Author Topic: Unidentified network  (Read 6274 times)


whl_lim

  • Guest
Unidentified network
« on: April 30, 2009, 08:40:46 AM »
Hi all,

I am a newbie to fighting malware and viruses, and I've just heard about the iframe malware. I am not sure if I've got it on my computer, but there is an extra network being connected whenever I am online. I did not have this network until this week. The name of the network cannot be changed, and I cannot delete it somehow.

...

I am currently using the avast! antivirus free version; will it detect malware whenever I visit any of the internet websites? So far, I have not received any malware/virus warnings regarding the websites I've visited.

...


Many thanks. :)



Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Unidentified network
« Reply #1 on: April 30, 2009, 01:23:03 PM »
Quote
I am not sure if I've got it in my computer

-= I guess it won't hurt to try a scan with avast, or to extend your security by scanning with Malwarebytes too. A HijackThis log may also help us get a better overview of the problem.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Unidentified network
« Reply #2 on: April 30, 2009, 07:55:18 PM »
The iframe malware is inserted into web pages that are generally online, not into your system.

This looks like you read an avast iNews message, and it is because there is a huge increase in this method of attack. So what you might have previously thought to be a safe/good site could just as easily be hacked. All it is doing is making you aware of it so you don't take things for granted.

Fortunately avast's web shield is very good at detecting these hacked sites, where a small piece of code is inserted into legit pages. This code tries to redirect you to another site or run malware from another site.

So in the future you may well start getting these avast web shield detections, and you will have a better idea of why you are getting them.


Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
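The injected-iframe pattern DavidR describes (a small frame slipped into a legitimate page that pulls content from another site) can be checked for on the defending side. The script below is an added example, not code from this thread or from avast: it parses a page with Python's standard `html.parser`, collects every `<iframe>`, and flags the ones that combine at least two of the usual injection signals (1x1 or 0x0 size, hidden by CSS, third-party or bare-IP source). The sample page and the hosts in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): one legitimate embed and two
# hidden, off-site frames of the kind injected into a hacked legit page.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example-shop.test/cart" width="600" height="400"></iframe>
<p>Some content.</p>
<iframe src="http://evil-host.invalid/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<div style="display:none"><iframe src="http://192.0.2.10/x.php" width=0 height=0></iframe></div>
</body></html>"""

_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _dimension(value):
    """Leading integer of a width/height attribute ('0', '1px'), else None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collects each <iframe> with its attributes and whether it sits inside
    a container hidden by CSS (tracked with a simple open-tag stack)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._stack = []  # (tag, hidden_by_style)

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            in_hidden = any(hidden for _, hidden in self._stack)
            self.iframes.append((attrs, in_hidden))
        self._stack.append((tag, bool(_HIDDEN_CSS.search(attrs.get("style", "")))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed tags.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def find_suspicious_iframes(html, page_host):
    """Return the iframes that look injected, each with the signals it tripped.
    One signal alone is common on legitimate pages, so two are required."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs, in_hidden_container in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("tiny frame (%dx%d)" % (width, height))
        if in_hidden_container or _HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        if host and host != page_host.lower():
            reasons.append("loads from third-party host " + host)
        if _BARE_IP.fullmatch(host):
            reasons.append("bare IP address as host")
        if len(reasons) >= 2:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "www.example-shop.test"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the visible shop frame passes and the two hidden frames are reported; for a site owner the same check over saved copies of their own pages is a cheap way to notice an injection before a web shield on a visitor's machine does.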

whl_lim

  • Guest
Re: Unidentified network
« Reply #3 on: May 04, 2009, 07:25:18 AM »
Hi all,

Thank you for the clarification. I posted my HJT log yesterday, but it seems it is not here. This is my HJT log file of 03 May 2009 (my country's time):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:19 PM, on 3/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\system32\WgaTray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=71&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=71&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) -  - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDEAB0F3-2544-4B72-BEA0-02B3B98B3F83}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6657 bytes


*****

Thank you very much    :)


P/s: I changed the "http" into "hxxp".
« Last Edit: May 04, 2009, 07:48:14 AM by whl_lim »

whl_lim

  • Guest
Re: Unidentified network
« Reply #4 on: May 04, 2009, 07:45:13 AM »
I'm sorry to post again, but I was just wondering: if a link (excluding search results in search engines) contains the word "iframe", is it safe for us to use it? Because there is one when I am using one of the apps in Facebook (please see the attached picture, the line at the bottom of the pic "Waiting for http...").

Millions of thanks :D

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Unidentified network
« Reply #5 on: May 04, 2009, 11:37:08 AM »
-= We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.

-= R3 - URLSearchHook: (no name) -  - (no file)
    could possibly be one of the causes of weird networks connecting when you are online.
    This has been classified as bad.

-= O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
     This is already deactivated and can be fixed.

-= O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     This is already deactivated and can be fixed.

-= O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
     Spyware. A part of DownloadWare located in Program FilesKFH.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1
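The triage .: L' arc :. does by hand on the posted log (orphaned "(no file)" / "(file missing)" entries, a nameless URLSearchHook, a RunOnce launcher worth verifying) follows a few mechanical rules, and those can be scripted. The following is an added example, not part of this thread and not a HijackThis feature: it parses HJT-style lines and returns each flagged entry with its reasons and whether it is a plain clean-up ("fix") or needs the file checked first ("verify"). The sample input is a subset of lines from the log posted above, so no new paths or identifiers are introduced.

```python
import re

# Sample input: a subset of lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDEAB0F3-2544-4B72-BEA0-02B3B98B3F83}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# Every HJT entry starts with a section code (R0..R3, F0..F3, O1..O24).
_ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def triage_hjt(log_text):
    """Apply simple triage rules to HijackThis log lines.

    Returns one dict per flagged line: section, the line itself, the reasons,
    and an action: "fix" for entries pointing at files that no longer exist
    (safe to remove), "verify" for live entries that need a closer look.
    """
    findings = []
    for line in log_text.strip().splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # header, blank, or process list line
        section, body = m.group("section"), m.group("body")
        reasons = []
        orphaned = "(no file)" in body or "(file missing)" in body
        if orphaned:
            reasons.append("orphaned entry: referenced file is gone")
        if "(no name)" in body and section in ("R3", "O2", "O3"):
            reasons.append("nameless hook/BHO")
        if section == "O4" and "RunOnce" in body:
            reasons.append("RunOnce autostart: hash the target binary and check it")
        if section == "O17":
            reasons.append("custom DNS servers: confirm they belong to your ISP")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons,
                             "action": "fix" if orphaned else "verify"})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print("[%s] %s: %s" % (f["action"], f["section"], "; ".join(f["reasons"])))
```

On the sample this yields six findings: four orphaned entries to fix (the nameless R3 hook, the two dead BHOs and the missing Symantec service) and two to verify (the RunOnce launcher and the O17 name servers, which here are simply the configured DNS resolvers and only matter if they are not the ISP's).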

whl_lim

  • Guest
Re: Unidentified network
« Reply #6 on: May 04, 2009, 01:34:13 PM »
Thank you very much, chronoboi001 for pointing out the spyware and baddies :D

May I know how to remove them? I have scanned my computer with MBAM and avast!, and neither showed there's any spyware on the said computer.

micky77

  • Guest
Re: Unidentified network
« Reply #7 on: May 04, 2009, 02:07:25 PM »
-= O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
     Spyware. A part of DownloadWare located in Program FilesKFH.

This entry may not be bad; some say it's related to HP, others say a backdoor trojan.

http://www.hijackthis.de/rating.php?hjteintrag=TzQgLSBIS0xNXFwuLlxcUnVuT25jZTogW0xhdW5jaGVyXSAlV0lORElSJVxcU01JTlNUXFxsYXVuY2hlci5leGU=


Locate launcher.exe and send it to VirusTotal:

http://www.virustotal.com/

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Unidentified network
« Reply #8 on: May 04, 2009, 02:29:10 PM »
Hi micky77,

It may not be bad at all, because launcher.exe is also the name of the file you get on your desktop when you download DrWebCureIT, the non-resident free scanner made by DrWeb, but it could be something else; see http://www.threatexpert.com/files/launcher.exe.html
So I propose an upload to virustotal.com to make certain whether the file on that machine is legit or fraudulent. By the way, what was the website with the malcoded iFrame on it? You can mention it like hxtp://www.malcoded-frame.org, for instance, so the curious won't click it and get infected.

polonus
« Last Edit: May 04, 2009, 02:31:07 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

whl_lim

  • Guest
Re: Unidentified network
« Reply #9 on: May 04, 2009, 03:48:27 PM »
Okay, uploaded the said file to virustotal.com; checked.

And below is the result:-

File Launcher.exe received on 04.28.2009 05:29:37 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Antiy-AVL - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
Comodo - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
F-Prot - - -
F-Secure - - -
Fortinet - - -
GData - - -
Ikarus - - -
K7AntiVirus - - -
Kaspersky - - -
McAfee - - -
McAfee+Artemis - - -
McAfee-GW-Edition - - -
Microsoft - - -
NOD32 - - -
Norman - - -
nProtect - - Trojan/W32.Agent.44168
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - Trojan.Win32.Agent.44168
VirusBuster - - -
 
Additional information
MD5: 50ecaa360582260acc5e1495cc34a22e
SHA1: 49ac00e85310e4ca0004dcfd89d49b8f864f42c7
SHA256: f9d3eb40b802b7092b34b636b89258934420cda7daaa1497312fcd11b5a91490
SHA512: 76c29d4bf3593098ce941bf1f898645c02fafdd7c599905fee17d5cd3b084f6185657c97f7b5e50f537cd34f3ebeca6015322279af693d3b87c03fcee818250b


*************
So this means it's a virus?



P/s: Thank you to micky77 and polonus for the replies  ;D

whl_lim

  • Guest
Re: Unidentified network
« Reply #10 on: May 04, 2009, 03:50:27 PM »
I'm sorry to post again, but I was just wondering: if a link (excluding search results in search engines) contains the word "iframe", is it safe for us to use it? Because there is one when I am using one of the apps in Facebook (please see the attached picture, the line at the bottom of the pic "Waiting for http...").

Millions of thanks :D


Anyone has any idea for this? Is it safe to continue to use this app?

Thanks in advance.
« Last Edit: May 04, 2009, 03:53:00 PM by whl_lim »

micky77

  • Guest
Re: Unidentified network
« Reply #11 on: May 04, 2009, 03:55:02 PM »
It means it's not a virus; only 2 programs picked it up, 2/39. Also, the two AVs that found it are unknown to me. If it was a virus, some of the big AVs would have picked it up.
Because the date was 04.28.2009, that file has already been sent before; you could try again and choose re-analyse.
You have nothing to worry about  :)
« Last Edit: May 04, 2009, 03:57:34 PM by micky77 »
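Two things in this exchange are worth making mechanical: polonus's point that the verdict only says something about the file on that machine if it is the same file (so compare the local hashes with the MD5 in the report), and micky77's reading of the engine table (how many engines fired, and whether the hits are firm names or heuristic "suspected of" verdicts). The script below is an added example, not VirusTotal code and not from this thread: it hashes a file's bytes with `hashlib`, parses result rows in the two layouts shown above, and summarises the detections. The first report is rebuilt from the 39 rows posted above; the second excerpt copies three rows from the re-analysis; the `b"abc"` input is constructed and is not the real launcher.exe.

```python
import hashlib
import re

REPORT_MD5 = "50ecaa360582260acc5e1495cc34a22e"  # MD5 quoted in the report above


def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of a byte string (read the file in binary mode)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def report_applies(local_hashes, report_md5=REPORT_MD5):
    """A report only describes the local file if the hashes agree."""
    return local_hashes["md5"].lower() == report_md5.lower()


# Rebuilt from the first report above: 37 engines with no detection ("- - -")
# plus the two that flagged the file.
_CLEAN_ENGINES = ("AhnLab-V3 AntiVir Antiy-AVL Authentium Avast AVG BitDefender "
                  "CAT-QuickHeal ClamAV Comodo DrWeb eSafe eTrust-Vet F-Prot F-Secure "
                  "Fortinet GData Ikarus K7AntiVirus Kaspersky McAfee McAfee+Artemis "
                  "McAfee-GW-Edition Microsoft NOD32 Norman Panda PCTools Prevx1 Rising "
                  "Sophos Sunbelt Symantec TheHacker TrendMicro VBA32 VirusBuster").split()
FIRST_REPORT = "\n".join(e + " - - -" for e in _CLEAN_ENGINES) + (
    "\nnProtect - - Trojan/W32.Agent.44168"
    "\nViRobot - - Trojan.Win32.Agent.44168\n")

# Three rows copied from the re-analysis report above (version/date layout).
SECOND_REPORT_EXCERPT = """\
Avast 4.8.1335.0 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature  (paranoid heuristics)
ViRobot 2009.5.4.1719 2009.05.04 Trojan.Win32.Agent.44168
"""

# Verdict wording that marks a heuristic rather than a signature match.
_WEAK = re.compile(r"suspect|heur|paranoid|generic", re.I)


def summarize_vt(report_text):
    """Parse 'engine version update result...' rows; '-' means no detection.

    Both layouts above fit: engine names carry no spaces, the next two tokens
    are version and update date (or '-'), and the rest of the line is the verdict.
    """
    engines, hits = 0, []
    for line in report_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue  # header or blank line, not an engine row
        engine, result = tokens[0], " ".join(tokens[3:])
        engines += 1
        if result != "-":
            hits.append({"engine": engine, "result": result,
                         "heuristic": bool(_WEAK.search(result))})
    return {"engines": engines, "detections": hits,
            "ratio": "%d/%d" % (len(hits), engines),
            "firm_detections": sum(1 for h in hits if not h["heuristic"])}


if __name__ == "__main__":
    local = file_hashes(b"abc")  # constructed stand-in for reading launcher.exe
    print("report applies to local file:", report_applies(local))
    for name, text in (("first", FIRST_REPORT), ("re-analysis excerpt", SECOND_REPORT_EXCERPT)):
        s = summarize_vt(text)
        print(name, s["ratio"], [(h["engine"], h["result"]) for h in s["detections"]])
```

The first report summarises to 2/39 with both hits being generic "Agent" names from engines outside the major vendors; the re-analysis excerpt shows how the VBA32 row is separated out as a heuristic rather than a firm detection. A low, generic ratio like this is a reason to keep verifying (publisher, install location, hash match), not a verdict by itself.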

whl_lim

  • Guest
Re: Unidentified network
« Reply #12 on: May 04, 2009, 04:08:07 PM »
Re-analysis, checked.

File Launcher.exe received on 05.04.2009 16:02:00 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.04 -
AhnLab-V3 5.0.0.2 2009.05.04 -
AntiVir 7.9.0.160 2009.05.04 -
Antiy-AVL 2.0.3.1 2009.04.30 -
Authentium 5.1.2.4 2009.05.04 -
Avast 4.8.1335.0 2009.05.04 -
AVG 8.5.0.327 2009.05.04 -
BitDefender 7.2 2009.05.04 -
CAT-QuickHeal 10.00 2009.05.04 -
ClamAV 0.94.1 2009.05.04 -
Comodo 1149 2009.05.03 -
DrWeb 4.44.0.09170 2009.05.04 -
eSafe 7.0.17.0 2009.05.03 -
eTrust-Vet 31.6.6488 2009.05.04 -
F-Prot 4.4.4.56 2009.05.04 -
F-Secure 8.0.14470.0 2009.05.04 -
Fortinet 3.117.0.0 2009.05.04 -
GData 19 2009.05.04 -
Ikarus T3.1.1.49.0 2009.05.04 -
K7AntiVirus 7.10.723 2009.05.04 -
Kaspersky 7.0.0.125 2009.05.04 -
McAfee 5604 2009.05.03 -
McAfee+Artemis 5604 2009.05.03 -
McAfee-GW-Edition 6.7.6 2009.05.04 -
Microsoft 1.4602 2009.05.04 -
NOD32 4051 2009.05.04 -
Norman 6.01.05 2009.04.30 -
nProtect 2009.1.8.0 2009.05.04 -
Panda 10.0.0.14 2009.05.03 -
PCTools 4.4.2.0 2009.05.03 -
Prevx1 3.0 2009.05.04 -
Rising 21.28.04.00 2009.05.04 -
Sophos 4.41.0 2009.05.04 -
Sunbelt 3.2.1858.2 2009.05.03 -
Symantec 1.4.4.12 2009.05.04 -
TheHacker 6.3.4.1.318 2009.05.03 -
TrendMicro 8.950.0.1092 2009.05.04 -
VBA32 3.12.10.4 2009.05.04 suspected of Win32.BrokenEmbeddedSignature  (paranoid heuristics)
ViRobot 2009.5.4.1719 2009.05.04 Trojan.Win32.Agent.44168
VirusBuster 4.6.5.0 2009.05.04 -
 
Additional information
File size: 44128 bytes
MD5...: 50ecaa360582260acc5e1495cc34a22e

*****
Big thankies, micky77 ;D