Author Topic: Need help removing a virus


thatdan23

  • Guest
Need help removing a virus
« on: June 05, 2011, 09:54:45 PM »
So I've picked up some nasty virus that redirects Google links to random websites.  It also seems to be causing a significant amount of network and processor instability.  I've used AVG and Avast and neither is able to kill the issue.

The text I get from Avast says it's URL:Mal and in svchost.exe.

So the question is, what do I need to do?

I did find some other posts talking about similar issues.  I have run OTS using the following commands as per an essexboy post (c/p'd below) and I've attached the ots.txt to this post.

Download OTS to your Desktop and double-click on it to run it

    * Make sure you close all other programs and don't use the PC while the scan runs.
    * Select All Users
    * Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

    * Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

    * Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
    * When the scan is complete Notepad will open with the report file loaded in it.
    * Please attach the log in your next post.
« Last Edit: June 05, 2011, 11:46:33 PM by thatdan23 »
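The custom scan pasted above asks OTS to hash explorer.exe, winlogon.exe, Userinit.exe and svchost.exe (the /md5start ... /md5stop section) and to list executables in the root of the system drive, which is how a helper spots a patched or stray copy of a system binary. The PowerShell below is an added example, not part of the thread or of OTS: it reproduces that check by hashing the expected copy of each file, reporting its Authenticode status, and warning about any other file of the same name found under the system drive. The exclusion pattern for WinSxS, SoftwareDistribution and servicing directories is an assumption to cut down on legitimate duplicates; adjust it for your build.

```powershell
# Added example, not from the thread or from OTS: hash the binaries the OTS
# custom scan lists between /md5start and /md5stop, check their signature,
# and look for same-named copies elsewhere on the system drive.
# Run from an elevated PowerShell prompt (Get-FileHash needs PowerShell 4+).

$names    = 'explorer.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

# Assumed exclusions: component store and update caches legitimately hold copies.
$ignorePattern = '\\WinSxS\\|\\SoftwareDistribution\\|\\servicing\\'

foreach ($name in $names) {
    # explorer.exe lives in %SystemRoot%, the other three in System32.
    $expected = if ($name -eq 'explorer.exe') {
        Join-Path $env:SystemRoot $name
    } else {
        Join-Path $system32 $name
    }

    if (Test-Path -LiteralPath $expected) {
        $hash = (Get-FileHash -LiteralPath $expected -Algorithm MD5).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $expected
        [pscustomobject]@{
            File      = $expected
            MD5       = $hash
            # 'Valid' is expected for a stock Microsoft binary. Catalog-signed
            # files on older Windows versions can report NotSigned; in that case
            # compare the MD5 against a known-clean copy of the same build.
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } else {
        Write-Warning "Expected file missing: $expected"
    }

    # Any other copy of the same name under the system drive deserves a look;
    # a modified copy dropped outside System32 is a common persistence trick.
    Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $expected -and $_.FullName -notmatch $ignorePattern } |
        ForEach-Object { Write-Warning "Extra copy of ${name}: $($_.FullName)" }
}

# The %SYSTEMDRIVE%\*.exe line of the custom scan: executables sitting in the
# drive root, which is not where a legitimate installer normally puts them.
Get-ChildItem -Path "$env:SystemDrive\" -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The recursive search over the whole drive is slow; it mirrors what the OTS md5 section does, which is why the scan instructions warn not to use the PC while it runs. A signature status other than Valid for one of these four files, or a second copy outside the excluded directories, is the kind of line a malware-removal helper would pull out of the log.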

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Need help removing a virus
« Reply #1 on: June 05, 2011, 11:55:49 PM »
Your problem may well be a rootkit as that tends to be the symptom "The text I get from avast says its URL:Mal and in svchost.exe."

I don't know if OTS would find this or not and I'm not very familiar with OTS, so it would need someone else to analyse the log.

In the meantime you can run this tool, which specifically looks for one type of rootkit: the MBR (Master Boot Record) rootkit.

Quote from: essexboy
Download aswMBR.exe ( 575KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #2 on: June 06, 2011, 01:00:18 AM »
Did as you asked, attached the log.

Two things came up in red:
ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a48e4d0]<<
and
\Driver\atapi[0x8a61d0a0] -> IRP_MJ_CREATE -> 0x8a48e4d0

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Need help removing a virus
« Reply #3 on: June 06, 2011, 01:20:29 AM »
Well, nothing conclusive there; the aswMBR log is normally very clear if an MBR rootkit is found. I don't know what to make of the entries you mentioned were in red, so it will require further investigation by someone that can analyse this and the OTS log.

« Last Edit: June 06, 2011, 01:22:59 AM by DavidR »

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #4 on: June 06, 2011, 04:38:51 AM »
bump in hopes of more possible solutions.

Nesivos

  • Guest
Re: Need help removing a virus
« Reply #5 on: June 06, 2011, 05:32:49 AM »
Quote from: thatdan23
bump in hopes of more possible solutions.

Svchost.exe is a container of sorts that contains and controls the running of various services/programs grouped logically together in a svchost.exe process.  It contains only what the OS loads into it as services and programs are started.

What Web Browser are you using?

In the past I have had problems with redirects in Firefox, though I am sure that people get them in IE, Chrome, Opera etc.  As I recall I finally located the problem in one of the addons and was able to fix it.  It was nasty and took quite a bit of time to find it and get rid of it.  Avast and other virus scanners did not detect it.  I only found it by sheer luck, persistence and a little experience.


« Last Edit: June 06, 2011, 05:37:52 AM by Nesivos »
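Because svchost.exe only hosts whatever the service manager loads into it, an Avast alert naming svchost.exe says little by itself; the useful question is which services each instance is hosting and whether the instance looks like the real one. The PowerShell below is an added example, not from the thread, that lists every svchost.exe process with its hosted services, parent process and path, and flags instances that run from somewhere other than System32, were not started by services.exe, or host no services at all. It needs PowerShell 3 or later for Get-CimInstance (use Get-WmiObject with the same class names on older systems) and an elevated prompt so that process paths are readable.

```powershell
# Added example, not from the thread: triage view of svchost.exe instances.
# Maps running services to the svchost.exe process hosting them and flags
# instances that do not look like the genuine service host.
# Run elevated; Get-CimInstance requires PowerShell 3+.

# Services grouped by the PID of the process hosting them (string keys).
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$expectedPath = (Join-Path $env:SystemRoot 'System32\svchost.exe').ToLower()

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $pidKey = [string]$_.ProcessId
    $hosted = @()
    if ($servicesByPid -and $servicesByPid.ContainsKey($pidKey)) {
        $hosted = @($servicesByPid[$pidKey] | Select-Object -ExpandProperty Name)
    }

    $path = if ($_.ExecutablePath) { $_.ExecutablePath.ToLower() } else { '<unreadable>' }

    # Parent is normally services.exe; the parent may already have exited.
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.ProcessName } else { '<gone>' }

    $flags = @()
    if ($path -ne $expectedPath)           { $flags += 'unexpected path' }
    if ($parentName -ne 'services')        { $flags += "parent is $parentName" }
    if ($hosted.Count -eq 0)               { $flags += 'hosts no services' }

    [pscustomobject]@{
        PID      = $_.ProcessId
        Path     = $_.ExecutablePath
        Parent   = $_.ParentProcessId
        Services = ($hosted -join ', ')
        Flags    = ($flags -join '; ')
    }
} | Sort-Object PID | Format-Table -AutoSize -Wrap
```

An instance with an empty Flags column and a plausible list of services is the normal case. A flagged instance is not proof of infection on its own (a service that has just stopped can leave an empty host for a moment), but it tells a helper which process to look at, and with a kernel-level rootkit the listing itself may be incomplete, which is why the thread moves on to aswMBR and TDSSKiller rather than relying on process views.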

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #6 on: June 06, 2011, 05:41:36 AM »
It's affecting both Chrome and Firefox.  I'm quite certain that it's a virus/rootkit/malware of some type.

Nesivos

  • Guest
Re: Need help removing a virus
« Reply #7 on: June 06, 2011, 05:53:17 AM »
Quote from: thatdan23
It's affecting both Chrome and Firefox.  I'm quite certain that it's a virus/rootkit/malware of some type.

You could try checking your computer with

MSFT Standalone System Sweeper

http://connect.microsoft.com/systemsweeper

and

Quote
SUPERAntiSpyware Portable Scanner

http://www.superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #8 on: June 06, 2011, 03:33:50 PM »
bumping for great justice.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Need help removing a virus
« Reply #9 on: June 06, 2011, 04:41:14 PM »
I have tried to contact someone to take a look at the logs, but they may not be on the forums for a few hours (if they are at work).

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #10 on: June 06, 2011, 04:48:06 PM »
Thanks David.  It'll likely be a long drawn out process since I won't have access to the offending computer till this evening.  Just trying to make sure that some eyes get on it during what I suspect is the busiest time of the day.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Need help removing a virus
« Reply #11 on: June 06, 2011, 04:54:28 PM »
The internet is a weird place as far as time goes, it never sleeps, but for stuff like this where you need a malware removal specialist, if they aren't in your time zone it can be a bit of a pain.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Need help removing a virus
« Reply #12 on: June 06, 2011, 05:49:58 PM »
Which antivirus are you keeping, as both are currently running on your system?

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

thatdan23

  • Guest
Re: Need help removing a virus
« Reply #13 on: June 07, 2011, 06:52:59 AM »
It seems like it might have gotten it, I've not experienced any popups saying a malicious URL is trying to be accessed.  Here are the logs though, just in case. (attached)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Need help removing a virus
« Reply #14 on: June 07, 2011, 03:59:22 PM »
Could you run a fresh OTS log now please, so I can check for remnants.