New virus schannel32.exe....need help removing

Hi
I need some help with this malware…
I’ve been getting messages from avast about it: “ding!ding! ding!..Threat Detected!!!”

Infection Details

URL: 91.217.153.48/where/mJKV_1IbPEOfcbQTfPId…
Process: file://C:\WINDOWS\system32\schannel32.ex…
Infection: url:Mal

every couple of minutes but avast cannot remove it. I did a quick, full, and boot-scan with avast and avast has not removed it from my system. Tried using MBAM and it keeps finding bad files…quarantines them but they keep coming back.

Also did a VirusTotal scan and it came up with this:

http://www.virustotal.com/file-scan/report.html?id=d25774b876df0f17c7766f5da9fe07cf689c3c0278a1ddb4a366452b625e3ce6-1313770375

File name: schannel32.exe
Submission date: 2011-08-19 16:12:55 (UTC)
Current status: finished
Result: 3/ 44 (6.8%)

Here is the latest MBAM scan log:
Malwarebytes’ Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7445

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/19/2011 8:23:03 AM
mbam-log-2011-08-19 (08-23-03).txt

Scan type: Quick scan
Objects scanned: 149418
Time elapsed: 13 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\localservice\application data\02000000f1ccc7e81406c.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406o.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406p.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406s.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406c.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406o.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406p.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406s.manifest (Malware.Trace) → Quarantined and deleted successfully.

I also noticed it creates a Google redirect virus/file on Firefox and IE, under Add-ons as Xul Cache 1.0 and BulletStorm respectively.

Looks like a company called People Can Fly created it.

Please research this and help me remove it from my computer…thank you for reading this.
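An added illustration, not from the thread or from Malwarebytes: every line in the "Files Infected" block above reports "Quarantined and deleted successfully", yet the poster says the files keep coming back. One way to make that visible is to parse the block from two successive MBAM logs and list what reappeared, and to group detections by file name, since the same four names sitting under LocalService's Application Data and under system32 point at a single component writing them. The first log below is the one quoted above; the second run is constructed for the example and is not from the thread.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the "Files Infected" block from the MBAM log quoted above.
FIRST_RUN = r"""
Files Infected:
c:\documents and settings\localservice\application data\02000000f1ccc7e81406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\02000000f1ccc7e81406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Constructed follow-up run (not from the thread): the four system32 copies are back.
SECOND_RUN = r"""
Memory Processes Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\02000000f1ccc7e81406c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\02000000f1ccc7e81406s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "<path> (<detection name>) -> <action>"; the arrow shows up as "->" or "→" in copies of the log.
DETECTION_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) \((?P<name>[^)]+)\) (?:->|→) ", re.I)


def parse_mbam_files(log_text: str) -> Dict[str, str]:
    """Return {lower-cased path: detection name} for the 'Files Infected:' block only."""
    found: Dict[str, str] = {}
    in_files_block = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):          # section header such as "Files Infected:"
            in_files_block = line.startswith("Files")
            continue
        if in_files_block:
            m = DETECTION_RE.match(line)
            if m:
                found[m.group("path").lower()] = m.group("name")
    return found


def recurring(first: Dict[str, str], second: Dict[str, str]) -> List[str]:
    """Paths quarantined in the first run that were detected again in the second."""
    return sorted(set(first) & set(second))


def same_name_many_places(detections: Dict[str, str]) -> Dict[str, List[str]]:
    """Group paths by file name; one name dropped into several directories usually means one writer."""
    by_name = defaultdict(list)
    for path in detections:
        by_name[path.rsplit("\\", 1)[-1]].append(path)
    return {name: sorted(paths) for name, paths in by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    first, second = parse_mbam_files(FIRST_RUN), parse_mbam_files(SECOND_RUN)
    for path in recurring(first, second):
        print("re-created after quarantine:", path)
    for name, paths in same_name_many_places(first).items():
        print(name, "->", len(paths), "locations")
```

If the same paths return after a reboot, the scanner is removing a symptom and something still running (a service, a Run entry, an AppInit DLL) is re-creating them; that is what the OTL step in this thread goes looking for.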

Seen another instance of this today, though it is a different file that is being used to try and connect to that malicious site. The IP address is in the Ukraine.

See image3 and this earlier post I made about this, http://forum.avast.com/index.php?topic=83343.msg679254#msg679254.

There may well be a rootkit involved in this URL:MAL alert.

You can check if you have an MBR rootkit using this tool:

OK…did the scan.
Here are the results:
aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-19 12:30:46

12:30:46.406 OS Version: Windows 5.1.2600 Service Pack 3
12:30:46.406 Number of processors: 2 586 0xF0D
12:30:46.406 ComputerName: OWNER-40ED09E46 UserName: OWNER
12:30:52.984 Initialize success
12:30:54.781 AVAST engine defs: 11081900
12:31:02.640 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP1T0L0-e
12:31:02.656 Disk 0 Vendor: WDC_WD2500BEKT-00A25T0 01.01A01 Size: 238475MB BusType: 3
12:31:04.734 Disk 0 MBR read successfully
12:31:04.734 Disk 0 MBR scan
12:31:04.750 Disk 0 Windows XP default MBR code
12:31:04.765 Disk 0 scanning sectors +488376000
12:31:04.843 Disk 0 scanning C:\WINDOWS\system32\drivers
12:31:23.625 Service scanning
12:31:26.375 Modules scanning
12:31:36.843 Disk 0 trace - called modules:
12:31:36.859
12:31:39.093 AVAST engine scan C:\WINDOWS
12:31:51.062 AVAST engine scan C:\WINDOWS\system32
12:34:56.453 AVAST engine scan C:\WINDOWS\system32\drivers
12:35:47.531 AVAST engine scan C:\Documents and Settings\OWNER
12:49:53.656 AVAST engine scan C:\Documents and Settings\All Users
12:56:49.109 Scan finished successfully
13:01:53.218 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\OWNER\My Documents\Downloads\tdsskiller\MBR.dat”
13:01:53.250 The log file has been saved successfully to “C:\Documents and Settings\OWNER\My Documents\Downloads\tdsskiller\aswMBR.txt”

OK, the next stage is to check the system files.

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs.

Thanks for joining the topic essexboy.

I think we are going to be seeing more of this as this is the second instance I have seen today.

Something new for me to find… Keeps the old grey matter ticking over ;D

hi guys,
While I was waiting for your reply I searched google regarding audiosrv32.exe…which is another file that was also in task manager (that I could not delete) and came from the same malware-from: people can fly. I looked in avast virus chest and noticed it was placed there by avast in previous scans on july 14, july 18 and august 15 in 2011. But this time with schannel32.exe…Avast did not know it was a virus and audiosrv.exe got thru your scans and stayed a system file on my computer.

So, could schannel32.exe be some sort of masking program to help hide audiosrv32.exe from antivirus scans and continue to stay on an infected computer?

I also typed in schannel32 to google and only came up with prevx.com webaddress that wanted me to download their software…Is PREVX.com a legitimate site for antivirus software or is it a scam site?

Hi boggled1,

The worm you have there is a Slenfbot variant and essexboy will help you get rid of it; you probably got it from getting a keygen somewhere. Additionally, you could also have a form of the Google redirect malware. Your Java could also be outdated. Follow essexboy’s instructions to the dot.

polonus

If you give me the OTL log I will remove it and its associated files

Hi, it seems I also have the same problem.

I did the OTL scans and was wondering what I should do next.

dorkyboy, you should really start your own thread - however:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
PRC - [2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) -- C:\ProgramData\DeviceMetadataParsers32.exe
PRC - [2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.exe
SRV - [2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) [Auto | Running] -- C:\ProgramData\DeviceMetadataParsers32.exe -- (SampleCollector32) Intel(R)
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 41 B4 18 06 90 AC 45 AD FB 5C 5C 15 C0 12 97 [binary data]
IE - HKU\S-1-5-21-890508536-2974132032-3903241618-1000\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 41 B4 18 06 90 AC 45 AD FB 5C 5C 15 C0 12 97 [binary data]
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 41 B4 18 06 90 AC 45 AD FB 5C 5C 15 C0 12 97 [binary data]
IE - HKU\S-1-5-21-890508536-2974132032-3903241618-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53657
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53657
FF - prefs.js..network.proxy.type: 1
O2 - BHO: (no name) - {18B44198-9006-45AC-ADFB-5C5C15C01297} - File not found
O2 - BHO: (no name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {872b5b88-9db5-4310-bdd0-ac189557e5f5} - No CLSID value found.
O4 - HKLM..\Run: [conhost] File not found
O20 - AppInit_DLLs: (C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll) - C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll (People Can Fly)
[2011/08/20 23:05:56 | 000,713,728 | ---- | C] (People Can Fly) -- C:\ProgramData\DeviceMetadataParsers32.exe
[2011/08/20 21:49:46 | 000,713,728 | ---- | C] (People Can Fly) -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.exe
[2011/08/20 21:49:46 | 000,156,160 | ---- | C] (People Can Fly) -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll
[2011/08/20 21:49:46 | 000,156,160 | ---- | M] (People Can Fly) -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll
[2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) -- C:\ProgramData\DeviceMetadataParsers32.exe
[2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) -- C:\ProgramData\api-ms-win-core-fibers-l1-1-032.exe

:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-890508536-2974132032-3903241618-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
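An added triage example, not from the thread and not part of the OTL tool: the fix list in the post above carries several indicators worth recognising in any OTL or HijackThis-style log. The Python below parses lines in the quoted format and flags a browser proxy pointed at 127.0.0.1 (traffic relayed through a local process), a process and service image running from C:\ProgramData, an AppInit_DLLs entry outside the Windows directory, and a BHO whose file is missing. It also decodes the sixteen bytes of XMLHTTP_UUID_Default as a little-endian GUID, which turns "98 41 B4 18 06 90 AC 45 ..." into {18B44198-9006-45AC-ADFB-5C5C15C01297}, the same CLSID as the orphaned BHO in the list. The sample input is a subset of the lines quoted above; the finding names and the helper functions are my own.

```python
import re
import uuid
from typing import Dict, List

# Constructed sample input: a subset of the OTL lines quoted in the post above
# (the binary registry value, the proxy settings, the orphaned BHO and the
# AppInit_DLLs entry). Real OTL output has many more lines in the same format.
SAMPLE_OTL = r"""
PRC - [2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) -- C:\ProgramData\DeviceMetadataParsers32.exe
SRV - [2011/08/20 21:49:33 | 000,713,728 | ---- | M] (People Can Fly) [Auto | Running] -- C:\ProgramData\DeviceMetadataParsers32.exe -- (SampleCollector32)
IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 98 41 B4 18 06 90 AC 45 AD FB 5C 5C 15 C0 12 97 [binary data]
IE - HKU\S-1-5-21-890508536-2974132032-3903241618-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53657
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 53657
O2 - BHO: (no name) - {18B44198-9006-45AC-ADFB-5C5C15C01297} - File not found
O4 - HKLM..\Run: [conhost] File not found
O20 - AppInit_DLLs: (C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll) - C:\ProgramData\api-ms-win-core-fibers-l1-1-032.dll (People Can Fly)
"""

# A browser proxy that points at the local machine, in the IE registry form or the
# Firefox prefs.js form: the browser's traffic is being relayed through a process on the box.
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*\S*127\.0\.0\.1:\d+|network\.proxy\.http:\s*"127\.0\.0\.1"')
# Running process (PRC) and service (SRV) lines carry " -- <image path>".
PROCESS_RE = re.compile(r'^(?:PRC|SRV) - .*? -- (\S+\.exe)', re.I)
# AppInit_DLLs is loaded into every user-mode process that links user32.dll.
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: .*? - (\S+\.dll)', re.I)
# A BHO registered under a CLSID whose file is gone (or was never there).
ORPHAN_BHO_RE = re.compile(r'^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - File not found')
# Sixteen hex bytes of a REG_BINARY value, as OTL prints them.
XMLHTTP_RE = re.compile(r'XMLHTTP_UUID_Default = ((?:[0-9A-F]{2} ){15}[0-9A-F]{2}) \[binary data\]')
WINDOWS_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.I)


def guid_from_reg_binary(hex_bytes: str) -> str:
    """Decode a 16-byte REG_BINARY dump into the registry-style GUID string.

    Windows stores the first three GUID fields little-endian, which is why
    '98 41 B4 18 06 90 AC 45 ...' reads as {18B44198-9006-45AC-...} once decoded.
    """
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    return "{" + str(uuid.UUID(bytes_le=raw)).upper() + "}"


def triage(otl_text: str) -> List[Dict[str, str]]:
    """Scan OTL-format lines and return a list of findings (kind plus the offending line)."""
    findings: List[Dict[str, str]] = []
    orphan_bhos = set()
    uuid_values = []  # (decoded GUID, line) pairs, correlated after the first pass
    for line in otl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PROXY_RE.search(line):
            findings.append({"kind": "localhost_proxy", "line": line})
        m = PROCESS_RE.match(line)
        if m and m.group(1).lower().startswith("c:\\programdata\\"):
            findings.append({"kind": "programdata_executable", "path": m.group(1), "line": line})
        m = APPINIT_RE.match(line)
        if m and not WINDOWS_DIR_RE.match(m.group(1)):
            findings.append({"kind": "appinit_dll_outside_windows", "path": m.group(1), "line": line})
        m = ORPHAN_BHO_RE.match(line)
        if m:
            clsid = m.group(1).upper()
            orphan_bhos.add(clsid)
            findings.append({"kind": "orphan_bho", "clsid": clsid, "line": line})
        m = XMLHTTP_RE.search(line)
        if m:
            uuid_values.append((guid_from_reg_binary(m.group(1)), line))
    # Second pass: a binary value that decodes to an orphaned BHO's CLSID ties the
    # two registry artifacts to the same component.
    for guid, line in uuid_values:
        if guid in orphan_bhos:
            findings.append({"kind": "xmlhttp_uuid_matches_bho", "clsid": guid, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f['kind']:<30} {f['line'][:90]}")
```

The localhost proxy is the finding to act on first: until the service that listens on that port is gone, every browser request is passing through it, and the notifications the next reply describes are what that looks like from the outside.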

I have done what you told me and have the new logs.

The problem looks like it is still there. I’m still getting notifications of a tracur trojan being blocked every fifteen minutes.

Sorry about not making my own thread, I searched around the net to find problems similar to mine and decided to make a post. I really do appreciate the help.

Edit: Ok, new problem. Now my computer says that my version of windows is not genuine.

I’m thinking of reformatting my computer if that will fix the problem.

Could you rerun the fix, as it did not appear to take; the service is still there.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Sorry, I decided to reformat my computer. Just thought it might have been easier and quicker that way.

Thank you for time and help.

No problem - enjoy ;D