hxxp://www.viralvideos.org/

This computer that I am posting from is normally only used to stream local TV through a tuner card. The computer has updated successfully when taken to the web via 3G vodem – Vodafone removable 3G modem. I haven’t checked the sequencing to the updating instances - how soon, which apps, how vulnerable, and so on.

I think I am too busy and my first thought is to run a full clean out of anything not absolutely needed. In case of any infection. For now, I have posted the computer’s hijackthis log at the end of the post.

I was attempting to send off a quick message email to my daughter via facebook email service. I typed the url hxxp://www.facebook.com into the address bar. I was taken to hxxp://www.viralvideos.org/.

Here is the log entry in my event viewer – Sign of “HTML:Iframe-inf” has been found in “hxxp://www.viralvideos.org/” file.

Here is the hijackthis log. I was thinking of clearing out the extra button, but haven’t had a real close look yet.

Hi mkis, no logfile attached to this.

Sorry about that. Rush, rush, rush.

Here is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:27 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\PhoneConnectorVMC.exe
F:\vmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU..\Run: [ISUSPM] “C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe” -scheduler
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [Advanced SystemCare 3] “C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe” /startup
O4 - HKCU..\Run: [SmartRAM] “C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe” /m
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://oracle-events.webex.com/client/T26L/event/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip..{71B0F4A6-552A-4146-BF7C-915313FAADDE}: NameServer = 202.73.198.16 202.73.206.16
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 6116 bytes
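A small triage helper, added here as an example (it is not part of this thread, of HijackThis or of the HijackThis.de analyser), that parses the R/O lines of a log in the format above and notes which O4/O23 binaries sit outside the usual program folders and whether the O17 name servers match an expected list; the sample lines, the Temp-folder entry and the 192.0.2.x addresses are constructed, and the expected folders and name servers are assumptions. It only points at entries worth researching; it does not "fix" anything.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 line format, modelled on the O4/O17/O23
# entries in the log above; the Temp-folder entry and the 192.0.2.x servers
# are invented for the example, not taken from that log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\Kid\Local Settings\Temp\upd.exe" /s
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.10 192.0.2.11
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Folders an autostart or service binary is normally expected to live under
# (assumption for this example; adjust for the machine being reviewed).
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Name servers the machine should be using, e.g. the ISP's (assumed; these are
# the two addresses shown in the O17 line of the log above).
EXPECTED_DNS = {"202.73.198.16", "202.73.206.16"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)

@dataclass
class Entry:
    section: str
    body: str
    notes: list = field(default_factory=list)

def parse_hjt(text):
    """Return one Entry per R/O line; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries

def triage(entries, roots=EXPECTED_ROOTS, dns=EXPECTED_DNS):
    """Attach a note to entries that deserve research before anyone clicks Fix."""
    for e in entries:
        if e.section in ("O4", "O23"):
            p = PATH_RE.search(e.body)
            if p and not p["path"].lower().startswith(roots):
                e.notes.append("binary outside expected program folders: " + p["path"])
        elif e.section == "O17" and "NameServer = " in e.body:
            servers = set(e.body.split("NameServer = ", 1)[1].split())
            unexpected = servers - dns
            if unexpected:
                e.notes.append("name servers differ from expected: " + " ".join(sorted(unexpected)))
    return [e for e in entries if e.notes]

if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.section, "-", e.body, "\n   ->", "; ".join(e.notes))
```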


A nice HJT log with one exception:

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend that you use a firewall.


I’m curious as to the apparent website redirect. You typed one thing and ended up somewhere else.
The event log viewer appears to be showing a malicious (or potentially malicious) item blocked from downloading; probably no worries there, the webshield did its job.
I didn’t spot anything malicious in the HJT log either, but then, I’m not formally trained in reading them.
@Charleyo did you analyse that, or use an automated analysis? (Just the way your post reads…seems 3rd party-ish.)

mkis Have you had any other web redirects? If you try typing in the facebook url, does it happen again?
I’d get a second opinion, from a scanner often used by members here (there and everywhere…)
MBAM http://www.malwarebytes.org/mbam.php is a very capable demand scanner, download, install, update, run a scan. See if it finds anything. Another excellent scanner is Superantispyware.
Both can be run while Avast is active.

I definitely would not rush in and “fix” anything reported in that HJT log, “extra” items or not. You could disable something that might be important.

Hi there CharleyO. Thanks for the response. I use Windows firewall and Defender with trouble-free updating up to present. :slight_smile:

Hi Tarq57
I also wonder about the website redirect. I do understand that my computer may have instigated the redirect. So there is that to consider. Perhaps a link to malware on facebook may have prompted malware on my computer to interrupt command-line. As an example. I’m not too sure myself. I have tried the facebook url again and the link has run what is the normal routine each time.

I think I will run mbam and SAS to get a second look. No, I won’t bother to “fix”. I don’t think there is much left to work with let alone fix anyway (but maybe). Appreciate the response. I will post further developments to the event on this thread.

I was a bit slow-thinking when alert was sounded. Avast detection came up but no capture option as malware was off my browser (I guess). I closed Avast screen and searched for the website or malware name which I found in the event viewer. I ran a quick internal search for further instances, then posted the event to Avast support forum.

My first instinct is normally to cleanse out infection and delete any instances from my system (after a check in the chest that they are odd-ball files). Then turn off System Restore, run a fresh install of Avast at the command line in Safe mode, followed by normal boot, link to internet and check for updates. Run a thorough scan in Graphic mode if wanted. Then optimize and turn System Restore back on. I delete infected files. I cleanse operating systems and load antivirus for a database of clients, so to delete excess files is the most convenient option that my schedule will allow. And saves me from clients activating them accidentally.

Nonetheless, I now think I will need to devise a better default defence combo for my clients due to the current large volume and assortment of variants currently in the bitstream, or should that be the byte-stream. I am doing okay working out this new defence combo as I go, and any advice is always welcomed. Part of the work now involves turning malware over to the people who understand the capability of the malware instance, so I am also working on routines to do that. As much as time will allow anyway. I dealt to countless detections last winter (New Zealand, May to October) and I ran a standard default defence of Avast Home with Windows firewall and Windows auto updating, which proved mostly sufficient (with special directions for the kids, who surprised me with their restraint from upsetting the defence status quo, despite going hammer and tongs on the internet).

But previous practice is not sufficient anymore, despite improvement in Windows defensive pattern and practice. This virus attack is a prime example.

The only recommendation I’d make is based on your security protocol, which is pretty sound but with one significant shortfall; if you delete any detection, and it turned out to be a FP, you’re minus a maybe important file. There are reports of folk being unable to boot following this sort of thing. Bit unlucky, but it can and does happen.
Always quarantine. The file can be deleted a week or two later when all remains well.

Yes I am bringing myself around to using quarantine, though I’m still not used to having live malware located on my hard drive even if it is in the chest. I think we have been lucky with our antivirus up until now - most of the regulars have kids so a computer down can mean disaster, and there hasn’t been a lot of downtime.

How long can this realistically last? Things have changed a bit now. I’m noticing a lot more activity in spyware and tracking cookies this year. I ran mbam on the PC for a clean sheet and SAS for 5 instances of tracker cookies, mainly from my usual haunts, advertising from the two local newspapers, a media network, from MSN, and from another source that I haven’t followed up yet. Not too bad. I’m frequently coming across these cookies nowadays even with defence against malware in place. I’ve got an infected PC meant to be coming in later today, maybe tomorrow, so we will see what comes of that. Thanks for the support. :slight_smile:

mkis

The chest can’t be accessed from outside applications. Yes, you can look in the chest with Windows Explorer, but you won’t find the same file name of the malware in there as all names are changed, so an outside application can’t know what the file is to even try to run it.

All files in the chest are also encrypted, another level of protection, so files quarantined in the chest can do no harm.

Tracking cookies are a minor issue and not a security one, it is just that some anti-spyware make a big deal about announcing they found something. I have the tracking cookies check disabled in the SAS settings, a waste of time. Don’t allow/accept third party cookies (those not originating at the site you are visiting) in your browser security settings and periodically clear all cookies.

Thanks DavidR

Yes, I try to keep my browser very standard without third party and I clean the internet cache regularly. I thought perhaps the computer was carrying something but nothing untoward has come up in tests. That’s my second bad iframe this month, the first one in an email. Obviously, once on the internet, a computer without malware protection and program updates will quickly become infected.

A good idea, if you don’t do this already, is to make sure any kids using the computer do so from a standard user account, not an admin account. Password protect the admin account. If they are determined, they can get around that, but it then becomes a socio-behavioural issue, rather than purely a security one.

You’re welcome.

Good advice from Tarq57, where possible only limited accounts for children or those incapable of acting responsibly, wow that could be a big list ;D

The cookies are actually separate from the browser cache so you should ensure they are included in your clean-ups.


Hi Tarq -

Sorry for the delay. Yes, I did use an analyser for part of it. But, I also research some items when I do not think they are correct. It is always possible that I missed something. Did you see something I missed?


No. Heck no. My ability with this fella is knowing the more common entries, and googling anything else. Some of the sections I don’t know enough about to have much idea at all.
I just noticed your report style…“we detected etc”.
Does that come from the TM site?


It’s from the HijackThis.de Security site. I used to change it a bit so that it did not say “we” but I decided that it did not matter much. So, now that part is a copy & paste. When I read the analysis, I sometimes find entries that are marked questionable but research proves them good entries. And, once in a while, I find an entry rated as good that is actually bad. That does not happen often and I do a lot of research on such an entry before I will say it is bad. Nine times out of 10, research proves the analysis to be correct. Like anything else, though, nothing is perfect. Least of all, me. :wink: (which is why I do so much research)


Good for you, and thanks.
I usually do a lot of Googling before venturing an opinion on these, and would generally rather leave it to the experts, unless something leaps out. Like two AV’s, or an out of date Java etc.

Howdy. Sorry for delay. Thanks for responses. Yeah kids can be a problem over and above any tech shortcomings. I recall early days when the defence worry was kids turning off the firewall so they could download files easily (then turn it back on after the session). I think the best option is provided when the oldest child is mature enough to administrate, after which, the user base begins to fall into a group practice. And granted that battles within communication channels are commonly evident even amongst home users and home networks.

I have noted that kids often, for one reason or another, got over deviant practices. And I have been surprised at times with their willingness to stick with the devised roadmap while still pursuing their own avenues of engagement with the web. In one case, where I noted strong adherence to the devised plan, the parent provided the group with cd/dvds of good programs (games). The disks supplied links to the web for updates and guidance that generally cultivated good practice. The load of good software on the default platform often allowed a user to run off reasonably at will without undermining other users’ activities, or group usage as a whole.

Of course, the defence plan is crucial to all of this.

Meant to have infected PC dropped off for checkup, but so far not turned up. So very quiet round here at the moment. And yet I feel there is lots of virus about. Perhaps because of the recession people do not put the PC so high on the priority list and over time the ambivalence feeds through to PC security.