
Avast pops up URL:MAL every time I open browser


This topic is locked
30 replies to this topic

#1 acer34e

Posted 09 July 2015 - 03:41 PM

I have been working on a customer's computer and even after running an Avast boot-time scan, Malwarebytes, JRT and AdwCleaner I still receive multiple warnings that an infection is being blocked:
 
URL: hxxx://bestdriverstar.net/4141/ReactorExtender_142667250412991.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
 
I even removed the HDD, hooked it up to a different computer and ran the scans but I can't remove the warnings. I would appreciate any and all help with this! It is an HP 15 laptop running Windows 8.1
 
Thank you so much!


Edited by hamluis, 09 July 2015 - 03:52 PM.
Deactivated link - Hamluis.



#2 Firehouse

Posted 09 July 2015 - 04:09 PM

Download MBAR and save it to your desktop. Run the tool as Administrator; the program will extract and launch itself. After the program is executed, click Next, then Update to obtain the latest definitions. If malware is found, make sure that Create Restore Point is selected, then click Cleanup. Restart your computer; the program will create a log which you will paste here. Download link: http://downloads.malwarebytes.org/file/mbar



#3 BenjaminGordonT

Posted 09 July 2015 - 04:14 PM

It is very possible that svchost.exe has been compromised... Which would cause this sort of problem... It could also be Avast is just detecting an old malware which is possible... I have had problems with Avast before so I tend to use Bitdefender... Try Malwarebytes or Bitdefender and see if you still get the error...

 

Virustotal detects the site as malicious but on further look I can conclude that the site itself is one of those illegitimate sites that claims to give you what you want and just gives you crap adware...

 

The actual file downloaded has a 36/56 detection ratio so yeah it is a virus... My guess is that there is a remnant of adware that is still hijacking your computer... I would suggest you use ComboFix but I have no authority to do so... Here is my suggestion:

 

First run both JRT and AdwCleaner and attach the logs in your next reply.

 

Next,

 

--RogueKiller--

  • Download RogueKiller and SAVE it to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller

=======

 

After running these 3 programs and NOT rebooting your computer, do the warnings stop?

 

Post all 3 logs in your next reply and I will give you advice as to what to do next...

 

-BenjaminsiPod
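Added example for the svchost.exe point above (editor's addition, not part of the original thread and not from Avast, Malwarebytes or RogueKiller). Avast's alert names svchost.exe as the process, but svchost.exe is only a generic host: the code that actually requested the DLL is a service DLL loaded into one of several svchost instances, or something that re-creates the download on a schedule. The PowerShell below maps every svchost.exe that currently has an established outbound connection to the services it hosts and to the file each service really loads (the ServiceDll, not svchost.exe), then shortlists enabled scheduled tasks that launch script hosts or binaries outside the Windows and Program Files trees. It assumes Windows 8 / 8.1 or later (where Get-NetTCPConnection and Get-ScheduledTask are built in) and an elevated PowerShell prompt; the regexes and the "suspicious task" heuristic are the editor's, not anything the tools in the thread use.

```powershell
# Editor's triage example. Maps network-active svchost.exe instances to the
# services and DLLs they host, then lists startup tasks worth a look.
# Assumes Windows 8 or later and an elevated prompt (assumption, not from the thread).

function Get-SvchostServiceMap {
    $svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object Id)

    # Established TCP connections owned by an svchost.exe, loopback excluded
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $svchostPids -contains $_.OwningProcess -and
                       $_.RemoteAddress -notmatch '^(127\.|::1$)' }

    foreach ($hostPid in ($conns | ForEach-Object OwningProcess | Sort-Object -Unique)) {
        $remotes = ($conns | Where-Object OwningProcess -eq $hostPid |
                    ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '

        # Only the services hosted by THIS svchost instance
        Get-CimInstance Win32_Service -Filter "ProcessId = $hostPid" | ForEach-Object {
            $svc = $_
            # A shared-process service keeps its code in the DLL named by Parameters\ServiceDll;
            # that DLL, not svchost.exe, is what to inspect.
            $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters" `
                        -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            $raw  = if ($dll) { $dll } else { $svc.PathName }
            # Strip quotes and arguments, keep the .dll/.exe path, expand %SystemRoot% etc.
            $file = [Environment]::ExpandEnvironmentVariables(($raw -replace '^"?([^"]+?\.(dll|exe)).*$', '$1'))
            $sig  = if (Test-Path $file) { Get-AuthenticodeSignature -FilePath $file } else { $null }

            [pscustomobject]@{
                PID       = $hostPid
                Remote    = $remotes
                Service   = $svc.Name
                StartMode = $svc.StartMode
                File      = $file
                SigStatus = if ($sig) { $sig.Status } else { 'FILE MISSING' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

function Get-SuspiciousTaskActions {
    # Enabled scheduled tasks whose action is a script host / LOLBin, or a binary outside the
    # Windows and Program Files trees. Legitimate entries will appear too: this is a shortlist, not a verdict.
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # non-exec actions (COM handler, e-mail) have no Execute
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    } | Where-Object {
        $_.Execute -match '(?i)rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd\.exe' -or
        $_.Execute -notmatch '(?i)^"?(%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files|%ProgramFiles)'
    }
}

Get-SvchostServiceMap     | Format-Table -AutoSize -Wrap
Get-SuspiciousTaskActions | Format-Table -AutoSize -Wrap
```

Read the output by File and Signer rather than by SigStatus alone: on Windows 8.1, many Microsoft service DLLs are catalog-signed and Get-AuthenticodeSignature reports them as NotSigned, so the useful signal is a ServiceDll or task binary sitting under a user profile, ProgramData or Temp, with no Microsoft signer, on the same svchost PID that owns the connection Avast keeps blocking. Run it while the warning is being raised, since the connection has to be live to appear in the first table.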



#4 BenjaminGordonT

Posted 09 July 2015 - 04:16 PM

Download MBAR and save it to your desktop. Run the tool as Administrator; the program will extract and launch itself. After the program is executed, click Next, then Update to obtain the latest definitions. If malware is found, make sure that Create Restore Point is selected, then click Cleanup. Restart your computer; the program will create a log which you will paste here. Download link: http://downloads.malwarebytes.org/file/mbar

 

Seems like we both responded at the same time... Um...



#5 Firehouse

Posted 09 July 2015 - 04:16 PM

That's most likely a rootkit issue; I've encountered that issue when I was helping. I'm under Malware Removal Training (not here), so I'm sure there's a rootkit present on the system.



#6 BenjaminGordonT

Posted 09 July 2015 - 04:18 PM

In that case I'll let you handle it... No reason to waste time with 2 people on 1 case... But have the user follow the advice I gave previously anyway as I believe RogueKiller should really help narrow down where it is...

 

That's most likely a rootkit issue; I've encountered that issue when I was helping. I'm under Malware Removal Training (not here), so I'm sure there's a rootkit present on the system.



#7 Firehouse

Posted 09 July 2015 - 04:21 PM

Or he can use both tools, but MBAR will be the better choice :) Anyway, AdwCleaner and JRT are mostly for Adware/PUP, not for Rootkits.



#8 BenjaminGordonT

Posted 09 July 2015 - 04:24 PM

True, just not sure yet if it is a rootkit... The signs point to it but we have no logs or anything yet... I had a very similar problem and the solution was to use RogueKiller... It stopped the malware for the time being so I could locate it and destroy it... Anyway no problem... The reason I think it is adware is because the file that the user is pointing to is directly related to adware, as is everything else... Rootkits don't tend to focus on loading adware; usually adware loads itself lol



#9 Firehouse

Posted 09 July 2015 - 04:27 PM

True lol :D RogueKiller is good, but I'm not sure whether we are using it in our school. Anyway, the lamest thing about Avast is that once its notification got stuck on my screen and froze :/ Ok, now we need the MBAR and RogueKiller logs to determine whether it is a rootkit or not.



#10 acer34e (Topic Starter)

Posted 09 July 2015 - 04:48 PM

Sorry I missed reading the thread while I let the scan run. Thank you both for jumping in. MBAR found nothing:

Malwarebytes Anti-Rootkit BETA 1.09.1.1004
www.malwarebytes.org

Database version:
main: v2015.07.09.06
rootkit: v2015.07.09.01

Windows 8.1 x64 NTFS
Internet Explorer 11.0.9600.17842
Lorraiane :: PERSONALPC [administrator]

7/9/2015 5:12:20 PM
mbar-log-2015-07-09 (17-12-20).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 354591
Time elapsed: 26 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)


I will run the other two programs now and attach the logs once it is finished.


Edited by hamluis, 10 July 2015 - 08:09 AM.
Removed formatting - Hamluis.


#11 Firehouse

Posted 09 July 2015 - 04:51 PM

Ok, now try RogueKiller. You can also scan with TDSSKiller by Kaspersky as well.



#12 acer34e (Topic Starter)

Posted 09 July 2015 - 04:59 PM

Here is the log from AdwCleaner:
# AdwCleaner v4.208 - Logfile created 09/07/2015 at 17:55:41
# Updated 09/07/2015 by Xplode
# Database : 2015-07-09.2 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Lorraiane - PERSONALPC
# Running from : C:\Users\Lorraiane\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840


-\\ Mozilla Firefox v39.0 (x86 en-US)


-\\ Chromium v


*************************

AdwCleaner[R0].txt - [756 bytes] - [09/07/2015 17:52:19]
AdwCleaner[R1].txt - [814 bytes] - [09/07/2015 17:53:46]
AdwCleaner[S0].txt - [740 bytes] - [09/07/2015 17:55:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [798 bytes] ##########

Edited by hamluis, 10 July 2015 - 08:10 AM.
Removed formatting - Hamluis.


#13 Firehouse

Posted 09 July 2015 - 05:01 PM

Logs are clean. You may need to run TDSSKiller and RogueKiller if you haven't done so already.



#14 acer34e (Topic Starter)

Posted 09 July 2015 - 05:19 PM

I will run RogueKiller now, but here are the results from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.3.8 (07.09.2015:1)
OS: Windows 8.1 x64
Ran by Lorraiane on Thu 07/09/2015 at 17:59:25.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Chrome

[C:\Users\Lorraiane\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Lorraiane\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Lorraiane\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Lorraiane\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 07/09/2015 at 18:07:20.45
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Edited by hamluis, 10 July 2015 - 08:12 AM.
Removed formatting - Hamluis.
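Added example for the JRT log above (editor's addition, not part of the original thread and not JRT's own code). The only thing JRT changed was Chrome's Preferences and Secure Preferences: it reset the default search provider and removed extension entries, which is exactly where browser-hijacking adware lives. Before running a cleaner, or to verify what it left behind, you can read those JSON files directly and see what the profile currently points at. The snippet assumes the default profile location under %LOCALAPPDATA% and the key layout of Chrome 4x-era builds (default_search_provider_data, session.startup_urls, extensions.settings); those names are an assumption about the file format, and the "Flag" heuristics are the editor's.

```powershell
# Editor's example: summarise the Chrome profile settings that JRT reported resetting.
# Assumes the default profile path and Chrome 4x pref key names (assumption, not from the thread).

function Get-ChromePrefSummary {
    param([string]$ProfileDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'))

    foreach ($name in 'Preferences', 'Secure Preferences') {
        $path = Join-Path $ProfileDir $name
        if (-not (Test-Path $path)) { continue }
        $prefs = Get-Content -Path $path -Raw -Encoding UTF8 | ConvertFrom-Json

        # Default search provider: a hijacker swaps url/keyword so every omnibox query goes through its redirector
        $dsp = $prefs.default_search_provider_data.template_url_data
        if ($dsp) {
            [pscustomobject]@{ File = $name; Kind = 'DefaultSearch'; Name = $dsp.short_name; Value = $dsp.url; Flag = '' }
        }
        # Pages reopened at every launch, and the homepage
        foreach ($u in @($prefs.session.startup_urls)) {
            if ($u) { [pscustomobject]@{ File = $name; Kind = 'StartupUrl'; Name = ''; Value = $u; Flag = '' } }
        }
        if ($prefs.homepage) {
            [pscustomobject]@{ File = $name; Kind = 'Homepage'; Name = ''; Value = $prefs.homepage; Flag = '' }
        }

        # Extensions: id, name, install path, update source. Side-loaded adware usually has no Web Store
        # update_url, updates from its own server, or lives outside the profile's Extensions folder.
        $settings = $prefs.extensions.settings
        if ($settings) {
            foreach ($p in $settings.PSObject.Properties) {
                $e = $p.Value
                if (-not $e.manifest) { continue }
                $upd  = [string]$e.manifest.update_url
                $flag = if (-not $upd) { 'no update_url' }
                        elseif ($upd -notmatch '^https://clients2\.google\.com/service/update2/crx') { 'non-store update_url' }
                        elseif ($e.path -and [System.IO.Path]::IsPathRooted($e.path)) { 'absolute path' }
                        else { '' }
                [pscustomobject]@{
                    File  = $name
                    Kind  = 'Extension'
                    Name  = "$($p.Name) $($e.manifest.name)"
                    Value = "$($e.path) <- $upd"
                    Flag  = $flag
                }
            }
        }
    }
}

Get-ChromePrefSummary | Format-Table -AutoSize -Wrap
```

Close Chrome before reading so the files are not mid-write, and treat this as read-only: Secure Preferences carries HMACs over its protected keys, so hand-editing it makes Chrome discard the edited values at next launch, which is why resets are left to a tool such as JRT. Entries flagged 'non-store update_url' or 'absolute path' are the ones to compare against what the user actually installed.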


#15 BenjaminGordonT

Posted 09 July 2015 - 06:39 PM

Everything you've given so far indicates that your computer is clean even though it isn't... Yeah, like Firehouse said, run TDSSKiller and RogueKiller and post those logs... Those will be the most helpful... From what I can tell this is probably a hidden EXE that runs at startup that is just plain and simple adware... But I don't know without actually getting logs from RogueKiller and TDSSKiller...





