Avast blocking malicious url redirects

Hi all, for some days I have had the problem mentioned in http://forum.avast.com/index.php?topic=96143.0

Avast has blocked several attempts to hxxp://184. 171. 169. 131/ click.php?c=… and one to hxxp://trac imar div .com/go.php?id=. I have run various scans with different software but so far none was able to find and remove the problem.

Basically, from what I understood, this malware tries to redirect visits to a site and probably puts some cookies in [i]C:\Users\Istvan\AppData\Roaming\Microsoft\Windows\Cookies[/i]

The only program that found something suspicious was SUPERAntiSpyware on Friday

Heur.Agent/Gen-WhiteBox E:\PROGRAMMI\XEROBANK\APP\XBCONFIG.EXE C:\USERS\ISTVAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\XEROBANK\XB CONFIG.LNK

Trojan.Agent/Gen-Injector
C:\USERS\ISTVAN\APPDATA\LOCAL\XENOCODE\APPLIANCECACHES\ADVANCEDLINKFINDER.EXE_V53F640EB\NATIVE\STUBEXE@WINDIR@\MICROSOFT.NET\FRAMEWORK\V2.0.50727\DW20.EXE


Xerobank is an anonymous browser I installed some years ago. The other I don’t know.

Another problem I noticed, not sure if related or not, is a sort of fake hard disk which appeared in Computer a couple of days ago.

Here attached:

  • mbam log (27.03)
  • OTL.txt (27.03) and Extras.txt (25.03; after today’s scan the program didn’t save it)
  • superantispyware (26.03)

To be honest, today I haven’t got any notice from Avast but I suppose it hasn’t disappeared.

Any ideas on this?

Thanks

You can check it against: http://www.backgroundtask.eu/Systeemtaken/taakinfo/9059/DW20.EXE/
Do you have more than one resident av solution running?
Did you experience errors from an Office application?
The filename XBCONFIG.EXE is used by objects that are classified as safe. It has not yet been seen to be associated with malicious software.

The logs should be analyzed by a qualified malware remover, to see whether it is really a false positive find.

polonus

@ polonus
It is in the first post, the quoted text and then it only relates to an SAS detection and not the avast detections.

@ ajeje

So I rather feel that the avast detections are unrelated to this file, but the misuse of the Process: C:\Windows\System32\rundll32.exe file by malware in the other topic you mentioned. If indeed it is exactly the same file?

Please also post the full text of the alert by avast and for the time being forget the detection by SAS.

So these logs will need to be analysed by a malware removal specialist, unfortunately it is a bit late for essexboy 11:40pm in the UK. Unless one of the other specialists can pick it up it will be tomorrow before essexboy can get back to it.

Hi DavidR,

Thanks for informing me if I failed to see that initial info, and yes, I got notified that this needs cleansing up, and jeffc has been notified.
He is a qualified remover and he will be here shortly to have a look. Everything will be OK,

polonus

Hi,

Let’s get an aswMBR scan.

Please download aswMBR to your desktop.

[*]Right click and Run as Administrator the aswMBR icon to run it.
[*]Click the Scan button to start the scan.
[*]When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png

I don’t remember exactly, will pay attention next time I see the alert.

Forgot to say in my first post, that I tried this one too but it doesn’t run on my computer (WinVista). I have tried both as Administrator and in Compatibility mode.

Thanks all

You say aswMBR.exe can’t run; are you getting any error messages, and if so what are they?

Hi,

Please boot to Safe Mode and then attempt to run aswMBR there. If the log is produced, please post that in the next reply

No, I see the loading icon for a couple of seconds then nothing else

I tried also in safe mode both as User and Administrator but the program doesn’t work.

Hi,

Download GMER Rootkit Scanner from here or here.

[*] Extract the contents of the zipped file to desktop.
[*] Right-click and Run as Administrator GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
[*] If it gives you a warning about rootkit activity and asks if you want to run scan…click on NO.


http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg

[*] In the right panel, you will see several boxes that have been checked. Uncheck the following …
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

[*]Save it where you can easily find it, such as your desktop, and attach it in your reply.

Caution
Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.

While I was in Safe Mode, I ran a scan with SUPERAntiSpyware and SpyBot. The first found a couple of cookies (log attached), the second nothing.

When I try to run it, I get

LoadDriver( "C:\Users\Istvan\AppData\Local|Temp|krfcapob.sys" ) error 0xC000010E: Un'istanza del servizio è già in esecuzione
(the last phrase in English should be "An instance is already loaded").

Once loaded, the program has most of the checks disabled. The only ones I can tick/untick are "Services", "Registry", "Files", hard drives, ADS.

Anyway I’m scanning with these options… will post log soon

Sounds good. :)

Here attached Gmer’s log. I have also reloaded in safe mode, but the program gives the same error/warning.

I’m using my browser (Firefox) and an Avast warning popped up. :(

URL: hxxp:// 184. 171. 169. 131
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Infection: URL:Mal

EDIT: I have run a scan with Trend Micro RootkitBuster too. Here attached its log.
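The three-line alert above (URL / Process / Infection) is the form Avast uses for a URL:Mal block, and the poster defanged the address by inserting spaces. As an added example that is neither from this thread nor from Avast, here is a small Python parser that normalizes a defanged URL, extracts the host, and checks it against a watchlist built from the two indicators reported earlier in the thread. The `refang`, `parse_alert` and `is_watchlisted` names and the watchlist itself are this example's own assumptions.

```python
"""Parse a defanged Avast URL:Mal alert and check its host against a watchlist.

Added example (not from the thread or from Avast). The alert layout and the two
defanged indicators come from the thread; the function names and the watchlist
are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: the alert as the poster pasted it, spaces and all.
SAMPLE_ALERT = r"""URL: hxxp:// 184. 171. 169. 131
Process: C:\Program Files\Mozilla Firefox\firefox.exe
Infection: URL:Mal
"""

# Indicators reported earlier in the thread, kept in their defanged form.
WATCHLIST_DEFANGED = [
    "hxxp://184. 171. 169. 131/ click.php?c=",
    "hxxp://trac imar div .com/go.php?id=",
]


@dataclass
class AvastAlert:
    url: str        # refanged, whitespace removed
    host: str       # authority part of the URL, lower-cased
    process: str    # process that made the request
    infection: str  # Avast detection name, e.g. "URL:Mal"


def refang(url: str) -> str:
    """Undo common defanging: hxxp -> http, [.] / (.) -> ., and strip inserted spaces."""
    url = url.strip()
    url = re.sub(r"^hxxps?://",
                 lambda m: m.group(0).lower().replace("hxxp", "http"),
                 url, flags=re.I)
    url = url.replace("[.]", ".").replace("(.)", ".")
    # URLs carry no literal whitespace, so every space here was inserted to defang.
    return re.sub(r"\s+", "", url)


def host_of(url: str) -> str:
    """Return the lower-cased host (authority) of an http(s) URL."""
    m = re.match(r"^https?://([^/?#]+)", url, flags=re.I)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return m.group(1).lower()


def parse_alert(text: str) -> AvastAlert:
    """Split 'Key: value' lines on the FIRST colon only, so that values such as
    'URL:Mal' and 'C:\\Program Files\\...' are kept intact."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    url = refang(fields["url"])
    return AvastAlert(url=url, host=host_of(url),
                      process=fields.get("process", ""),
                      infection=fields.get("infection", ""))


# Normalize the watchlist once, the same way the alert is normalized.
WATCHED_HOSTS = {host_of(refang(u)) for u in WATCHLIST_DEFANGED}


def is_watchlisted(alert: AvastAlert, hosts=None) -> bool:
    """True when the alert's host is one of the watched hosts."""
    return alert.host in (WATCHED_HOSTS if hosts is None else hosts)


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert)
    print("watchlisted:", is_watchlisted(alert))
```

Both the alert and the watchlist go through the same `refang` + `host_of` path, so a match does not depend on how each side happened to be defanged when it was pasted.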

Hi,

Please download TDSSKiller

[*]Right-click and Run as Administrator TDSSKiller.exe
[*]Press Change Parameters
[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
[*]Click on the Start Scan button

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now
[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

[*]Copy and paste the log in your next reply

[*]A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.


It doesn’t work :(

Same problem as aswMBR…

Hi,

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

Note: It is important that it is saved directly to your desktop


IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here


Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt for further review.

Hi jeffce, here Combofix’s log.

Thanks for your time!

Hi,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Folder::
C:\found.002

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
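The code box jeffce posted is a CFScript: directive headers ending in `::`, each followed by the entries it applies to, with blank lines separating the sections. As an added example that is neither from this thread nor part of ComboFix, here is a Python parser that splits such a script into its sections and flags entries whose shape does not fit the directive (registry keys not in [brackets] under a known hive, folders that are not absolute paths, DDS lines without `name = value`). The shape rules and the `parse_cfscript` / `lint` names are assumptions of this example; it says nothing about what ComboFix does with each directive.

```python
"""Parse a ComboFix CFScript.txt into directive sections and sanity-check entries.

Added example, not from the thread and not part of ComboFix. The sample script is
the one posted in the thread; the shape checks are this example's own assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: the script from the thread, verbatim.
SAMPLE_CFSCRIPT = r"""ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Folder::
C:\found.002
"""

# A directive header is a bare word followed by '::' and nothing else on the line.
HEADER = re.compile(r"^([A-Za-z]+)::\s*$")
# Hive prefixes accepted for RegLock entries (assumption of this example).
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKLM", "HKCU", "HKU", "HKCR")


def parse_cfscript(text: str) -> "OrderedDict[str, list[str]]":
    """Map each directive name to the list of non-blank lines under it, in order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue                      # blank lines only separate sections
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any directive header: {line!r}")
        sections[current].append(line)
    return sections


def check_entry(directive: str, entry: str):
    """Return None if the entry has the expected shape, otherwise a short problem string."""
    if directive == "RegLock":
        if not (entry.startswith("[") and entry.endswith("]")):
            return "registry key must be enclosed in [brackets]"
        if not entry[1:-1].upper().startswith(HIVES):
            return "registry key must start with a known hive"
    elif directive == "Folder":
        if not re.match(r"^[A-Za-z]:\\", entry):
            return "folder must be an absolute path with a drive letter"
    elif directive == "DDS":
        if " = " not in entry:
            return "DDS line must look like 'name = value'"
    return None


def lint(sections) -> list:
    """Collect (directive, entry, problem) for every entry that fails its shape check."""
    problems = []
    for directive, entries in sections.items():
        for entry in entries:
            problem = check_entry(directive, entry)
            if problem:
                problems.append((directive, entry, problem))
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for directive, entries in parsed.items():
        print(f"{directive}: {len(entries)} entries")
    print("problems:", lint(parsed))
```

Running it on the thread's script reports four sections (one of them, ClearJavaCache, with no entries) and no shape problems; a typo in a hive name or a relative folder path would show up in `lint` before the script is dragged onto ComboFix.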

@jeffce: OK thanks, I will try it when I get home.

Not sure if it is relevant or not, but during the ComboFix scan two programs stopped working: pev.3XE and PEV.exe