Author Topic: multiple infection!!!!!  (Read 19295 times)


sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #15 on: June 22, 2007, 12:57:44 AM »
See, as I suspected, the exe file is rigged. Extract the zip file and scan it,
and note none of the top anti-virus softs detect it, so if avast detects it.. it'll be great.
And none of them detected the
hidden file: c:\WINDOWS\system32\cswxl.exe
In the original exe file it is mostly encrypted in the exe.


STATUS: FINISHED
Complete scanning result of "RapidShare_Premium_Accounts_Gener", received in VirusTotal at 06.22.2007, 00:41:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007 Trojan.Pakes-248
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.22.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.20.2007  no virus found
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.22.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Symantec 10 06.22.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU

rdmaloyjr

  • Guest
Re: multiple infection!!!!!
« Reply #16 on: June 22, 2007, 01:14:30 AM »

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #17 on: June 22, 2007, 01:23:11 AM »
Na.. I downloaded the zip file and extracted it and sent it to VirusTotal for analysis..
You can see the results yourself.. and this was a link given in one of the forums, so I guess it is deliberate,
so I have to look up info on the Bifrose trojan.

And just a reminder, I am having multiple infections as the topic reads..
1. the rpcc.dll infection which I knew was there for the past few days
2. the rootkit infection which F-Secure removed, which came from this exe
3. and the current dialer problem; I am still having the process running as firefox.exe
« Last Edit: June 22, 2007, 01:27:54 AM by sasin44 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89220
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #18 on: June 22, 2007, 01:32:30 AM »
Quote
And here is the link from where I got the malware....
http://rapidshare.com/files/37754284/RapidShare_Premium_Accounts_Generator.zip.html

and it does not generate any valid keys ;D

I guess 2.56 MB is packed with multiple malware, one of them a rootkit which F-Secure detected and the other a yet undetected one which has my Firefox running.
Someone pass it on to Avast... God knows how many malware I am infected with..

Is this the name of the file you uploaded, 'RapidShare_Premium_Accounts_Generator.zip'? That would seem very strange to me. A more appropriate name would be suspect-files.zip, etc.

I also doubt 'RapidShare.com' was the source of your malware, or did you mean "here is the link where I have stored the malware...."?

Sorry, I'm totally confused now.

I thought you were talking about the rpcc.dll and cswxl.exe that you did the VirusTotal/Jotti checks on. If that were the case I would be happy to help, but downloading a 2.5MB file and then sending it by email, whilst on dial-up, is going to take too long.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89220
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #19 on: June 22, 2007, 01:53:25 AM »
I don't know what you have been trying to do, but you shouldn't need to download anything from rapidshare, just create a free account; when you first try to upload a file it will ask you to create an account. You don't have to create a premium account: click Browse and select the file you want to upload (like VirusTotal), once selected, click Upload, at this point you will be asked to create an account.

So there should be absolutely no need to download anything from rapidshare. I didn't have an account but created one just for the creation steps and uploaded the first image you see below, http://rapidshare.com/files/38609337/b1134.gif.

So the free account is set up and working and no download required.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #20 on: June 22, 2007, 02:09:01 AM »
Well, that was confusing I guess ;D
OK, let me clear it up for you..
1. Came to know I was infected when AVG Anti-Spyware picked up a memory-resident malware which it could not remove, so I analysed the HijackThis log myself and found out that the rpcc.dll was the cause,
but I ignored it
2. I downloaded the zipped file from a link (rapidshare was the server on which the file was uploaded)
and after I clicked on the downloaded file
got infected with a rootkit which F-Secure removed
and still have the dialer problem...

Normal rapidshare accounts have download limitations .. ;)
I was trying to get a premium account without paying for it ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89220
  • No support PMs thanks
Re: multiple infection!!!!!
« Reply #21 on: June 22, 2007, 02:21:47 AM »
I really doubt you need a premium account; certainly not for this instance, free would be fine.

Quote

Which DOWNLOAD RULES have to be followed? (Terms of use)
    * Free users have to enter some letters before the downloads start in order to have the permission to use the infrastructure of RapidShare for free.
    * Free users may only download a certain amount of Megabytes per hour. If this amount is exceeded, a message will appear.
    * If a free user violates these terms of use, RapidShare has the right to permanently ban the free user from the RapidShare network.
    * People writing programs with the goal to violate our terms of use will be made fully responsible for the financial losses/damages.


So the download restriction doesn't seem punitive, x MB per hour, so if you aren't trying to set up some file sharing cartel you shouldn't have a problem for occasional use.

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #22 on: June 22, 2007, 02:34:31 AM »
 ;D ;D
Super good news: I got rid of the rpcc.dll infection..
1>> booted in safe mode with command prompt and made sure rpcc.dll did not load..
2>> deleted the reg entries it created
3>> moved and renamed the file so that I can send it to Alwil for analysis
4>> booted in normal mode, scanned with AVG Anti-Spyware

and the system was clean ;)
Now I will post my new HijackThis log so that I can remove the malware that is executing firefox.exe

And coming to the download issue, I chose to enter a few letters to start the download ;(
And about that, I had a more illegal purpose (MAYBE to download m0v1es and TV shows which are more than the free limit :-X :-X) in mind, so I want a premium account.. :-[ :-[
And DavidR, I asked about the software you use to take screenshots of your windows

« Last Edit: June 22, 2007, 02:37:11 AM by sasin44 »

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #23 on: June 22, 2007, 02:41:40 AM »
Logfile of HijackThis v1.99.1
Scan saved at 6:06:13 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE >>>>>>>>>>>>>>>>>>>>>>>>>>i am not using firefox the  malware is using it  >:( >:( >:(
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
F:\softwares\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{E594B39C-D9A5-4E09-B363-7CBDDD2066EE}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmlnh.exe (file missing)


And can someone enlighten me why some files are reported as missing???? ???

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #24 on: June 22, 2007, 05:09:11 AM »
Malware: PoisonIvy
Infection time: 11:39 pm IST
Nailed at: 8:30 am next day
3rd longest infection!!!!

ha ha ha ha ha ha aha ah ..
Nailed that little bugger.. just super :)

Well, here I was infected with PoisonIvy; this little bugger is 1.14 MB.
Here is where I found it:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0F4D3821-12C5-C8D5-0208-080506020803}

path c:\windows\system32\patch.exe
nailed em nailed em

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #25 on: June 22, 2007, 05:10:05 AM »
STATUS: FINISHED
Complete scanning result of "Patch.exe", received in VirusTotal at 06.22.2007, 04:52:40 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Authentium 4.93.8 06.22.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.22.2007 Trojan.Pakes-248
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.21.2007  no virus found
eTrust-Vet 30.8.3733 06.22.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.22.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.22.2007 PoisonIvy.gen15
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2701 06.22.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007 PoisonIvy.gen15
Panda 9.0.0.4 06.22.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Symantec 10 06.22.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.21.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
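The two VirusTotal reports in this thread (Reply #15 for the exe inside the zip, Reply #25 for Patch.exe) are plain text in a fixed layout, and the interesting question is which engines flagged the file and what changed between the two submissions. The script below is an added example written for this page, not code posted in the thread or supplied by VirusTotal: it parses that report layout, computes the detection ratio, and diffs two reports engine by engine. The embedded reports are constructed excerpts of the two posted above (a subset of engines, lines copied as-is).

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpts of the two VirusTotal reports posted in this thread
# (Reply #15 and Reply #25). A handful of engines is enough to show the format.
REPORT_ZIP_EXE = """\
STATUS: FINISHED
Complete scanning result of "RapidShare_Premium_Accounts_Gener", received in VirusTotal at 06.22.2007, 00:41:09 (CET).

Antivirus Version Update Result
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Avast 4.7.997.0 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007 Trojan.Pakes-248
F-Secure 6.70.13030.0 06.20.2007  no virus found
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
"""

REPORT_PATCH_EXE = """\
STATUS: FINISHED
Complete scanning result of "Patch.exe", received in VirusTotal at 06.22.2007, 04:52:40 (CET).

Antivirus Version Update Result
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Avast 4.7.997.0 06.21.2007  no virus found
ClamAV devel-20070416 06.22.2007 Trojan.Pakes-248
F-Secure 6.70.13030.0 06.22.2007 PoisonIvy.gen15
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007  no virus found
Norman 5.80.02 06.21.2007 PoisonIvy.gen15
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
"""

SAMPLE_RE = re.compile(r'scanning result of "(?P<name>[^"]+)"')
CLEAN = "no virus found"   # the exact verdict string VirusTotal printed in this layout


@dataclass
class Report:
    sample: str
    # engine -> detection name, or None when the engine reported "no virus found"
    results: dict[str, str | None] = field(default_factory=dict)

    def detections(self) -> dict[str, str]:
        return {engine: name for engine, name in self.results.items() if name}

    def ratio(self) -> tuple[int, int]:
        """(engines that detected, engines that scanned)."""
        return len(self.detections()), len(self.results)


def parse_report(text: str) -> Report:
    report = Report(sample="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("STATUS:") or line.startswith("Antivirus Version"):
            continue
        if m := SAMPLE_RE.search(line):
            report.sample = m["name"]
            continue
        # Layout: engine, version, update date, result; only the result may contain spaces.
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        engine, _version, _update, result = parts
        report.results[engine] = None if result == CLEAN else result
    return report


def diff_reports(a: Report, b: Report) -> dict[str, tuple[str | None, str | None]]:
    """Engines whose verdict differs between the two reports (engine absent -> None)."""
    changed = {}
    for engine in sorted(set(a.results) | set(b.results)):
        ra, rb = a.results.get(engine), b.results.get(engine)
        if ra != rb:
            changed[engine] = (ra, rb)
    return changed


if __name__ == "__main__":
    first, second = parse_report(REPORT_ZIP_EXE), parse_report(REPORT_PATCH_EXE)
    for rep in (first, second):
        hits, total = rep.ratio()
        print(f"{rep.sample}: {hits}/{total} engines, names: {sorted(set(rep.detections().values()))}")
    for engine, (before, after) in diff_reports(first, second).items():
        print(f"  {engine}: {before!r} -> {after!r}")
```

The diff is what makes two reports useful rather than one: here it isolates the engines whose verdict moved from clean to PoisonIvy.gen15 on the dropped Patch.exe, which is the kind of change worth noting when the same family name (Bifrose.NU) appears on both files.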

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #26 on: June 22, 2007, 05:15:45 AM »
Hi, can any of you give me your mail id, someone with broadband, so I can mail a whole bunch of malware to you [encrypted] and you can mail them to Alwil through your virus chest :)

And thanks for your help DavidR
You still haven't told me what software you use to take screenshots.. it's pretty good ;)
 ;D
And I hope I can send it to Avast through someone as soon as possible


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple infection!!!!!
« Reply #27 on: June 22, 2007, 10:34:07 AM »
You need to remove the DNS hijack entries. Submit the file for analysis here:

http://www.hijackthis.de/

In the results, look at the O17 entries. Click on the domain to get more info.

Do a Google search to see if that domain/host is associated with a DNS hijack.

(The analysis highlights some as bad, some as questionable. They all seem to resolve to Inhoster in the Ukraine, which sets off alarm bells in my head, but check for yourself.)

If you haven't run all of the anti-rootkit scanners I mentioned, I suggest trying the other two, as they sometimes find different things. This goes for the anti-malware scanners as well.

Dr Web CureIT! is another good scanner to try.

And downloading cracks and keygens is like having unprotected sex with a Brazilian transvestite street hooker: you're going to get infected.  ;)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
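As an added example (not code posted in this thread and not part of HijackThis or any other tool named here), the Python script below applies the advice in this reply to the HijackThis log from Reply #23: it parses the O17, O20 and O23 lines, flags any NameServer that is not on an allowlist of resolvers the machine is expected to use, and reports the orphaned Winlogon Notify and service registrations that HijackThis marks "(file missing)". The sample log is constructed from lines of that post plus one benign O17 line; the allowlist value 192.168.1.1 and the key {CONSTRUCTED-BENIGN-GUID} are assumptions, not values from the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in Reply #23, plus one
# benign O17 line (home router at 192.168.1.1, constructed) to show the allowlist passing.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{178C0656-FCBD-49E1-B814-78C382BF7F38}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-BENIGN-GUID}: NameServer = 192.168.1.1
O20 - Winlogon Notify: hggedbx - hggedbx.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\system32\dmlnh.exe (file missing)
"""

# Assumed allowlist: the resolvers this machine should be using (ISP or router).
# Anything else in an O17 line is treated as a DNS hijack candidate.
TRUSTED_DNS = frozenset({"192.168.1.1"})

# Patterns cover the three line types that carried the suspicious entries in the
# posted log; they match the layout shown there, not every HijackThis variant.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    code: str       # HijackThis section code: O17, O20, O23
    severity: str   # "high" or "medium"
    detail: str


def parse_nameservers(value: str) -> set[str]:
    """HijackThis prints servers comma-separated in some keys and space-separated in others."""
    return {s for s in re.split(r"[ ,]+", value.strip()) if s}


def triage(log_text: str, trusted_dns: frozenset[str] = TRUSTED_DNS) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O17_RE.match(line):
            rogue = sorted(parse_nameservers(m["servers"]) - trusted_dns)
            if rogue:
                findings.append(Finding("O17", "high",
                    f"NameServer {', '.join(rogue)} not in allowlist ({m['key']})"))
        elif m := O20_RE.match(line):
            # A Winlogon Notify DLL that no longer exists is a leftover registration:
            # the loader is gone but the hook should still be cleaned out of the registry.
            if m["missing"]:
                findings.append(Finding("O20", "medium",
                    f"Winlogon Notify '{m['name']}' points to missing {m['dll']}"))
        elif m := O23_RE.match(line):
            # Only flag the combination the thread asked about: no vendor and no binary.
            if m["owner"] == "Unknown owner" and m["missing"]:
                findings.append(Finding("O23", "medium",
                    f"Service '{m['name']}' (unknown owner) points to missing {m['path']}"))
    return findings


def rogue_dns_servers(log_text: str, trusted_dns: frozenset[str] = TRUSTED_DNS) -> list[str]:
    """Every resolver named in any O17 line that is not on the allowlist, deduplicated."""
    servers: set[str] = set()
    for raw in log_text.splitlines():
        if m := O17_RE.match(raw.strip()):
            servers |= parse_nameservers(m["servers"]) - trusted_dns
    return sorted(servers)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.detail}")
    print("Resolvers to look up:", rogue_dns_servers(SAMPLE_LOG))
```

The judgement the script cannot make for you is the allowlist: compare the O17 addresses against what the ISP or router actually hands out, then look the leftovers up as suggested above. The O23 rule deliberately leaves the "ATI Smart" line alone, since an unknown owner with the binary still present is common for legitimate drivers and is not what the log flagged.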

sasin44

  • Guest
Re: multiple infection!!!!!
« Reply #28 on: June 22, 2007, 12:42:17 PM »
Gee Frankie, come on, don't be so sour
 :'(
Different people have different computer ethics

AVG Anti-Spyware >>>>>> complete system scan >>>> no threats found
avast boot-time scan >>> 0 files infected
F-Secure BlackLight >>>>> clean
Panda Anti-Rootkit >>>>> no rootkits found
AVG Anti-Rootkit >>>>>> no rootkits found
Panda NanoScan >>> error connecting to server
Ad-Aware >>>>>>> clean
RootkitRevealer >>>> no rootkits found
 ;D
 home free  :P



Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: multiple infection!!!!!
« Reply #29 on: June 22, 2007, 02:09:56 PM »
Quote
gee frankie come on dont be so sour

Just a bit of advice, that's all. If you want to hand your computer over to the bad guys again, feel free.

At least use VirusTotal in future so you have the best chance of catching any malware.  ;)