Author Topic: report for New Virus indetected by avast [virus uploaded]  (Read 12013 times)


jumperx

  • Guest
It is a rootkit that creates a worm on all local drives, e.g. ("c:\p.exe"). The online scan is telling me that it is clear, but I'm 1000% sure that it is a virus. So do you have any solution so that users can upload viruses, in order to help avast give an excellent service and provide updates faster than their competitors?

virus to download

http://www.2shared.com/file/6659913/a44a728e/p_online.html
pass:007


report Hijackthis
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\ma-config.com\maconfservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olhrwef.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Administrateur\Mes documents\Downloads\Programs\microtorrent_torrent_1.8.3_build_15772_francais_18245.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Télécharger avec IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Télécharger le contenu de video FLV avec IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Télécharger tous les liens avec IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Ma-Config Service (maconfservice) - CybelSoft - C:\Program Files\ma-config.com\maconfservice.exe

--
End of file - 3504 bytes

and this is the report of virusTotal

 Fichier p.rar reçu le 2009.07.12 08:24:48 (UTC)
Résultat: 20/41 (48.79%)
Antivirus    Version    Dernière mise à jour    Résultat
a-squared   4.5.0.18   2009.07.12   -
AhnLab-V3   5.0.0.2   2009.07.11   -
AntiVir   7.9.0.204   2009.07.11   TR/Drop.Agent.ahdz
Antiy-AVL   2.0.3.1   2009.07.10   -
Authentium   5.1.2.4   2009.07.11   -
Avast   4.8.1335.0   2009.07.11   -
AVG   8.5.0.387   2009.07.11   Worm/AutoRun.GV
BitDefender   7.2   2009.07.12   Trojan.PWS.OnlineGames.KCQB
CAT-QuickHeal   10.00   2009.07.10   -
ClamAV   0.94.1   2009.07.11   -
Comodo   1624   2009.07.12   TrojWare.Win32.Trojan.Agent.Gen
DrWeb   5.0.0.12182   2009.07.12   Trojan.Packed.191
eSafe   7.0.17.0   2009.07.09   Suspicious File
eTrust-Vet   31.6.6608   2009.07.10   -
F-Prot   4.4.4.56   2009.07.11   -
F-Secure   8.0.14470.0   2009.07.11   -
Fortinet   3.120.0.0   2009.07.12   SPY/Magania
GData   19   2009.07.12   Trojan.PWS.OnlineGames.KCQB
Ikarus   T3.1.1.64.0   2009.07.12   Worm.Win32.Taterf
Jiangmin   11.0.706   2009.07.12   -
K7AntiVirus   7.10.790   2009.07.11   -
Kaspersky   7.0.0.125   2009.07.12   Trojan-GameThief.Win32.Magania.bmwn
McAfee   5673   2009.07.11   Generic PWS!hv.az
McAfee+Artemis   5673   2009.07.11   Artemis!E12100B86574
McAfee-GW-Edition   6.8.5   2009.07.11   Heuristic.LooksLike.Win32.SuspiciousPE.B!82
Microsoft   1.4803   2009.07.12   Worm:Win32/Taterf.B
NOD32   4235   2009.07.11   -
Norman   6.01.09   2009.07.10   OnLineGames.IAPV
nProtect   2009.1.8.0   2009.07.12   -
Panda   10.0.0.14   2009.07.11   Suspicious file
PCTools   4.4.2.0   2009.07.11   -
Prevx   3.0   2009.07.12   High Risk Worm
Rising   21.37.61.00   2009.07.12   -
Sophos   4.43.0   2009.07.12   Mal/Frethog-B
Sunbelt   3.2.1858.2   2009.07.11   Worm.Win32.AutoRun
Symantec   1.4.4.12   2009.07.12   Trojan Horse
TheHacker   6.3.4.3.366   2009.07.12   -
TrendMicro   8.950.0.1094   2009.07.10   -
VBA32   3.12.10.8   2009.07.12   -
ViRobot   2009.7.11.1831   2009.07.11   -
VirusBuster   4.6.5.0   2009.07.11   -
« Last Edit: July 12, 2009, 10:40:43 AM by jumperx »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: report for New Virus indetected by avast
« Reply #1 on: July 12, 2009, 10:29:31 AM »
Send the file to virus[at]avast.com in a password-protected archive, mentioning the password in the email of course.

You can also send the file to the virus Chest and submit it from there.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

jumperx

  • Guest
Re: report for New Virus indetected by avast
« Reply #2 on: July 12, 2009, 10:35:17 AM »
The virus is undetected so it can't be sent to the Chest, and if I want to send it to avast.com, where exactly?

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #3 on: July 12, 2009, 10:51:13 AM »
 You can send it in a password-protected zip file to virus@avast.com making sure the password is included in the body of the email.
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

micky77

  • Guest
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #4 on: July 12, 2009, 11:50:46 AM »
The entry O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Administrateur\Mes documents\Downloads\Programs\microtorrent_torrent_1.8.3_build_15772_francais_182 45.exe
Do you know what that is? Can you send 182 45.exe to VirusTotal?

I would have HJT fix O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olhrwef.exe
http://www.bleepingcomputer.com/startups/olhrwef.exe-24654.html
Then reboot.
I would run Autorun Eater to check for bad autorun files, also inserting any flash/pen drives you have used.

You could then, from a clean PC, download the Avira rescue disc, burn it to disc, insert it into the infected machine and reboot. http://forum.avira.com/wbb/index.php?page=Thread&threadID=82163 Renaming any threats found (Avira is very good at rootkits). If you have combofix on your PC, remove it before running the disc.

Then download and run MBAM and SAS http://filehippo.com/download_malwarebytes_anti_malware/  http://filehippo.com/download_superantispyware/ and run quick scans
« Last Edit: July 12, 2009, 12:07:57 PM by micky77 »
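
Added example (not part of any post in this thread, and not HijackThis or avast code): a small triage script for the O4 autostart lines of a HijackThis log, flagging the two kinds of entry questioned above, a Run value launching from a Temp directory and one launching from a Downloads folder. The function names and the two path rules are assumptions made for illustration; the sample lines are copied from the log in the first post.

```python
import re

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [cdoosoft] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olhrwef.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Administrateur\Mes documents\Downloads\Programs\microtorrent_torrent_1.8.3_build_15772_francais_18245.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
'''

# Registry Run-style O4 entries only: "O4 - <hive>: [<value name>] <command>".
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path, optionally quoted, before any arguments or "(User ...)" note.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.+?\.exe)"?(?=\s|$)', re.IGNORECASE)

def parse_o4(line):
    """Return hive, value name and executable path of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe = EXE_RE.match(m["cmd"])
    return {"hive": m["hive"], "name": m["name"],
            "path": exe["path"] if exe else m["cmd"]}

def classify(path):
    """Hypothetical rules: judge an autostart by the directory it runs from."""
    parts = [p.lower() for p in path.split("\\")[:-1]]
    if any(p in ("temp", "tmp") for p in parts):
        return "suspicious: autostart from a Temp directory"
    if "downloads" in parts:
        return "review: autostart from a Downloads folder"
    return None

def triage(log_text):
    """Collect (value name, verdict, path) for every flagged O4 entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and (verdict := classify(entry["path"])):
            findings.append((entry["name"], verdict, entry["path"]))
    return findings

if __name__ == "__main__":
    for name, verdict, path in triage(SAMPLE_LOG):
        print(f"[{name}] {verdict}: {path}")
```

A flagged entry is only a pointer for manual checking; a clean path says nothing about the file behind it.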

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: report for New Virus indetected by avast
« Reply #5 on: July 12, 2009, 12:23:11 PM »
Quote
The virus is undetected so it can't be sent to the Chest, and if I want to send it to avast.com, where exactly?

You can choose to send an undetected file to the Chest.

From the Chest, I think there's an option to add a file. (On Ubuntu right now so can't give you details about Windows.)

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: report for New Virus indetected by avast
« Reply #6 on: July 12, 2009, 01:21:54 PM »
 How to add samples to chest:

 Open avast's chest
 Navigate to user files
 Right click & select add files
 Select the file(s) you want to add
 Once the file(s) is added to chest, right click on it & select "Send to ALWIL"

jumperx

  • Guest
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #7 on: July 12, 2009, 03:51:25 PM »
Thanks everybody, the virus is hunted, but I think that the avast company should provide a space to upload viruses in order to provide an excellent service to its clients .. ;D

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #8 on: July 12, 2009, 05:04:37 PM »
Quote
Thanks everybody, the virus is hunted, but I think that the avast company should provide a space to upload viruses in order to provide an excellent service to its clients .. ;D

 You may ask for it here.

vlad tepes

  • Guest
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #9 on: April 14, 2012, 12:29:41 AM »
Link that's sent by the virus (it also offers to download it)

It's a WinRAR SFX archive, and within it another WinRAR SFX archive (the second one is password protected)
- a genius did this, if I might say! :D



hxxp://thelongshotphotocontest.com/gallery2/upload/likeit.php?entire1.php
« Last Edit: April 14, 2012, 01:46:50 AM by igor »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #10 on: April 14, 2012, 12:39:57 AM »
@jumperx

Can you break that link in your first posting? We do not want the unaware to click live links to malware. A link to a VT results scan is preferable, as the malware sample has already reached virus AT avast dot com, I suppose.

@vlad tepes, same for you; I get a Windows security warning for the live link you give. See:
http://zulu.zscaler.com/submission/show/211d28939429dd2c725d346195cbedb1-1334357071

polonus
« Last Edit: April 14, 2012, 12:45:17 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #11 on: April 14, 2012, 01:15:44 AM »
That URL redirects my iPad to this URL.    badoo.com/signup/


OK...it is a fake scan site that will give you a rogue, see screen shot


VirusTotal
https://www.virustotal.com/file/0284f8e58630c51174bd07fb8fa46a1d60a12d541e1ed26669c60ee05ea372c3/analysis/1334360399/
« Last Edit: April 14, 2012, 01:41:46 AM by Pondus »

iroc9555

  • Guest
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #12 on: April 14, 2012, 01:39:52 AM »
@ polonus

This thread is almost 3 years old and Jumperx has not been active in the forums for almost 2 years. That link has to be broken by a Uber or moderator.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: report for New Virus indetected by avast [virus uploaded]
« Reply #13 on: April 14, 2012, 01:45:40 AM »
Quote
This thread is almost 3 years old and Jumperx has not been active in the forums for almost 2 years.
we know....and it was not jumperx that started posting again

the link is reported, and sample is on the way to avast lab   ;)