Blocked Malicious URL

Hi, Avast continually blocks attempts to open 64.111.211.172 - scans do nothing apparently.

What is causing this? Why is that IP considered a mal.url? Why does Avast block the attempt and seemingly do nothing about whatever is attempting to connect?

Just thought I would ask before trying a different solution.

Thanks
Jim

This is ISPrime, so if you do a forum search for it you will see the sort of thing that has to be done to resolve this. You shouldn’t undertake any of this without guidance.

You didn’t give the full information of the detection as it also gives the Process responsible for the connection attempt. Commonly there is a hidden element using a system file to try and connect to a malicious site.

Start the ball rolling by running this tool and posting the results.

The calling DLLs are either

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll

or

rundll32.dll

This is the saved log.

aswMBR version 0.9.8.945 Copyright(c) 2011 AVAST Software
Run date: 2011-07-21 18:49:07

18:49:07.734 OS Version: Windows 5.1.2600 Service Pack 3
18:49:07.734 Number of processors: 2 586 0xF0D
18:49:07.734 ComputerName: HOME-PC UserName: bodkins
18:49:11.109 Initialize success
18:49:12.093 AVAST engine defs: 11072101
18:49:28.546 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP2T0L0-5
18:49:28.546 Disk 0 Vendor: WDC_WD10EACS-00D6B1 01.01A01 Size: 953869MB BusType: 3
18:49:28.578 Disk 0 MBR read successfully
18:49:28.578 Disk 0 MBR scan
18:49:28.640 Disk 0 unknown MBR code
18:49:28.640 Disk 0 scanning sectors +1953520065
18:49:28.734 Disk 0 scanning C:\WINDOWS\system32\drivers
18:49:45.218 Service scanning
18:49:47.125 Modules scanning
18:49:51.359 Disk 0 trace - called modules:
18:49:51.375 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll sfsync02.sys atapi.sys pciide.sys PCIIDEX.SYS
18:49:51.375 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8b1b0ab8]
18:49:51.375 3 CLASSPNP.SYS[f7667fd7] → nt!IofCallDriver → \Device\0000009b[0x8b216d38]
18:49:51.375 5 ACPI.sys[f75ae620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP2T0L0-5[0x8b1b2d98]
18:49:51.375 \Driver\atapi[0x8b21ac00] → IRP_MJ_INTERNAL_DEVICE_CONTROL → sfsync02.sys[0xf76388b4]
18:49:52.453 AVAST engine scan C:\WINDOWS
18:50:24.609 AVAST engine scan C:\WINDOWS\system32
18:53:05.187 AVAST engine scan C:\WINDOWS\system32\drivers
18:53:38.750 AVAST engine scan C:\Documents and Settings\HP_Owner
20:39:31.156 AVAST engine scan C:\Documents and Settings\All Users
20:55:50.406 Scan finished successfully
20:56:21.546 Disk 0 MBR has been saved successfully to “G:\MBR.dat”
20:56:21.546 The log file has been saved successfully to “G:\aswMBR.txt”

Thanks
Jim

The rundll32.dll is one that is commonly used in these attempts to connect to malicious URLs.

Whilst there isn’t a 100% detection of an MBR rootkit, there is evidence that the MBR code has been modified (why and by what is the question), in the “18:49:28.640 Disk 0 unknown MBR code” line, so this will require further investigation/action.

This line, could account for the unknown MBR code: “AVAST engine scan C:\Documents and Settings\HP_Owner”

This essentially says that you have an HP system (is this correct?) and if so it may have a unique MBR code to be able to access its recovery console and recovery partition in the event of a problem. So care has to be taken in any advice given or action taken, as that could replace the unique code with a default MBR; this would mean losing access to the HP recovery console/partition to restore to factory settings.

Were there any lines in Red (or other coloured lines) in the log displayed on the screen?

Another analysis tool to run and gather information for a malware removal specialist (when they can take a look at this) to analyse and suggest a fix.

Note: this says attach the file (too big for copy and paste; use the Additional Options in the Reply window to attach the file).
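An added example (not from this thread and not AVAST's code) for weighing the "unknown MBR code" line before anyone reaches for a default-MBR rewrite: it decodes the MBR.dat sector that aswMBR saved, hashes the boot-code region against a baseline and reads the partition table, so non-stock boot code sitting next to an OEM recovery partition is recognised as the vendor-MBR case described above rather than reported as a bare anomaly. The reference hash, the two sample sectors and the partition-type labels are assumptions for the demo; the baseline must be collected from a known-clean disk of the same model.

```python
"""Added triage helper for a saved MBR sector (aswMBR writes one as MBR.dat).

Not part of the original thread. It decodes the sector so an 'unknown MBR
code' finding can be weighed against the partition table: vendor-style boot
code plus an OEM recovery partition is the case where a blanket MBR rewrite
would cost the owner the recovery partition.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 boot code; 440..443 disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type IDs that conventionally mark an OEM recovery/diagnostic
# partition (assumed labels; check against your own disk layout).
OEM_PARTITION_TYPES = {
    0x12: "OEM diagnostics/recovery (Compaq/HP style)",
    0x1C: "hidden FAT32 LBA (often a vendor recovery partition)",
    0x27: "hidden NTFS / Windows recovery",
}

# Placeholder baseline: SHA-256 of the boot-code region of MBRs you trust.
# The value here is constructed for the demo, not a real Windows MBR hash.
REFERENCE_CODE_HASHES = {
    "constructed-baseline": hashlib.sha256(b"\xeb\x3c\x90" + b"\x00" * 437).hexdigest(),
}


def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(sector))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def assess_mbr(sector: bytes, reference_hashes=REFERENCE_CODE_HASHES) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    info = parse_mbr(sector)
    findings = []
    if info["code_sha256"] not in reference_hashes.values():
        findings.append("boot code does not match any reference hash (unknown MBR code)")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["type"] in OEM_PARTITION_TYPES:
            findings.append("partition %d is type 0x%02X (%s): vendor boot code is likely; "
                            "rewriting the MBR may break the recovery partition"
                            % (p["index"], p["type"], OEM_PARTITION_TYPES[p["type"]]))
    # Overlapping entries are a sign of a tampered or corrupt table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition entries overlap (%d-%d vs %d-%d)" % (s1, e1, s2, e2))
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed test sector: given boot code, a fixed disk signature, given entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0xDEADBEEF)
    for i, (active, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if active else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed examples (not the poster's disk): a stock-looking MBR and one with
# vendor-style boot code plus a hidden recovery partition.
STOCK_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 437,
                             [(True, 0x07, 63, 1_000_000)])
VENDOR_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 435,
                              [(True, 0x07, 63, 1_000_000),
                               (False, 0x1C, 1_000_063, 20_000)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else VENDOR_MBR
    for line in assess_mbr(data) or ["no findings"]:
        print(line)
```

Run it with the path to MBR.dat as the only argument; without one it assesses the constructed vendor-style sector. A hash mismatch on its own only says "not in my baseline"; the partition-table context is what separates "OEM MBR, leave it alone" from "investigate further".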

18:49:51.375 \Driver\atapi[0x8b21ac00] → IRP_MJ_INTERNAL_DEVICE_CONTROL → sfsync02.sys[0xf76388b4]
Was in Yellow.

Preparing to run OTS.

Thanks

Yes that is a suspicion and something to be looked at further.

Probably not good that you have it in Yellow in the post as it is almost invisible against the light forum background.

18:49:51.375 \Driver\atapi[0x8b21ac00] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> sfsync02.sys[0xf76388b4]

If you can proceed with running OTS and posting the log we can try to get someone to look at it, but you have to hurry as essexboy who generally looks at these has limited time on the forums; normally around 7pm - 11pm UK time, now 7:45pm in the UK.

That is part of Starforce protection and will always give a suspicious result

Thanks essexboy, for the info and joining the topic.

The file OTS.txt is over 192k and won't attach.

Jim

Upload to Mediafire and post the sharing link please.

http://www.mediafire.com/?uxku761ozpouljv

ignore attachment. (the post attachment - which I removed)

Thanks

On completion of this could you let me know if you still get the alerts

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\] > -> 
YN -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\: "ProxyServer" -> http=127.0.0.1:53111
< HOSTS File > ([2011/05/04 12:25:12 | 000,001,161 | R--- | M] - 32 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\] > -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "net64" -> [C:\WINDOWS\svhoster.exe]
YN -> "netzip" -> [C:\WINDOWS\svzip.exe]
[Files - No Company Name]
NY ->  1488860941.dat -> C:\WINDOWS\System32\1488860941.dat
[Custom Items]
:Files 
C:\WINDOWS\tasks\At*.job
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
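An added example, not part of OTS and not from anyone's post here, showing the kind of checks that pick out the entries in the fix above from a full OTS listing: the loopback ProxyServer (browser traffic forced through a local port), Run values that start programs from the Windows directory root, BHO/toolbar CLSIDs whose class key is already gone, a numeric-named file in System32 with no company name, and At*.job tasks. The sample lines are copied from the fix quoted above plus one constructed benign Run entry (SynTPEnh) as a control; the rules are generic heuristics, not Avast's or OTS's detection logic, and a debugging proxy or a vendor updater can trip the first two.

```python
"""Added triage for OTS-style listing lines (example code, not OTS's own).

Heuristics: a loopback ProxyServer, Run values launching from the Windows
directory root, orphaned BHO/toolbar CLSIDs, numeric-named files in System32
and at.exe-created *.job tasks. Output is a worklist for a human, not a verdict.
"""
import ntpath
import re

RE_PROXY = re.compile(r'"ProxyServer"\s*->\s*(\S+)')
RE_RUN = re.compile(r'"([^"]+)"\s*->\s*\[([^\]]+)\]')
RE_ORPHAN_CLSID = re.compile(
    r'(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}).*Reg Error: Key error')
RE_NO_COMPANY = re.compile(r'^NY\s*->\s*(\S+)\s*->\s*(\S+)')
RE_AT_JOB = re.compile(r'\\tasks\\At\*?\d*\.job', re.IGNORECASE)

LOOPBACK_HOSTS = {"localhost", "::1"}
# Executables that legitimately sit in the Windows directory root on XP (assumed list).
WINDIR_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

# Sample input: lines quoted from the OTS fix in the thread plus one constructed
# benign Run entry (SynTPEnh) as a control. Raw string so backslashes survive.
SAMPLE_LISTING = r"""
YN -> HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\: "ProxyServer" -> http=127.0.0.1:53111
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "net64" -> [C:\WINDOWS\svhoster.exe]
YN -> "netzip" -> [C:\WINDOWS\svzip.exe]
YN -> "SynTPEnh" -> [C:\Program Files\Synaptics\SynTP\SynTPEnh.exe]
NY ->  1488860941.dat -> C:\WINDOWS\System32\1488860941.dat
C:\WINDOWS\tasks\At*.job
"""


def parse_proxy_servers(value: str):
    """'http=127.0.0.1:53111;https=p:8080' or 'p:8080' -> [(scheme, host, port)]."""
    servers = []
    for part in filter(None, value.split(";")):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        servers.append((scheme or "all", host, int(port) if port.isdigit() else None))
    return servers


def is_loopback(host: str) -> bool:
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def triage_listing(text: str):
    """Return a list of {rule, line, detail} dicts, one per suspicious line."""
    findings = []

    def flag(rule, line, detail):
        findings.append({"rule": rule, "line": line, "detail": detail})

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_PROXY.search(line):
            for scheme, host, port in parse_proxy_servers(m.group(1)):
                if is_loopback(host):
                    flag("loopback-proxy", line,
                         f"{scheme} traffic is forced through {host}:{port} on this machine; "
                         "something local is sitting between the browser and the network")
        elif m := RE_RUN.search(line):
            name, path = m.groups()
            base = ntpath.basename(path).lower()
            if ntpath.dirname(path).lower().endswith("\\windows") and base not in WINDIR_ROOT_BINARIES:
                flag("run-from-windir-root", line,
                     f"Run value {name!r} starts {base} from the Windows root; "
                     "installers put programs under Program Files or System32")
        elif m := RE_ORPHAN_CLSID.search(line):
            flag("orphaned-clsid", line,
                 f"{m.group(1)} is registered as a BHO/toolbar but its CLSID key is gone")
        elif m := RE_NO_COMPANY.match(line):
            stem, _ = ntpath.splitext(m.group(1))
            if stem.isdigit() and "system32" in m.group(2).lower():
                flag("numeric-system32-file", line,
                     f"{m.group(1)} has no version info and a numeric name in System32")
        elif RE_AT_JOB.search(line):
            flag("at-scheduled-task", line,
                 "At*.job tasks are created with at.exe; check what each one runs")
    return findings


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Feed it the relevant sections of a full OTS.txt instead of SAMPLE_LISTING to get a first-pass worklist; the control entry shows that a normal Program Files autostart passes through untouched.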

OTS finished its work, rebooted … and I got an alert. :frowning:

This is the log (with the lines for the moved temp files removed)

All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer deleted successfully.
HOSTS file reset successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_USERS\S-1-5-21-2083572570-772297448-3889614674-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net64 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netzip deleted successfully.
[Files - No Company Name]
C:\WINDOWS\System32\1488860941.dat moved successfully.
[Custom Items]
========== FILES ==========
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.
[Empty Temp Folders]

User: Administrator
->Temp folder emptied: 125787 bytes
->Temporary Internet Files folder emptied: 183161 bytes

User: All Users

User: Default User
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 41 bytes

User: HP_Owner
->Temp folder emptied: 5480455087 bytes
->Temporary Internet Files folder emptied: 169198426 bytes
->Java cache emptied: 134150925 bytes
->FireFox cache emptied: 2631041501 bytes
->Google Chrome cache emptied: 63784580 bytes
->Apple Safari cache emptied: 36241408 bytes
->Flash cache emptied: 2516168 bytes

User: jim
->Temp folder emptied: 294313 bytes
->Temporary Internet Files folder emptied: 896712 bytes
->FireFox cache emptied: 8076356 bytes
->Flash cache emptied: 405 bytes

User: LocalService
->Temp folder emptied: 568350 bytes
->Temporary Internet Files folder emptied: 224605 bytes

User: NetworkService
->Temp folder emptied: 147456 bytes
->Temporary Internet Files folder emptied: 277814 bytes

User: postgres
->Temp folder emptied: 81765 bytes
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2318655 bytes
%systemroot%\System32 .tmp files removed: 1599537 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10873887 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15750242 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 8,162.00 mb

[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: HP_Owner
->Flash cache emptied: 0 bytes

User: jim
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: postgres

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07222011_145315

File move failed. C:\WINDOWS\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\vmware-SYSTEM\vmware-usbarb-SYSTEM-8592.log moved successfully.

Registry entries deleted on Reboot…

Ok, now I’m puzzled.

I ran the OTS fix, rebooted, it finished its work, I got a desktop and a mal.url alert.

I put this weasel in hibernation, go to the hardware store, come back, restart and no alerts in over 30 minutes. Which included the use of IE, Opera and Firefox.

As a note - I believe this all started when I foolishly decided to try ad-aware. During that period I was visited three times by a windows security center virus/trojan. Ad-aware was oblivious to it. (At one point I used pidgin for all my chat needs and am convinced that pidgin is typhoid mary. I have since stopped using it).

Ok. Took a break. Came back and was cruising news sites and got a mal.url alert while visiting huffingtonpost using IE 7. Huffingtonpost is a very active site - ads, scripts etc.

I’m tempted to say that this is occurring with less frequency, but I’m just likely to be proven wrong so I won’t. :slight_smile:

The main malware was the Vundo jobs - now history. You may have got the Avast alert as OTS was doing the last part of the temp file removal. Are the alerts as frequent or just on high intensity ad sites?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

downloading mbam now.

The mal.url isn't infrequent. I didn't keep records and the timing is subjective. :frowning:

will report later.

thanks
Jim

Edit:
During install:

I'm getting vbaccelerator errors on an SGrid II control. Run-time error ‘0’
I may not have something involving visual basic installed.

and a runtime error ‘440’ automation error.

During execution:

Run-time error ‘372’

Failed to load control ‘vbalGrid’ from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

Run-time error ‘0’

It didn't run.

I’ll try to find those errors.

Edit 2:

It appears I am missing regsvr32.exe

Edit 3:

I got regsvr32.exe here http://support.microsoft.com/kb/267279

log of mbam run

Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7253

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/23/2011 12:17:57 PM
mbam-log-2011-07-23 (12-17-57).txt

Scan type: Quick scan
Objects scanned: 237610
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{16406580-14ce-4441-b904-ad56cc8064ca} (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe.1 (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Adware.ISTBar) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} (Adware.ISTBar) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa\UpdateWin (Backdoor.Sdbot) → Value: UpdateWin → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\HP_Owner\application data\86855640 (Rogue.Multiple) → Quarantined and deleted successfully.

Files Infected:
c:\icinst.exe (Adware.EShoper) → Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\Desktop\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) → Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) → Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\start menu\Programs\security shield.lnk (Rogue.SecurityShield) → Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\~tmp.html (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\config.cfg (Malware.Trace) → Quarantined and deleted successfully.
c:\Bots.zip (Trojan.Agent) → Quarantined and deleted successfully.
c:\calculator.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\SETUP.EXE (Trojan.Agent) → Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\start menu\xp police antivirus.lnk (Rogue.XPPolice) → Quarantined and deleted successfully.

Notes.

Upon reboot I received a mal.url alert.

I was warned that I had no firewall - even though Comodo was running. The Comodo tray icon indicated it was disabled - the Defense+ setting was disabled. It is now in training mode.

I haven't received another mal.url alert in 15 minutes of surfing using three different browsers.

I’ll update this post later.

Update 1:

as of this edit, no new mal.urls

Update 2:

there is a curse. I no sooner than saved that edit than I got a mal.url. :frowning:

Yep, I will put this on hold until you are happy.

Lower frequency perhaps, but still generating mal.urls