Solved URL:Mal Connection from svchost.exe

champo

New Member
Thread author
Aug 3, 2018
7
Hello,

About 2-3 weeks ago I started getting pop-ups from my Avast Antivirus indicating that it was blocking a connection that was infected with URL:Mal (see attached screenshot). In response to this, I ran a number of malware removal programs, including MalwareBytes, Hitman Pro, Emsisoft Emergency Kit and another program (which I can no longer recall the name of). Following these scans, the problem seemed to resolve itself in so far as I didn't see any further pop-ups from Avast for a while.

The problem now seems to have returned, and running the aforementioned programs has not resolved the issue this time, and no infections were identified. This infected connection is now being attempted every 10 minutes on the dot.

I have run Farbar Recovery Scan tool, and attached the reports.

Thanks in advance for your assistance. It is very late here, so I will be heading off to bed shortly, however will check for updates first thing in the morning.

Kind regards
 

Attachments

  • FRST.txt
    83.6 KB · Views: 5
  • URL - Mal.jpg
    58.3 KB · Views: 200
  • Addition.txt
    47.8 KB · Views: 7

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    84 bytes · Views: 14

champo

New Member
Thread author
Aug 3, 2018
7
Thanks TwinHeadedEagle.

As an update (and it may be meaningless), but the URL:Mal connection popped up immediately after running the above fix.
 

Attachments

  • Fixlog.txt
    2.7 KB · Views: 6

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.


Let me know if this fixed it.
 

Attachments

  • fixlist.txt
    338 bytes · Views: 189

champo

New Member
Thread author
Aug 3, 2018
7
Thanks again TwinHeadedEagle.

I have only just turned my PC on for the day, and the first attack came at 8:22pm (my time). I have run the above fix, and waited 10 minutes from the original attack (the previous frequency of attacks) and I received a notification from Avast at 8:32pm of a URL:Mal connection being blocked.
 

Attachments

  • Fixlog.txt
    3.7 KB · Views: 2

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the report to your next reply.
 

champo

New Member
Thread author
Aug 3, 2018
7
Here you go!

Thanks in advance.
 

Attachments

  • FRST.txt
    84.2 KB · Views: 2
  • Addition.txt
    47.3 KB · Views: 2

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Quarantine Selected button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the Reports tab.
  • Double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.
 

champo

New Member
Thread author
Aug 3, 2018
7
Hi TwinHeadedEagle,

Malwarebytes detected and quarantined 11 infections (scanned at 11:46am). See Scan Log.

Strangely, Malwarebytes immediately after the scan blocked a connection/website (11:50am) - seemingly the same infection (I've attached the Malwarebytes report for your information). Interestingly, thereafter neither Avast nor Malwarebytes detected/blocked any further connections.
 

Attachments

  • Malwarebytes Scan Log 20180805 11.46am.txt
    2.7 KB · Views: 6
  • Malwarebytes - website blocked.txt
    657 bytes · Views: 4

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
How is the situation now?


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the report to your next reply.
 

champo

New Member
Thread author
Aug 3, 2018
7
Thanks for following up TwinHeadedEagle. The coast seems all clear since our last exchange in this thread (i.e. no notifications).
 

Attachments

  • Addition.txt
    50.9 KB · Views: 56
  • FRST.txt
    33.3 KB · Views: 56

champo

New Member
Thread author
Aug 3, 2018
7
Thanks so much TwinHeadedEagle, really appreciate your assistance!

I’m curious if you can provide any insight into the likely source of infection based on the logs I’ve provided, or just your general experience?

It’d be nice if I can take steps to avoid this reoccurring in the future!
 
