virus

Hi, I have a problem with my PC. It's impossible to reinstall avast or install a new version; I see only an icon with the link, but ashavast.exe has disappeared, as have other files in c:\programms\avast…
Here is my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17.23.30, on 27/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Programmi\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\DOCUME~1\antonio\IMPOST~1\Temp\1188211393.dat.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Temp\explorer.exe
C:\WINDOWS\System32\alg.exe
C:\Programmi\No-IP\DUC20.exe
C:\Programmi\Azureus\Azureus.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmi\a-squared Free\a2free.exe
C:\Documents and Settings\antonio\Documenti\new prog\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programmi\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Programmi\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programmi\FlashFXP\IEFlash.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programmi\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM..\Run: [Opware12] “C:\Programmi\ScanSoft\OmniPagePro12.0\Opware12.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Programmi\Java\jre1.6.0_01\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Programmi\QuickTime\bak\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Programmi\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\Programmi\File comuni\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM..\Run: [crtfmon] C:\DOCUME~1\antonio\IMPOST~1\Temp\1188211393.dat.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Programmi\File comuni\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [WMPNSCFG] C:\Programmi\Windows Media Player\WMPNSCFG.exe
O4 - HKLM..\Policies\Explorer\Run: [5T19I3B27A] C:\WINDOWS\svchost.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVIZIO LOCALE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SERVIZIO DI RETE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: &Windows Live Search - res://C:\Programmi\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programmi\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O17 - HKLM\System\CCS\Services\Tcpip..{C6F86076-F9B5-4A2A-9E19-D7C53D798110}: NameServer = 85.37.17.39 85.38.28.71
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programmi\File comuni\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: DirectX Service (DirectJaxc) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE


End of file - 8349 bytes

Help me please.

Ah, this is the log after aswclnr:

28/08/2007, 2.33.35
Memory scanning started…
No virus body found in memory.
Memory scanning finished (11,9s).

Files scanning started…
C:\Documents and Settings\antonio\Documenti\prog\wmp11-windowsxp-x86-it-it\wmp11\update\update.exe… file could not be scanned!
C:\Documents and Settings\antonio\Impostazioni locali\Temporary Internet Files\Content.IE5\09QZKPUZ.…4_zampe[1].jpg… file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log… file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb… file could not be scanned!
No virus body found.
Files scanning finished (83420 files, 0 infected, 1573,6s).
Drives scanned: C: D:

Hi aquilanera73,

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the files below to VirusTotal for analysis. Post the results here.

C:\DOCUME~1\antonio\IMPOST~1\Temp\1188211393.dat.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\directx.exe

Do you know these sites?
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com

Remove them from the Trusted Zone if you don’t know them.

Trusted Sites Zone This zone contains Web sites that you trust as safe (such as Web sites that are on your organization's intranet or that come from established companies in whom you have confidence). When you add a Web site to the Trusted Sites zone, you believe that files you download or that you run from the Web site will not damage your computer or data. By default, there are no Web sites that are assigned to the Trusted Sites zone, and the security level is set to Low.

http://support.microsoft.com/kb/174360

In the case of a positive virus detection at VirusTotal, copy & paste the results into a mail as well, attach the files (packed in a password-protected archive) and don't forget to mention the password somewhere in the mail body… Send this mail to virus[at]avast[dot]com :wink:
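The triage the reply above does by eye (an autorun pointing into a Temp directory, a svchost.exe outside system32, services with no publisher, entries in the Trusted Sites zone) can be scripted so the same log is checked the same way every time. The Python below is an added example, not HijackThis code and not anything posted in this thread; the heuristics and the EXPECTED_DIRS table are assumptions made for the illustration, and the sample lines are copied from the log earlier in the thread:

```python
"""Triage a HijackThis-style log with a few defender-side heuristics.

Added example: not HijackThis code and not anything posted in the thread.
It covers the sections the reply went through by eye (O4 autoruns, O15
Trusted Zone, O23 services); the rules and EXPECTED_DIRS are assumptions.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log in this thread. HijackThis writes
# the key as HKLM\..\Run; the O4 regex also accepts the flattened HKLM..\Run form.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [crtfmon] C:\DOCUME~1\antonio\IMPOST~1\Temp\1188211393.dat.exe
O4 - HKLM\..\Policies\Explorer\Run: [5T19I3B27A] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: DirectX Service (DirectJaxc) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Where Windows XP keeps binaries that malware likes to impersonate (assumed list, extend as needed).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\?\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

@dataclass
class Finding:
    line: str
    path: Optional[str]  # binary on disk the entry points to; None when unknown or missing
    reason: str

def first_path(cmd: str) -> str:
    """Pull the executable out of an autorun command that may be quoted or carry arguments."""
    m = re.match(r'"?(?P<p>.+?\.(?:exe|dll|cpl|scr|com))\b', cmd, re.IGNORECASE)
    return m.group("p") if m else cmd

def misplaced_system_binary(path: str) -> bool:
    """True when a well-known system binary name sits in a directory it does not belong in."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    return expected is not None and str(p.parent).lower() not in expected

def check_o4(m) -> Tuple[Optional[str], List[str]]:
    path = first_path(m["cmd"])
    name = PureWindowsPath(path).name
    reasons = []
    if "\\temp\\" in path.lower():
        reasons.append("autorun launches a binary from a Temp directory")
    if re.search(r"\.\w{2,4}\.exe$", name, re.IGNORECASE):
        reasons.append(f"{name} has a double extension")
    if "policies\\explorer\\run" in m["key"].lower():
        reasons.append("registered under Policies\\Explorer\\Run, a key legitimate software rarely uses")
    if misplaced_system_binary(path):
        reasons.append(f"{name} is outside its normal directory")
    return path, reasons

def check_o15(m) -> Tuple[Optional[str], List[str]]:
    return None, [f"{m['site']} is in the Trusted Sites zone (security level Low); remove it unless it is known"]

def check_o23(m) -> Tuple[Optional[str], List[str]]:
    reasons = []
    if m["owner"] == "Unknown owner":
        reasons.append("service has no publisher (%s)" % ("file missing" if m["missing"] else "file present"))
    if misplaced_system_binary(m["path"]):
        reasons.append(f"{PureWindowsPath(m['path']).name} is outside its normal directory")
    return (None if m["missing"] else m["path"]), reasons

CHECKS = ((O4_RE, check_o4), (O15_RE, check_o15), (O23_RE, check_o23))

def triage(log_text: str) -> List[Finding]:
    """Run the matching check over every line; lines from other sections are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for rx, check in CHECKS:
            m = rx.match(line)
            if m:
                path, reasons = check(m)
                findings.extend(Finding(line, path, r) for r in reasons)
                break
    return findings

def paths_to_submit(log_text: str) -> List[str]:
    """Flagged binaries that exist on disk: the files to hash and send to a multi-engine scanner."""
    return sorted({f.path for f in triage(log_text) if f.path})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print("Submit for analysis:", *paths_to_submit(SAMPLE_LOG), sep="\n    ")
```

On the sample lines the script returns exactly the three files the reply asked for (the Temp executable, C:\WINDOWS\svchost.exe and directx.exe) and leaves the missing avast service binary out of the submit list, since there is nothing on disk to hash. The heuristics are deliberately conservative: a finding means "look at this", not "this is malware", which is why the Trusted Zone entry is reported for confirmation rather than removed.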

I sent this to virus@avast.com and to analysis@norman.no (with zipped files and password),

referring to http://forum.avast.com/index.php?topic=30165.0

password: virus

After VirusTotal:

118211393.dat.zip :

Antivirus Version Last update Result
AhnLab-V3 2007.8.28.2 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 DIAL/Generic
Authentium 4.93.8 2007.08.28 -
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.28 BehavesLike:Trojan.HangUp
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.26 suspicious Trojan/Worm
eTrust-Vet 31.1.5091 2007.08.28 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 -
F-Secure 6.70.13030.0 2007.08.28 W32/Dialer
Ikarus T3.1.1.12 2007.08.28 BehavesLikeTrojan.HangUp
Kaspersky 4.0.2.24 2007.08.28 -
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 -
NOD32v2 2488 2007.08.28 -
Norman 5.80.02 2007.08.28 W32/Dialer
Panda 9.0.0.4 2007.08.28 Dialer.KOM
Prevx1 V2 2007.08.28 Trojan.Nudos
Rising 19.38.12.00 2007.08.28 -
Sophos 4.21.0 2007.08.28 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.28 -
TheHacker 6.1.9.175 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.27 -
Webwasher-Gateway 6.0.1 2007.08.28 Dialer.Generic
Additional information
File size: 6148 bytes
MD5: 64fe1ea12b33a51346db2659942c6605
SHA1: 64e02a9c1b02ebbf04b7d7fab09c7b5f977b57bb
packers: UPX
packers: UPX
packers: UPX
norman sandbox: [ General information ]

  • IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
  • Decompressing UPX.
  • File length: 6148 bytes.

[ Changes to registry ]

  • Creates value "crtfmon"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
  • Creates key "HKLM\Software\Microsoft\AdversCalls".
  • Sets value "TimeOne"="
  • -fe" in key "HKLM\Software\Microsoft\AdversCalls".
  • Sets value "TimeTwo"="_A_" in key "HKLM\Software\Microsoft\AdversCalls".

[ Changes to system settings ]

  • Enumerates RAS devices.
  • Read RAS entry properties.
  • Enumerates RAS connections.
  • Set dialer properties to dial () secret.

[ Process/window information ]

  • Will automatically restart after boot (I’ll be back…).

Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=64B680A604AE137D18F4001322ED22001430FABC

directx.exe:

AhnLab-V3 2007.8.28.2 2007.08.28 -
AntiVir 7.4.1.63 2007.08.28 -
Authentium 4.93.8 2007.08.28 W32/Rukap.B
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 Agent.2.G
BitDefender 7.2 2007.08.28 Trojan.Munk.XA
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.28 -
DrWeb 4.33 2007.08.28 -
eSafe 7.0.15.0 2007.08.26 suspicious Trojan/Worm
eTrust-Vet 31.1.5091 2007.08.28 -
Ewido 4.0 2007.08.27 -
FileAdvisor 1 2007.08.28 -
Fortinet 2.91.0.0 2007.08.28 -
F-Prot 4.3.2.48 2007.08.28 W32/Rukap.B
F-Secure 6.70.13030.0 2007.08.28 Backdoor.Win32.Rukap.gen
Ikarus T3.1.1.12 2007.08.28 Backdoor.Win32.Rukap
Kaspersky 4.0.2.24 2007.08.28 Backdoor.Win32.Rukap.gen
McAfee 5106 2007.08.27 -
Microsoft 1.2803 2007.08.28 Backdoor:Win32/Rukap.gen
NOD32v2 2488 2007.08.28 probably a variant of Win32/Agent.NFM
Norman 5.80.02 2007.08.28 -
Panda 9.0.0.4 2007.08.28 Bck/DService.gen
Prevx1 V2 2007.08.28 Generic.Malware
Rising 19.38.12.00 2007.08.28 -
Sophos 4.21.0 2007.08.28 Mal/Behav-092
Sunbelt 2.2.907.0 2007.08.25 Trojan.Monicker
Symantec 10 2007.08.28 Trojan.Monicker
TheHacker 6.1.9.175 2007.08.28 -
VBA32 3.12.2.3 2007.08.28 suspected of Trojan-Downloader.Obfuscated.2 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.08.27 Adware.DService.Gen
Webwasher-Gateway 6.0.1 2007.08.28 -
Additional information
File size: 58880 bytes
MD5: 6abf9738eb1f98aadf6bbb197099321a
SHA1: 3e28d53cbeaad499dbdc79a746fa81946eeb118a
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=32F9E96B00B669A9E6160048B3D49E00BEF28F14

What do I have to do now? Wait for them?

Those two are bad. You can run HijackThis! again, tick the box next to those entries, close all other windows and click ‘Fix’. Reboot into Safe Mode and delete the files. Boot normally and run HijackThis! again to check they’re gone. (If the entries are still there, we can recommend some more powerful removal methods.)

But what about C:\WINDOWS\svchost.exe? Did you submit that? It looks like a malicious file.