 Disk 0 Vendor: Maxtor_6Y200P0 YAR41BW0 Size: 194481MB BusType: 3
14:24:35.347 Disk 1 (boot) \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-1
14:24:35.351 Disk 1 Vendor: HDS728080PLAT20 PF2OA21B Size: 78533MB BusType: 3
14:24:35.358 Disk 2 \Device\Harddisk2\DR2 → \Device\Ide\IdeDeviceP1T1L0-3
14:24:35.364 Disk 2 Vendor: Hitachi_HDT725040VLAT80 V5COA42A Size: 381554MB BusType: 3
14:24:37.377 Disk 1 MBR read successfully
14:24:37.384 Disk 1 MBR scan
14:24:37.390 Disk 1 Windows 7 default MBR code
14:24:39.400 Disk 1 scanning sectors +160826715
14:24:39.426 Disk 1 scanning H:\Windows\system32\drivers
14:24:44.419 Service scanning
14:24:46.050 Disk 1 trace - called modules:
14:24:46.053 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84eec1e8]<<
14:24:46.072 1 nt!IofCallDriver → \Device\Harddisk1\DR1[0x85046030]
14:24:46.074 3 CLASSPNP.SYS[87ed259e] → nt!IofCallDriver → [0x84f58330]
14:24:46.076 5 ACPI.sys[877573b2] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T1L0-1[0x84f38908]
14:24:46.079 \Driver\atapi[0x84f36b68] → IRP_MJ_CREATE → 0x84eec1e8
14:24:46.081 Scan finished successfully
14:25:52.113 Disk 1 MBR has been saved successfully to “H:\Users\Richard\Desktop\MBR.dat”
14:25:52.132 The log file has been saved successfully to “H:\Users\Richard\Desktop\aswMBR.txt”
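The reply above attributes the pop-ups to a rootkit, and the aswMBR trace is where a triager looks for evidence of one: the called-modules line ends in `>>UNKNOWN [0x84eec1e8]<<`, and the last hop shows atapi's `IRP_MJ_CREATE` dispatch pointing at that same address, i.e. at code aswMBR could not attribute to any loaded driver. The following Python script is an added example, not code from the thread or from AVAST's aswMBR tool: it parses that section of a log, collects the unmapped addresses, and reports any driver dispatch entry that targets one of them. The sample lines are the ones quoted in the log above; the `parse_trace` and `TraceFindings` names are this example's own.

```python
"""Triage helper for an aswMBR 'trace - called modules' section.

Added example; not code from the forum thread or from AVAST's aswMBR.
It parses the disk-stack trace aswMBR prints, collects every hop the tool
could not attribute to a loaded driver (printed as >>UNKNOWN [addr]<<) and
checks whether a driver's IRP dispatch entry points at such an address.
"""
import re
from dataclasses import dataclass

# Log lines quoted from the thread's aswMBR output (backslashes doubled for
# the Python string literal).
SAMPLE_LOG = """14:24:46.050 Disk 1 trace - called modules:
14:24:46.053 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84eec1e8]<<
14:24:46.072 1 nt!IofCallDriver -> \\Device\\Harddisk1\\DR1[0x85046030]
14:24:46.074 3 CLASSPNP.SYS[87ed259e] -> nt!IofCallDriver -> [0x84f58330]
14:24:46.076 5 ACPI.sys[877573b2] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP0T1L0-1[0x84f38908]
14:24:46.079 \\Driver\\atapi[0x84f36b68] -> IRP_MJ_CREATE -> 0x84eec1e8
14:24:46.081 Scan finished successfully
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.I)
DISPATCH_RE = re.compile(
    r"\\Driver\\(\w+)\[0x[0-9a-f]+\]\s*->\s*(IRP_MJ_\w+)\s*->\s*(0x[0-9a-f]+)", re.I)
MODULE_SUFFIXES = (".exe", ".sys", ".dll")


@dataclass
class TraceFindings:
    modules: list      # modules aswMBR listed on the summary line
    unknown: list      # addresses aswMBR could not map to any module
    dispatches: list   # (driver, IRP major function, target address)

    def dispatches_into_unknown(self) -> list:
        """Dispatch entries whose target is one of the unmapped addresses:
        the driver's IRP handler has been redirected to code that belongs to
        no loaded module."""
        targets = {a.lower() for a in self.unknown}
        return [d for d in self.dispatches if d[2].lower() in targets]

    def suspicious(self) -> bool:
        return bool(self.unknown)


def parse_trace(log_text: str) -> TraceFindings:
    """Extract the called-modules trace from a full aswMBR log."""
    text = log_text.replace("\u2192", "->")   # forum rendering may turn '->' into an arrow
    modules, unknown, dispatches = [], [], []
    in_trace = False
    for line in text.splitlines():
        body = line.split(" ", 1)[1] if " " in line else line   # drop the timestamp
        if "trace - called modules:" in body:
            in_trace = True
            continue
        if not in_trace:
            continue
        if body.startswith("Scan finished"):
            break
        modules.extend(tok for tok in body.split() if tok.lower().endswith(MODULE_SUFFIXES))
        unknown.extend(UNKNOWN_RE.findall(body))
        dispatches.extend(DISPATCH_RE.findall(body))
    return TraceFindings(modules, unknown, dispatches)


if __name__ == "__main__":
    findings = parse_trace(SAMPLE_LOG)
    print("modules in stack:", " ".join(findings.modules))
    print("unmapped addresses:", findings.unknown or "none")
    for driver, irp, target in findings.dispatches_into_unknown():
        print(f"{driver}: {irp} handler points at unmapped code {target}")
```

Run against the thread's log it reports one unmapped address and one dispatch entry (atapi, IRP_MJ_CREATE) landing on it. A clean trace has no UNKNOWN entry, so `suspicious()` is false and the dispatch list is empty; the parser deliberately stops at "Scan finished" so the MBR-save lines that follow are not misread as trace hops.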

Hi, from the Windows 7 system run the following.

Please read carefully and follow these steps.

- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

- If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

- If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

- It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

@Fazer,

Follow essexboy’s instructions to the dot to get rid of this malware.

@Pondus
Some more scan information for you follows here:

The domain is also flagged by Norton Safe Web, see: http://safeweb.norton.com/report/show?url=dnusax.com
For exrev.exe see this report: http://www.prevx.com/filenames/X1381646459844391626-X1/EXREV.EXE.html
Always flagged as a threat: http://www.threatexpert.com/files/exrev.exe.html
Also seen as part of file infectors.
An older wepawet scan from 2009 found here: http://wepawet.iseclab.org/view.php?hash=29ac5c679882fdfb6cefab16476e0a06&t=1252953035&type=js
with accompanying Anubis report: http://anubis.iseclab.org/?action=result&task_id=1316fd2b0f21c9b2495750f20768d772a
and the then VT results: http://www.virustotal.com/analisis/7f31021dba1cfc684dde783ec99c5d6552149e816a4f6ebb9586416667b6c98d-1252940465
So it is not new, but a new reappearance of the 2009 malware:
A re-scan gave: http://wepawet.iseclab.org/view.php?hash=29ac5c679882fdfb6cefab16476e0a06&t=1307453196&type=js
And the new Anubis report here: http://anubis.iseclab.org/?action=result&task_id=16a5dcf5b6c0edcc429b835c9e1cad8b2
Analysis found Trojan.Cryptic (Sig-Id:60719417) according to Ikarus Virus Scanner,
and 4 out of 5 flagged it here:
http://vscan.urlvoid.com/analysis/9f1544a15a926ae886d8b52cf63796d6/ZXhyZXYtZXhl/

polonus

It appears as if the MBAM that I downloaded and ran this morning was corrupt; I downloaded another one from essexboy’s post and ran it, and it found this:-

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6796

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

07/06/2011 15:03:20
mbam-log-2011-06-07 (15-03-20).txt

Scan type: Full scan (H:|)
Objects scanned: 200222
Time elapsed: 23 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
h:\Users\Richard\AppData\Local\Temp\IXP000.TMP\lsass.exe (Trojan.Agent) → Quarantined and deleted successfully.

Maybe this is the end of my problems??

Probably not - run TDSS Killer now please.

Download OTS to your Desktop and double-click on it to run it.

- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

- Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
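The `/md5start` … `/md5stop` block in the OTS custom scan hashes explorer.exe, winlogon.exe, Userinit.exe and svchost.exe so that a patched or replaced copy stands out, and the Malwarebytes log earlier in the thread found an `lsass.exe` under `Temp\IXP000.TMP`, a name that belongs in System32. The Python script below is an added example, not code from the thread, from OTS or from Malwarebytes: it walks a drive, reports every file carrying one of those names that sits outside the folders such binaries live in, and records its SHA-256 so each can be looked up on a scanner by hash rather than by uploading the file. The allowed-directory rule (Windows, System32, SysWOW64, and the WinSxS subtree) is this example's assumption about a default install, and `demo()` runs the scan over a constructed temporary tree with placeholder file contents, not real binaries.

```python
"""Find copies of core Windows binaries sitting outside the folders they
belong in, and record their SHA-256 for a by-hash lookup.

Added example; not code from the thread, OTS or Malwarebytes. The names come
from the OTS /md5start block (explorer.exe, winlogon.exe, Userinit.exe,
svchost.exe) plus lsass.exe, the name Malwarebytes reported under
Temp\\IXP000.TMP. The allowed-directory rule is an assumption about a default
install, not something the thread states.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CORE_BINARIES = {"explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe", "lsass.exe"}


def is_allowed(directory: Path, system_root: Path) -> bool:
    """Assumption: these names legitimately live directly in Windows,
    System32 or SysWOW64, and anywhere under WinSxS (the component store).
    Anything else, e.g. Windows\\Temp or a user profile, is reported."""
    win = system_root / "Windows"
    if directory in (win, win / "System32", win / "SysWOW64"):
        return True
    winsxs = win / "WinSxS"
    return directory == winsxs or winsxs in directory.parents


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_masquerades(system_root: Path) -> list:
    """Walk the drive and report every file named like a core binary that is
    outside the allowed directories, with its size and SHA-256."""
    system_root = Path(system_root).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(system_root):
        here = Path(dirpath)
        if is_allowed(here, system_root):
            continue
        for name in files:
            if name.lower() in CORE_BINARIES:
                path = here / name
                hits.append({
                    "name": name,
                    "path": str(path),
                    "size": path.stat().st_size,
                    "sha256": sha256_of(path),
                })
    return hits


def demo() -> list:
    """Scan a constructed directory tree shaped like the thread's H: drive:
    svchost.exe where it belongs, plus an lsass.exe under a user's
    Temp\\IXP000.TMP folder as in the Malwarebytes log. File contents are
    placeholder bytes, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="masq-"))
    legit = root / "Windows" / "System32" / "svchost.exe"
    stray = (root / "Users" / "Richard" / "AppData" / "Local" / "Temp"
             / "IXP000.TMP" / "lsass.exe")
    for path, payload in ((legit, b"placeholder svchost"), (stray, b"placeholder lsass")):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(payload)
    return find_masquerades(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  {hit['size']} bytes  sha256={hit['sha256']}")
```

On a real drive call `find_masquerades(Path("H:/"))` from the Windows 7 side; the System32 copy of svchost.exe is skipped, while the stray lsass.exe in the Temp folder is listed with its hash. A hit is a lead, not a verdict: installers do drop files with these names into temporary folders, which is exactly why the hash is recorded for a lookup before anything is deleted.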

You were right essexboy, it didn’t cure it. OK, ran TDSS Killer.

Also ran OTS and the log file is attached.

Looks like Combofix and MBAM cleared it - no apparent malware present ;D

It’s still doing the pop-up and saying “Malicious URL Blocked”.

I am really confused by this one.

EDIT: If I can catch it quickly enough, I will grab a screenshot of what Avast is showing me.

Here is the screenshot; it just did it again:

http://i262.photobucket.com/albums/ii86/Hackable-fazer/Untitled-1.png

Could you post the Combofix log please, as there may be something there that is hidden.

Here’s the Combofix log; I had to run it again as I couldn’t find the original log.
On saying that, since I ran it, I have not had a pop-up… YET

Nothing appears hidden; however, two files were suspect:

h:\programdata\Microsoft\Network\Downloader\qmgr0.dat
h:\programdata\Microsoft\Network\Downloader\qmgr1.dat