
Malicious URL Problems


6 replies to this topic

#1 Cartoon Shark

Cartoon Shark

  • Members
  • 89 posts
  • Gender:Female
  • Local time:07:41 AM

Posted 30 July 2011 - 07:09 AM

Hello! I'm having a bit of trouble with what I believe to be a rootkit lurking in my system.

Earlier today, Avast! Anti-virus popped up with a message saying that it had repelled a Malicious URL. The process it was caused by was called C:\WINDOWS\system32\msvcm8032.exe. Since then, the same message has popped up several times, all with the same URL: 91.217.153.48. Luckily Avast! has been preventing it from causing any damage, but it's still lurking on my system.

I have already run a quick scan with Avast! and a quick scan with MalwareBytes. Both of them come up clean. I have also scanned the process itself with both Avast! and Malwarebytes, and it is still coming up clean. The pop-ups are starting to get sparser, but they still keep showing up at some point.

This is the first time I've ever gotten something on my computer I can't remove myself. :blink:

I have another question, though. I am running both Avast! protection, and the MalwareBytes Protection Trial. Do you think the two might be interfering with each other? I just need to make sure I'm not knocking out their chances of finding anything in their scans. I am also running Windows XP SP3.

Thanks for any help!

Edited by Cartoon Shark, 30 July 2011 - 07:13 AM.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 30 July 2011 - 07:21 AM

Anytime you come across a suspicious file or you want a second opinion, submit it to one of the following online services that analyzes suspicious files: In the "File to upload & scan" box, browse to the location of the suspicious file (msvcm8032.exe) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze file now.

If it comes back as malware, be aware that Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system if removing a critical file.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Cartoon Shark

Cartoon Shark
  • Topic Starter

  • Members
  • 89 posts
  • Gender:Female
  • Local time:07:41 AM

Posted 30 July 2011 - 07:27 AM

It's definitely something dangerous, judging by scanning it with VirusTotal with a 10/43 result. I will run FileAssassin and get back to you.

Thanks!

#4 Cartoon Shark

Cartoon Shark
  • Topic Starter

  • Members
  • 89 posts
  • Gender:Female
  • Local time:07:41 AM

Posted 30 July 2011 - 07:40 AM

Alright, I am back now with what appears to be good news! I had to restart my computer to remove the file, and it seems the malicious file is gone. I have another question, because there is another file that might be related to that malicious one. It has the same file name as a part of it, but it appears to be in the Prefetch folder. I have included an image of it in search.

http://i.imgur.com/ZdsQD.png

Should I remove this file as well? VirusTotal came back with a 0/43 result, but I still need to be sure.

Edited by Cartoon Shark, 30 July 2011 - 07:52 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 30 July 2011 - 08:21 AM

The Prefetch folder is used by Windows to track and save information related to files commonly used to speed up the boot process. The files in the Prefetch folder are .pf files. They are not executable and they are not copies of the actual files but they can be related to both legitimate and malicious files. If you find a file in the Prefetch folder which is malware related, then remove it.
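As an added example (not code from the thread or from BleepingComputer), a small Python parser for the Windows XP (version 17) Prefetch header, which is what lets a defender confirm which executable a .pf entry was created for, when it last ran and how often, without treating the .pf file as anything executable. The field offsets are the documented version-17 layout; the .pf bytes it parses are constructed inline for the demonstration, and the hash and run count in them are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11  # version 17: Windows XP / Server 2003 layout

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_xp_prefetch(data):
    """Return the fields that tie a .pf entry to an executable.

    Version-17 header: version @0x00, 'SCCA' @0x04, file size @0x0C,
    executable name (UTF-16LE, 60-byte field) @0x10, path hash @0x4C,
    last run FILETIME @0x78, run count @0x90.
    """
    if len(data) < 0x94 or data[4:8] != PF_SIGNATURE:
        raise ValueError("not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version {version:#x}")
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "exe": exe_name,
        "hash": struct.unpack_from("<I", data, 0x4C)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, 0x78)[0]),
        "run_count": struct.unpack_from("<I", data, 0x90)[0],
    }

def references_executable(data, suspect_exe):
    """True if this .pf entry was created for suspect_exe (case-insensitive)."""
    return parse_xp_prefetch(data)["exe"].upper() == suspect_exe.upper()

def build_sample_pf(exe_name, path_hash, last_run_ft, run_count):
    """Construct a minimal version-17 header for testing (constructed data,
    not a capture from the poster's machine)."""
    name = exe_name.encode("utf-16-le")
    if len(name) > 58:
        raise ValueError("executable name too long for the 60-byte field")
    buf = bytearray(0x98)
    struct.pack_into("<I", buf, 0x00, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, last_run_ft)
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)
```

Run `parse_xp_prefetch(open(path, "rb").read())` over each file in C:\WINDOWS\Prefetch to list the executable names, last-run times and run counts recorded there; a .pf entry whose name matches a file you have just removed is the kind of related artifact discussed in the thread.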

#6 Cartoon Shark

Cartoon Shark
  • Topic Starter

  • Members
  • 89 posts
  • Gender:Female
  • Local time:07:41 AM

Posted 30 July 2011 - 08:29 AM

Successfully deleted! Thank you for your help. :)

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,483 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:41 AM

Posted 30 July 2011 - 10:33 AM

You're welcome.
