Hi,
Yesterday my computer crashed twice while I was in Hotmail, so today I ran an Avast Home virus scan on it. The result, virus found: Win32:Trojan-gen {other}. Infected file: wsrdw.exe. Original location: C:\users\Ray\AppData\Local\Temp\Low\Google. The infected file was successfully moved into the Virus Chest. I then ran a new scan, this time in thorough mode, a scheduled boot scan, and a Windows Defender spyware scan. All of these were clean.
Now my virus file sits in the Chest with a skull and crossbones, and I have no clue how my sensitive data may have been compromised, or whether this is one of those false alarms.
I would appreciate it if someone more knowledgeable enlightened me: should I just continue as before with my banking etc., or should I run System Restore or even install the whole operating system anew from the DVD?
I am also baffled by the fact that I am running Avast Resident Protection. Why did it not detect the virus?
Thanks for your advice.
I searched this file on Google and it appears to be a keylogger.
Trojan-Keylogger.WIN32.Fung
Download and run HijackThis, then post a log here.
This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586
Thank you for your advice Jtaylor83 and Tech.
I have now run HijackThis on my computer and the resulting log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:33 p.m., on 20/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\PROGRA~1\MICROS~2\WkDStore.exe
C:\PROGRA~1\MICROS~2\wkgdcach.exe
C:\PROGRA~1\MICROS~2\WksWP.exe
C:\PROGRA~1\MICROS~2\WksWP.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cndt
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_nz&c=83&bd=Presario&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-NZ\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6558 bytes
This is all Greek to me, and your further assistance is duly appreciated. Thank you.
I don’t see anything obvious in your log.
However, you don't appear to have an active firewall, or the outbound protection in the Vista firewall is still disabled. Even when enabled it is rules based: you have to set the rules yourself, and it isn't very friendly.
Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
Your Java is way out of date and so too is Acrobat PDF Reader.
Ensure you have the latest version of the JRE (Java Runtime Environment), because older versions can be vulnerable to malware. First remove all older versions from Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 10 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html
A visit to this site would be well worthwhile: http://secunia.com/software_inspector/ checks for installed software that requires security updates.
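Added example, not part of the thread and not code from HijackThis or avast: a small Python triage pass over the O2/O4/O23 lines of a HijackThis log, the kind of mechanical first look DavidR did by eye above. It extracts the image path from each Run-key value (quoted, with arguments, or a bare filename), and flags the things a reviewer looks at first: binaries starting from user-writable Temp/AppData directories (where wsrdw.exe was found), bare filenames resolved through the search path, rundll32-hosted entries, and services with no vendor string. The sample log is copied from the log posted above except for the "Google Updater" line, which is a constructed assumption showing how the quarantined file would have appeared had it installed a Run key; the real log has no such entry.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a subset of the HijackThis log lines quoted in this
# thread, plus ONE hypothetical O4 line (the "Google Updater" entry) showing how
# the quarantined wsrdw.exe would have looked had it installed a Run key. That
# line is an assumption for illustration only; the real log contains no such entry.
SAMPLE_LOG = r"""
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [DPService] "C:\Program Files\HP\DVDPlay\DPService.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKCU..\Run: [Google Updater] C:\users\Ray\AppData\Local\Temp\Low\Google\wsrdw.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<value>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Directories an ordinary user can write to. Legitimate startup entries almost
# never live here, while droppers that land in Temp (as wsrdw.exe did) often do.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\application data\\", "\\local settings\\")


@dataclass
class Finding:
    section: str      # HijackThis section: O2, O4 or O23
    hive: str         # registry hive for O4 entries, "" otherwise
    name: str         # value name, BHO name or service name
    path: str         # image path as written in the log (not expanded)
    severity: str     # "high", "medium" or "low"
    reasons: List[str] = field(default_factory=list)


def extract_image_path(value: str) -> str:
    """Pull the executable/DLL path out of a Run-key value that may be quoted,
    may carry arguments, or may be a bare filename found via the search path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com))(?:\s|$)", value, re.IGNORECASE)
    if m:
        return m.group(1)
    return value.split()[0] if value else ""


def assess_path(path: str) -> List[str]:
    """Path-based heuristics: they say where to look, they do not prove malice."""
    reasons = []
    low = path.lower()
    if any(tok in low for tok in USER_WRITABLE):
        reasons.append("runs from a user-writable Temp/AppData directory")
    if "\\" not in path and "%" not in path:
        reasons.append("bare filename, resolved via the search path at logon")
    if low.endswith("rundll32.exe"):
        reasons.append("rundll32 host; the DLL named in the arguments is the real payload")
    return reasons


def _severity(reasons: List[str]) -> str:
    if any("user-writable" in r for r in reasons):
        return "high"
    if any("no vendor" in r for r in reasons):
        return "medium"
    return "low"


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that trip a heuristic, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = extract_image_path(m["value"])
            reasons = assess_path(path)
            if reasons:
                findings.append(Finding("O4", m["hive"], m["name"], path, _severity(reasons), reasons))
        elif m := SERVICE_RE.match(line):
            path = extract_image_path(m["path"])
            reasons = assess_path(path)
            if m["company"].strip().lower() == "unknown owner":
                reasons.append("service with no vendor string (HijackThis: Unknown owner)")
            if reasons:
                findings.append(Finding("O23", "", m["name"], path, _severity(reasons), reasons))
        elif m := BHO_RE.match(line):
            path = m["path"].strip()
            reasons = assess_path(path)
            if reasons:
                findings.append(Finding("O2", "", m["name"], path, _severity(reasons), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.hive} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"          - {r}")
```

On the real log above this reports only the two low-severity items (the bare RtHDVCpl.exe and the rundll32 Welcome Center entry, both stock Vista/HP), which matches the "nothing obvious" verdict; the constructed wsrdw.exe line is the one that would come out high. Treat the output as a worklist, not a verdict: a flagged path still has to be checked (vendor, signature, hash) before anything is removed.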
Thank you DavidR, your help is greatly appreciated.
You say that you don't see anything obvious in my log. I know this may be a judgment call, but do you think that, with the virus now safely in its chest, I can continue with my banking etc. as before (after changing the passwords) without running System Restore or some other drastic measures? I set the Vista firewall to standard since I was afraid that making it too tight would make it difficult to communicate with the internet sites that I visit. I will now check the sites you recommend in order to understand more about the firewall. Thanks again.
If this was, as suggested a keylogger, I would say yes you should change your passwords for any on-line banking or security/sensitive log-ons that you have as a precautionary measure.
I would also suggest running some different anti-spyware/malware tools:
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
- SUPERAntiSpyware (on-demand only in the free version).
- Malwarebytes Anti-Malware (on-demand only in the free version): http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right-click on the link and select Save As or Save File As (depending on your browser), and save it to a location where you can find it easily later.
I wouldn't recommend running System Restore; it can have some unexpected results.
Thanks DavidR for the answer.
I installed SUPERAntiSpyware and ran it. The result was 74 adware cookies, but otherwise nothing. As the suspected virus-infected file is in the Avast Virus Chest, I suppose SUPERAntiSpyware did not scan that one(?)
I am planning to send the infected file to Avast technical support but am unable to send it directly from the Chest. I have been reading posts about this and understand that I have to compress the file first if I want to send it as a normal e-mail attachment. My dilemma is: is it safe to extract the file (in zip format) to a place outside the Chest for the purpose of attaching it to a normal e-mail?
By the way, now that I have SUPERAntiSpyware installed and plan to run it regularly, is there any reason to continue running Windows Defender?
Thanks again for your time and support.
Edit: I just read your answer to Goodgrace about taking the virus out of the Chest, and I think that answered that part of my question as well. Out of curiosity: does extracting the infected file in zip format make the whole process safer, or is it just to fool the antivirus programs in the e-mail?
Files in the Chest are encrypted and safe. They can't be scanned from outside.
Why? Which avast version are you running? 4.8.1290?
In zip format, yes.
Some users will say yes. A lot of others won't see the usefulness of it.
You're not fooling the antivirus. You're just making the file smaller and avoiding the blocking of sending exe files, for instance. Zip archive files are inert by their nature; the virus must be extracted from the archive to be active, and then the antivirus will catch it.
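Added example, not part of Tech's reply and not avast's tooling: a Python sketch of how to package a quarantined sample for submission so that the recipient can match it to what their scanner reported. It hashes the file, zips it together with a small manifest (original name, size, SHA-256, a note on where it came from), and re-opens the archive to confirm the sample inside still matches the manifest, including a tampered copy to show the check is not a tautology. The sample is a harmless constructed placeholder named like the file in this thread; the archive name, manifest layout and note text are this example's own conventions, not a vendor requirement. The stdlib zipfile module cannot write encrypted archives, so if a vendor asks for a password-protected zip a different tool is needed for that step.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path
from typing import Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large samples need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_sample(sample: Path, out_dir: Path, note: str = "") -> Tuple[Path, dict]:
    """Zip `sample` with a manifest.json (original name, size, SHA-256, note).

    The archive name is derived from the hash, not the sample's name, so the
    recipient can match it against what their scanner reported; the sample keeps
    its original name inside. Plain zip only: zipfile cannot write encrypted archives.
    """
    digest = sha256_file(sample)
    manifest = {
        "file": sample.name,
        "size": sample.stat().st_size,
        "sha256": digest,
        "note": note,
    }
    archive = out_dir / f"sample-{digest[:16]}.zip"
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample, arcname=sample.name)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return archive, manifest


def verify_package(archive: Path) -> bool:
    """Re-open the archive and confirm the sample inside still matches the manifest hash."""
    with zipfile.ZipFile(archive) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        data = zf.read(manifest["file"])
    return sha256_bytes(data) == manifest["sha256"]


def tamper(archive: Path) -> Path:
    """Write a copy whose sample bytes were altered but whose manifest was not."""
    tampered = archive.with_name("tampered-" + archive.name)
    with zipfile.ZipFile(archive) as src, zipfile.ZipFile(tampered, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename != "manifest.json":
                data = data[:-1] + bytes([data[-1] ^ 0xFF])  # flip the last byte
            dst.writestr(info.filename, data)
    return tampered


# Constructed placeholder standing in for the quarantined file: harmless bytes,
# named like the file in the thread. Nothing here is real malware.
PLACEHOLDER_NAME = "wsrdw.exe"
PLACEHOLDER_BYTES = b"MZ placeholder - constructed stand-in for a quarantined sample, not executable code"


def demo() -> dict:
    """Package the placeholder in a scratch directory and report what came out."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        sample = work / PLACEHOLDER_NAME
        sample.write_bytes(PLACEHOLDER_BYTES)
        archive, manifest = package_sample(
            sample, work, note="avast detection Win32:Trojan-gen {other}, exported from Virus Chest"
        )
        with zipfile.ZipFile(archive) as zf:
            names = sorted(zf.namelist())
        return {
            "archive": archive.name,
            "names": names,
            "manifest": manifest,
            "verified": verify_package(archive),
            "tampered_verified": verify_package(tamper(archive)),
        }


if __name__ == "__main__":
    result = demo()
    print(result["archive"], result["names"])
    print("sha256:", result["manifest"]["sha256"])
    print("intact:", result["verified"], " tampered copy:", result["tampered_verified"])
```

Record the SHA-256 before the file leaves your machine; it is the one identifier that survives renaming, zipping and whatever the mail path does to attachments, and it lets you confirm later that the sample the vendor analysed is the one you found.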
Thanks, Tech, for your answers. With the infected file now safely out of the way, it is time to reflect. If I understand this correctly, there is no way to know for sure whether the virus left some nasties hidden behind or, indeed, whether a new undetected virus is logging my typing as we speak (I did have Avast resident protection running when the virus first appeared, and even the scanning did not detect it right away).
I am especially concerned about internet banking, and my solution seems to be: Buy a laptop, run it with Ubuntu and Firefox, and use this laptop exclusively for the banking. Any comments on this?
Also, I would appreciate comments on the security issues a) at home, where I have a single user modem, which I would disconnect from my desktop and connect to the laptop when doing the banking, and b) at the library or McCafe using their WiFi.
Thanks again for your support.
That was the purpose of running the other tools: to check if there was anything else, and it is why a multi-application approach gives a better overall level of protection. Those applications, however, have to complement each other rather than conflict with each other, and those we suggested work well with avast. No single application is likely to provide 100% protection; like life, nothing is 100%.
A firewall is another essential application in your security, but one that provides outbound protection takes that level a stage further; you wouldn't call a fire door a fire door if it only protected from fire from one side.
The same IMHO is true of a firewall, as any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Thanks DavidR for your firewall advice. I did enable outbound protection in Vista Firewall the first time you mentioned the topic, but forgot to mention it in my reply. Sorry.
There is one thing about the firewall that puzzles me, though. How do I know that a program that appears legitimate actually is so? For example, every day I see Cyberlink Power Director and DVD-play in my firewall log. I disable them, but the next day, when I boot the computer, there they are again, and enabled! Now, this certainly appears to be part of the Cyberlink program that came with Windows. But... wouldn't a virus program do exactly this: try to appear as legitimate as possible and then gain access through the firewall in this manner?
Thanks again.
You’re welcome.
I think you need some help with the Vista firewall as it isn’t very user friendly.
Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
Unfortunately there is no easy route to knowing what to do; it does require a little knowledge of what is on your computer and of their possible need to connect. Some have auto-update, where they would be trying to check for updates. Personally there are very few things I let connect automatically, avast being a notable exception. I prefer to keep my programs up to date myself; being on dial-up I'm very picky about what connects and when, and most programs have settings which control that sort of thing, so auto-update can be disabled. But you have to dig into the program to see why it wants to connect.
As to why your choice/decision/answer isn’t stored in the Vista Firewall, sorry I haven’t got a clue as I don’t use Vista and consequently the firewall.