Author Topic: Malicious URL Blocked  (Read 7280 times)


Fazer

  • Guest
Malicious URL Blocked
« on: June 07, 2011, 02:48:39 PM »
I am running a Dual Boot XP (Drive C) and Win7 (Drive H) the XP is fine it's just the Win7 install where my problem is.

I seem to have acquired a piece of Malware or Spyware or something nasty.
Every 5 to 10 mins Avast will pop up and warn me of a "Malicious URL Blocked". The URL in question is "dnusax.com/exrev.exe". I have done some digging on the net about this "dnusax.com" and it appears to be a well-known Malware site.

The associated program says it is "H:/Windows/system32/svchost.exe"

I have downloaded and run the following to try and remove it:-

HijackThis

MBAM

SpybotSearch&Destroy

SuperAntiSpyware

And still this thing avoids me, any help would be greatly appreciated.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not an avast user
Re: Malicious URL Blocked
« Reply #1 on: June 07, 2011, 03:03:16 PM »
Can you upload this H:/Windows/system32/svchost.exe to www.virustotal.com?
When you have the result, copy the URL in the address bar and post it here for us to see.

The friend it wants to download (dnusax.com/exrev.exe) is this:
http://www.virustotal.com/file-scan/report.html?id=05285b128d7f5015781c8962a787eb6c26b07068fdea12453108aab96a7c39f1-1307451447

Fazer

  • Guest

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not an avast user
Re: Malicious URL Blocked
« Reply #3 on: June 07, 2011, 03:14:39 PM »
You can send it to the avast lab like this:

Moving files to the Virus Chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,2#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,2#idt_07

or like this

Send it in a password-protected zip file to  virus @ avast.com
mail subject: undetected sample
Password: infected


Was your Malwarebytes program fully updated when you scanned?
The latest MBAM signature is 6796.

« Last Edit: June 07, 2011, 03:22:32 PM by Pondus »

Fazer

  • Guest
Re: Malicious URL Blocked
« Reply #4 on: June 07, 2011, 03:19:16 PM »
OK I have added it to the Chest and Submitted it for testing or whatever the guys do with it.

Does this mean that it will now stop the pop-ups?

***EDIT*** Nope it didn't............LOL

I just downloaded and updated MBAM this morning and ran the scan

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Malicious URL Blocked
« Reply #5 on: June 07, 2011, 03:22:10 PM »
@ Fazer
You will possibly have seen a number of these Malicious URL Blocked in the viruses and worms forum and in most cases there is a rootkit hiding the issue. Try running the aswMBR tool below, post the log and see what it finds.

It is the rootkit and associated file/s which is misusing the svchost.exe file and not the svchost file which is infected, or avast would have alerted on the actual file. Do not send H:/Windows/system32/svchost.exe to the chest.

I take it the H:/Windows/system32/svchost.exe location is on the particular boot drive (Win7) that you are using?

Quote from: essexboy
Download aswMBR.exe ( 575KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37553
  • Not an avast user
Re: Malicious URL Blocked
« Reply #6 on: June 07, 2011, 03:24:56 PM »
I suggest you also

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI

Essexboy will look at the logs when he arrives here later today.



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Malicious URL Blocked
« Reply #7 on: June 07, 2011, 03:25:29 PM »
Quote from: Fazer
OK I have added it to the Chest and Submitted it for testing or whatever the guys do with it.

Does this mean that it will now stop the pop-ups?

***EDIT*** Nope it didn't............LOL

I just downloaded and updated MBAM this morning and ran the scan

I don't know how you managed to send H:/Windows/system32/svchost.exe to the chest; it should be protected by Windows at the very least, and if you were using that boot drive, I would have thought avast wouldn't send it to the chest anyway.

Fazer

  • Guest
Re: Malicious URL Blocked
« Reply #8 on: June 07, 2011, 03:28:52 PM »
Thanks David and yes Drive H is the Boot Drive for my Win7 Install

Here is the log from the aswMBR tool:-

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-07 14:24:28
-----------------------------
14:24:28.605    OS Version: Windows 6.1.7600
14:24:28.605    Number of processors: 2 586 0x303
14:24:28.622    ComputerName: RICHARD  UserName: Richard
14:24:30.991    Initialize success
14:24:35.336    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:24:35.341    Disk 0 Vendor: Maxtor_6Y200P0 YAR41BW0 Size: 194481MB BusType: 3
14:24:35.347    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-1
14:24:35.351    Disk 1 Vendor: HDS728080PLAT20 PF2OA21B Size: 78533MB BusType: 3
14:24:35.358    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T1L0-3
14:24:35.364    Disk 2 Vendor: Hitachi_HDT725040VLAT80 V5COA42A Size: 381554MB BusType: 3
14:24:37.377    Disk 1 MBR read successfully
14:24:37.384    Disk 1 MBR scan
14:24:37.390    Disk 1 Windows 7 default MBR code
14:24:39.400    Disk 1 scanning sectors +160826715
14:24:39.426    Disk 1 scanning H:\Windows\system32\drivers
14:24:44.419    Service scanning
14:24:46.050    Disk 1 trace - called modules:
14:24:46.053    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84eec1e8]<<
14:24:46.072    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x85046030]
14:24:46.074    3 CLASSPNP.SYS[87ed259e] -> nt!IofCallDriver -> [0x84f58330]
14:24:46.076    5 ACPI.sys[877573b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-1[0x84f38908]
14:24:46.079    \Driver\atapi[0x84f36b68] -> IRP_MJ_CREATE -> 0x84eec1e8
14:24:46.081    Scan finished successfully
14:25:52.113    Disk 1 MBR has been saved successfully to "H:\Users\Richard\Desktop\MBR.dat"
14:25:52.132    The log file has been saved successfully to "H:\Users\Richard\Desktop\aswMBR.txt"
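The trace section of that aswMBR log is the part worth reading closely: the ">>UNKNOWN [0x84eec1e8]<<" marker is code on the disk I/O path that aswMBR could not attribute to any loaded driver, and the last trace line shows \Driver\atapi's IRP_MJ_CREATE dispatch entry pointing at that same address, while the MBR line itself reads "Windows 7 default MBR code". Below is an added example, not part of this thread and not an avast tool, that parses this section of an aswMBR log and flags exactly that combination: a dispatch entry whose target is an address aswMBR reported as UNKNOWN. The sample log is the one posted above; the clean counterpart is a constructed, hypothetical log, and the line layout the parser expects is taken from this post only.

```python
import re
from dataclasses import dataclass, field

# Sample input: the "trace - called modules" section of the aswMBR log posted
# in this thread, copied as-is.
SAMPLE_LOG = r"""
14:24:46.050    Disk 1 trace - called modules:
14:24:46.053    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84eec1e8]<<
14:24:46.072    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x85046030]
14:24:46.074    3 CLASSPNP.SYS[87ed259e] -> nt!IofCallDriver -> [0x84f58330]
14:24:46.076    5 ACPI.sys[877573b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-1[0x84f38908]
14:24:46.079    \Driver\atapi[0x84f36b68] -> IRP_MJ_CREATE -> 0x84eec1e8
14:24:46.081    Scan finished successfully
"""

# Constructed clean counterpart (hypothetical, not a real aswMBR log): every
# module on the call path is named and the dispatch target is not an
# address the tool reported as UNKNOWN.
CLEAN_LOG = r"""
14:30:00.000    Disk 1 trace - called modules:
14:30:00.001    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll atapi.sys
14:30:00.002    \Driver\atapi[0x84f36b68] -> IRP_MJ_CREATE -> 0x84f36c00
14:30:00.003    Scan finished successfully
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")            # leading timestamp
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")     # unmapped code marker
DISPATCH_RE = re.compile(                                        # \Driver\x[addr] -> IRP_MJ_y -> target
    r"(\\Driver\\[^\[\s]+)\[(0x[0-9a-fA-F]+)\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)"
)


@dataclass
class TraceReport:
    modules: list = field(default_factory=list)     # named modules on the disk I/O call path
    unknown: list = field(default_factory=list)     # addresses aswMBR could not map to a module
    hooks: list = field(default_factory=list)       # (driver object, IRP major, target address)
    suspicious: list = field(default_factory=list)  # hooks whose target is an unmapped address


def parse_trace(text):
    """Parse the 'trace - called modules' block of an aswMBR log."""
    rep = TraceReport()
    in_trace, expect_modules = False, False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if not line:
            continue
        if "trace - called modules" in line:
            in_trace, expect_modules = True, True
            continue
        if not in_trace:
            continue
        rep.unknown.extend(UNKNOWN_RE.findall(line))
        if expect_modules:
            # the first line after the header lists the modules on the call path
            rep.modules = UNKNOWN_RE.sub("", line).split()
            expect_modules = False
            continue
        d = DISPATCH_RE.search(line)
        if d:
            hook = (d.group(1), d.group(3), d.group(4))
            rep.hooks.append(hook)
            if hook[2] in rep.unknown:
                rep.suspicious.append(hook)
    return rep


def summarize(text):
    """Human-readable findings; empty list means nothing in the trace stood out."""
    rep = parse_trace(text)
    findings = [f"call chain passes through unmapped code at {a}" for a in rep.unknown]
    findings += [f"{drv} {irp} dispatch redirected to unmapped code at {t}"
                 for drv, irp, t in rep.suspicious]
    return findings


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("constructed clean log", CLEAN_LOG)):
        print(label + ":")
        for f in summarize(log) or ["no findings"]:
            print("  " + f)
```

On the posted log this reports the unmapped address and the redirected IRP_MJ_CREATE dispatch of \Driver\atapi; on the clean log it reports nothing. It is a reading aid for the log, not a verdict: the tools essexboy lists below are what actually confirm and remove whatever owns that address.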

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked
« Reply #9 on: June 07, 2011, 03:39:32 PM »
Hi, from the Windows 7 system run the following.

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Malicious URL Blocked
« Reply #10 on: June 07, 2011, 03:48:16 PM »
@Fazer,

Follow essexboy's instructions to the dot to get rid of this malware.

@Pondus
Somewhat more scan-information for you follows here:

The domain is also flagged by Norton Safe Web, see: http://safeweb.norton.com/report/show?url=dnusax.com
For exrev.exe see this report: http://www.prevx.com/filenames/X1381646459844391626-X1/EXREV.EXE.html
Always flagged as a threat: http://www.threatexpert.com/files/exrev.exe.html
Also seen as part of file infectors.
An older wepawet scan from 2009 found here: http://wepawet.iseclab.org/view.php?hash=29ac5c679882fdfb6cefab16476e0a06&t=1252953035&type=js
with accompanying Anubis report: http://anubis.iseclab.org/?action=result&task_id=1316fd2b0f21c9b2495750f20768d772a
and the then VT results: http://www.virustotal.com/analisis/7f31021dba1cfc684dde783ec99c5d6552149e816a4f6ebb9586416667b6c98d-1252940465
So it is not new but a new reappearance of the 2009 malware:
A re-scan gave: http://wepawet.iseclab.org/view.php?hash=29ac5c679882fdfb6cefab16476e0a06&t=1307453196&type=js
And the new Anubis report here: http://anubis.iseclab.org/?action=result&task_id=16a5dcf5b6c0edcc429b835c9e1cad8b2
Analysis found Trojan.Cryptic (Sig-Id:60719417) according to Ikarus Virus Scanner
and: 4 out of 5 flagged it here:
http://vscan.urlvoid.com/analysis/9f1544a15a926ae886d8b52cf63796d6/ZXhyZXYtZXhl/

polonus
« Last Edit: June 07, 2011, 03:54:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Fazer

  • Guest
Re: Malicious URL Blocked
« Reply #11 on: June 07, 2011, 04:05:22 PM »
It appears as if the MBAM that I downloaded and ran this morning was corrupt. I downloaded another one from essexboy's post and ran it; it found this:-

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6796

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

07/06/2011 15:03:20
mbam-log-2011-06-07 (15-03-20).txt

Scan type: Full scan (H:\|)
Objects scanned: 200222
Time elapsed: 23 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
h:\Users\Richard\AppData\Local\Temp\IXP000.TMP\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Maybe this is the end of my problems??

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked
« Reply #12 on: June 07, 2011, 04:09:11 PM »
Probably not - run TDSS Killer now please

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.
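What the /md5start ... /md5stop block in that OTS custom scan does is hash every copy of those four system-binary names on the system drive, so the helper can spot a copy living somewhere other than System32, or one whose hash differs from the real one. The MBAM hit earlier in the thread (lsass.exe sitting in Temp\IXP000.TMP) is exactly that pattern: a core process name in a folder it has no business in. Added example, not the thread's and not OTS's own code: a Python script that walks a directory tree, MD5s every file with a watched name, and reports copies found outside the reference directory, noting whether each one is byte-identical to the System32 copy. The directory layout and file contents it runs against are constructed placeholders (the winsxs component folder, the Richard user folder and the file bytes are made up for the demo); point survey() at a mounted volume and its System32 to use it on real data.

```python
import hashlib
import os
import tempfile

# Names from the OTS /md5start list above, plus lsass.exe from the MBAM log.
# Matching is case-insensitive (Userinit.exe vs userinit.exe).
WATCHED = {"explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe", "lsass.exe"}


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _norm(path):
    return os.path.normcase(os.path.abspath(path))


def survey(root, system_dir, watched=WATCHED):
    """Hash every file under root whose name is in watched and report the copies
    that live outside system_dir, noting whether each is byte-identical to the
    copy in system_dir (the reference). Same idea as reading the /md5start
    block of an OTS log by hand."""
    system_dir = _norm(system_dir)
    reference, copies = {}, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if lname not in watched:
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of(path)
            if _norm(dirpath) == system_dir:
                reference[lname] = digest
            else:
                copies.append((lname, path, digest))
    findings = [
        {"name": lname, "path": path, "md5": digest,
         "matches_reference": reference.get(lname) == digest}
        for lname, path, digest in copies
    ]
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(base):
    """Constructed lab layout (not a real system): a fake Windows\\System32 with
    placeholder binaries, an identical winlogon.exe copy in a servicing folder,
    and a different lsass.exe dropped in Temp\\IXP000.TMP as in the MBAM log."""
    sys32 = os.path.join(base, "Windows", "System32")
    winsxs = os.path.join(base, "Windows", "winsxs", "constructed-component")
    tmp = os.path.join(base, "Users", "Richard", "AppData", "Local", "Temp", "IXP000.TMP")
    for d in (sys32, winsxs, tmp):
        os.makedirs(d)
    for name in ("explorer.exe", "winlogon.exe", "Userinit.exe", "svchost.exe", "lsass.exe"):
        with open(os.path.join(sys32, name), "wb") as f:
            f.write(b"constructed clean placeholder for " + name.encode())
    with open(os.path.join(winsxs, "winlogon.exe"), "wb") as f:
        f.write(b"constructed clean placeholder for winlogon.exe")   # same bytes as System32 copy
    with open(os.path.join(tmp, "lsass.exe"), "wb") as f:
        f.write(b"constructed dropped file using a system process name")
    return sys32


def run_demo():
    """Build the constructed tree in a temp dir, survey it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        sys32 = build_demo_tree(base)
        return survey(base, sys32)


if __name__ == "__main__":
    for f in run_demo():
        tag = "identical to System32 copy" if f["matches_reference"] else "DIFFERENT content"
        print(f"{f['name']:14} {f['md5']}  {tag}  {f['path']}")
```

An identical copy in a servicing folder such as winsxs is normal and the output says so; a copy with a different hash under a user's Temp folder is the one to look at. Note DavidR's point from earlier in the thread as well: a System32 svchost.exe whose hash is fine can still be misused by a rootkit, so a clean hash list clears the file, not the machine.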

Fazer

  • Guest
Re: Malicious URL Blocked
« Reply #13 on: June 07, 2011, 04:29:09 PM »
You were right, essexboy, it didn't cure it. OK, ran TDSS Killer.

Also ran OTS and the log file is attached.
« Last Edit: June 07, 2011, 04:35:36 PM by Fazer »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked
« Reply #14 on: June 07, 2011, 05:20:38 PM »
Looks like Combofix and MBAM cleared it - no apparent malware present  ;D