Avast WEBforum

Other => Viruses and worms => Topic started by: mb7317 on August 20, 2011, 06:23:47 PM

Title: NVSVCPMMWindowClass problem
Post by: mb7317 on August 20, 2011, 06:23:47 PM
Hi.  I'm not sure if this is the place to post this, but if it isn't I would appreciate information about where to go.

I have an HP computer with XP Media Center, and I'm running Avast free and Malwarebytes Pro.

During the last week, Avast has been blocking a lot of Malicious URLs with IPs from ISprime, and Malwarebytes has been blocking Trojans, many from System32\authz32.dll

Yesterday, the ISprime problems stopped, and I thought things were back to normal.

However, when I booted up this morning, the bottom third of the screen looked like a spreadsheet: 10 rows and 10 columns, each with NVSVCPMMWindowClass written in it.

CPU usage was 100%, but I managed to close the NVSVCPMMWindowClass, which were listed in the Applications window of Task Manager.

When Firefox finally opened, none of the opened tabs was listed in the task bar, and when I hovered over the task bar, the arrow became an hourglass, and I was unable to click on any of the icons in my quick-launch toolbar, the system tray, or on the start button.

Rebooting brought up the same situation.

I tried to restore the system to several past points, but all were unsuccessful.

I've Googled but can't find anything that comes close to this problem.

Over the past week, I've done repeated scans with Avast and Malwarebytes, but they only find cookies.

As I said, I will be grateful for any help you can offer, or if you can steer me to the proper forum or help site.

Thanks!

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: Pondus on August 20, 2011, 09:15:52 PM
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )


To avoid multiple posts with copy and paste, you have to attach the logs
Lower left corner: Additional Options > Attach (Malwarebytes log / OTL log); save the OTL log as ANSI

Essexboy will look at the logs when posted...
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 21, 2011, 10:48:31 PM
Help!

I ran the Malwarebytes scan, but when I try to download the OTC file, Avast blocks it with this message:

Infection Details

URL:   http://oldtimer.geekstogo.com/OTL.exe
Process:   file://C:\Program Files (x86)\Mozilla Fi...
Infection:   win32:Rootkit-gen [Rtk]
Warn your friends to avoid this website


What do I do?

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: Pondus on August 21, 2011, 10:58:47 PM
ignore, it is a false positive detection from avast...
OTL is an analysis tool....
Title: Re: NVSVCPMMWindowClass problem
Post by: polonus on August 21, 2011, 11:12:36 PM
Well funny Pondus, because the FP is also found by DrWeb's:
Checking: -http://oldtimer.geekstogo.com/OTL.exe
Engine version: 5.0.2.3300
File size: 566.50 KB
File MD5: 6e33d273cb098f6bfe9ab5c57292e57e

-http://oldtimer.geekstogo.com/OTL.exe infected with Trojan.Siggen3.1755
and more detect the packer....and SavedLegacySettings 0x3c00etc.
A whole series of av solutions flag it: http://www.virustotal.com/file-scan/report.html?id=deed2ed5f51ec938dfee9f58300e490cc08a03bf0ae5f90e95fa38277c172c74-1313956813
15 /43 (34.9%) See: http://anubis.iseclab.org/?action=result&task_id=1a2445238971c52c491a2a27eed175e06
See: http://www.threatexpert.com/report.aspx?md5=6e33d273cb098f6bfe9ab5c57292e57e

But as far as I can establish it is the packer, PE_Patch.PECompactm, flagged as a trojan, but actually it is goodware.

polonus
Title: Re: NVSVCPMMWindowClass problem
Post by: Pondus on August 21, 2011, 11:15:26 PM
yep we have seen this before.....

i will upload an FP case to Avira... to see what they say   ;)
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 21, 2011, 11:15:55 PM
I have uploaded it again as a FP
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 01:39:04 AM
I have run Malwarebytes and OTL, but I cannot open Malwarebytes to get to the log.  Is it ok to run both programs in Safemode tomorrow and post them then?  Also, OTL generated only OTL.txt but no Extras.Txt
Title: Re: NVSVCPMMWindowClass problem
Post by: DavidR on August 22, 2011, 02:08:05 AM
I have uploaded it again as a FP

I have just downloaded it and no alert by the web shield or file system shield or right click scan. So looks like it may have been resolved.
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 22, 2011, 02:58:48 PM
A safe mode run will be OK - The extras is only generated on the first run
Title: Re: NVSVCPMMWindowClass problem
Post by: Pondus on August 22, 2011, 03:12:17 PM
yep we have seen this before.....

i will upload an FP case to Avira... to see what they say   ;)

The file 'OTL.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Our analysts named the threat TR/Swisyn.bsgf.1. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.13.154. Detection will be removed from our virus definition file (VDF) with the next updates.
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 05:42:47 PM
Here are the Malwarebytes and OTL logs.  The aswMBR scan seemed to stall after 1 hour and 40 minutes.  I'm rerunning it and will post the log when it finishes.

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 05:44:45 PM
Only one file got attached.  Trying again.
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 22, 2011, 06:21:25 PM
People can fly - must be the new malware company  ;D

Run OTL
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 10:02:55 PM
The aswMBR scan was successful.  Attached in the log.
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 22, 2011, 10:27:14 PM
OK a couple of files there to kill, OTL was not quite strong enough to get them

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 10:43:46 PM
Here's the OTL quick scan.
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 22, 2011, 11:09:17 PM
After closing down AVAST and MALWAREBYES, ComboFix "Warning" stated Adaware and Norton Internet Security 2006 were still active.  I closed Adaware, but I have no knowledge of Norton running.  It isn't listed in Control Panel Add or Remove programs, and in Program Files, likewise, no Norton folder.  There was a Symantec folder with Web Controls, which I uninstalled.

What do I do now?

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 22, 2011, 11:11:45 PM
Run Combofix - we will remove the remnants later
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 12:12:45 AM
After ComboFix rebooted the computer, the msg: "Preparing Log Report.  Do not run any programs until ComboFix has finished." has remained on the monitor for about 30 minutes.

(the Start Up Menu starts Firefox, and after it started, I closed it.)

And now a "Windows - No Disk" message has popped-up:

         "Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

          Cancel     Try Again   Continue  "

What do I do?

(sent from another computer)
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 23, 2011, 12:14:58 AM
Reboot the computer please
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 12:24:10 AM
OK  System rebooted
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 01:34:28 AM
Rebooted a second time, and this time Malwarebytes warning:  Authz32.dll

Quarantined and then removed it.

What now?

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 23, 2011, 10:27:58 AM
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

First we will run a virus scan

Click the cog in the upper right

Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post

Now the Analysis

Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information

On completion click the link to locate the zip file to upload and attach to your next post
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 03:03:37 PM
This morning, the computer booted up without the serious NVSVCPMMWindowClass problems, and the cursor works normally on the Taskbar.

But Malwarebytes now blocks System32\Shell32.exe. I clicked on Quarantine, but when I checked the Quarantine area, nothing was there.

I downloaded the Kaspersky, but when I ran it, the computer shut down and displayed this message:

A problem has been detected and windows has been shut down to prevent damage to your computer.  The problem seems to be caused by the following file: 9213716drv.sys  The driver unloaded without cancelling pending operation.

What should I do?

Rob
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 23, 2011, 03:09:46 PM
Shell32 is a legitimate file in the right location, the driver referenced is the Kaspersky one, but I really want the analysis log so if you want jump straight to that portion.

Also could you upload the zip file to Megaupload  (http://www.megaupload.com/) now as I am having problems with mediafire
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 03:12:19 PM
But I can't get Kaspersky to open.  The computer always shuts down before it loads the program.
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 23, 2011, 03:22:58 PM
OK something is blocking it so - I will need to approach this differently

Can you get to safe mode ?

If so try the analysis scan there. If that should fail then try combofix again from safe mode

Meanwhile I will dig out another tool to use

Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 03:46:19 PM
I have Kaspersky running in safe mode now.
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 03:59:09 PM
The scan has been running 25 minutes and only 1% complete.  Looks like it's going to take a long time.
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 23, 2011, 04:51:59 PM
That in a way is good as it suggests that the MBR is OK
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 23, 2011, 10:56:23 PM
Kaspersky scan in Safe Mode finally finished after 7 hours.  Attached is the Detected Threat Log. Here is the link to the Sysinfo Log:

http://www.megaupload.com/?d=VNTQIWP1
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 24, 2011, 01:18:32 PM
OK let's try to shift it with this

Code:
begin
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  // remove the Browser Helper Object registered under this CLSID
  DelBHO('{01C80681-2DF8-49BB-85F7-D32911D35B20}');
  // delete the dropped DLL now, and again via Boot Cleaner in case it is locked
  DeleteFile('C:\WINDOWS\system32\authz32.dll');
  BC_DeleteFile('C:\WINDOWS\system32\authz32.dll');
  BC_ImportDeletedList;
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 24, 2011, 06:37:35 PM
I have a question about the AVPTool script execution.  I can only run AVP in Safe Mode.  I ran the script execution and the computer rebooted into regular mode.  AVP tried to open but failed.

I again executed the script in Safe Mode and rebooted into Safe Mode.  The AVP didn't open automatically.  What I am asking is if I execute the script in Safe Mode, reboot in Safe Mode, and then have to reopen AVP, will that negate the script? And if I then run another analysis scan will it lack the script it needs to complete its task?

I hope this makes sense  :-\
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 24, 2011, 07:52:29 PM
If you are still getting the problem then I will remove it using my really big hammer

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to delete:
C:\WINDOWS\system32\authz32.dll

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

4. The Avenger will automatically do the following:

5. Please copy/paste the content of c:\avenger.txt into your reply.


Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 24, 2011, 10:00:33 PM
I ran the avenger.  When the computer rebooted a "Windows - No Disk" message popped up:

         "Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

This is the txt file generated by avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\authz32.dll" not found!
Deletion of file "C:\WINDOWS\system32\authz32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


I have rebooted a couple of times and neither Avast nor Malwarebytes flashes any warnings about infections.
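The Avenger log above reports STATUS_OBJECT_NAME_NOT_FOUND for the DLL, which is what the thread reads as confirmation that the earlier AVP run had already removed it. As an added example that is not from this thread or from any of the tools it mentions, the following Python parser (line formats assumed only from the log posted above; other Avenger line types are not handled) pulls the rootkit result, completion flag and per-file deletion outcome out of such a log, so a helper can separate "already gone" from a genuine deletion failure such as access denied.

```python
import re

# Constructed sample, modelled on the Avenger 2.0 log posted in this thread.
SAMPLE_LOG = r"""Logfile of The Avenger Version 2.0, (c) by Swandog46
Rootkit scan active.
No rootkits found!
Error:  file "C:\WINDOWS\system32\authz32.dll" not found!
Deletion of file "C:\WINDOWS\system32\authz32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
Completed script processing.
"""

# Constructed second sample (hypothetical path) for a genuine deletion failure.
DENIED_LOG = r"""Deletion of file "C:\WINDOWS\system32\example.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Completed script processing.
"""

FAIL_RE = re.compile(r'^Deletion of file "(?P<path>[^"]+)" failed!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9A-Fa-f]+) \((?P<name>\w+)\)$')


def parse_avenger_log(text):
    """Return rootkit result, completion flag and (code, name) per failed path."""
    result = {"rootkits_found": None, "completed": False, "failures": {}}
    pending = None  # path whose Status: line has not been read yet
    for line in text.splitlines():
        line = line.strip()
        if line == "No rootkits found!":
            result["rootkits_found"] = False
        elif (m := FAIL_RE.match(line)):
            pending = m.group("path")
            result["failures"][pending] = None
        elif pending and (m := STATUS_RE.match(line)):
            result["failures"][pending] = (m.group("code").lower(), m.group("name"))
            pending = None
        elif line == "Completed script processing.":
            result["completed"] = True
    return result


def already_gone(parsed, path):
    """True only when deletion failed because the object no longer exists
    (an earlier cleanup removed it); any other status is a real failure."""
    outcome = parsed["failures"].get(path)
    return outcome is not None and outcome[1] == "STATUS_OBJECT_NAME_NOT_FOUND"
```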
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 24, 2011, 10:05:32 PM
OK that is confirmation that AVP killed it

Could you now reboot and let me know what problems are still around
Title: Re: NVSVCPMMWindowClass problem
Post by: mb7317 on August 24, 2011, 10:17:35 PM
I rebooted and no problems were found by avast or malwarebytes
Title: Re: NVSVCPMMWindowClass problem
Post by: essexboy on August 24, 2011, 10:24:54 PM
OK if all is still well tomorrow let me know and I will remove my tools