Avast WEBforum

Other => Viruses and worms => Topic started by: Druidmisanth on April 10, 2010, 10:09:51 AM

Title: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 10, 2010, 10:09:51 AM
This message (below) has recurred at seemingly random intervals for the last three days. I have scanned with Avast (both full scan and boot scan) with no result. Likewise with Microsoft Security Essentials, which I have since deleted. Judging by the message itself, my machine is safe and Avast AV is doing its job, but I sure would like to figure out just what, inside my computer, is compelling this continuous assault by whatever the heck "77.74.48.111/pldr/test.jpg?suid=b422fa..." is. I will download MBAM and scan with it in the interim, but any assistance would be greatly appreciated.

Gordon

(http://farm3.static.flickr.com/2690/4507447040_eefea94f8f_o.jpg)
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: brain on April 10, 2010, 10:18:03 AM
Hi

What is the malware link?

Thanks
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 10, 2010, 01:34:48 PM
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/10/2010 7:26:03 AM
mbam-log-2010-04-10 (07-26-03).txt

Scan type: Full scan (C:\|)
Objects scanned: 169474
Time elapsed: 1 hour(s), 43 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{981111eb-4770-4c06-a9b4-6cacf126f5fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{981111eb-4770-4c06-a9b4-6cacf126f5fa} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remekulobe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c445201 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm1f77619d (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\noqmqx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\Adobe.CS3.Web.Premium.Keygen_Activation\Adobe.Web.Premium.CS3.Keygen+Activation.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\NYU Adobe CS3 Keygens\Adobe Web Premium CS3 Keygen + Activation.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gordon Brown\My Documents\ACSA\NYU Adobe CS3 Keygens\InDesign CS3 Keygen VLK.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\update.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Pondus on April 10, 2010, 01:48:49 PM
If you scan again (do the quick scan), does it come up clean? Problems gone?

Also run Superantispyware www.superantispyware.com

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 10, 2010, 04:23:08 PM
Is it possible to give the internet address name (using hXXp:// rather than http://) so that we can check out the page?

By using hXXp, the link cannot be activated.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: DavidR on April 10, 2010, 04:41:15 PM
It is in the original post, image and text; it is an IP address rather than a domain name.

There really is no page to check, as the origin is on the user's system trying to connect to that page, so what is on it is rather immaterial. We have to try and find what is using svchost.exe to connect to the malicious site; that is why starting the ball rolling on that with MBAM and SAS is a good start.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 10, 2010, 04:46:20 PM
Oh okay, David, sorry I rushed through the page. I will leave them to it. In good hands.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: DavidR on April 10, 2010, 04:54:47 PM
No problem, it may have been vundo trying to get out, but it may not be that simple.

Quote
Vundo, or the Vundo Trojan (also known as Virtumonde or Virtumondo and sometimes referred to as MS Juan) is a Trojan horse that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 10, 2010, 05:37:12 PM
(http://farm3.static.flickr.com/2078/4507546049_9bbb998f1e.jpg)
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 10, 2010, 07:33:06 PM
Okay, I'm actually on another tower entirely, which the keyboard from my main machine works just fine on. Any suggestions? Is it possible, somewhere on that computer, to block the URL in question entirely, in the internet security maybe? I'll have to take any advice and assemble it all together to try out on the machine when I hook it back up, and I suppose I could email any necessary links to myself to get around the nonfunctioning keyboard. Thanks in advance.

Gordon

Incidentally, the full URL that Avast keeps blocking and reporting is:

"77.74.48.111/pldr/test.jpg?suid=b422fa140378de814a177850fffffcuid=caba63b92ff1f44abbe14211373fef6affid=200327tid=nka10067cver=2li=1bi=Onc=1"
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: DavidR on April 10, 2010, 08:31:58 PM
I certainly haven't heard of a virus that targets your keyboard, though I guess it wouldn't be impossible if a keyboard driver was killed/damaged.

Whilst this would be a pain (OK for short tasks), it is still possible by using the Windows on-screen keyboard with your mouse; see mouse actions in http://www.microsoft.com/windowsxp/using/accessibility/oskturnonuse.mspx.


Have you tried running SAS yet?
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: polonus on April 10, 2010, 09:05:57 PM
Druidmisanth,

This is a known vundo download site. Re: http://www.bleepingcomputer.com/forums/topic294721.html

polonus
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 11, 2010, 01:57:25 AM
Just to add to the info that Pol has posted:

- the screenshot shows the top part of the page returned from a search of the suspect domain's site address
- I can capture and post the whole page in segments if anyone thinks it will help

I'm not sure if the info is much use, and I'm a bit busy to follow up myself at the moment.
- info gathered by putting the v5 sandbox in IS AV into practice

I made sure to access the info from a safe distance, and would advise anyone unpractised in doing so to steer well clear of this domain.

Edit: well, some of the domain is okay, so a caveat perhaps: viewer beware.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 15, 2010, 08:35:32 AM
I'm back, typing with the above-mentioned on-screen keyboard. In the interim, I have run rkill, vundofix and virtumundobegone, with nothing found in the latter two.

Then I ran HijackThis, producing this:

Quote
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:30:49 AM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 0: (no name) - http://www.kindgirls.com/graf/fondo2.png

--
End of file - 8304 bytes

But I haven't the slightest idea what it means. Running Malwarebytes again as we speak.

Other than the keyboard not working, all that really remains is that initial notice that Avast is blocking access to that same old URL.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 15, 2010, 08:43:58 AM
Here's the VirtumundoBeGone log:

Quote
[04/15/2010, 1:26:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Gordon Brown\My Documents\Downloads\VirtumundoBeGone.exe" )
[04/15/2010, 1:27:00] - Detected System Information:
[04/15/2010, 1:27:00] -  Windows Version: 5.1.2600, Service Pack 3
[04/15/2010, 1:27:00] -  Current Username: Gordon Brown (Admin)
[04/15/2010, 1:27:00] -  Windows is in NORMAL mode.
[04/15/2010, 1:27:00] - Searching for Browser Helper Objects:
[04/15/2010, 1:27:00] -  BHO 1: {0347C33E-8762-4905-BF09-768834316C61} (HP Print Enhancer)
[04/15/2010, 1:27:00] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[04/15/2010, 1:27:00] -  BHO 3: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
[04/15/2010, 1:27:00] -  BHO 4: {DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
[04/15/2010, 1:27:00] -  BHO 5: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl Class)
[04/15/2010, 1:27:00] -  BHO 6: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} (HP Smart BHO Class)
[04/15/2010, 1:27:00] - Finished Searching Browser Helper Objects
[04/15/2010, 1:27:00] - Finishing up...
[04/15/2010, 1:27:00] - Nothing found! Exiting...
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: jeffc_lenovo on April 15, 2010, 06:10:59 PM
I don't know if this helps or not, but I'm seeing exactly the same behavior. Investigating the network shield log gives a PID for a slew of services hosted by svchost.exe (Process Explorer). Nothing looks odd. I've tried numerous scanners (malwarebytes, superantispyware, hijackthis, housecall, rootkitbuster, ad-aware, and aVast of course) and none have yet found anything. The topic on bleepingcomputer is of little help (suggesting that this is an aVast false positive). A reverse lookup gives a domain hosted from the British VI, and I'm completely sure I've got nothing to do with them.

I'm sorry if there's not a lot of new info in this post, but I think there's something really nasty in this and it's able to hide itself really well.

In addition to whatever service it is that's doing this, I'm seeing a DNS redirection on search hits from a search-results page (google, yahoo, you name it). I believe that the problems are linked in my case.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 15, 2010, 07:17:50 PM
Hi Druidsmith

Like Jeffc says, there's something really nasty in this.
Let's do a preliminary anyway. But you may be needing more help.

Fix this entry - relatively straightforward:
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
To fix the entry, put a checkmark in the box next to the entry and click Fix Checked in the bottom left-hand corner of the screen.
- after Fix Checked, you need to run Scan to bring up a new log - I prefer to fix one entry at a time

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
Are these on demand for an online scanner? If you can, try to disable these in your browser under Manage add-ons - it would be good to have them out of the way for the time being - but wait for a second opinion if you want.

You may need to fix these others by running a HjT scan in Safe Mode - even then they may be very difficult to delete.
Perhaps do everything in Safe Mode - so copy this post as a file to your hard drive first so you have a reference.

O4 - HKUS\S-1-5-19\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'NETWORK SERVICE')
Fix Checked both of these - wirahahe.dll is a suspect trojan and appears to have locked your system
- see screenshot (edited)

Edit - on second thoughts, wait for a second opinion on this - you may need more in-depth help for these.
Since we are talking about pretty much the whole system, let's not be hasty.

O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
This is suspect:
http://www.techspot.com/vb/topic119190.html

O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
This is suspect, but I have no information on it - second opinion perhaps.

As for your keyboard, I can only suggest going into the BIOS - as the computer first starts, you need to start tapping either F1, F2 or DEL to take the computer into Setup, then look for which F key will allow you to load setup defaults (or optimal/failsafe defaults) and press that, then go to Save and Exit - if the keyboard port is working then things should be okay.

Usually, before you go into Setup, if the keyboard is not working then you will get the error message and that's about it - you won't be able to use it. Try a USB keyboard and see if that works.
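The post above triages a HijackThis log by hand: persistence locations that load arbitrary DLLs (AppInit_DLLs, ShellServiceObjectDelayLoad, Run keys under the service-account SIDs) are the ones worth a second look, and orphaned entries ("(no file)", "(file missing)") are low-risk clutter. The script below is an added example, not code from the thread or from the HijackThis project, that encodes that reasoning as detection rules and runs them over a constructed sample made from lines posted in this thread. The SSODL allowlist is an assumption (a minimal set of Windows shell DLLs); extend it from a known-clean baseline before relying on it.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines modelled on the log posted in this
# thread. The O4/O20/O21 entries are copied from it; the rest are ordinary
# benign entries included for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKUS\S-1-5-19\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
"""

# Well-known service-account SIDs (SYSTEM, LOCAL SERVICE, NETWORK SERVICE).
# A per-user Run value under these hives is unusual for legitimate software.
SERVICE_ACCOUNT_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")

# Assumption: minimal allowlist of shell DLLs Windows XP itself registers
# under ShellServiceObjectDelayLoad. Build your own from a clean baseline.
KNOWN_SSODL_DLLS = {"webcheck.dll", "stobject.dll", "browseui.dll", "shell32.dll"}

LINE_RE = re.compile(r"^([ORF]\d+) - (.*)$")


@dataclass
class Finding:
    severity: str  # "high" or "low"
    code: str      # HijackThis section code, e.g. "O20"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's manual triage rules to HijackThis-style log lines."""
    findings: list[Finding] = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list, blank lines: not a numbered entry
        code, body = m.group(1), m.group(2)
        low = body.lower()

        if code == "O20" and low.startswith("appinit_dlls:"):
            # Anything listed here is mapped into every process that loads
            # user32.dll; on a clean XP box the value is normally empty.
            if low.split(":", 1)[1].strip():
                findings.append(Finding("high", code,
                    "AppInit_DLLs is non-empty: listed DLLs are injected into "
                    "every process that loads user32.dll", raw))

        elif code == "O21":
            # SSODL entries are loaded by Explorer at logon; flag unknown DLLs.
            dll = body.rsplit("\\", 1)[-1].strip().lower()
            if dll not in KNOWN_SSODL_DLLS:
                findings.append(Finding("high", code,
                    f"ShellServiceObjectDelayLoad loads unrecognised DLL {dll} "
                    "into Explorer at logon", raw))

        elif code == "O4":
            # Rundll32 loading a DLL from a Run key under a service-account
            # hive is the pattern called out in the thread.
            if any(sid in body for sid in SERVICE_ACCOUNT_SIDS) and "rundll32" in low:
                findings.append(Finding("high", code,
                    "Rundll32 Run entry under a service-account hive", raw))

        elif code == "O9" and low.endswith("(no file)"):
            findings.append(Finding("low", code,
                "orphaned toolbar/button entry, target file absent", raw))

        elif code == "O23" and low.endswith("(file missing)"):
            findings.append(Finding("low", code,
                "service registered but binary missing", raw))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.code}: {f.reason}\n    {f.line}")
```

Run it against a full HijackThis log by reading the file into `triage()`; the rules are deliberately location-based (where the DLL is loaded from) rather than name-based, because the random file names in this thread change from infection to infection while the persistence locations do not.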
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 15, 2010, 10:23:35 PM
Well, for the moment, the keyboard is working. It seems to be an on-again, off-again phenomenon without any discernible pattern that I can see: restarts and uninstall/reinstalls seem to eventually remedy the situation, at least until the next conniption my machine throws.

mkis, being nothing if not hasty, I went ahead and jettisoned everything you listed. I am now going to reboot and see what happens. If I'm not back in an hour, I may be at the store buying something with Ubuntu preinstalled. ; ) Thanks for your help. Oh, here's the latest HijackThis log:

Quote
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:24:55 PM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6594 bytes

Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 15, 2010, 11:54:41 PM
You appear to have jettisoned a bit more than that.

What happened to Internet Explorer / the Internet connection?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 16, 2010, 01:35:09 AM
I think I failed at the elementary copy and paste function, because I didn't delete those things. Let me scan again. Hmm, not there and, yet, I didn't... Anyway, the notification is still there, though everything else seems to be working properly. Maybe I should just be happy with the way things are?
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 16, 2010, 03:18:29 AM
So are you on the computer now?

Okay, the cleanup was a bit blunt, that's all. We can work to restore it to smooth running bit by bit.
I don't suppose you have a Windows CD that came with your computer, or with your operating system if you bought it?

And what is the notification? Do you mean the avast warning in your original post?
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Druidmisanth on April 16, 2010, 06:05:53 AM
Yep, that same old 77.74.48.111 thing.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 16, 2010, 08:31:57 AM
okay here are a couple of things you will have to do at length --so keep them in mind

- if you have Windows CD put it to one side because I wouldn't run a Repair in the current state of yr computer - can do later
- uninstall Adobe reader - as looks well out of date
- update your Java - to make sure you are running latest version
- reset yr Internet Explorer / Internet Options


It is possible that your computer will lock up again, so let's for a start take the peripheral stuff off - which you can load back on later
- do this for a start - just to clear the field a bit so to speak

Fix these entries - we say they are helpers not essential to system running - we can reload later
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Fix checked on this but may prove hard to budge - you don't need it at startup anyway - but fix checked on this
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Fix checked
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


uninstall your ADOBE Reader
update your java - Control Panel -> Java -> update java tab

HijackThis not much use to us anymore so go to this link
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

follow directions - Run mbam as it says but update to latest version before running
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 16, 2010, 05:01:33 PM
Hi Druidsmith
If we are still working on this, and I think we should be

when we get near to finishing with a clean computer (hopefully) there are some finishing up tasks to see to
but if yr computer is still running okay do them at yr own free time and will -

Here is a preliminary for Reset of IE and Internet Options

Are your Internet Options (other than home page and search) set to default?
- if not, is there any reason why we cannot run at default as best case scenario?

Open Internet Options in Control Panel
- go to Advanced tab - Reset both Internet Explorer and advanced settings to default in that order

Go to General tab and set home page as what you want (mine is http://google.co.nz)
Then on same page go to Settings in Change search defaults (mine in screenshot)
- use find more search providers in lower left corner of screen if you need to find more
- make sure whatever is yr home page is also yr default Search Provider (mine is google)
- probably best to disable all search suggestions for now (going bit over the top now, but all good considering situation)

Then do this same page -
- checkmark in delete browsing history and also press Delete
- go to Settings there and delete any temp internet files that may still be there in 'View files'
- finally for now, also open up 'View objects' and see if there is anything in there that is broken
- (I think we probably fixed anything broken when we were in HijackThis, but have a look anyway)

Also -
you might as well go to Secunia website and run an OSI test
- even just to check yr flashplayer is performing at optimum - checks java is up to date as well

http://secunia.com/vulnerability_scanning/online/
click Start Scanner - choose display only insecure, click start - scanner runs, generates report at finish - follow directions
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: jeffc_lenovo on April 16, 2010, 08:02:53 PM
Following my own path on this (on the belief that my DNS redirection stuff  is related to this problem), I've come up with the following:

1) I've got some sort of thing hanging onto atapi.sys. It's reported by GMER and found (but not fixed) by TDSSKiller. ComboFix will not function on this box for some reason (BSODs with something about mbr.sys).

2) The thing that's apparently generating the calls out to the malicious URL appears to be generating the following as well (watch Network Shield--is there any way to get it to log everything it sees?):

mfdclk001.org/zk.............(really long url--no query string--just path)
dns://cdnmfdclk.org (I'm pretty sure it blasted by before I could get it all recorded)
dns://cesoftware.com
dns://img.mfdclk001.org

I may be completely off-track here, this is my first time with any serious infection, but I just get the feeling that the atapi.sys thing is linked to these weird network accesses.

Druidsmith: Are you seeing browser link redirection?
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 16, 2010, 09:45:17 PM
If you haven't got to these links yet jeffc_lenovo

http://www.threatexpert.com/report.aspx?md5=cabf86f75e24ff6949a2ece21f4e7a7e

http://www.threatexpert.com/report.aspx?md5=50955e13c8e5e220901ecc4328ae76cc

oh sorry, I should have said that you have to go down the page a bit to find the url
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: polonus on April 16, 2010, 10:33:47 PM
Hi mkis,

Good find and analysis,

polonus
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: jeffc_lenovo on April 16, 2010, 11:13:59 PM
MKIS,

First, thank you!

Second, if I read the links correctly, this stuff just creates a bunch of new registry values, not actually modifying anything. Am I right about that? Please confirm, as it looks like I can use regedit to just blow this stuff off, right?

And third, thanks again, profusely.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: mkis on April 17, 2010, 03:02:00 AM
sorry I have been having a bit of a break

My advice on a quick look at threat expert info just this minute
- generally such black and white deletion of trojan is not really a feasible method of removal
- I see here reference to trojan downloader and virtool, which is not good

I cannot give any kind of affirmative without information about yr system, because of how long malware has been active, etc.
- but generally no - if caught straight away possibly as you say - also these things can be variant as well as can mutate

Above definition is more likely just a behavioral guideline - I wouldn't say an exact example of what is yr infection

In short I simply don't know - sorry, just woke up, so I would throw yr question open to the forum members

I would advise to start here
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

If you run mbam, make sure to update to latest version before you run
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: jeffc_lenovo on April 19, 2010, 03:51:39 PM
MKIS, any, all,

The information provided did not lead me to a solution, just more information. Whatever this is, it sits on the NetworkService account and uses that to communicate with the world. The IE browser history and temporary internet files for the NetworkService profile continue to grow. And, as I noted in an earlier post, the PID reported by aVast's network scanner is a PID associated with a slew of services hosted by svchost.exe.

I determined that with Microsoft's procexp (Process Explorer). A closer look with that tool illustrates that the PID used to host whatever's doing the internet accesses is holding the index.dat files from the NetworkService profile (for the history, the cookies, and the temporary files) in memory. That is, if you view the lower pane in Process Explorer and select 'View DLLs' for the lower pane, the pane displays the index.dat files with paths, etc. Right clicking the .dat file for the browse history and viewing the strings turns up our friend mfdclk001.org and a number of other successful connects. There's no history entry for 77.74.48.111, but I expect that's due to the fact that aVast blocks the access attempt.

So it appears that there's a memory image here that scanners should be able to get to and kill (aVast, help please!). I just can't figure out any reasonable explanation for the PID to keep this data in memory. It seems like an obvious marker for something.

Finally, on another forum someone with what sounds like the same problem was unable to fix it using the 'standard' set of tools (malwarebytes, combofix, gmer, mbr, etc.), and the suggestion was made to reformat and reinstall the operating system. That user noted that by doing that two things happened: 1) the infection is lost so a solution becomes impossible; 2) the bad guys win. He was fighting on. I'd like to do that too. That is, I'm not particularly interested in the 'reformat' solution yet.

Thanks for all help to this point. Anyone have any other ideas?
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: jeffc_lenovo on April 19, 2010, 04:08:34 PM
One other thing that's very odd...the device manager no longer has an entry for Disk Drives (as if the machine has no hard disk). It seems to me that this points to some sort of nasty living in the mbr. Gmer shows a 'suspicious' alteration to atapi.sys and shows an unknown device (as in http://forum.avast.com/index.php?topic=58496.0).

I've attempted unpacking a fresh copy of atapi.sys (as per instructions in above) with no love (much as in the above). tdsskiller doesn't get this either.
Title: Re: "Malicious URL Blocked" message over and over again.
Post by: Shocked on November 12, 2010, 07:37:51 AM
I have sort of the same problem, scvhost.exe is trying to launch malicious URLs but avast is blocking it.