Author Topic: Constant urlmal-avast-process-cwindowssystem32svchostexe/ alert when browsing  (Read 26963 times)


REDACTED

  • Guest
OK, should I be worried? It's now happening on regular browsing and it's saying it's attacking/flagging on Avast?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Could I have a fresh FRST, please?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
As info for Essexboy:
IP: 113.171.224.171
Host: 127.0.0.1

Could be something in the hosts file.

Offline essexboy
According to the FRST, Hosts is empty.

REDACTED

  • Guest
I disabled Avast for 10 minutes.

Ran the scan as administrator.

Here are the results, attached.

Offline essexboy
Did you install this extension: Sad Panda?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Yeah, that's one I installed. Is it that that's causing the problem?

REDACTED

  • Guest
Here's the fix log.


Offline essexboy
OK, we are going to have to search the registry.

Start FRST and in the search box copy/paste the following:

videoplayer;113.171.224.174

Press Search Registry and attach the resultant log.

REDACTED

  • Guest
OK, done.

I didn't turn off Avast before the search though; is that necessary?

Offline Eddy
Essexboy, in his Addition.txt:
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
No clue what it is, but doesn't seem normal to me.

OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Can be from Creative but there is also malware by that name.

ph (x32 Version: 1.0.0 - Your Company Name) Hidden
No clue what it is, but doesn't seem normal to me.

PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
https://www.herdprotect.com/photoscape-3.6.5.exe-cd45d0259252e935d8e51d86bec01333d0677d2c.aspx

Perhaps running a specialized rootkit scanner is an idea.
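As an added triage example (not code from this thread, from FRST or from its author), a Python script that parses Installed Programs lines in the two shapes Eddy quoted above and flags the traits he points at: hidden entries, a placeholder publisher such as "Your Company Name", a two-letter name and an empty version. The line format is assumed from those four lines only, and the placeholder-publisher set and the sample entries are constructed for the example.

```python
import re

# Matches the two shapes of "Installed Programs" lines quoted in this thread
# (format assumed from those four lines, not taken from FRST documentation):
#   Name (HKLM-x32\...\Key) (Version: 1.2 - Publisher)
#   Name (x32 Version: 1.0.0 - Publisher) Hidden
LINE_RE = re.compile(r"^(?P<name>.+?) (?:\((?P<key>HK[^)]*)\) )?"
                     r"\((?:x32 )?Version:\s*(?P<ver>.*?)\s+-\s*(?P<pub>[^)]*)\)"
                     r"(?P<hidden> Hidden)?\s*$")

# Publisher strings that look like installer-template defaults rather than a
# vendor name; an assumed set, seeded with the value Eddy quoted.
PLACEHOLDER_PUBLISHERS = {"", "your company name"}

def parse_line(line):
    """Split one line into name/version/publisher/hidden, or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "version": m["ver"],
            "publisher": m["pub"].strip(), "hidden": m["hidden"] is not None}

def reasons(entry):
    """Traits that make an installed-programs entry worth a closer look."""
    out = []
    if entry["hidden"]:
        out.append("hidden from Programs and Features")
    if entry["publisher"].lower() in PLACEHOLDER_PUBLISHERS:
        out.append("placeholder or empty publisher")
    if len(entry["name"]) <= 2:
        out.append("very short name")
    if not entry["version"]:
        out.append("no version recorded")
    return out

def suspicious(lines):
    """(name, reasons) for each parsable line with at least one reason, in order."""
    scored = ((e["name"], reasons(e)) for e in filter(None, map(parse_line, lines)))
    return [(n, r) for n, r in scored if r]

# Constructed sample: the four lines Eddy quoted plus one ordinary-looking entry.
SAMPLE = [
    r"bl (x32 Version: 1.0.0 - Your Company Name) Hidden",
    r"OpenAL (HKLM-x32\...\OpenAL) (Version:  - )",
    r"ph (x32 Version: 1.0.0 - Your Company Name) Hidden",
    r"PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )",
    r"7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: 9.20 - Igor Pavlov)",
]
```

Running `suspicious(SAMPLE)` returns the four entries Eddy singled out with their reasons and leaves the ordinary entry alone; a real Addition.txt can be fed in line by line the same way.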

Offline essexboy
OK, let's try and see what happens.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden

 
Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

Then go to Control Panel > Programs and Features and uninstall the following:

bl
ph

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Hi essexboy,

On a side note: what our friend Eddy kicks up in this thread is a localhost address for an HTTP server in Hanoi
with a certain linux-gnu nConnect issue, an nServer mail issue, consuming 100% CPU?
Just passing this info on for what it is worth.
Thanks to Eddy for that unconventional assist info;
I would not have thought of looking there.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
OK, followed the steps,

ran the fix,

uninstalled the bl and ph thing, whatever it was.

If it helps, I'm currently living in Saigon (Vietnam); our computers at work have been affected by viruses lately (earlier this year), which have now been fixed (I think).

I use my USB a lot (which I normally wouldn't do, knowing this). Avast doesn't flag anything, and I've assumed it's been safe enough to continue.

I'll probably just start using the cloud now.

Thanks for chipping in with help, guys.

Offline Eddy
I can recommend getting and using McShield.
It is especially for removable devices and a good addition to Avast.
http://www.mcshield.net/