Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: thatdan23 on June 05, 2011, 09:54:45 PM

Title: Need help removing a virus
Post by: thatdan23 on June 05, 2011, 09:54:45 PM
So I've picked up some nasty virus that redirects Google links to random websites.  It also seems to be causing a significant amount of network and processor instability.  I've used AVG and Avast and neither is able to kill the issue.

The text I get from Avast says it's URL:Mal and in svchost.exe.

So the question is, what do I need to do?

I did find some other posts talking about similar issues.  I have run OTS using the following commands as per an essexboy post (c/p'd below) and I've attached the ots.txt to this post.

Download OTS to your Desktop and double-click on it to run it

    * Make sure you close all other programs and don't use the PC while the scan runs.
    * Select All Users
    * Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

    * Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

    * Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
    * When the scan is complete Notepad will open with the report file loaded in it.
    * Please attach the log in your next post.
Title: Re: Need help removing a virus
Post by: DavidR on June 05, 2011, 11:55:49 PM
Your problem may well be a rootkit as that tends to be the symptom "The text I get from avast says its URL:Mal and in svchost.exe."

I don't know if OTS would find this or not and I'm not very familiar with OTS, so it would need someone else to analyse the log.

In the meantime you can run this tool which is specifically looking for one type of rootkit MBR Master Boot Record rootkit.

Quote from: essexboy
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 575KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
 
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
Title: Re: Need help removing a virus
Post by: thatdan23 on June 06, 2011, 01:00:18 AM
Did as you asked, attached the log.

Two things came up in red:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a48e4d0]<<
and
\Driver\atapi[0x8a61d0a0] -> IRP_MJ_CREATE -> 0x8a48e4d0
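The two red lines above are the kind of output a reader has to correlate by hand: the first reports an unnamed module at a kernel address, the second reports that the atapi driver's IRP_MJ_CREATE dispatch entry points to that same address instead of to a named driver file. The following is an added example (not part of this thread, not code from the aswMBR tool or its authors) that parses lines in that format and flags any IRP dispatch entry whose target is an address that aswMBR listed as unknown. The sample lines are constructed from the two entries quoted in the post plus one benign-looking line for contrast; the line formats and the interpretation that a matching address means the dispatch routine lives in the unnamed region are assumptions of this example.

```python
import re

# Constructed sample input: the two lines the poster reported in red,
# plus one benign-looking entry whose target is a named driver file.
SAMPLE_LOG = "\n".join([
    r"ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a48e4d0]<<",
    r"\Driver\atapi[0x8a61d0a0] -> IRP_MJ_CREATE -> 0x8a48e4d0",
    r"\Driver\atapi[0x8a61d0a0] -> IRP_MJ_READ -> atapi.sys",
])

# ">>UNKNOWN [0x....]<<" marks a code region aswMBR could not attribute to a named module.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# "\Driver\name[addr] -> IRP_MJ_xxx -> target" describes one entry of a driver's dispatch table.
IRP_RE = re.compile(r"^(\\Driver\\\w+)\[(0x[0-9a-fA-F]+)\] -> (IRP_MJ_\w+) -> (\S+)$")


def parse_aswmbr(text):
    """Return (set of unknown-region addresses, list of IRP dispatch entries)."""
    unknown = set()
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.add(m.group(1).lower())
            continue
        m = IRP_RE.match(line)
        if m:
            driver, driver_addr, major, target = m.groups()
            hooks.append({
                "driver": driver,
                "driver_addr": driver_addr.lower(),
                "major": major,
                "target": target,
            })
    return unknown, hooks


def find_suspicious_hooks(text):
    """Flag dispatch entries whose target is a bare address inside an unknown region."""
    unknown, hooks = parse_aswmbr(text)
    findings = []
    for h in hooks:
        target = h["target"].lower()
        # A target that is a file name (atapi.sys) resolves to a known driver;
        # a bare address that matches an UNKNOWN region does not.
        if target.startswith("0x") and target in unknown:
            findings.append({
                "driver": h["driver"],
                "major": h["major"],
                "target": target,
                "reason": "dispatch routine points into an unattributed kernel region",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_hooks(SAMPLE_LOG):
        print(f"{f['driver']} {f['major']} -> {f['target']}: {f['reason']}")
```

Run on the sample, only the IRP_MJ_CREATE entry is reported, because its target address equals the one in the UNKNOWN line; the IRP_MJ_READ entry resolves to atapi.sys and is left alone. The output is a prompt for the log analyst, as DavidR says in the next post, not a verdict on its own.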
Title: Re: Need help removing a virus
Post by: DavidR on June 06, 2011, 01:20:29 AM
Well, nothing conclusive there; the aswMBR is normally very clear if an MBR rootkit is found. I don't know what to make of the entries you mentioned were in red, so it will require further investigation by someone that can analyse this and the OTS log.

Title: Re: Need help removing a virus
Post by: thatdan23 on June 06, 2011, 04:38:51 AM
bump in hopes of more possible solutions.
Title: Re: Need help removing a virus
Post by: Nesivos on June 06, 2011, 05:32:49 AM
Quote from: thatdan23
bump in hopes of more possible solutions.

Svchost.exe is a container of sorts that contains and controls the running of various services/programs grouped logically together in a svchost.exe process.  It contains only what the OS loads into it as services and programs are started.

What Web Browser are you using?

In the past I have had problems with redirects in Firefox, though I am sure that people get them in IE, Chrome, Opera etc.  As I recall I finally located the problem in one of the addons and was able to fix it.  It was nasty and took quite a bit of time to find it and get rid of it.  Avast and other virus scanners did not detect it.  I only found it by sheer luck, persistence and a little experience.


Title: Re: Need help removing a virus
Post by: thatdan23 on June 06, 2011, 05:41:36 AM
It's affecting both Chrome and Firefox.  I'm quite certain that it's a virus/rootkit/malware of some type.
Title: Re: Need help removing a virus
Post by: Nesivos on June 06, 2011, 05:53:17 AM
Quote from: thatdan23
It's affecting both Chrome and Firefox.  I'm quite certain that it's a virus/rootkit/malware of some type.

You could try checking your computer with

MSFT Standalone System Sweeper

http://connect.microsoft.com/systemsweeper (http://connect.microsoft.com/systemsweeper)

and

Quote
SUPERAntiSpyware Portable Scanner

http://www.superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE (http://www.superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE)
Title: Re: Need help removing a virus
Post by: thatdan23 on June 06, 2011, 03:33:50 PM
bumping for great justice.
Title: Re: Need help removing a virus
Post by: DavidR on June 06, 2011, 04:41:14 PM
I have tried to contact someone to take a look at the logs, but they may not be on the forums for a few hours (if they are at work).
Title: Re: Need help removing a virus
Post by: thatdan23 on June 06, 2011, 04:48:06 PM
Thanks David.  It'll likely be a long drawn out process since I won't have access to the offending computer till this evening.  Just trying to make sure that some eyes get on it during what I suspect is the busiest time of the day.
Title: Re: Need help removing a virus
Post by: DavidR on June 06, 2011, 04:54:28 PM
The internet is a weird place as far as time goes, it never sleeps, but for stuff like this where you need a malware removal specialist, if they aren't in your time zone it can be a bit of a pain.
Title: Re: Need help removing a virus
Post by: essexboy on June 06, 2011, 05:49:58 PM
Which antivirus are you keeping, as both are currently running on your system?

Please read carefully and follow these steps.
Title: Re: Need help removing a virus
Post by: thatdan23 on June 07, 2011, 06:52:59 AM
It seems like it might have gotten it, I've not experienced any popups saying a malicious URL is trying to be accessed.  Here are the logs though, just in case. (attached)
Title: Re: Need help removing a virus
Post by: essexboy on June 07, 2011, 03:59:22 PM
Could you run a fresh OTS log now please, so I can check for remnants?
Title: Re: Need help removing a virus
Post by: thatdan23 on June 07, 2011, 04:07:00 PM
Sure, I'll get to that later this evening when I get home.  Thanks for the assistance.

On a side note, are there any good sites that would provide a good starting point for me to learn about how to read these logs and the like?
Title: Re: Need help removing a virus
Post by: essexboy on June 07, 2011, 04:10:24 PM
None better than my home site
http://www.geekstogo.com/forum/topic/4817-would-you-like-to-learn-to-fight-malware/