I need some help please. I have followed the instructions from essexboy to run Malwarebytes’ Anti-Malware and then OTS and I will attach the logs.
For the past 2 days I have run about 10 boot time scans and it might find a few infections. I will then open Internet Explorer and log into Earthlink and/or go to other sites. Soon after I log into Earthlink, another internet window will pop up with a WalMart survey or some other ad. I can close these windows, but at least 2 other messages will pop up asking if I am sure I want to close them etc. Also, an AVAST message has been popping up after this happens saying
Suspicious URL Blocked.
The scenario described above keeps happening despite the numerous boot scans.
Just right now while typing this post, a svchost.exe Application error popped up saying
The instruction at “0x249dba0a” referenced memory at 0x00000000. The memory could not be “read”
While doing the OTS scan, the following error message popped up and I did not close it till the log appeared.
svchost.exe Application Error
The instruction at “0x203718b5” reference memory at “0x203718b5”. The memory could not be “written”
Also, my PC has been very slow during the past 2 days.
Any ideas on how to remove from my PC the cause of this problem?
Thank you very much.
Dogwalker
I take it that you did reboot after running the MBAM scan as that was required to delete one of the files?
I can’t help with the OTS log as I’m not familiar with it.
It would have been more helpful if you could have posted the full text or an image of the alert window.
If the process involved is svchost.exe then it is most likely that you have a rootkit on your system and possibly an MBR rootkit.
You can check if you have an MBR rootkit using this tool:
Thank you David for your reply. Here is the log from aswMBR.exe scan.
Yes, it was required to reboot after I ran the MBAM scan.
I don’t know how to capture the image of the alert message. Is there a way?
It has popped up again since I posted the original message. It stays up for a bit and then goes away. Next time I see it I’ll copy as much as I can.
One of the alerts from yesterday had this info. I can see that the obj# has changed on other alert messages.
Obj: 19980.58.80
Infection: URL:Mal
Process C:\WinXP\System32\SVChost.exe
Scan again, then click “FIX”, reboot and run the scan again to confirm you are clear.
After the fix, if the second report/log comes up clean, then MBAM and avast may find other things that were previously hidden. So run those scans again.
The exact same thing happened to a friend of mine. I gave him aswMBR and it found that TDL4 rootkit thing. Do you know where you may have gotten it from?
I did run the aswMBR.exe again then selected FIX.
At the end of the “FIX” a box came up and said to reboot. And just at the same time another alert came up about blocking a URL. My system has rebooted and I am going to run Malwarebytes Anti-Malware again and then a boot time scan with AVAST. I think I will run the aswMBR.exe again before I do these other 2 scans since I did get that alert message right after the FIX.
Thank you
I will let you know what happens after these 3 scans.
Hello David
Here is the log of the 2nd aswMBR scan after I had run FIX and the PC rebooted.
I am running the Malwarebytes’ Anti-Malware again right now.
Do you see anything wrong in this 2nd aswMBR scan?
In regards to the question from Dom Oznam, I have no idea where this problem came from.
Dear David
The 2nd Malwarebytes’ Anti-Malware scan did not show any infected files.
I have attached the log.
I will now run an AVAST boot scan.
Did the 2nd aswMBR.exe scan show anything wrong?
I don’t see anything obvious in the aswMBR log other than it says it has removed the TDL4 MBR Rootkit. Since the avast URL alert came after the FIX but before the reboot, that may simply be because it isn’t fixed until after the actual reboot, as the change can’t be done whilst the system is currently running.
Have you had any more alerts since the FIX and after the reboot?
If so, there is something else hidden, so it will require further analysis, but we can cross that bridge if needs be.
For the future, it is actually easier if the logs you are posting are short, like the MBAM and aswMBR ones: you can copy and paste the contents into your post. The OTS logs are an exception, as they would need to be spread over many, many posts.
Dear David
I did not see anything moved to the virus chest during the boot scan.
Also, the good news is that I have opened up Earthlink and other trusted internet sites and for the past 5 minutes no windows or alerts have popped up. Yesterday, they would have popped up already.
Thank you for the suggestion about pasting the log in the reply. I will do that in the future.
You’re welcome, just keep monitoring your system and if anything returns, get back to the topic.
I would keep the trusted link status to an absolute minimum, like zero. With the most frequent cause of malware infection coming from hacked sites, the term trusted is no longer valid; they could get hacked too. I don’t even have Windows Update on trusted sites, nada, nothing, zero.