Topic: Is this a virus?


kimandalle (Newbie, Posts: 8)
Is this a virus?
« on: March 29, 2011, 02:23:09 PM »
I keep getting the message that the computer is being blocked from communicating with a dangerous site:

the object is 62.122.73.203/545/getcfg.php

The path is in the C: Asus/Appdata/Local/Temp/DAT827F.tmp.exe

Apparently it's related to an async file, as it's named Async Trace DLL.

What do I do with this?

polonus (Avast Überevangelist, Probably Bot, Posts: 33998, malware fighter)
Re: Is this a virus?
« Reply #1 on: March 29, 2011, 03:28:27 PM »
You might have been infected with either TR/Kazy.8389.7/6 or TR/DyCode.B.9 or TR/Malagent.A.536 or Trojan-Dropper.Win32.Mudrop.as; this domain is alive and spreading these kinds of malware.
I think it is the Mudrop one, because no AV detects this as yet there: http://forum.avast.com/index.php?topic=61867.0 and for cleansing: http://forum.avast.com/index.php?topic=61867.0 (use safe mode and disable/enable system restore).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #2 on: March 29, 2011, 03:36:01 PM »
Okay, as I am a complete and total newbie, is there a step-by-step detail for me to follow, somewhere? I am very nervous about trying to do anything with the computer's "innards", as it were.

Pondus (Probably Bot, Posts: 37648, F-Secure user)
Re: Is this a virus?
« Reply #3 on: March 29, 2011, 05:56:32 PM »
Quote: Okay, as I am a complete and total newbie, is there a step-by-step detail for me to follow, somewhere? I am very nervous about trying to do anything with the computer's "innards", as it were.

Follow this guide from our expert malware remover Essexboy:
http://forum.avast.com/index.php?topic=53253.0
(post the logs HERE in this topic and not in the guide)

To avoid using multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log)

Essexboy will look at the logs when he arrives here later today.


kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #4 on: March 29, 2011, 06:37:52 PM »
Okay, I've followed that stuff - the logs are attached.

Pondus (Probably Bot, Posts: 37648, F-Secure user)
Re: Is this a virus?
« Reply #5 on: March 29, 2011, 06:40:19 PM »
Essexboy will be here in about 2 - 3 hours.

kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #6 on: March 29, 2011, 06:45:35 PM »
Knock wood - but so far the problem hasn't been huge, just highly annoying. Unfortunately, the reports I could understand said nothing was wrong. ???

Thank you for all your help.


Pondus (Probably Bot, Posts: 37648, F-Secure user)
Re: Is this a virus?
« Reply #7 on: March 29, 2011, 06:53:17 PM »
Quote: C: Asus/Appdata/Local/Temp/DAT827F.tmp.exe
You may try this while waiting; it sometimes works.


Temp File Cleaner by OldTimer
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/


essexboy (Malware removal instructor, Avast Überevangelist, Probably Bot, Posts: 40589, Dragons by Sasha, Malware fixes)
Re: Is this a virus?
« Reply #8 on: March 29, 2011, 07:12:08 PM »
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Processes - Safe List]
YY -> dat827f.tmp.exe -> C:\Users\Asus\AppData\Local\Temp\DAT827F.tmp.exe
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> Java Console   -> C:\Programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
YY -> Java Console -> C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
< Run [HKEY_USERS\S-1-5-21-350271379-3965886678-2468626992-1000\] > -> HKEY_USERS\S-1-5-21-350271379-3965886678-2468626992-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "DAT827F.tmp.exe" -> C:\Users\Asus\AppData\Local\Temp\DAT827F.tmp.exe [C:\Users\Asus\AppData\Local\Temp\DAT827F.tmp.exe]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
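As an added illustration (not code from this thread, from OTS or from essexboy): a small Python checker that parses Run-key lines in the OTS "Registry - Safe List" format quoted above and flags autorun entries whose target lives in a temp folder or carries a double extension, the two traits of the DAT827F.tmp.exe entry the fix removes. The sample lines below are constructed in that format; the temp-folder markers and the double-extension rule are assumptions of this example, not OTS rules.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the OTS lines quoted in this thread (not a real log).
SAMPLE_OTS_LINES = r'''
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-350271379-3965886678-2468626992-1000\] > -> HKEY_USERS\S-1-5-21-350271379-3965886678-2468626992-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "DAT827F.tmp.exe" -> C:\Users\Asus\AppData\Local\Temp\DAT827F.tmp.exe [C:\Users\Asus\AppData\Local\Temp\DAT827F.tmp.exe]
YY -> "Sidebar" -> C:\Program Files\Windows Sidebar\sidebar.exe [C:\Program Files\Windows Sidebar\sidebar.exe /autoRun]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Updater" -> C:\Windows\Temp\svc.exe [C:\Windows\Temp\svc.exe -q]
'''

# Assumed heuristics: legitimate autoruns rarely point into these folders.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

SECTION_RE = re.compile(r'^< Run \[(?P<hive>[^\]]+)\] > -> (?P<key>.+)$')
ENTRY_RE = re.compile(r'^YY -> "(?P<name>[^"]+)" -> (?P<rest>.+)$')


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Return one dict per Run-key value: registry key, value name, target path."""
    entries, current_key = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            current_key = sec.group("key")
            continue
        ent = ENTRY_RE.match(line)
        if ent and current_key:
            # OTS appends the full command line in [...]; the target path precedes it.
            target = ent.group("rest").split(" [", 1)[0].strip()
            entries.append({"key": current_key, "name": ent.group("name"), "target": target})
    return entries


def suspicious_reasons(target: str) -> List[str]:
    """List why an autorun target looks like dropped malware (empty if it looks normal)."""
    low = target.lower()
    reasons = []
    if any(marker in low for marker in TEMP_DIR_MARKERS):
        reasons.append("runs from a temp directory")
    filename = low.rsplit("\\", 1)[-1]
    if filename.endswith(".exe") and filename.count(".") >= 2:
        reasons.append("double extension (e.g. .tmp.exe)")
    return reasons


def find_suspicious_autoruns(text: str) -> List[Dict[str, object]]:
    """Parse OTS Run-key lines and return the entries that trip a heuristic."""
    return [{**e, "reasons": suspicious_reasons(e["target"])}
            for e in parse_run_entries(text) if suspicious_reasons(e["target"])]
```

Run it against an OTS log section to get the Run-key entries worth a second look; everything else in the section is left alone.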

kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #9 on: March 29, 2011, 07:21:08 PM »
I tried the latest suggestion by Pondus, and for the time being, I haven't had any more pop-up messages. Should I still try the fix, or will it cause a new problem if the issue has been cleared up already?
« Last Edit: March 29, 2011, 07:23:21 PM by kimandalle »

Pondus (Probably Bot, Posts: 37648, F-Secure user)
Re: Is this a virus?
« Reply #10 on: March 29, 2011, 07:22:25 PM »
Follow Essexboy's advice.

kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #11 on: March 29, 2011, 07:29:46 PM »
Here's the latest log.

essexboy (Malware removal instructor, Avast Überevangelist, Probably Bot, Posts: 40589, Dragons by Sasha, Malware fixes)
Re: Is this a virus?
« Reply #12 on: March 29, 2011, 07:54:23 PM »
TFC killed the file and I removed the reg key. ;D

How is it running now?

kimandalle (Newbie, Posts: 8)
Re: Is this a virus?
« Reply #13 on: March 29, 2011, 07:56:30 PM »
Running smoothly and there's no pop-up panic. Yay! :)

I do believe y'all are geniuses. Heh. I can't thank you enough, honestly. I know it's ridiculous, but even with all the backups in the world - remote or otherwise - my whole blinkin' world is on this thing. I tend to panic easily, so you'll probably hear from me again.

I apologize in advance for that, of course.

essexboy (Malware removal instructor, Avast Überevangelist, Probably Bot, Posts: 40589, Dragons by Sasha, Malware fixes)
Re: Is this a virus?
« Reply #14 on: March 29, 2011, 07:59:51 PM »
No probs - just run OTS and hit the cleanup button.