Avast WEBforum

Other => Viruses and worms => Topic started by: haqzaf on September 29, 2010, 12:50:47 AM

Title: dwm.exe found in XP
Post by: haqzaf on September 29, 2010, 12:50:47 AM
Hi,
Long-time user of Avast virus protection software.
For the last three days, I have had the following observation in my XP Home Edition Task Manager.
Two malicious executable files running.

1. dwm.exe
2. shell.exe

I removed these files from the Task Manager list and also deleted them in the registry; they reappear in Task Manager and in the registry and also in temporary files.
I observe that before appearing in Task Manager another file, "sf.bin", appears briefly, disappears and makes way for the two files mentioned.
sf.bin is located at Avast5\defs\10092801\sf.bin
shell.exe is located at
C:\Documents & Settings\Owner\Application data\Microsoft\Windows\Shell.exe
In the Microsoft folder, I also observe a lone svchost.exe file present.
Unable to find the location of dwm.exe after performing the search operation many times.
In the registry, dwm.exe occurrences were found at HKey_Current_User\Software\Microsoft\Search Assistant\ACMru\5603,5604.
When I search a Google web page, it redirects my search to unwanted pages.
Please help. How do I remove these viruses? Why does Avast's sf.bin also help run these files?
dwm.exe is a genuine Microsoft file used in Windows 7 and Windows Vista versions, not in XP.
Size of these files approx. 3.884k in Task Manager.
Thanks

  
Title: Re: dwm.exe found in XP
Post by: Pondus on September 29, 2010, 12:56:08 AM
Have you tried scanning with Malwarebytes?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan.
Click the "Remove Selected" button to quarantine anything found.
You may post the scan log here if anything is found.
Title: Re: dwm.exe found in XP
Post by: haqzaf on September 29, 2010, 02:58:36 AM
Hi, Pondus,

Thanks for your prompt reply.
Not yet used or scanned with any external anti-malware software (afraid to use any unknown software; they might help and then stay in my computer for any reason). I totally relied on Avast, firmly, to first block these viruses and raise an alarm to notify me about their presence. Nothing happened by Avast. Also, as I pointed out, there is a file "sf.bin" located in the Avast folders that also takes part in facilitating these viruses. I expect an answer from the Avast team on what is happening, so thousands of other users, including myself, can clean this problem.
Title: Re: dwm.exe found in XP
Post by: Pondus on September 29, 2010, 07:28:39 AM
No AV has 100% detection; with the amount of new malware found every day that is a mission impossible.

Malwarebytes is a totally safe program to use; if you look in the signature of all the evangelists in here you will see that everyone is using it. You will also see it in use in all the other posts here where a computer is infected.

www.malwarebytes.org

So if you want a second opinion, run Malwarebytes.
Title: Re: dwm.exe found in XP
Post by: Pondus on September 29, 2010, 07:33:42 AM
Sf.bin
http://www.pc1news.com/virus/file-sf-bin-379059.html

http://forum.avast.com/index.php?topic=50510.0

dwm.exe
http://www.processlibrary.com/directory/files/dwm/

shell.exe
http://www.threatexpert.com/files/shell.exe.html

Title: Re: dwm.exe found in XP
Post by: nickj15 on September 29, 2010, 12:58:07 PM
Hi, I too am having the same 'malicious URL attack blocked' appearing consistently during the day. This also started for me yesterday. It is driving me mad. Seeing the dwm.exe, shell.exe and svchost.exe files as flagged etc., same as you reported.
Tried the Malware link as suggested but not sure what it actually does - does it just run in background ?

Been using avast for many years now and never had a problem before.
I know avast is blocking the malicious URL, which is good of course, but what can I do to get rid of these messages?
HELP !!!
Thanks in advance.
Nick
Title: Re: dwm.exe found in XP
Post by: Pondus on September 29, 2010, 05:07:08 PM
@nickj15 you should start your own topic asking for help, so we don't have to help multiple people in the same thread ...

Quote
Tried the Malware link as suggested but not sure what it actually does - does it just run in background ?
???   You have to open the program and run the scanner ......
Title: Re: dwm.exe found in XP
Post by: haqzaf on September 29, 2010, 11:54:19 PM
Hi Pondus,
After reporting my virus status here last night, I removed the above-mentioned files manually from my folders and from the registry. Files were "shell.exe", "dwm.exe", "svchost.exe" and another file, namely "stor.cfg", located with svchost. As a result, I was unable to connect to the internet. I also uninstalled avast 5 from my system and nothing happened. Just 15 minutes ago, I placed those removed files back in their respective folders and my internet connection was re-established immediately. My Task Manager again shows "shell.exe" and "dwm.exe" running. I'm posting this reply without avast running in the background. When I try to download free avast from your site, it redirects me to a site "Cnetdownload.com". Is this normal, or is it due to viruses?
Thanks for helping.
Please note: if I run your mentioned malware removal and remove unwanted files, my internet will stop again.
Title: Re: dwm.exe found in XP
Post by: Pondus on September 30, 2010, 12:09:42 AM
Quote
download free avast from your site, it redirects me to a site "Cnetdownload.com". Is this normal, or is it due to viruses?
Normal

Upload the files to www.virustotal.com and test them with 43 malware scanners; when you have the result, copy the URL in the address bar and post it here.


Quote
Please note: if I run your mentioned malware removal and remove unwanted files, my internet will stop again.
Maybe; depends what it detects, if anything? And you don't have to remove what it finds .... that's up to you.
Title: Re: dwm.exe found in XP
Post by: xtremesparx on September 30, 2010, 12:23:11 AM
Quote
resulting, I was unable to connect to the internet.

That's due to the malware adjusting your proxy server config to use its own process that it runs locally. You killed and deleted the files, so it was no longer "listening"; hence, you have no proxy server (a good thing, since who knows what it was collecting).

Open IE, go to Tools -> Internet Options. Then the Connections tab and see if it's set to use a proxy. I'm betting it is.

And to stop a "well I'm using Firefox" reply... Firefox, by default, uses your "system proxy" settings, which is whatever your IE tab indicates.

Keep us updated though, I'm still trying to stop them from coming back...
Title: Re: dwm.exe found in XP
Post by: haqzaf on September 30, 2010, 12:32:17 AM
Hi, xtremesparx

Sir, you are right. I never thought about it. I checked; the proxy was tick-marked to be active.

Update: after de-activating, the proxy server becomes active again.
Title: Re: dwm.exe found in XP
Post by: haqzaf on September 30, 2010, 04:13:49 AM
Hi, Pondus
Thanks,

After your recommendation, I made up my mind to quick scan my system using the MalwareBytes software.
Attached is the log file generated.
....................
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4719

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/29/2010 9:40:35 PM
mbam-log-2010-09-29 (21-40-35).txt

Scan type: Quick scan
Objects scanned: 136675
Time elapsed: 9 minute(s), 46 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
C:\Documents and Settings\Owner\Local Settings\temp\dwm.exe (Trojan.Downloader.Gen) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ytasfwhdtjdqwk (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\monopod (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\13291564 (Rogue.Multiple) -> No action taken.

Files Infected:
C:\Documents and Settings\Owner\Local Settings\temp\dwm.exe (Trojan.Downloader.Gen) -> No action taken.
C:\Documents and Settings\Owner\Desktop\dwm.exe (Trojan.Downloader.Gen) -> No action taken.
C:\Documents and Settings\Owner\Desktop\txt (Trojan.Downloader.Gen) -> No action taken.
C:\Documents and Settings\All Users\Application Data\13291564\13291564 (Rogue.Multiple) -> No action taken.
C:\WINDOWS\system32\ytasfwdaerseuo.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\ytasfwuoyifyxe.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.
Hope something positive may result for everyone having this difficulty.

Update: one and a half hours have passed after the quick scan and removal. The malicious virus has not yet appeared in Task Manager. Seems like the ship sails in smooth water after the storm.
Title: Re: dwm.exe found in XP
Post by: Pondus on September 30, 2010, 07:33:48 AM
Quote
Update: one and a half hours have passed after the quick scan and removal. The malicious virus has not yet appeared in Task Manager. Seems like the ship sails in smooth water after the storm.
Well, I see your log says "No Action Taken", so I hope you did a new scan and clicked the "Remove Selected" button to quarantine this?
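As an added example (not code from this thread, from Avast or from Malwarebytes), a small Python triage of a log in the layout posted above: it parses each detection line, counts how many were left at "No action taken" (the point raised in the reply just above), pulls the injected binary out of the Hijack.Shell Bad/Good values, and labels the persistence points this thread names (Winlogon Shell, Run keys, Windows\Load, the TDSS service entry, scheduled tasks, the Security Center notify values). The sample log is a constructed excerpt of the posted one, with the last outcome altered for contrast.

```python
import re

# Constructed excerpt in the layout of the Malwarebytes 1.46 log posted above (last outcome altered for contrast).
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\Documents and Settings\\Owner\\Local Settings\\temp\\dwm.exe (Trojan.Downloader.Gen) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ytasfwhdtjdqwk (Rootkit.TDSS) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\\Documents and Settings\\Owner\\Application Data\\Microsoft\\Windows\\shell.exe) Good: (Explorer.exe) -> No action taken.
Files Infected:
C:\\WINDOWS\\Tasks\\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<detection>) -> [Bad: (...) Good: (...) -> ]<outcome>"
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> )?(?P<outcome>.+)$"
)

# Persistence points named in this thread, matched against the flagged item path.
PERSISTENCE = [
    (r"\\Winlogon\\Shell$", "Winlogon Shell hijack (runs at every logon)"),
    (r"\\CurrentVersion\\Run\\", "Run key autostart"),
    (r"\\CurrentVersion\\Windows\\Load", "Windows\\Load autostart"),
    (r"\\CurrentControlSet\\Services\\", "service/driver entry (rootkit loader)"),
    (r"\\Tasks\\.*\.job$", "scheduled task"),
    (r"\\Security Center\\.*DisableNotify$", "Security Center alerts silenced"),
]

def parse_log(text):
    """One dict per detection line; section headers and blank lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text):
    """Items not acted on, plus the persistence points MBAM flagged (where it re-launches from)."""
    findings = parse_log(text)
    not_acted = [f["item"] for f in findings if f["outcome"].startswith("No action taken")]
    persistence = []
    for f in findings:
        for pattern, label in PERSISTENCE:
            if re.search(pattern, f["item"]):
                persistence.append((label, f["item"]))
                break
    # Hijack.Shell lines carry Bad/Good values; the Bad side names the injected binary.
    shell = [f["bad"] for f in findings if f["detection"] == "Hijack.Shell"]
    return {"total": len(findings), "not_acted": len(not_acted),
            "persistence": persistence, "shell_hijack": shell[0] if shell else None}
```

Run against a real mbam-log-*.txt, a non-zero `not_acted` means the scan was only a report and nothing was quarantined, so the listed autostart points will still relaunch the files at the next logon.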
Title: Re: dwm.exe found in XP
Post by: loki0444 on October 23, 2010, 06:44:26 PM
After reading the preceding posts I managed to remove dwm.exe successfully:

Removed files:
   documents & settings\username\local settings\temp\dwm.exe (found under several users)
   documents & settings\username\Application Data\microsoft\svchost.exe (found under several users)
   documents & settings\username\Application Data\microsoft\windows\shell.exe (found under several users)
Registry entries deleted:
   hkey_current_user\software\microsoft\windows nt\currentversion\windows\load:dwm:[path to dwm.exe]
   hkey_local_machine\software\microsoft\windows\currentversion\run:shell:[path to shell in app data folder]
   hkey_local_machine\software\microsoft\windows\currentversion\run:svchost:[path to svchost in app data folder]

After the changes, no internet connection, as the virus had set the proxy server:
For Firefox select Tools/Options/Advanced/Network and click Settings: change proxy to No proxy / Auto-detect or system proxy settings


Title: Re: dwm.exe found in XP
Post by: Left123 on October 23, 2010, 06:59:37 PM
I doubt the TDSS rootkit has completely left. TDSS is the most complicated rootkit ever; only TDSSKiller can remove this rootkit. Wait for essexboy.
Title: Re: dwm.exe found in XP
Post by: essexboy on October 23, 2010, 07:10:57 PM
Depends on whether it was TDL3 or 4

Please read carefully and follow these steps. 
ONCE DONE

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan