Avast WEBforum
Other => General Topics => Topic started by: JimBodkins on July 22, 2011, 03:07:44 AM
-
Hi, Avast continually blocks attempts to open 64.111.211.172 - scans do nothing apparently.
What is causing this? Why is that IP considered a mal.url? Why does Avast block the attempt and seemingly do nothing about whatever is attempting to connect?
Just thought I would ask before trying a different solution.
Thanks
Jim
-
This is ISPrime, so if you do a forum search for it you will see the sort of thing that has to be done to resolve this. You shouldn't undertake any of this without guidance.
You didn't give the full information of the detection as it also gives the Process responsible for the connection attempt. Commonly there is a hidden element using a system file to try and connect to a malicious site.
Start the ball rolling by running this tool and posting the results.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (1.8MB) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
The calling DLLs are either
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll
or
rundll32.dll
This is the saved log.
aswMBR version 0.9.8.945 Copyright(c) 2011 AVAST Software
Run date: 2011-07-21 18:49:07
-----------------------------
18:49:07.734 OS Version: Windows 5.1.2600 Service Pack 3
18:49:07.734 Number of processors: 2 586 0xF0D
18:49:07.734 ComputerName: HOME-PC UserName: bodkins
18:49:11.109 Initialize success
18:49:12.093 AVAST engine defs: 11072101
18:49:28.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
18:49:28.546 Disk 0 Vendor: WDC_WD10EACS-00D6B1 01.01A01 Size: 953869MB BusType: 3
18:49:28.578 Disk 0 MBR read successfully
18:49:28.578 Disk 0 MBR scan
18:49:28.640 Disk 0 unknown MBR code
18:49:28.640 Disk 0 scanning sectors +1953520065
18:49:28.734 Disk 0 scanning C:\WINDOWS\system32\drivers
18:49:45.218 Service scanning
18:49:47.125 Modules scanning
18:49:51.359 Disk 0 trace - called modules:
18:49:51.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys PCIIDEX.SYS
18:49:51.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b1b0ab8]
18:49:51.375 3 CLASSPNP.SYS[f7667fd7] -> nt!IofCallDriver -> \Device\0000009b[0x8b216d38]
18:49:51.375 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x8b1b2d98]
18:49:51.375 \Driver\atapi[0x8b21ac00] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xf76388b4]
18:49:52.453 AVAST engine scan C:\WINDOWS
18:50:24.609 AVAST engine scan C:\WINDOWS\system32
18:53:05.187 AVAST engine scan C:\WINDOWS\system32\drivers
18:53:38.750 AVAST engine scan C:\Documents and Settings\HP_Owner
20:39:31.156 AVAST engine scan C:\Documents and Settings\All Users
20:55:50.406 Scan finished successfully
20:56:21.546 Disk 0 MBR has been saved successfully to "G:\MBR.dat"
20:56:21.546 The log file has been saved successfully to "G:\aswMBR.txt"
Thanks
Jim
-
The rundll32.dll is one that is commonly used in these attempts to connect to malicious URLs.
Whilst there isn't a 100% detection of an MBR rootkit, there is evidence that the MBR code has been modified (why and by what is the question), in the "18:49:28.640 Disk 0 unknown MBR code" line, so this will require further investigation/action.
This line, could account for the unknown MBR code: "AVAST engine scan C:\Documents and Settings\HP_Owner"
This essentially says that you have an HP system (is this correct?) and if so it may have unique MBR code to be able to access its recovery console and recovery partition in the event of a problem. So care has to be taken in any advice given or action taken, as that could replace the unique code with a default MBR; this would mean losing access to the HP recovery console/partition to restore to factory settings.
Were there any lines in Red (or other coloured lines) in the log displayed on the screen?
####
Another analysis tool to run and gather information for a malware removal specialist (when they can take a look at this) to analyse and suggest a fix.
Unfortunately no two attacks are the same so first I will need to see what you have.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).
-
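The "unknown MBR code" line discussed above refers only to the executable boot code in the first 440 bytes of sector 0; the partition table and the 0x55AA signature that follow it are separate fields, and an OEM such as HP can legitimately ship boot code that no generic allowlist knows. The Python below is an added example for this thread, not part of aswMBR or Avast: it separates those fields, hashes the boot code and compares the hash against an allowlist that is deliberately left empty. The 512-byte sector it analyses is constructed in the file rather than read from the poster's disk, and the allowlist is an assumption that a real run would fill from a clean machine of the same model.

```python
"""Separate the boot code of an MBR sector from its partition table.

Added example for this thread; not aswMBR or Avast code.  The sector is
constructed below (it is not the poster's disk) and KNOWN_GOOD_BOOT_CODE is a
placeholder allowlist to be filled from a clean disk of the same model.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440             # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Placeholder (assumption): sha256 of the 440 boot-code bytes from a clean
# disk.  Empty here, so the sample below reports "unknown".  An OEM MBR such
# as HP's recovery-aware one would be added here; "unknown" is not "rootkit".
KNOWN_GOOD_BOOT_CODE: set = set()


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def analyse_mbr(sector: bytes, known_good=KNOWN_GOOD_BOOT_CODE) -> dict:
    """Hash the boot code, decode the partition table, and list anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    digest = hashlib.sha256(boot_code).hexdigest()
    disk_sig = struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0]
    entries = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:
                                            PART_TABLE_OFF + 16 * (i + 1)])
               for i in range(4)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if digest not in known_good:
        findings.append("boot code not in allowlist (unknown MBR code)")
    if sum(1 for e in entries if e["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    used = sorted((e for e in entries if e["sectors"]), key=lambda e: e["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("overlapping partitions")
            break
    return {"boot_code_sha256": digest, "disk_signature": disk_sig,
            "partitions": entries, "findings": findings}


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Construct a test sector: boot code, zero disk signature, up to four
    (bootable, type, lba_start, sectors) entries, then 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if bootable else 0,
                                           b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample: a few opcode bytes standing in for boot code, an NTFS
# system partition and a second partition standing in for a recovery area.
SAMPLE_MBR = build_sample_mbr(
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c",
    [(True, 0x07, 2048, 1_000_000), (False, 0x0C, 1_002_048, 20_000)])


if __name__ == "__main__":
    report = analyse_mbr(SAMPLE_MBR)
    print("boot code sha256:", report["boot_code_sha256"])
    for i, p in enumerate(report["partitions"]):
        if p["sectors"]:
            print(f"partition {i}: type 0x{p['type']:02X} start {p['lba_start']} "
                  f"sectors {p['sectors']} bootable={p['bootable']}")
    for f in report["findings"]:
        print("finding:", f)
```

An "unknown" result means only "not in my allowlist". On a real disk the sensible sequence is the one the thread follows: save the sector (aswMBR's MBR.dat does this), compare it against the same vendor's image, and only then consider writing a generic MBR, which on an OEM machine can cost the recovery path described above.
-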
18:49:51.375 \Driver\atapi[0x8b21ac00] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xf76388b4]
Was in Yellow.
Preparing to run OTS.
Thanks
-
Yes that is a suspicion and something to be looked at further.
Probably not good that you have it in Yellow in the post as it is almost invisible against the light forum background.
18:49:51.375 \Driver\atapi[0x8b21ac00] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xf76388b4]
If you can proceed with running OTS and posting the log we can try to get someone to look at it, but you have to hurry as essexboy who generally looks at these has limited time on the forums; normally around 7pm - 11pm UK time, now 7:45pm in the UK.
-
That is part of Starforce protection and will always give a suspicious result
-
Thanks essexboy, for the info and joining the topic.
-
The file OTS.txt is over 192k and won't attach.
Jim
-
upload to Mediafire (http://www.mediafire.com/) and post the sharing link please.
-
http://www.mediafire.com/?uxku761ozpouljv
ignore attachment. (the post attachment - which I removed)
Thanks
-
On completion of this could you let me know if you still get the alerts
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\] > ->
YN -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\: "ProxyServer" -> http=127.0.0.1:53111
< HOSTS File > ([2011/05/04 12:25:12 | 000,001,161 | R--- | M] - 32 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\] > -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "net64" -> [C:\WINDOWS\svhoster.exe]
YN -> "netzip" -> [C:\WINDOWS\svzip.exe]
[Files - No Company Name]
NY -> 1488860941.dat -> C:\WINDOWS\System32\1488860941.dat
[Custom Items]
:Files
C:\WINDOWS\tasks\At*.job
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
-
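The fix above removes four kinds of artefact: a ProxyServer value pointed at loopback (so a local component sees every browser's requests), a modified hosts file, two Run values for executables dropped directly into C:\WINDOWS, and a numbered series of At*.job scheduled tasks. The Python below is an added example, not OTS or Avast code, that applies checks for those four artefact classes to constructed inputs copied from the fix script. The hosts-file lines are invented, since the thread does not show the file's contents, and the lists of user-writable path fragments, Windows-root executables and system-process lookalike names are assumptions; on a real machine the inputs would come from the live registry, the hosts file and the Tasks folder.

```python
"""Checks for the artefact classes the OTS fix above removed.

Added example, not OTS or Avast code.  Inputs are constructed from the fix
script in the thread; HOSTS_TEXT is invented (the thread does not show the
file) and a real run would read the live registry, hosts file and Tasks folder.
"""
import ntpath
import re

# Constructed inputs mirroring the fix script (one benign Run value added).
RUN_ENTRIES = {
    "net64": r"C:\WINDOWS\svhoster.exe",
    "netzip": r"C:\WINDOWS\svzip.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
PROXY_SERVER = "http=127.0.0.1:53111"
AT_JOBS = [f"At{i}.job" for i in range(1, 25)]
HOSTS_TEXT = """\
# constructed sample, not the poster's hosts file
127.0.0.1       localhost
127.0.0.1       www.avast.com
127.0.0.1       www.malwarebytes.org
"""

# Assumptions: path fragments that mark user-writable locations, Windows-root
# executables that are legitimately there on XP, and names malware imitates.
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\", "\\users\\")
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
SYSTEM_LOOKALIKES = ("svchost", "svhost", "csrss", "lsass", "winlogon")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def check_proxy(value: str) -> list:
    """ProxyServer of the form [scheme=]host:port[;...].  A proxy on loopback
    that the user did not configure routes every browser through a local
    component; legitimate local proxies exist, so treat it as a lead."""
    findings = []
    for part in value.split(";"):
        addr = part.split("=", 1)[1] if "=" in part else part
        host = addr.rsplit(":", 1)[0].strip()
        if host in ("127.0.0.1", "localhost"):
            findings.append(f"proxy points at loopback: {addr.strip()}")
    return findings


def check_hosts(text: str) -> list:
    """Flag hosts lines that pin anything other than localhost names; malware
    uses this to sinkhole security vendors' update and download sites."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append(f"hosts pins {name} -> {addr}")
    return findings


def check_run_entries(entries: dict) -> list:
    """Run values: executables dropped in the Windows root, in user-writable
    profile paths, or carrying system-process lookalike names."""
    findings = []
    for name, command in entries.items():
        exe = command.strip().strip('"').lower()
        folder, base = ntpath.split(exe)
        stem = ntpath.splitext(base)[0]
        if folder in ("c:\\windows", "c:\\winnt") and base not in WINDOWS_ROOT_ALLOW:
            findings.append(f"Run '{name}': executable directly in the Windows root: {command}")
        if any(marker in exe for marker in USER_WRITABLE):
            findings.append(f"Run '{name}': executable in a user-writable location: {command}")
        if stem.startswith(SYSTEM_LOOKALIKES) and folder != "c:\\windows\\system32":
            findings.append(f"Run '{name}': system-process lookalike outside system32: {command}")
    return findings


def check_at_jobs(task_files: list, threshold: int = 4) -> list:
    """At<N>.job files are created by at.exe.  A numbered run of them, like
    the 24 removed above, is not something a user makes by hand."""
    at_jobs = [t for t in task_files if re.fullmatch(r"at\d+\.job", t, re.IGNORECASE)]
    if len(at_jobs) >= threshold:
        return [f"{len(at_jobs)} At*.job scheduled tasks present"]
    return []


def triage(run_entries=RUN_ENTRIES, proxy=PROXY_SERVER,
           hosts=HOSTS_TEXT, task_files=AT_JOBS) -> list:
    """Run every check and return the combined findings."""
    return (check_proxy(proxy) + check_hosts(hosts)
            + check_run_entries(run_entries) + check_at_jobs(task_files))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Each check is a lead rather than a verdict: a corporate machine may legitimately run a local filtering proxy, and explorer.exe does live in the Windows root, which is why the allowlist exists. The value of running them together is that the four artefacts in this fix belong to one infection, and seeing all four at once is much harder to explain away than any one of them.
-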
OTS finished its work, rebooted ... and I got an alert. :(
This is the log (with the moved temp filenames removed)
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\\ProxyServer deleted successfully.
HOSTS file reset successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet
Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet
Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\net64 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\netzip deleted successfully.
[Files - No Company Name]
C:\WINDOWS\System32\1488860941.dat moved successfully.
[Custom Items]
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
[Empty Temp Folders]
User: Administrator
->Temp folder emptied: 125787 bytes
->Temporary Internet Files folder emptied: 183161 bytes
User: All Users
User: Default User
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes
User: HP_Owner
->Temp folder emptied: 5480455087 bytes
->Temporary Internet Files folder emptied: 169198426 bytes
->Java cache emptied: 134150925 bytes
->FireFox cache emptied: 2631041501 bytes
->Google Chrome cache emptied: 63784580 bytes
->Apple Safari cache emptied: 36241408 bytes
->Flash cache emptied: 2516168 bytes
User: jim
->Temp folder emptied: 294313 bytes
->Temporary Internet Files folder emptied: 896712 bytes
->FireFox cache emptied: 8076356 bytes
->Flash cache emptied: 405 bytes
User: LocalService
->Temp folder emptied: 568350 bytes
->Temporary Internet Files folder emptied: 224605 bytes
User: NetworkService
->Temp folder emptied: 147456 bytes
->Temporary Internet Files folder emptied: 277814 bytes
User: postgres
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2318655 bytes
%systemroot%\System32 .tmp files removed: 1599537 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10873887 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15750242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 8,162.00 mb
[EMPTYFLASH]
User: Administrator
User: All Users
User: Default User
->Flash cache emptied: 0 bytes
User: HP_Owner
->Flash cache emptied: 0 bytes
User: jim
->Flash cache emptied: 0 bytes
User: LocalService
User: NetworkService
User: postgres
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07222011_145315
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-8592.log moved successfully.
Registry entries deleted on Reboot...
-
Ok, now I'm puzzled.
I ran the OTS fix, rebooted, it finished its work, I got a desktop and a mal.url alert.
I put this weasel in hibernation, go to the hardware store, come back, restart and no alerts in over 30 minutes. Which included the use of IE, Opera and Firefox.
As a note - I believe this all started when I foolishly decided to try Ad-Aware. During that period I was visited three times by a Windows Security Center virus/trojan. Ad-Aware was oblivious to it. (At one point I used Pidgin for all my chat needs and am convinced that Pidgin is Typhoid Mary. I have since stopped using it.)
-
Ok. Took a break. Came back and was cruising news sites and got a mal.url alert while visiting Huffington Post using IE 7. Huffington Post is a very active site - ads, scripts etc.
I'm tempted to say that this is occurring with less frequency, but I'm just as likely to be proven wrong so I won't. :)
-
The main malware was the Vundo jobs - now history. You may have got the Avast alert as OTS was doing the last part of the temp file removal. Are the alerts as frequent, or just on high intensity ad sites?
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
downloading mbam now.
the mal.url isn't infrequent. I didn't keep records and the timing is subjective. :(
will report later.
thanks
Jim
Edit:
During install:
I'm getting vbaccelerator errors on a SGrid II control. Run-time error '0'
I may not have something involving visual basic installed.
and a runtime error '440' automation error.
During execution:
Run-time error '372'
Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.
Run-time error '0'
It didn't run.
I'll try to find those errors.
Edit 2:
It appears I am missing regsvr32.exe
Edit 3:
I got regsvr32.exe here http://support.microsoft.com/kb/267279
-
log of mbam run
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7253
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
7/23/2011 12:17:57 PM
mbam-log-2011-07-23 (12-17-57).txt
Scan type: Quick scan
Objects scanned: 237610
Time elapsed: 16 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{16406580-14ce-4441-b904-ad56cc8064ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa\UpdateWin (Backdoor.Sdbot) -> Value: UpdateWin -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\HP_Owner\application data\86855640 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
c:\icinst.exe (Adware.EShoper) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\Desktop\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\Bots.zip (Trojan.Agent) -> Quarantined and deleted successfully.
c:\calculator.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\start menu\xp police antivirus.lnk (Rogue.XPPolice) -> Quarantined and deleted successfully.
Notes.
Upon reboot I received a mal.url alert.
I was warned that I had no firewall - even though Comodo was running. The Comodo tray icon indicated it was disabled - the Defense+ setting was disabled. It is now in training mode.
I haven't received another mal.url alert in 15 minutes of surfing using three different browsers.
I'll update this post later.
Update 1:
as of this edit, no new mal.urls
Update 2:
there is a curse. I had no sooner saved that edit than I got a mal.url. :(
-
Yep, I will put this on hold until you are happy
-
Lower frequency perhaps, but still generating mal.urls
-
Lower frequency perhaps, but still generating mal.urls
How about some screenshots?
-
It's a red popup on the lower right that says it just blocked a malicious URL, and it gives the calling DLL and the IP.
I tried using MWSnap but your popup vanished while MWSnap was active, only to return when MWSnap completed.
... sorry, it said URL.mal not mal.url
-
It's a red popup on the lower right that says it just blocked a malicious URL, and it gives the calling DLL and the IP.
I tried using MWSnap but your popup vanished while MWSnap was active, only to return when MWSnap completed.
Is the popup happening while you're browsing the web?
-
OK this would suggest that there is some residue I am missing
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(http://img.photobucket.com/albums/v706/ried7/RC1.png)
- Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)
- Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Let me ask a question first.
I was just nosing around with WhatsRunning.exe and noticed that DevCommondlg was started at startup using rundll32. It resides in oleobjnetm (see an early post for exact names/paths). rundll32 was running.
Here is the curious thing. Startpage can only find references to DevCommondlg and oleobjnetm in this thread - it apparently doesn't appear anywhere else on the internet. Do you find that interesting? I do. I reconfigured to not run DevCommondlg at startup and stopped the associated rundll32. I'm curious if this stops the URL.mal.
What do you know about DevCommondlg and/or oleobjnetm (that is a folder name in the path that contains DevCommondlg)?
I would like to quickly discuss this before doing the next test/fix.
Thanks
-
I think this is related. Not absolutely certain.
At a point - DevCommondlg relaunched rundll32 and URL.mal reoccurred. I repeated this sequence several times. Then I moved DevCommondlg to a hold folder elsewhere, killed rundll32 again and so far URL.mal hasn't reoccurred (in terms of restarting that rundll32 process). This file that is unknown may be a trojan (DevCommondlg). Not entirely sure as yet though. But it did URL.mal when DevCommondlg restarted (rundll32) but hasn't since I moved it.
-
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll
OK a new one to add to the long list of malware
Rather than running combofix could you run a fresh OTS log and I will take it out that way (along with the folder ) I will also zip it as I would like a copy
-
As I mentioned, I moved it to a hold folder. I also marked that process not to start using whatsrunn.exe . Something just tried to run it. I received a dialog box indicating that something tried to run it but failed.
I have a habit of using hibernate - so something may still be scheduled. Give me a while to run a couple of tests to narrow that down. In the meantime I can send you the file as it is in a hold folder. Where should I send it? (I would rather not attach it publicly)
-
No it still has a run key associated with it - which will need removal
Could you upload the offending file to Avast as potential malware please
With the OTS I can safely delete the run key
-
Two things. I renamed it *.lld to help defeat its identification. It is in a zip that I will send, with the modified name. It is no longer in its original folder.
-
OK thanks - do you want the run key removed ?
-
Sure, that would help. I uploaded the file as a support ticket. (Zip file which contains a txt explanation file)
-
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\] > -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "DevCommondlg" -> C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll [rundll32.exe "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll",CvtMapCtrl appobjServ]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
-
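The Run value in the fix above launches the DLL through rundll32.exe, which is why the process Avast named in the alert was rundll32: the module doing the work is whatever follows it on the command line, here DevCommondlg.dll with entry point CvtMapCtrl and the argument appobjServ. The Python below, added as an example and not part of OTS or Avast, splits a rundll32 command line into DLL path, entry point and arguments (handling the quoted-path form used here) and flags a DLL that lives under a user profile rather than under the Windows directory. The suspect command line is the one from the fix above, the benign comparison line is constructed, and the list of expected DLL roots and user-writable path fragments is an assumption.

```python
"""Split a rundll32 command line and judge the DLL it loads.

Added example, not OTS or Avast code.  The first command line below is the
Run value from the fix above; the second is a constructed benign one, and
EXPECTED_ROOTS / USER_WRITABLE are assumptions about where trusted DLLs live.
"""
import ntpath
import re

EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\", "\\users\\")

_RUNDLL32 = re.compile(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def parse_rundll32(command: str):
    """Return {'dll', 'entry', 'args'} for `rundll32 <dll>,<entry> [args]`,
    accepting a quoted DLL path, or None if the command is not rundll32."""
    m = _RUNDLL32.match(command)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):                 # quoted path may contain spaces
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:                                    # unquoted: ends at comma or space
        m2 = re.match(r"([^,\s]+)(.*)$", rest)
        if not m2:
            return None
        dll, rest = m2.group(1), m2.group(2)
    rest = rest.lstrip()
    entry, args = "", rest
    if rest.startswith(","):
        parts = rest[1:].lstrip().split(None, 1)
        entry = parts[0] if parts else ""
        args = parts[1] if len(parts) > 1 else ""
    return {"dll": dll, "entry": entry, "args": args}


def assess_rundll32_entry(command: str) -> dict:
    """Flag the DLL behind a rundll32 autostart: relative paths (resolved by
    the loader's search order), paths outside EXPECTED_ROOTS, user-writable
    profile directories, and targets that are not .dll/.cpl files."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return {"rundll32": False, "findings": []}
    low = parsed["dll"].lower()
    findings = []
    if not ntpath.isabs(low):
        findings.append("DLL given without an absolute path")
    elif not low.startswith(EXPECTED_ROOTS):
        findings.append(f"DLL outside expected roots: {parsed['dll']}")
    if any(marker in low for marker in USER_WRITABLE):
        findings.append("DLL lives in a user-writable profile directory")
    if ntpath.splitext(low)[1] not in (".dll", ".cpl"):
        findings.append("rundll32 target is not a .dll/.cpl file")
    return {"rundll32": True, **parsed, "findings": findings}


# The Run value from the fix above, and a constructed benign line for contrast.
SUSPECT = (r'rundll32.exe "C:\Documents and Settings\HP_Owner\Local Settings'
           r'\Application Data\oleobjNetM\DevCommondlg.dll",CvtMapCtrl appobjServ')
BENIGN = r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL desk.cpl"

if __name__ == "__main__":
    for cmd in (SUSPECT, BENIGN):
        r = assess_rundll32_entry(cmd)
        print(r.get("dll"), r.get("entry"), r.get("args"), r["findings"])
```

The practical point is the one the thread arrived at by hand: an alert that names rundll32 (or svchost, or explorer) as the process says nothing about which code made the connection, so the next step is always to pull the full command line, or the Run value that produced it, and look at the module it hands over.
-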
I hope this is the correct file ...
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.
HOSTS file reset successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\net64 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\netzip deleted successfully.
[Files - No Company Name]
C:\WINDOWS\System32\1488860941.dat moved successfully.
[Custom Items]
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
[Empty Temp Folders]
User: Administrator
->Temp folder emptied: 125787 bytes
->Temporary Internet Files folder emptied: 183161 bytes
User: All Users
User: Default User
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes
User: HP_Owner
->Temp folder emptied: 5480455087 bytes
->Temporary Internet Files folder emptied: 169198426 bytes
->Java cache emptied: 134150925 bytes
->FireFox cache emptied: 2631041501 bytes
->Google Chrome cache emptied: 63784580 bytes
->Apple Safari cache emptied: 36241408 bytes
->Flash cache emptied: 2516168 bytes
User: jim
->Temp folder emptied: 294313 bytes
->Temporary Internet Files folder emptied: 896712 bytes
->FireFox cache emptied: 8076356 bytes
->Flash cache emptied: 405 bytes
User: LocalService
->Temp folder emptied: 568350 bytes
->Temporary Internet Files folder emptied: 224605 bytes
User: NetworkService
->Temp folder emptied: 147456 bytes
->Temporary Internet Files folder emptied: 277814 bytes
User: postgres
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2318655 bytes
%systemroot%\System32 .tmp files removed: 1599537 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10873887 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15750242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 8,162.00 mb
[EMPTYFLASH]
User: Administrator
User: All Users
User: Default User
->Flash cache emptied: 0 bytes
User: HP_Owner
->Flash cache emptied: 0 bytes
User: jim
->Flash cache emptied: 0 bytes
User: LocalService
User: NetworkService
User: postgres
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07222011_145315
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-8592.log moved successfully.
Registry entries deleted on Reboot...
If you have a need for me to do anything let me know.
Thanks for the help.
Jim
-
No that was the initial run, but the main thing is did the run key remove cleanly, i.e. no more dll loading errors
-
I haven't seen any.
-
If you are happy tomorrow I will remove my tools ;D
-
I haven't had a problem. This may be a good thing. :)
Thanks for the help, I will let you know if this reappears. I have no idea where this came from, but I suggest avast examine this.
Thanks again
Jim
-
If you uploaded the file they will carry out an analysis of it to see how it ticks and then add the relevant data