Hello.
I got a message that Avast has blocked this page: 62.122.73.203/545/getcfg.php.
What is this? Is it a dangerous site?
This is Grum spambot or BlackEnergy DDos bot calling home.
It seems that unfortunately we’re not catching the binary of the malware :-/
What is the process that avast lists as responsible?
(in the popup alert)
Maybe it could be submitted to avast
Aside from the advice/question asked by Scott.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
2. SUPERantispyware (SAS). On-Demand only in free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available, a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.
Now the idea of using these other tools is that hopefully they will find the other spambot; if they do, then what we will try to get you to do is send that file to avast for analysis.
So it is important not to take any action after these scans, but to post their log/report findings so we can advise.
http://img219.imageshack.us/img219/5457/avastzt.jpg
I did a scan. 21 infections.
See attachment.
Thank you!
This is trying to circumvent Windows product activation: c:\WINDOWS\system32\antiwpa.dll, and these are often accompanied by something unwanted.
So if you installed this trying to avoid product activation, you could be inviting along guests.
The (PUM.Disabled.SecurityCenter) Potentially Unwanted Modification (the PUM part) essentially means the registry has been modified to block notification if your firewall, AV or Windows Update are disabled. Essentially these should be reversed, e.g. by running MBAM again and selecting Remove Selected.
The (Malware.Packer) .exe files should be sent to avast, see ~~~~ below.
This is the one that is doing the hiding, a rootkit, c:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent). This one is essential to send to avast as that has been hiding what otherwise might have been detected by avast.
Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...', complete the form and submit; the file will be uploaded during the next update.
Or
Send the sample to virus (at) avast (dot) com, zipped and password protected with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
####
Once you have sent the samples to avast, run MBAM again and this time allow MBAM to deal with the detections (Remove Selected, image1).
Then run an avast scan again and the SAS scan and post the results.
Where is the (Malware.Packer) .exe?
I can’t send c:\WINDOWS\system32\drivers\str.sys to avast. This file is used
@kubecj:
It seems that unfortunately we’re not catching the binary of the malware :-/
Very likely because that link is dead…
Hi ZagubionyPL,
Site should be blocked because of live malware here…
htxp://62.122.73.203/errdiag.php?tm=48
virustotal: http://www.virustotal.com/file-scan/report.html?id=020fa7336a9c46f44be6d0cc5906c935e296bb0cf22ffa47557e73ced26a0a33-1302165627
htxp://62.122.73.203/549.exe
http://www.virustotal.com/file-scan/report.html?id=020fa7336a9c46f44be6d0cc5906c935e296bb0cf22ffa47557e73ced26a0a33-1302165627 detected by avast
htxp://62.122.73.203/547.exe
detected by avast: http://www.virustotal.com/file-scan/report.html?id=bc5c4695c814465317f8d787a72260461f34799be81b2ed22bbcb7f0a3c6ae66-1301042167
hxtp://62.122.73.203/546.exe
detected by avast: http://www.virustotal.com/file-scan/report.html?id=901d7c79293ff22ec06087e1c1ff786a9787bed9f4354e268310792530ead824-1301136757
hxtp://62.122.73.203/
NOT detected by avast, Trojan-Dropper.Win32.Mudrop.as RSS-feed
Good write up about RSS feed malware hacks: http://it.toolbox.com/blogs/managing-infosec/hacking-rssatom-feeds-malware-delivery-from-a-trusted-connection-15638 (author article: Dan Morril, source: http://it.toolbox.com/people/rmorril/)
Removal instructions for
Use Task Manager to terminate the Trojan processes
Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
Delete the following files:
%WinDir%\svchost.exe
C:\pass.bin
%Temp%\patch.exe
Update your antivirus databases and perform a full scan of the computer.
http://www.virustotal.com/file-scan/report.html?id=f2dcc96deec8bca2facba9ad0db55c89f3c4937cd6d2d28e5c4869216ffa81cf-1302188529
htxp://62.122.73.203/548.exe Is this the one you got?
detected by avast: http://www.virustotal.com/file-scan/report.html?id=aa0f1e1db158089dabd63e2930da296322a42bb3d94c54e4732504bd3b627750-1300916628
Norton Safe Web also flags this threat on that Ukrainian site:
Threatname W32.Pilleuz alias has Win32:Kryptik-ARJ (avast name)
Filename: c:\nismanager\data\89f195c0-8848-4a37-89e2-f6653f905cb7_546564411\548.exe
Location: htxp://62.122.73.203/548.exe
Apart from the Trojan-Dropper, avast detects all live malware there, as far as I can establish via Clean MX data.
regards,
polonus
Hi ZagubionyPL,
As you report str.sys, you might have a rootkit infection and you could need a malware cleansing routine from essexboy.
I will inform him; wait for his instructions.
regards,
polonus
Hi - let's see what you have first.
Download aswMBR.exe (511KB) to your desktop.
Double click the aswMBR.exe to run it.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the “Scan” button to start the scan.
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan click Save log, save it to your desktop and post it in your next reply.
THEN
Download OTS to your Desktop and double-click on it to run it.
- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
That is normally a hidden folder so you need to display hidden files and folders.
- Ensure that you have hidden files and folders enabled and disable "hide system files" in Windows Explorer: Tools, Folder Options, Hidden files and folders; uncheck "Hide extensions for known file types", etc. See image.
I restarted the computer and the file ‘str.sys’ disappeared :o
Hello. Can we talk here in a language other than English?
I don’t understand what I do with it?
I don’t know, probably not.
aswMBR scan:
Hi ZagubionyPL,
This is mainly an English speaking forum, but I just wanted to be friendly.
There is an International board, but there does not exist a Child Board “po polsku”.
You say str.sys was not found (meaning it became hidden again):
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) → Delete on reboot.
Do you see any other suspicious files, like for instance C:\WINDOWS\system32\drivers\akjeegljvlv.sys
(could be another combination of random letters before .sys), or can this file be opened? C:\WINDOWS\system32\drivers\sptd.sys
That should establish whether you have Rootkit.Agent.
Scan these specific files:
C:\Windows\System32
&
C:\Program Files\Common Files
&
C:\Documents and Settings
Do a full scan with Sophos Anti Rootkit scanner from here:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/
Version 1.5.4
MD5 Checksum:
3f31b720e715a52950deb2cd9ef76d68
And give us a log txt attached to your next posting, and also follow essexboy’s instructions.
polonus
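A small triage helper covering two things asked for in this thread: checking the file paths named in the removal instructions above (including the str.sys rootkit driver) and reporting their hashes for submission, and verifying a downloaded tool such as Sophos Anti-Rootkit against its published MD5. This is an added example, not the forum's or any vendor's code; the path list is constructed from the posts, and %VAR% expansion is emulated so it also runs from a non-Windows rescue environment.

```python
import hashlib
import os
import re
import stat
from pathlib import Path

# Constructed list of the file paths named in the thread (removal instructions
# and the str.sys rootkit driver); not an exhaustive indicator set.
SUSPECT_PATHS = [
    r"%WinDir%\svchost.exe",                # real svchost.exe lives in %WinDir%\System32
    r"C:\pass.bin",
    r"%Temp%\patch.exe",
    r"%WinDir%\system32\drivers\str.sys",
]

def expand_windows_vars(path, env=None):
    """Expand %VAR% placeholders case-insensitively, as cmd.exe does."""
    source = env if env is not None else os.environ
    lookup = {k.lower(): v for k, v in source.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def digest_bytes(data):
    """Return (md5, sha256) hex digests; MD5 is what vendor checksum pages usually list."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

def digest_file(path):
    return digest_bytes(Path(path).read_bytes())

def is_hidden(path):
    """Windows hidden attribute when available; dotfile convention elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return Path(path).name.startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def triage(paths=SUSPECT_PATHS, env=None):
    """Map each existing suspect path to (hidden?, md5, sha256) for a submission log."""
    found = {}
    for p in paths:
        full = expand_windows_vars(p, env)
        if os.path.isfile(full):
            found[full] = (is_hidden(full), *digest_file(full))
    return found

def verify_download(path, expected_md5):
    """True when a downloaded tool's MD5 equals the checksum published for it."""
    return digest_file(path)[0] == expected_md5.strip().lower()

if __name__ == "__main__":
    for full, (hidden, md5, sha256) in triage().items():
        print(f"{full}  hidden={hidden}  md5={md5}  sha256={sha256}")
```

A file that only appears after the rootkit driver is removed, or that shows as hidden here but not in Explorer, is worth submitting to avast as described earlier in the thread.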
Hi.
Are you sure? I don’t see this file. Maybe it has been deleted by Malwarebytes Anti-Malware?
I don’t see it.
I did a scan, but did not get the log in the form of a txt file. Sophos Anti-Rootkit has detected 1 file - photo in .jpg.