URL:Mal svchost.exe another case!

Avast keeps warning about this when using Firefox:

Object: http://getmuzicas.info/
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

Could someone help me please?
I will really appreciate it!

Thanks,

Alex

Hi,

For this step, I shall need a second ARK look. We shall use GMER for that. After the ARK scan, we shall deploy ComboFix. Let's start …

Please download GMER, the AntiRootKit tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

• Wait for the initial scan to finish; if there is any query, click No;
• Click the [ Scan ] button and wait until the full scan is complete;
• Click the [ Save … ] button and save the report to the Desktop (named ARK);

Please attach GMER's log report (ARK.txt) here.

.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
     If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, in the disclaimer window, click the I Agree! button.

- ComboFix will check whether a newer version of ComboFix is available.
  Click Yes if prompted to download.
- If the Recovery Console is not installed, ComboFix will offer to download and install it.
  Click Yes to allow ComboFix to install the Recovery Console.

  • ComboFix will scan your computer in stages, 50 stages in total.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
     => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

.

Here are your logs, Magna.
It looks like the problem is solved!
I'll keep on trying.

Thanks

Alex.

Hello,

Could you please upload the following file here for further analysis. This is just a renamed txt file, so there is no active malware.

You shall find the file at:

C:\Qoobox\Quarantine\C\Users\Alex\AppData\Roaming\FoxitReaderUpdateInfo.txt.vir

Also, could you please upload the following service registry backup, as I would like to take a look at that reg file as well. The reg.dat file shall be located here:

C:\Qoobox\Quarantine\Registry_backups\Service_oxfwlf.reg.dat

Please upload it to some free cloud sharing site, for example here:
http://www.wikisend.com

Please post the download link here so I can look at it. Once I have downloaded the file, you are free to remove the download link, although there will be no active infection in this upload.

You can find the files at the following link:
http://www.fileconvoy.com/dfl.php?id=g8bac75fabb0c7954999527494f148815d6cf76ba1

Thanks again!

Alex.

Hello,

I have the files, thanks. You may remove the download link. I would like you to keep your PC under surveillance for some time and report back here after a few days with info on whether the detections are gone. Then I will remove my tools.