Author Topic: Very stealthy redirect  (Read 16472 times)


Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11249
  • No support PM's thanks
Re: Very stealthy redirect
« Reply #15 on: August 02, 2011, 03:16:24 PM »
Shreyas Murali has been banned for trying to circumvent an existing ban on com155. Based on forum information, they are one and the same.
Little bugger, I did have my suspicions.
Good job David  :)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89328
  • No support PMs thanks
Re: Very stealthy redirect
« Reply #16 on: August 02, 2011, 03:36:52 PM »
I have spent a lot of time investigating this, so I'm sure we have found our doppelgänger, and I'm also cleaning up some of his mess without leaving topics totally disjointed.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Very stealthy redirect
« Reply #17 on: August 02, 2011, 04:01:10 PM »
The problem being is deleting 'all' the posts will leave many topics looking disjointed.
I think it's better that let them misleading and misinformation...
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89328
  • No support PMs thanks
Re: Very stealthy redirect
« Reply #18 on: August 02, 2011, 04:05:55 PM »
Not something which we should really discuss here.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Very stealthy redirect
« Reply #19 on: August 02, 2011, 04:18:33 PM »
> Not something which we should really discuss here.
You're right. Open forum. Sorry.

FrankW

  • Guest
Re: Very stealthy redirect
« Reply #20 on: August 02, 2011, 04:28:18 PM »
I thought the newbie status was suspicious, but figured I'd give him the benefit of the doubt. I assume you guys know what you're talking about.

Can anyone suggest how to proceed in dealing with this virus?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37608
  • Not a avast user
Re: Very stealthy redirect
« Reply #21 on: August 02, 2011, 04:35:10 PM »
Ah sorry, see you have posted the logs.

Essexboy will look at them when he arrives here in 3-4 hours.
« Last Edit: August 02, 2011, 04:36:54 PM by Pondus »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48645
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Very stealthy redirect
« Reply #22 on: August 02, 2011, 05:12:45 PM »
> Ah sorry, see you have posted the logs.
>
> Essexboy will look at them when he arrives here in 3-4 hours.

He has already been notified and asked to take a look at this thread.
Welcome to the forum FrankW.  :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Very stealthy redirect
« Reply #23 on: August 02, 2011, 08:54:16 PM »
Hi, the swreg files are legitimate and are used by many antimalware programmes. They are created by a known antimalware programmer, Bobbi Fleckman; in fact he assisted me in my registry training: http://fstaal01.home.xs4all.nl/swreg-us.html

There are some odd entries in your HOSTS file - did you set them?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Win32 Services - Safe List]
YY -> (CLODXGH) CLODXGH [On_Demand | Stopped] -> C:\Documents and Settings\Administrator\Local Settings\Temp\CLODXGH.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1317887185-193083965-3581033737-500\] > ->
YN -> HKEY_USERS\S-1-5-21-1317887185-193083965-3581033737-500\: SearchURL\\"provider" -> gogl
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Administrator\Application Data\Mozilla\FireFox\Profiles\pb886ok7.default\prefs.js
YN -> network.proxy.http_port -> 8800
[Files/Folders - Modified Within 30 Days]
NY ->  Grajamum.bin -> C:\WINDOWS\Grajamum.bin
NY ->  Vrutanug.dat -> C:\WINDOWS\Vrutanug.dat
[Files - No Company Name]
NY ->  Grajamum.bin -> C:\WINDOWS\Grajamum.bin
NY ->  Vrutanug.dat -> C:\WINDOWS\Vrutanug.dat
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
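The OTS fix above resets two browser-level redirect indicators: a proxy port set in the Firefox prefs.js and a changed IE search provider, alongside the question about unexpected HOSTS entries. As an added example that is not from the thread, from OTS or from essexboy, the Python script below shows how a helper would triage those two artefacts offline: it parses a prefs.js and flags any manual proxy configuration, and parses a HOSTS file to separate user-made block entries (sent to a loopback or null address) from entries that send a well-known domain to a real address. The prefs.js and HOSTS contents are constructed samples; the list of watched domains is an assumption.

```python
"""Offline triage of Firefox prefs.js and a Windows HOSTS file for
browser-redirect indicators (added example; sample data is constructed)."""
import re

# Constructed prefs.js excerpt. Firefox stores user preferences one per line
# as user_pref("name", value); with strings quoted and ints/bools bare.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8800);
user_pref("network.proxy.ssl_port", 8800);
'''

# Constructed HOSTS excerpt: one legitimate default, one user-added block
# entry, and one entry that sends a well-known domain to a LAN address.
SAMPLE_HOSTS = r'''
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net        # user-added ad block
10.0.0.5        www.google.com
'''

# Assumed watch list: domains a user rarely has a reason to override.
WATCHED_DOMAINS = {"google.com", "bing.com", "avast.com", "microsoft.com"}

# Addresses that make a HOSTS entry a block ("sink") rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_prefs(text):
    """Return {pref_name: value} with strings, ints and bools decoded."""
    prefs = {}
    for match in PREF_RE.finditer(text):
        name, raw = match.group(1), match.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep anything unexpected verbatim
    return prefs


def find_proxy_indicators(prefs):
    """List every network.proxy.* setting when a manual proxy is active.

    network.proxy.type: 0 = direct, 1 = manual, 5 = use system settings.
    Only type 1 makes the individual host/port prefs take effect, so a
    leftover port with type 0 is noise rather than an active redirect."""
    if prefs.get("network.proxy.type", 5) != 1:
        return []
    return [(key, val) for key, val in sorted(prefs.items())
            if key.startswith("network.proxy.") and key != "network.proxy.type"]


def parse_hosts(text):
    """Return [(ip, hostname)] pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_hosts_redirects(entries, watched_domains):
    """Flag entries that redirect (non-sink address) or that sink a watched domain."""
    findings = []
    for ip, name in entries:
        if name == "localhost":
            continue
        watched = any(name == d or name.endswith("." + d) for d in watched_domains)
        if ip not in SINK_ADDRESSES:
            findings.append((ip, name, "points to a real address, not a block sink"))
        elif watched:
            findings.append((ip, name, "well-known domain blackholed"))
    return findings


def triage(prefs_text, hosts_text, watched_domains=WATCHED_DOMAINS):
    """Run both checks and return the findings together."""
    return {
        "proxy": find_proxy_indicators(parse_prefs(prefs_text)),
        "hosts": find_hosts_redirects(parse_hosts(hosts_text), watched_domains),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_PREFS_JS, SAMPLE_HOSTS).items():
        print(section)
        for item in items:
            print("  ", item)
```

On a real machine the same functions would be fed the contents of the profile's prefs.js and of %SystemRoot%\System32\drivers\etc\hosts; the point of the split between sink and non-sink addresses is that ad-blocking HOSTS entries a user added deliberately (as FrankW's turned out to be) are not reported as redirects, while an entry that sends a search engine or vendor domain to some other host is.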

FrankW

  • Guest
Re: Very stealthy redirect
« Reply #24 on: August 02, 2011, 11:02:36 PM »
Here is the log from OTS.

BTW immediately after OTS finished this message appeared:
"The Catalyst Control Center is not supported by the driver version of your enabled graphics adapter. Please update your ATI graphics adapter driver"


FrankW

  • Guest
Re: Very stealthy redirect
« Reply #25 on: August 02, 2011, 11:13:41 PM »
Yes the HOSTS entries are all good, I put them there myself.

Here is a GMER log from about 8 hours ago which has some questionable entries.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Very stealthy redirect
« Reply #26 on: August 02, 2011, 11:33:49 PM »
They are legitimate services; however, they are not normally hidden.
If necessary, run ComboFix from safe mode; it will complain, but ignore that.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FrankW

  • Guest
Re: Very stealthy redirect
« Reply #27 on: August 03, 2011, 12:57:32 AM »
I did try to run Combofix a few days ago. The following lines appeared on screen:
"Scanning for infected files...
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double"
Then it stayed like that for about 90 mins after which I rebooted and tried to run it in safe mode with a similar result. As I guess you know, this left the disk in a bit of a state so I ran "combofix /uninstall" which seemed to undo the disk changes.
Anyway I'm trying it again now and it seems to be doing the same thing. The three lines are on the screen, the HD light is on (no flickering), but I can't hear any disk activity. What do you suggest?
« Last Edit: August 03, 2011, 01:17:04 AM by FrankW »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89328
  • No support PMs thanks
Re: Very stealthy redirect
« Reply #28 on: August 03, 2011, 02:15:38 AM »
After you rebooted or after running it from safe mode, etc. did you actually check to see if it actually created the C:\ComboFix.txt ?

FrankW

  • Guest
Re: Very stealthy redirect
« Reply #29 on: August 03, 2011, 03:18:29 AM »
> After you rebooted or after running it from safe mode, etc. did you actually check to see if it actually created the C:\ComboFix.txt ?

Good point. I just killed it with the power switch. There does not appear to be a ComboFix.txt either on C:\ or on the Desktop. Since the log window didn't show the 50 stages shown on the ComboFix tutorial over at Bleeping Computer, I assume it hangs pretty early in its process.