Need help removing a virus

So I’ve picked up some nasty virus that redirects google links to random websites. It also seems to be causing a significant amount of network and processor instability. I’ve used AVG and Avast and neither are able to kill the issue.

The text I get from avast says it's URL:Mal and in svchost.exe.

So the question is, what do I need to do?

I did find some other posts talking about similar issues. I have run OTS using the following commands as per an essexboy post (c/p’d below) and I’ve attached the ots.txt to this post

Download OTS to your Desktop and double-click on it to run it

* Make sure you close all other programs and don't use the PC while the scan runs.
* Select All Users
* Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

* Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

* Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
* When the scan is complete Notepad will open with the report file loaded in it.
* Please attach the log in your next post.

Your problem may well be a rootkit, as that tends to be the symptom: “The text I get from avast says it's URL:Mal and in svchost.exe.”

I don’t know if OTS would find this or not and I’m not very familiar with OTS, so it would need someone else to analyse the log.

In the meantime you can run this tool, which is specifically looking for one type of rootkit, the MBR (Master Boot Record) rootkit.

Did as you asked, attached the log.

Two things came up in red:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a48e4d0]<<
and
\Driver\atapi[0x8a61d0a0] → IRP_MJ_CREATE → 0x8a48e4d0
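For readers who want to see how the two red lines relate to each other, here is a small PowerShell snippet (an added example, not part of the thread and not aswMBR's own code). A `>>UNKNOWN [0x...]<<` line names a code address that the scanner could not attribute to any loaded driver; a `\Driver\xxx[0x...] -> IRP_MJ_... -> 0x...` line shows which driver dispatch entry points at which address. The snippet collects the UNKNOWN addresses and then reports every dispatch entry whose target is one of them, so the reader can see at a glance whether a driver's request path has been redirected into code that belongs to no known module. The sample lines are constructed to mirror the ones quoted above (with `->` as aswMBR prints it, plus the `→` the forum rendered it as), and the function name `Find-UnknownHooks` is my own.

```powershell
# Constructed sample of aswMBR-style output, mirroring the lines quoted in the thread.
$sample = @'
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a48e4d0]<<
\Driver\atapi[0x8a61d0a0] -> IRP_MJ_CREATE -> 0x8a48e4d0
\Driver\atapi[0x8a61d0a0] -> IRP_MJ_READ -> 0x8a61c8c0
'@

function Find-UnknownHooks {
    param([string[]]$Lines)

    # 1. Collect every address the scanner marked as UNKNOWN (not attributed to a loaded module).
    $unknown = foreach ($l in $Lines) {
        if ($l -match '>>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<') { $matches[1].ToLower() }
    }

    # 2. Walk the dispatch-table lines and flag any whose target is one of those addresses.
    #    Accept both "->" (raw log) and "→" (as the forum rendered it).
    foreach ($l in $Lines) {
        if ($l -match '^\\Driver\\(\S+?)\[(0x[0-9a-fA-F]+)\]\s*(?:->|→)\s*(IRP_MJ_\w+)\s*(?:->|→)\s*(0x[0-9a-fA-F]+)') {
            $target = $matches[4].ToLower()
            [pscustomobject]@{
                Driver       = $matches[1]
                DriverObject = $matches[2]
                Dispatch     = $matches[3]
                Target       = $target
                HitsUnknown  = ($unknown -contains $target)   # $true = points into unattributed code
            }
        }
    }
}

# Usage: in the sample, IRP_MJ_CREATE of \Driver\atapi resolves to the UNKNOWN address
# and is reported with HitsUnknown = True; IRP_MJ_READ points at a normal address and is not.
Find-UnknownHooks -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

To use it on a real aswMBR report, replace `$sample` with `Get-Content .\aswMBR.txt`. A dispatch entry pointing into unattributed code is a reason to have someone who reads these logs look further; it is not by itself proof of infection, since some legitimate disk-encryption and filter drivers also hook the same entries.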

Well, nothing conclusive there; the aswMBR is normally very clear if an MBR rootkit is found. I don't know what to make of the entries you mentioned were in red, so it will require further investigation by someone that can analyse this and the OTS log.

Bump in hopes of more possible solutions.

Svchost.exe is a container of sorts that contains and controls the running of various services/programs grouped logically together in a svchost.exe process. It contains only what the OS loads into it as services and programs are started.

What web browser are you using?

In the past I have had problems with redirects in Firefox, though I am sure that people get them in IE, Chrome, Opera etc. As I recall I finally located the problem in one of the addons and was able to fix it. It was nasty and took quite a bit of time to find it and get rid of it. Avast and other virus scanners did not detect it. I only found it by sheer luck, persistence and a little experience.
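Because the alert names svchost.exe, the first thing worth checking is whether every running svchost.exe is the genuine one. The PowerShell below is an added example (not from the thread or from any of the tools mentioned in it): it lists each svchost.exe instance, where its image lives, whether that image carries a valid Authenticode signature, and which services Windows has loaded into it. A legitimate instance runs from `%SystemRoot%\System32` (or `SysWOW64`), is Microsoft-signed, and hosts at least one service; an instance that fails any of those checks is the one to show a malware specialist. The function name `Get-SvchostReport` and the flag wording are my own.

```powershell
# Added example: audit every running svchost.exe. Run from an elevated prompt so that
# process image paths are readable; without elevation, Path is $null for SYSTEM processes
# and the signature check is reported as 'Unknown' rather than 'Valid'.

function Get-SvchostReport {
    # The only locations a real svchost.exe should be loaded from.
    $expected = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )

    # Map host process id -> names of the services running inside it.
    # Win32_Service exposes the PID of the process that hosts each service.
    $servicesByPid = @{}
    Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
        if (-not $servicesByPid.ContainsKey($_.ProcessId)) { $servicesByPid[$_.ProcessId] = @() }
        $servicesByPid[$_.ProcessId] += $_.Name
    }

    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        $path = $p.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $svcs = if ($servicesByPid.ContainsKey($p.Id)) { $servicesByPid[$p.Id] } else { @() }

        # Build a list of reasons this instance deserves a closer look (empty = nothing odd).
        $flags = @()
        if ($path -and ($expected -notcontains $path)) { $flags += 'image outside System32/SysWOW64' }
        if ($sig -ne 'Valid')                           { $flags += "signature status: $sig" }
        if ($svcs.Count -eq 0)                          { $flags += 'hosts no services' }

        [pscustomobject]@{
            PID       = $p.Id
            Path      = $path
            Signature = $sig
            Services  = ($svcs -join ', ')
            Flags     = ($flags -join '; ')
        }
    }
}

# Usage: show the table, unflagged instances first.
Get-SvchostReport | Sort-Object Flags, PID | Format-Table -AutoSize -Wrap
```

Keep in mind that a clean report here does not clear the machine: a rootkit that hooks the disk driver (which is what the red aswMBR lines above hint at) can hide files and alter what the signature check reads, and a redirect can also come from a hijacked DNS setting or a browser add-on that never touches svchost.exe at all. The report is a quick way to rule svchost.exe in or out, not a replacement for the log review the thread is asking for.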

It’s affecting both Chrome and Firefox. I’m quite certain that it’s a virus/rootkit/malware of some type.

You could try checking your computer with

MSFT Standalone System Sweeper

http://connect.microsoft.com/systemsweeper

and

SUPERAntiSpyware Portable Scanner

http://www.superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE

Bumping for great justice.

I have tried to contact someone to take a look at the logs, but they may not be on the forums for a few hours (if they are at work).

Thanks David. It’ll likely be a long drawn out process since I won’t have access to the offending computer till this evening. Just trying to make sure that some eyes get on it during what I suspect is the busiest time of the day.

The internet is a weird place as far as time goes, it never sleeps, but for stuff like this where you need a malware removal specialist, if they aren’t in your time zone it can be a bit of a pain.

Which antivirus are you keeping, as both are currently running on your system?

Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

* If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

* If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

It seems like it might have gotten it; I've not experienced any popups saying a malicious URL is trying to be accessed. Here are the logs though, just in case. (attached)

Could you run a fresh OTS log now please, so I can check for remnants?

Sure, I’ll get to that later this evening when I get home. Thanks for the assistance.

On a side note, are there any good sites that would provide a good starting point for me to learn about how to read these logs and the like?

None better than my home site
http://www.geekstogo.com/forum/topic/4817-would-you-like-to-learn-to-fight-malware/