The object is always some variation on ‘dativism.com’. The odd thing is that despite being a url alert it seems to occur when I access the My Computer directory on my machine. I have also had Explorer crash on start-up a few times. Other very odd things have been happening too…
Running scannow might have helped, since my most recent start-up didn’t result in any problems.
Here is my aswMBR result:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-08 19:30:11
19:30:11.546 OS Version: Windows 5.1.2600 Service Pack 3
19:30:11.546 Number of processors: 1 586 0x401
19:30:11.546 ComputerName: CHRISPC UserName: Chris
19:30:12.875 Initialize success
19:30:26.406 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
19:30:26.406 Disk 0 Vendor: HDS722580VLAT20 V32OA69A Size: 76293MB BusType: 3
19:30:26.406 Disk 0 MBR read error 0
19:30:26.406 Disk 0 MBR scan
19:30:26.406 Disk 0 unknown MBR code
19:30:26.406 MBR BIOS signature not found 0
19:30:26.421 Disk 0 scanning sectors +156232125
19:30:26.421 Disk 0 scanning C:\WINDOWS\system32\drivers
19:30:35.734 Service scanning
19:30:37.734 Disk 0 trace - called modules:
19:30:37.765 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys span.sys hal.dll >>UNKNOWN [0x87385944]<<
19:30:37.765 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x873375b0]
19:30:37.765 3 CLASSPNP.SYS[f75d6fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x87306b00]
19:30:37.765 Scan finished successfully
When I try and run OTS Avast wants to start it in the sandbox, and for some reason claims that it’s being opened by C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (I believe this is a system dll, something to do with drive letter access). I did a scan, but no log seemed to have been generated.
I am running XP SP3 on a Dell Dimension. I’ve had this for about five years, and have never encountered any serious problems before (and I’ve never used any antivirus software other than Avast). Recently, though, I have had some memory issues - the machine has been giving me a 1-3-2 beep code on start-up. I resolved this by removing one of the memory cards - whether this is related to my current problems I don’t know, but I thought it best to mention it.
You are right to exercise caution. For the time being I would leave the ones relating to Worm.Alcra in the system32 folder.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken
Only select the other entries that are infected for Removal.
MBAM does not just delete them but sends files to its Quarantine, so there are copies just in case. So run it again, select the other entries I mentioned and click Remove Selected.
Run MBAM again and post the contents.
Interestingly, these memory modules infected don't appear to have been found as files infected.
Memory Modules Infected:
c:\WINDOWS\xtoduig.dll (Trojan.Hiloti) -> No action taken.
Do those files actually exist in the c:\WINDOWS folder?
####
I will try to get a malware removal specialist to check out this problem as we don't want to go messing with the system files without a plan (replacing infected files with clean ones or repairing them).
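The Worm.Alcra entries in the MBAM log above are all `.com` files sitting in SYSTEM32 with the same basename as a real Windows command (cmd, ping, regedit, tasklist, ...). As an added example, not code from the thread or from any of the tools it mentions, the script below checks a directory for that pattern. It relies on one fact about Windows: when a command is typed without an extension, the shell tries the extensions in PATHEXT in order, and `.COM` comes before `.EXE`, so a planted `cmd.com` would be picked ahead of `cmd.exe`. The command list and the stand-in directory are constructed for the example.

```python
"""Added example (not from the thread): flag .com files that shadow
well-known Windows commands, the pattern MBAM reports above as
Worm.Alcra (cmd.com, ping.com, regedit.com ... beside the real .exe).

Windows resolves an extension-less command through PATHEXT, whose
default order puts .COM before .EXE, so a .com twin of a system
command wins the lookup.  None of the commands listed below ship as
.com files, so any match is worth a closer look."""
import os
import tempfile
from pathlib import Path

# Commands that exist only as .exe in the Windows system directory
# (a short, hand-picked list covering the names seen in this thread).
KNOWN_EXE_COMMANDS = {
    "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist",
    "tracert", "ipconfig", "netsh", "sc", "reg", "rundll32",
}


def find_shadowing_com_files(directory):
    """Return the .com filenames in `directory` whose basename matches a
    known command, sorted case-insensitively (NTFS names are
    case-insensitive, so CMD.COM and cmd.com are the same file)."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        stem, ext = os.path.splitext(entry.name)
        if ext.lower() == ".com" and stem.lower() in KNOWN_EXE_COMMANDS:
            hits.append(entry.name)
    return sorted(hits, key=str.lower)


def build_sample_system32():
    """Constructed stand-in for c:\\WINDOWS\\SYSTEM32 so the check runs
    offline: placeholder .exe files, two .com tools that genuinely ship
    with Windows (more.com, edit.com) and the shadow copies named in the
    MBAM log.  File contents are dummies, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="sys32_"))
    genuine = ("cmd.exe", "ping.exe", "regedit.exe", "tasklist.exe",
               "netstat.exe", "tracert.exe", "taskkill.exe",
               "more.com", "edit.com")
    shadows = ("cmd.com", "netstat.com", "ping.com", "regedit.com",
               "taskkill.com", "tasklist.com", "tracert.com")
    for name in genuine + shadows:
        (root / name).write_bytes(b"placeholder, not a real binary")
    return root


if __name__ == "__main__":
    sample = build_sample_system32()
    for name in find_shadowing_com_files(sample):
        print(f"suspicious .com twin of a system command: {name}")
```

Run against a real system directory by passing its path to `find_shadowing_com_files`; the two genuine `.com` tools in the sample are not reported because their basenames are not in the command list, which is the point of matching by name rather than by extension alone.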
Hi, let's check the system first and see what that reveals.
Download OTS to your Desktop and double-click on it to run it
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following:
    Reg - Disabled MS Config Items
    Reg - Drivers32
    Reg - NetSvcs
    Reg - SafeBoot Minimal
    Reg - Shell Spawning
    Evnt - EventViewer Logs (Last 10 Errors)
    File - Lop Check
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.
Thanks essexboy. I ran OTS with the settings you suggested, but this time with Avast disabled (since the first time I tried Avast wanted to open it in the sandbox). The log was slightly too big to attach so you can find it at http://www.mediafire.com/?h9jrlz2u7er5q11.
DavidR - many thanks for your reply, but I’ll wait until essexboy gets back to me before I do anything else.
Oh, and I got an Explorer crash on start-up again. Yuk…
OK, when you reboot after this, let me know if the Explorer problem has gone.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Modules - Safe List]
YY -> epuhibazu.dll -> C:\WINDOWS\epuhibazu.dll
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: SearchURL\\"provider" -> gogl
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Chris\Application Data\Mozilla\FireFox\Profiles\newl0piy.Default User\prefs.js
YN -> network.proxy.type -> 1
YN -> network.proxy.http -> "127.0.0.1"
YN -> network.proxy.http_port -> 81
YN -> network.proxy.socks -> "127.0.0.1"
YN -> network.proxy.socks_port -> 81
YN -> network.proxy.ssl -> "127.0.0.1"
YN -> network.proxy.ssl_port -> 81
YN -> keyword.URL -> "http://home.speedbit.com/search.aspx?aff=106&q="
YN -> browser.startup.homepage -> "http://home.speedbit.com/?aff=105"
< FireFox Extensions [Program Folders] > ->
YY -> Java Console -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
YY -> Java Console -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
< HOSTS File > ([2007/05/12 23:35:48 | 000,000,757 | ---- | M] - 20 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
YN -> Reset Hosts ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {9030D464-4C02-4ABF-8ECC-5164760863C6} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Value error. [Google Toolbar Notifier BHO]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{BA52B914-B692-46c4-B683-905236F6F655}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> WebBrowser\\"{119DBEDA-9C41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YY -> WebBrowser\\"{A58686ED-FC46-44C3-95C6-4A812AB776F1}" [HKLM] -> C:\Program Files\FerretSoft\WebFerret\FerretBand.dll [WebFerret]
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Fvecetuwef" -> C:\WINDOWS\epuhibazu.dll [rundll32.exe "C:\WINDOWS\epuhibazu.dll",Startup]
< Run [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "AV Care" -> [C:\Program Files\AV Care\AVCare.exe]
YY -> "Xxacumusetubetog" -> C:\WINDOWS\xtoduig.dll [rundll32.exe "C:\WINDOWS\xtoduig.dll",Startup]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{119DBEDA-9c41-4F97-94B4-B6BCD01133CF}" [HKLM] -> [Morpheus Toolbar]
YN -> CmdMapping\\"{7A2EFD41-E6B3-11D2-89E3-00E0292EE574}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{7A2EFD41-E6B3-11D2-89E3-00E0292EE575}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY -> Udabadiyuregad.dat -> C:\WINDOWS\Udabadiyuregad.dat
NY -> Qqovezibahaqev.bin -> C:\WINDOWS\Qqovezibahaqev.bin
NY -> rezyn1.job -> C:\WINDOWS\tasks\rezyn1.job
[Files - No Company Name]
NY -> Udabadiyuregad.dat -> C:\WINDOWS\Udabadiyuregad.dat
NY -> Qqovezibahaqev.bin -> C:\WINDOWS\Qqovezibahaqev.bin
NY -> MBR.dat -> C:\Documents and Settings\Chris\Desktop\MBR.dat
[File - Lop Check]
NY -> rezyn1.job -> C:\WINDOWS\Tasks\rezyn1.job
[Alternate Data Streams]
NY -> @Alternate Data Stream - 872 bytes -> C:\Found.009:C2YRDjIZNYSJxfxBnSO
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
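The FireFox Settings block in the fix above resets a `prefs.js` whose proxy entries all point at 127.0.0.1 port 81, with the start page and keyword search redirected to a third-party site. As an added example, not code from the thread or from OTS, here is a read-only Python check for that pattern: it parses the `user_pref("name", value);` lines of a prefs.js, flags manual-proxy settings that route through a loopback address, and lists overridden start page and keyword URL prefs for review. The sample file is constructed from the values the OTS listing shows plus one benign filler line; the severity labels and function names are my own.

```python
"""Added example (not from the thread or from OTS): detect the Firefox
prefs.js proxy hijack shown in the OTS listing above.

prefs.js stores one pref per line as   user_pref("name", value);
network.proxy.type == 1 selects manual proxy configuration; with the
proxy hosts set to 127.0.0.1 every request goes through a local process
first.  browser.startup.homepage and keyword.URL only appear in prefs.js
when they differ from the default, so their presence is reported as
informational, not as proof of tampering."""
import ipaddress
import re

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed prefs.js excerpt: proxy/search values as flagged in the
# OTS listing in this thread, plus a benign cache line that is ignored.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.cache.disk.capacity", 51200);
user_pref("browser.startup.homepage", "http://home.speedbit.com/?aff=105");
user_pref("keyword.URL", "http://home.speedbit.com/search.aspx?aff=106&q=");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 81);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 81);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 81);
user_pref("network.proxy.type", 1);
"""


def parse_prefs(text):
    """Return {pref_name: value}; strings are unquoted, ints and bools typed."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def _is_local_host(host):
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def check_proxy_hijack(prefs):
    """Return (severity, message) pairs: 'high' for a manual proxy routed
    through a loopback address, 'info' for overridden start/search URLs."""
    findings = []
    if prefs.get("network.proxy.type") == 1:  # 1 = manual proxy configuration
        for proto in ("http", "ssl", "socks", "ftp"):
            host = prefs.get(f"network.proxy.{proto}")
            if isinstance(host, str) and _is_local_host(host):
                port = prefs.get(f"network.proxy.{proto}_port", "?")
                findings.append(("high", f"{proto} proxy routed through {host}:{port}"))
    for key in ("browser.startup.homepage", "keyword.URL"):
        if isinstance(prefs.get(key), str):
            findings.append(("info", f"{key} overridden: {prefs[key]}"))
    return findings


def strip_prefs(text, keys):
    """Return the prefs.js text with the named prefs removed, so Firefox
    falls back to its defaults for them.  Firefox rewrites prefs.js when
    it exits, so the browser must be closed before editing the real file."""
    keys = set(keys)
    kept = [line for line in text.splitlines()
            if not ((m := PREF_RE.match(line)) and m.group(1) in keys)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for severity, message in check_proxy_hijack(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"[{severity}] {message}")
```

The 'high' findings are the ones that justify action on their own; a loopback proxy is occasionally legitimate (a local filtering proxy or debugging tool), so confirm what is actually listening on that port before treating it as an infection.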
I applied the fix as you instructed and on reboot (OTS apparently needed to reboot to finish the operation) I didn’t get the Explorer crash. I did, however, get a dialog box headed RUNDLL with the following message:
Error loading C:\WINDOWS\xtoduig.dll
The specified module could not be found.
Indeed, there’s no sign of that dll in the WINDOWS folder.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: SearchURL\\"provider" -> gogl
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > ->
YN -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\: Main\\"Start Page" -> http://home.speedbit.com/?aff=105
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{A58686ED-FC46-44C3-95C6-4A812AB776F1}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\] > -> HKEY_USERS\S-1-5-21-1534998221-2138010193-684253111-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Xxacumusetubetog" -> [rundll32.exe "C:\WINDOWS\xtoduig.dll",Startup]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
I ran the fix, but after setting the restore point the whole system froze. I rebooted the machine manually, and on start-up the log appeared - so I’m assuming the fix was applied correctly. I certainly didn’t see that RUNDLL error - and again no Explorer crash. Oh, and the original ‘Malicious URL’ alert hasn’t reappeared for a while…
Please find the OTS log attached. I also did another quick scan with Malwarebytes, which is still finding some infections. Here’s its latest log:
09/06/2011 23:01:02
mbam-log-2011-06-09 (23-00-38).txt
Scan type: Quick scan
Objects scanned: 206307
Time elapsed: 8 minute(s), 39 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 16
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F919FBD3-A96B-4679-AF26-F551439BB5FD} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AV Care (Rogue.AVCare) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\program files\AV Care (Rogue.AVCare) -> No action taken.
c:\program files\winupdates (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care (Rogue.AVCare) -> No action taken.
Files Infected:
c:\WINDOWS\SYSTEM32\bszip.dll (Worm.P2P) -> No action taken.
c:\documents and settings\Chris\Desktop\AV Care.lnk (Rogue.AVCare) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\netstat.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\ping.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\regedit.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\taskkill.com (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\tasklist.com (Worm.Alcra) -> No action taken.
c:\WINDOWS\SYSTEM32\tracert.com (Worm.Alcra) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\shed\thr1.chm (Malware.Trace) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc45.exe (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc718070656.txt (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\Chris\application data\Adobe\plugs\mmc90.exe (Trojan.Agent.Gen) -> No action taken.
c:\program files\AV Care\avc.ico (Rogue.AVCare) -> No action taken.
c:\program files\AV Care\uninstall.exe (Rogue.AVCare) -> No action taken.
c:\documents and settings\Chris\start menu\Programs\AV Care\AV Care.lnk (Rogue.AVCare) -> No action taken.
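MBAM logs like the one above have a fixed shape: a header, a summary block of `<section> Infected: <count>` lines, then one detail section per category with `item (Threat.Name) -> action` entries. As an added example, not code from the thread or from Malwarebytes, the parser below reads that format, cross-checks the summary counts against the entries actually listed, groups detections by family and lists what is still marked "No action taken", which is what a helper reading such a log wants to know. The embedded log is a constructed excerpt: the entries are taken from the log above, but the counts are trimmed to match the excerpt, and one entry is given a quarantined status to show the difference.

```python
"""Added example (not from the thread or from Malwarebytes): parse the
MBAM scan-log format posted above and summarise it."""
import re
from collections import Counter

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# item (Threat.Name) -> action      greedy item group, so a path may
# itself contain spaces; the threat name is the last parenthesised token.
ENTRY_RE = re.compile(r"^(.*) \(([^()]+)\) -> (.+?)\.?$")

# Constructed excerpt of an MBAM log: entries copied from the log in this
# thread, counts reduced to match, one entry marked as quarantined.
SAMPLE_MBAM_LOG = r"""
09/06/2011 23:01:02
mbam-log-2011-06-09 (23-00-38).txt

Scan type: Quick scan
Objects scanned: 206307
Time elapsed: 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AV Care (Rogue.AVCare) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AV Care (Rogue.AVCare) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\program files\AV Care (Rogue.AVCare) -> No action taken.

Files Infected:
c:\WINDOWS\SYSTEM32\bszip.dll (Worm.P2P) -> No action taken.
c:\WINDOWS\SYSTEM32\cmd.com (Worm.Alcra) -> No action taken.
c:\program files\AV Care\uninstall.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\documents and settings\Chris\Desktop\AV Care.lnk (Rogue.AVCare) -> No action taken.
"""


def parse_mbam_log(text):
    """Return {'header': {...}, 'summary': {section: count},
    'detections': {section: [(item, threat, action), ...]}}."""
    report = {"header": {}, "summary": {}, "detections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            report["summary"][m.group(1)] = int(m.group(2))
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)
            report["detections"].setdefault(section, [])
        elif section and (m := ENTRY_RE.match(line)):
            report["detections"][section].append(m.groups())
        elif section is None and ": " in line:
            key, value = line.split(": ", 1)  # "Scan type: Quick scan" etc.
            report["header"][key] = value
    return report


def check_summary_consistency(report):
    """Sections whose summary count differs from the entries parsed
    (a truncated paste or a parse failure shows up here)."""
    return [s for s, n in report["summary"].items()
            if n != len(report["detections"].get(s, []))]


def group_by_threat(report):
    """Counter of detections per threat family across all sections."""
    return Counter(threat for entries in report["detections"].values()
                   for _, threat, _ in entries)


def pending_actions(report):
    """(section, item, threat) for every entry still marked 'No action taken'."""
    return [(s, item, threat) for s, entries in report["detections"].items()
            for item, threat, action in entries if action == "No action taken"]


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("inconsistent sections:", check_summary_consistency(r))
    print("by family:", dict(group_by_threat(r)))
    for s, item, threat in pending_actions(r):
        print(f"still present: [{s}] {item} ({threat})")
```

Feed `parse_mbam_log` the text of a real `mbam-log-*.txt` to get the same breakdown; a non-empty result from `check_summary_consistency` usually means the log was pasted incompletely rather than that MBAM miscounted.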
OK, all done. MBAM now reports no infections. ;D Will do a full scan with Avast later, just to be on the safe side…
You, sir, are a star. I am so grateful for your help - a million thanks! ;D ;D ;D
Oh, just one last observation - some of my folder options have changed. For instance hidden files and known file extensions are now not shown. Was that the result of some of the OTS fixes?