
Constant malicious URL repel by Avast



Ok, so I have Avast Free and ZoneAlarm Free installed, updated and running on this PC. It is running Windows XP. I just ran into an issue last night after visiting a shady website. Avast Network Shield repeatedly pops up telling me it has repelled a malicious URL even when I'm not going from page to page. It pops up constantly, even while just sitting static on yahoo.com. I also ran CCleaner already.

Here are the URLs it is giving, and then the process.

hxxp://espeak911.com/x/
hxxp://colexity777.com/x/
hxxp://37.220.36.44/x/

Infection: Mal

Then for the process it says C:\WINDOWS\System32\svchost.exe

I have run an updated scan of Malwarebytes and it came up with two objects that I deleted. I should have written down what they were, but wasn't thinking. I also ran an updated scan of Avast, which came up with one object, I believe.

I ran a HijackThis log and it is as follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:44 PM, on 8/12/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
D:\Avast Updated\AvastSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
D:\Program Files\Canon MP160 Printer\OpwareSE4.exe
D:\AVASTU~1\avastUI.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jason\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\ANTIVI~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - D:\Avast Updated\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - D:\Avast Updated\aswWebRepIE.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\Canon MP160 Printer\OpwareSE4.exe"
O4 - HKLM\..\Run: [ASUS Probe] d:\program files\pc probe\AsusProb.exe
O4 - HKLM\..\Run: [avast5] D:\AVASTU~1\avastUI.exe /nogui
O4 - HKLM\..\Run: [switchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iSW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\ANTIVI~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\ANTIVI~1\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...t/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.co...l/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...Controls/en/x86/client/wuweb_site.cab?1249495443842
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace....ceUploader2.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - AVAST Software - D:\Avast Updated\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Internet Pass-Through Service (PassThru Service) - Unknown owner - C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
O23 - Service: PCLEPCI - Pinnacle Systems GmbH - C:\WINDOWS\system32\drivers\pclepci.sys
O23 - Service: PinnacleUpdate Service (PinnacleUpdateSvc) - KALiNKOsoft - D:\Program Files\Game Profiler\pinnacle_updater.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10983 bytes

Would be thankful for any and all help!


Welcome!

Please do not post live links. Also, you should not run a temporary file cleaner until after you are cleaned up, as it makes recovery difficult. Most malware now moves things like system files or Start Menu folders/files to the temporary folders, making recovery almost impossible if you cleaned your temporary files beforehand.

It sounds as if you might be infected.

We cannot work on malware removal in this section of the forums, so please read below for assistance with cleaning your system.

IMPORTANT: Please do NOT use any temporary file cleaners unless instructed to do so - they can cause data loss, making it hard to recover your system.

PLEASE CHOOSE ONE OF THE FOLLOWING 3 OPTIONS:

OPTION 1: Free, one-on-one, expert assistance in the Malware Removal Forum.

OPTION 2: For paid users of MBAM PRO, free, one-on-one, expert assistance from MBAM support.

OPTION 3: Fee-based, one-on-one, expert assistance from Premium Support.

OPTION 1:

  • Please print out, read and carefully follow the instructions in the "I'm Infected - What Do I Do Now?" article.
  • If the infection has so crippled the computer that you cannot complete some or all of the steps, then just do the best you can and start a new topic as described below.

  • Then please start a new post in the Malware Removal Forum.
  • When starting your new post, please note the following:
  • Please do NOT post in a topic started by someone else, even if their problem sounds similar.
  • Please COPY/PASTE the requested logs into your post, rather than attaching them.
  • Under options, please be sure to select "track this topic" and "immediate email notification", so you'll know when a helper responds.

  • Please be patient - it may be 48 hours or more before a helper can assist you, especially when the forum is very busy.
  • Please do NOT "bump" your topic or reply back to it for at least 48 hours.
  • Doing so may cause your topic to be overlooked, as it will appear that you are already being helped.

OPTION 2:

Alternatively, as a paying customer, you can contact the help desk by filling out the form here.

OPTION 3:

If you would like to use the Malwarebytes Premium Services (comprehensive solutions to all your computer support needs – from installation and set-up to troubleshooting and tune-ups), please go to our Premium Support site here.

Please be patient – someone will assist you as soon as possible.

PS: Please use the reply button or the message pane (instead of the "Quote" and "MultiQuote" buttons) when replying here and at the other forums. That will make your topic easier to follow. :)

Sorry about posting active links. I was also unaware of the fact that running cleaners and things would make it difficult to solve the problem. I was just trying to do the little bit I knew to do before having to ask someone to figure it out for me.

I have followed the instructions and created a new topic in the HijackThis logs section.

Thank you!


That's okay, we just don't want people clicking them. :) Yes, this is common among fake utility programs (rogues) these days. It used to be advised, but now it's not so much anymore, as malware is using different strategies to make cleanup difficult.

You're welcome. Hopefully they resolve your issues. :)
