Author Topic: Problems with a virus  (Read 30856 times)

0 Members and 1 Guest are viewing this topic.

chinhis13

  • Guest
Problems with a virus
« on: June 19, 2007, 05:10:21 AM »
Whenever I open the internet explorer,
there is always a virus called "Win.Small-EPO [trj].
from a website, [www.adxxxo.cn/bind_32.exe],
but i have never gone to this website..

Avast! 4 Home then will open a window tells me to click the disconnet button,
but after disconneted, another Win.Small-EPO[trj] is here again!

How to solve this problem? Thank you very much!
« Last Edit: October 12, 2008, 05:48:56 PM by chinhis13 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67197
Re: Problems with a virus
« Reply #1 on: June 19, 2007, 05:17:04 AM »
Strange, I couldn't find that site... neither the file of course.
I couldn't scan the file with Dr. Web or even test it...
Can you post a screenshot?

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
The best things in life are free.

chinhis13

  • Guest
Re: Problems with a virus
« Reply #2 on: June 19, 2007, 05:30:42 AM »
Strange, I couldn't find that site... neither the file of course.
I couldn't scan the file with Dr. Web or even test it...
Can you post a screenshot?

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

Thanks very much.
This condition only occurs in another account in my computer.
Where can I find the virus record from Avast?

chinhis13

  • Guest
Re: Problems with a virus
« Reply #3 on: June 19, 2007, 05:40:57 AM »
Strange, I couldn't find that site... neither the file of course.
I couldn't scan the file with Dr. Web or even test it...
Can you post a screenshot?

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

Thanks very much.
This condition only occurs in another account in my computer.
Where can I find the virus record from Avast?

I have got it.

* VPS: 000749-1, 15/06/2007
*

hxxp://www.adonga.cn/233.exe\[Embedded#1]\[ASPack]\[Embedded#0f4664]\[Embedded#08040] [L] Win32:Adware-gen. [Adw] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)

These websites I have never gone before.
« Last Edit: October 12, 2008, 05:48:15 PM by chinhis13 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Problems with a virus
« Reply #4 on: June 19, 2007, 01:54:29 PM »
Well it looks like you may have a trojan downloader on your system that is visiting the sites to download its payload. DrWeb link checker confirms 233.exe is infected although it doesn't detect anything for bind_50110.exe I would tend to believe the avast detection especially since 'you' didn't visit the site nor initiate the download.

You need to modify your post so the links aren't active to avoid accidental exposure, e.g. http :// www . adonga.cn /233.exe\ - http :// www . adonga.cn / bind_50110.exe

What is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections and winXp's doesn't provide outbound protection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Problems with a virus
« Reply #5 on: June 19, 2007, 02:05:02 PM »
Download ComboFix from Here or Here to your Desktop.
 
Double click combofix.exe and follow the prompts.
 
When finished, it shall produce a log for you. Post that log and a HiJackthis log (see instructions below) in your next reply
 
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.


Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

chinhis13

  • Guest
Re: Problems with a virus
« Reply #6 on: June 19, 2007, 05:03:20 PM »
Well it looks like you may have a trojan downloader on your system that is visiting the sites to download its payload. DrWeb link checker confirms 233.exe is infected although it doesn't detect anything for bind_50110.exe I would tend to believe the avast detection especially since 'you' didn't visit the site nor initiate the download.

You need to modify your post so the links aren't active to avoid accidental exposure, e.g. http :// www . adonga.cn /233.exe\ - http :// www . adonga.cn / bind_50110.exe

What is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections and winXp's doesn't provide outbound protection.

I use Comodo Firewall.
Whenever I log into msn/open the internet explore, it will bring out a window to let me choose "accept/no".
If I like "NO", I couldn't surf to the net.

chinhis13

  • Guest
Re: Problems with a virus
« Reply #7 on: June 19, 2007, 05:06:55 PM »
Thanks for your help.
« Last Edit: October 12, 2008, 05:51:22 PM by chinhis13 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Problems with a virus
« Reply #8 on: June 19, 2007, 05:22:11 PM »
Just a quick post I'm on my way out.

This is suspect no google hits, run HJT again and tick the Fix box to the left of the entry.
O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
Suspect:
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) (I don't know why you would need a DCOM Server, although the entry indicates no file, possibly SpySheriff)
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

chinhis13

  • Guest
Re: Problems with a virus
« Reply #9 on: June 19, 2007, 06:15:53 PM »
Log file by Combofix:

ComboFix 07-06-18.2 - C:\Documents and Settings\Anthony\桌面\ComboFix.exe
"Anthony" - 2007-06-19 23:12:19 - Service Pack 2  NTFS 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\124.dll
C:\WINDOWS\19124.exe
C:\WINDOWS\227.dll
C:\WINDOWS\227.exe
C:\WINDOWS\233.exe
C:\WINDOWS\system32\1005_1016_0501_1-227.exe
C:\WINDOWS\system32\1005_1019_0501_1-233.exe
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-05-19 to 2007-06-19  )))))))))))))))))))))))))))))))


2007-06-19 23:10   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-03 03:35   4,733,788   --a------   C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
2007-05-29 02:08   581,632   --a------   C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
2007-05-29 02:07   581,632   --a------   C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
2007-05-29 02:07   0   --a------   C:\WINDOWS\resouese.dll
2007-05-29 01:28   4,096   --ahs----   C:\WINDOWS\SYSTEM32\Advpak.dll
2007-05-29 01:26   <DIR>   d--------   C:\Program Files\Autow
2007-05-26 17:39   <DIR>   d--------   C:\Program Files\peal


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 20:04:36   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-05-17 11:07:24   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\Ulead Systems
2007-05-17 07:23:51   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\AdobeUM
2007-05-16 15:11:50   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-12 13:19:07   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\Comodo
2007-05-06 09:59:51   --------   d-----w   C:\Program Files\Comodo
2007-05-06 09:38:52   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-05-03 16:21:12   --------   d-----w   C:\Program Files\FinalBurner
2007-05-01 16:52:38   --------   d-----w   C:\Program Files\Alwil Software
2007-05-01 12:50:48   --------   d-----w   C:\Program Files\Kaspersky Lab
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55   85,952   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42   94,552   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41   23,416   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51   43,176   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23   26,888   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-04-28 10:47:39   319,112   ----a-w   C:\WINDOWS\system32\prfh0404.dat
2007-04-28 10:47:38   107,426   ----a-w   C:\WINDOWS\system32\prfc0404.dat
2007-04-25 14:22:29   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36   33,624   -c--a-w   C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20   43,352   -c--a-w   C:\WINDOWS\system32\wups2.dll
2007-04-11 06:44:33   1,843,200   ----a-w   C:\WINDOWS\system32\win32k.sys
2007-03-20 14:34:29   102,440   -c--a-w   C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2005-07-14 04:31:20   27,648   --sha-r   C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32:28   616,448   --sha-r   C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37:42   45,568   --sha-r   C:\WINDOWS\SYSTEM32\cygz.dll
2005-02-28 05:16:22   240,128   --sha-r   C:\WINDOWS\SYSTEM32\x.264.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:57 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"Boostweb"="C:\PROGRA~1\BoostWEB\bwc.exe" [1999-03-08 13:50]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 23:42]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-06 19:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:47]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll,


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ
Usnsvc   usnsvc


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 23:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-19 23:53:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 23:53

   --- E O F ---

chinhis13

  • Guest
Re: Problems with a virus
« Reply #10 on: June 19, 2007, 06:17:18 PM »
Just a quick post I'm on my way out.

This is suspect no google hits, run HJT again and tick the Fix box to the left of the entry.
O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
Suspect:
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) (I don't know why you would need a DCOM Server, although the entry indicates no file, possibly SpySheriff)
Oh I see..
What's DCOM Server mean?

My problem state before is still here, how can I solve it? Thank you all
« Last Edit: June 19, 2007, 07:30:51 PM by chinhis13 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Problems with a virus
« Reply #11 on: June 19, 2007, 07:40:38 PM »
Windows has a DCOM service that generally no one needs, so I can't see a need to have a dedicated DCOM Server and the DCOM functionality is one which there were many vulnerabilities which were being exploited. So it is also important to ensure your Operating System is fully up to date.

http://www.updatexp.com/dcom-windows-xp.html
http://computing-dictionary.tfd.com/DCOM
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Problems with a virus
« Reply #12 on: June 20, 2007, 02:17:29 PM »
I actually needed a HJT log run after ComboFix.  Could you post another HJT log for me?  :)

chinhis13

  • Guest
Re: Problems with a virus
« Reply #13 on: June 20, 2007, 06:34:42 PM »
Thanks for your help.
« Last Edit: October 12, 2008, 05:52:07 PM by chinhis13 »

chinhis13

  • Guest
Re: Problems with a virus
« Reply #14 on: June 20, 2007, 06:35:13 PM »
Windows has a DCOM service that generally no one needs, so I can't see a need to have a dedicated DCOM Server and the DCOM functionality is one which there were many vulnerabilities which were being exploited. So it is also important to ensure your Operating System is fully up to date.

http://www.updatexp.com/dcom-windows-xp.html
http://computing-dictionary.tfd.com/DCOM

Thanks for answering
« Last Edit: June 20, 2007, 06:48:46 PM by chinhis13 »