Avast WEBforum

Other => Viruses and worms => Topic started by: acuk on July 02, 2011, 03:55:46 PM

Title: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 03:55:46 PM
I keep getting alerts from Avast for malicious URLs. It seems to be rundll32.exe causing the problem, but I'm not sure.
The IP addresses it reports as malware are 64.111.211.158 and 64.11.211.165.
I have checked these at VirusTotal and it reports the IP addresses as clean.
http://tinyurl.com/5vh4hmh
http://tinyurl.com/62xnm3p
Malwarebytes finds nothing.
Ran a full scan on c:/Windows/System32. Nothing.
The alert is frequent, at least once or twice every couple of minutes.

Hope someone can help.
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: spg SCOTT on July 02, 2011, 04:00:40 PM
Hi acuk, welcome to the forum :)

First, there is no need for the tinyurl links, in fact I think that many would not click them, because they are shortened links. (I certainly don't just click them anyway)
The full links are fine, and are listed below (for the others)

http://www.virustotal.com/url-scan/report.html?id=45fd6d7f984afba10f5a1a81647c9963-1309605771
http://www.virustotal.com/url-scan/report.html?id=edf0f0531d591f4469df935e0cacc48f-1309605952

Now for the problem at hand, I would suggest starting here:
http://forum.avast.com/index.php?topic=53253.0

Post the logs back for those that can read them to help ;)

Scott
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 02, 2011, 04:38:39 PM
I don't like the shortened URLs either (always suspicious of what I can't see), so much so I have installed the LongURL Mobile Expander firefox add-on.

That said even though VT shows clean, I don't believe that for a second. It is highly suspect for this dll to be connecting to the internet and to sites that avast considers malicious.

This type of activity is often indicative of having a rootkit on your system.
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 04:57:34 PM
Hi guys, thanks for the quick reply.
Sorry about the shortened URLs, I wasn't really thinking, innocent newbie mistake.
Actually, thinking about it.. I won't be using them again, never really thought about the security issues that can arise from shortened URLs until now.. Learnt something useful already.
Funny thing also... since coming to this forum the alerts seem to have suddenly stopped ??? (Fluke or what?) But since I am very security conscious, i.e. run checks every week, I want peace of mind and would appreciate it if someone can check the logs.
Cheers
Thanks in advance
acuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 02, 2011, 05:06:14 PM
Well, MBAM is clean, but if, as I suspect, there might be a rootkit present, it could be hiding them.

I'm not familiar with the OTS log so someone else will have to investigate that.

In the meantime you can check if you have an MBR rootkit using this tool:
Quote from: essexboy
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8MB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
 
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)


Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 05:15:39 PM
Hi David, your concerns about a rootkit got me very concerned. I did actually run this yesterday and it also found nothing, but I will run it again now and report back.
As I said, you got me a bit concerned so I ran Trend's RootkitBuster.
Latest version: http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=355&regs=NABU&lang_loc=1#undefined
And it found a few things, now I'm really worried.
I haven't deleted any of the found hooks, I'll wait for further instructions.
Here's the Trend log.
Thanks
acuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 02, 2011, 05:23:29 PM
Well nothing I can see that is suspect, but I would certainly use the aswMBR tool as that really has been very hot on MBR rootkit detections if present.

The hooked service mentioned, aswSnx.sys is the avast Sandbox driver. So I wouldn't go touching that ;D
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 06:07:56 PM
Thanks Dave, OK, won't go touching those then.
Here's the latest aswMBR log.
Also, you mention the LongURL Mobile Expander Firefox add-on.
I'm running Firefox 5, but can't seem to find it anywhere, could you send me a link to that mate?
Cheers
acuk

Also I'm using a program called HostsMan for extra security
http://www.abelhadigital.com/hostsman
But how would I enter the two suspicious IPs into it so my computer would reject the sites?
Every search I've done on these IPs I can't get a hostname. ??
Any help would be appreciated.
The alerts in question have NOT re-occurred now for over 1 hr, very puzzling.
Am I clean? What was this? I would love to know how I got this.
acuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 02, 2011, 06:35:23 PM
Well nothing unusual there either.

Strange that they stopped as that would only normally happen after some form of cleaning.

This is the whois of the IP address (see image, click to expand) and it doesn't seem your usual malicious site, does this ISPrime ring any bells to you (but still strange for this connection by rundll32.dll)?

I will try and get someone to take a look at the OTS log.
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: essexboy on July 02, 2011, 06:56:12 PM
A few bad boys have taken up residence

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: URLSearchHooks\\"{1392b8d2-5c05-419f-a8f6-b9f15a596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\: URLSearchHooks\\"{1392b8d2-5c05-419f-a8f6-b9f15a596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\] > ->
YN -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\: "ProxyServer" -> http=127.0.0.1:49939
< Run [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\] > -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "SystemAuthenticationCtrl" -> C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll [rundll32.exe "C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll",userPadTray BthMainvga]
< Run [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\] > -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "java checksys" -> [%TEMP%\rtpmp.exe]
YN -> "java system update" -> [%TEMP%\eumlm.exe]
YN -> "windows updater" -> [%TEMP%\gaspci.exe]
YN -> "winupdate system" -> [%TEMP%\icvcc.exe]
[Files/Folders - Created Within 30 Days]
NY ->  temp.01A -> C:\Windows\System32\temp.01A
NY ->  temp.01C -> C:\Windows\System32\temp.01C
NY ->  temp.01B -> C:\Windows\System32\temp.01B
NY ->  temp.019 -> C:\Windows\System32\temp.019
NY ->  temp.018 -> C:\Windows\System32\temp.018
NY ->  temp.015 -> C:\Windows\System32\temp.015
NY ->  temp.017 -> C:\Windows\System32\temp.017
NY ->  temp.016 -> C:\Windows\System32\temp.016
NY ->  temp.014 -> C:\Windows\System32\temp.014
NY ->  temp.013 -> C:\Windows\System32\temp.013
NY ->  temp.010 -> C:\Windows\System32\temp.010
NY ->  temp.012 -> C:\Windows\System32\temp.012
NY ->  temp.011 -> C:\Windows\System32\temp.011
NY ->  temp.00F -> C:\Windows\System32\temp.00F
NY ->  temp.00E -> C:\Windows\System32\temp.00E
NY ->  temp.00D -> C:\Windows\System32\temp.00D
NY ->  temp.00C -> C:\Windows\System32\temp.00C
NY ->  temp.00B -> C:\Windows\System32\temp.00B
NY ->  temp.00A -> C:\Windows\System32\temp.00A
NY ->  temp.009 -> C:\Windows\System32\temp.009
NY ->  0 -> C:\Windows\System32\0
NY ->  temp.004 -> C:\Windows\System32\temp.004
[Files/Folders - Modified Within 30 Days]
NY ->  At2.job -> C:\Windows\tasks\At2.job
NY ->  At1.job -> C:\Windows\tasks\At1.job
[Files - No Company Name]
NY ->  At2.job -> C:\Windows\tasks\At2.job
[Custom Items]
:Files
C:\Windows\tasks\At*.job
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 02, 2011, 06:59:03 PM
Thanks for joining us essexboy.
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 07:19:37 PM
Thanks for joining, essexboy, appreciate it.
Here's the log.. Hope I'm clean. From your investigations, how or what did I do to get this?
I thought I was quite vigilant, with all my downloads/programs scanned first etc.
I don't visit spurious websites, never use Facebook, cautious on what I download.
I have Avast constantly running & updated.
Same goes for MWBytes.
I use PeerBlock and HostsMan programs.
Use CCleaner every day. ATF Cleaner & Old Timer's TFC.
How on earth did it get through?
Any help to lead me to preventing Cr%P like this from happening again would be useful.
Cheers guys
Thanks to essexboy & Dave :)

Ps: Dave, ISPrime means nothing to me..

Why is there no hostname?
http://network-tools.com/default.asp?prog=express&host=64.111.211.158
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: essexboy on July 02, 2011, 08:56:28 PM
These were the main bad boys

C:\Windows\tasks\At2.job
C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll


Variants of a trojan downloader - they were helped by a proxy within  IE

HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\: "ProxyServer" -> http=127.0.0.1:49939

The server was probably taken down, but no doubt it will reappear in another guise

Could you now run a Malwarebytes quick scan and post the log please as sometimes when I remove something other files are revealed... Also how is your computer behaving now ?
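As an added illustration (not essexboy's, OTS's or Avast's own code), the Python script below turns the indicators singled out in the fix list and in this post into detection rules and runs them over constructed OTS-style lines: the IE "ProxyServer" pointing at 127.0.0.1, the rundll32 autorun loading a DLL from AppData\Local, the %TEMP% Run entries and the At*.job tasks. The sample lines, rule names and regexes are my assumptions based only on the lines quoted in this thread, with one benign "Adobe ARM" entry added as a control.

```python
import re

# Constructed sample lines in the OTS fix-list format quoted in this thread;
# the SID and paths are taken from the thread, the "Adobe ARM" entry is a benign control.
SAMPLE_OTS = r"""
YN -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\: "ProxyServer" -> http=127.0.0.1:49939
YY -> "SystemAuthenticationCtrl" -> C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll [rundll32.exe "C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll",userPadTray BthMainvga]
YN -> "java checksys" -> [%TEMP%\rtpmp.exe]
YN -> "Adobe ARM" -> [C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe]
NY ->  At2.job -> C:\Windows\tasks\At2.job
"""

# Detection rules (assumed, derived from the thread's fix list): (reason, pattern).
# Ordered so the first matching rule wins for a given line.
RULES = [
    ("IE proxy pointing at localhost",
     re.compile(r'"ProxyServer"\s*->\s*(?:http=)?127\.0\.0\.1:\d+', re.I)),
    ("rundll32 loading a DLL from the user profile",
     re.compile(r'rundll32\.exe\s+"?[A-Z]:\\Users\\[^"\]]*\\AppData\\', re.I)),
    ("autorun launched from %TEMP%",
     re.compile(r'->\s*\[%TEMP%\\', re.I)),
    ("legacy at.exe scheduled job (At*.job)",
     re.compile(r'\\Windows\\tasks\\At\d+\.job', re.I)),
]


def flag_ots_lines(text):
    """Return (reason, line) for every non-empty OTS line that matches a rule."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for reason, pattern in RULES:
            if pattern.search(line):
                hits.append((reason, line))
                break  # one reason per line is enough for triage
    return hits


if __name__ == "__main__":
    for reason, line in flag_ots_lines(SAMPLE_OTS):
        print(f"[{reason}] {line[:90]}")
```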
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 02, 2011, 10:35:10 PM
Thanks essexboy
Even stranger, I don't even use IE unless a program sometimes automatically opens it.
Strictly a Firefox fan.
Thanks for all your help.
Am I clean then?
Am I good to go?
Cheers
acuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: essexboy on July 02, 2011, 11:05:15 PM
Let it run for a day or so - then when you are happy let me know and I will remove my tools and tidy you up
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 04, 2011, 05:37:26 PM
Been quiet over the weekend, no alerts etc.
Think I'm OK now..
essexboy, do you want to run your cleanup tools?

Cheers
Thanks everyone
acuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: essexboy on July 04, 2011, 06:51:43 PM
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so.. The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Quote
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

SPRING CLEAN

To manually create a new Restore Point

Now we can purge the infected ones

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: Freespirit on July 05, 2011, 01:01:31 PM
I have the same problem, have posted already, but just found this post here. I am trying to remove this beast as it keeps redirecting whichever browser I use and the URL block pops up 64.111.211.158

I have the OTL.exe, so where do I go from here?

Many thanks in advance

Charlie
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: DavidR on July 05, 2011, 02:57:22 PM
The tool suggested is the latest one, OTS not OTL. However, ideally you should create your own 'New Topic' to avoid confusion/hijacking this one or the other topic you also posted in.

Please don't post in multiple topics on the same problem, it only duplicates the effort of those trying to help and hijacks those topics.

So stick with the one you created and post the full information on the detection in that, http://forum.avast.com/index.php?topic=81078.0.

Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 05, 2011, 03:01:35 PM
Essexboy, thanks for all your help mate.
Everything now completed.
In regards to FileHippo's Update Checker:
I'm running http://secunia.com/vulnerability_scanning/personal/
I would appreciate it if you check this program out and inform me which one is best.
Secunia has been doing a fine job for me up to press, but I will swap on your suggestion if you think FileHippo's one is better.
The other security measures you mentioned I'm already on top of.

Cheers
Thanks Again
aCuk
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: essexboy on July 05, 2011, 08:47:00 PM
In a way that is six of one and half a dozen of the other: Secunia concentrates on security holes whereas FileHippo just looks for the latest version of the software - either way the choice is yours ;D
Title: Re: Malicious URL Blocked.. Annoying problem wont go away.
Post by: acuk on July 06, 2011, 02:04:44 AM
Thanks Essexboy,
Think I'll use both then.
Thanks go to everyone who helped me with my problem.
Seems a few other people are now having the same issues as me, hope this thread gives them some insight.
As I said before, I'm very security conscious when I'm on the internet, and it got me quite annoyed that this got through; just goes to show you need to keep one step ahead of them.

With that in mind, and reading a few more posts etc.,
I have added a few more security tools to my arsenal and recommend the following to other like-minded people.

http://www.opendns.com/home (Can't believe this is free, I would have paid for it. It was simple to set up as well, protects your home network)
http://www.threatfire.com/ (Again free)
http://www.qfxsoftware.com/ (A key scrambler well worth the money)

Hope this is useful to someone.
Many thanks
aCuK