Today I went to my cousin’s house to see his computer, and I must say that the situation isn’t very good. To start:
First, the Web Shield is causing some kind of problem: when the Web Shield is on, the PC doesn’t have internet. The Web Shield shows it is scanning the requested page, but the browser shows “The connection was reset” (IE and Firefox). When I turn off the Web Shield everything is OK (pausing the Shield doesn’t help) :-\ Any ideas?
Also, avast! found some viruses: one virus had the name Win32:"some letters"popper (I don’t remember the whole name).
Also, one very strange thing: when I ran a Physical Memory Scan (Thorough) with avast! AEC, avast! found the virus Win32:Sdbot-Gen in some rows of the memory, but the warning window is different: there are no available actions, only the option “continue” :-\ Any suggestions?
The PC runs WinXP SP1 (I will install SP2 tomorrow) and avast! Home.
Well, as for the first question, it really sounds like the Web Shield is being blocked by a firewall from accessing the internet, so the browser cannot connect either. It could also be that the firewall detected that the Web Shield components were changed (due to the last avast! update) and automatically blocked access… Worth taking a look at the firewall.
Take a boot-time scan also and report back on the progress with the virus. Also, when encountering a virus, ALWAYS write down the name of the virus (or malware) so that we can better assist you, and you will also be able to research it on the net.
The PC doesn’t have a firewall installed, so this can’t be the problem with the Web Shield. Something else is blocking it (the internet connection from the Shield to the browser), but I can’t find what :-\ That’s why I posted the topic in the virus forum, because I think that this might be a virus.
As I already said, the boot-time scan didn’t find anything. Only the on-demand scan found the virus mentioned in my previous post (later today I will post the full name).
And my second question is how to remove the virus Win32:Sdbot-Gen from the physical memory. Is there a way to remove it?
Also, later today I will try an online scan with some other scanners to see the results :-\
EDIT: I’ve just remembered one other thing: when I open the list of running processes in the task bar, there is one process which is flashing (appearing and disappearing) very fast (and I can’t see the name) :-\
That computer really needs a firewall. Maybe installing a firewall might slow that process down from working so quickly (on and off… as if maybe sending out email or other types of communication) so that you can see what it is.
I’ve just removed the Win32:Sdbot-Gen virus.
Also, the other virus’s name is Win32:Galapopper[Trj]; I’ve removed it.
Also, I found a virus which avast! didn’t detect (a variant of Win32:Galapopper); the virus was loaded in memory, but Spybot removed it ;D (unfortunately I forgot to back up the virus file to send it to Alwil).
I’ve installed SP2 on the PC, and at the moment the updates must be downloading. But I still think that there is some variant of the StartPage virus on the computer :-\, because every time the PC boots, IE and Firefox load automatically and open a web page (I forgot the address) (I will run the Kaspersky online scanner tomorrow, because it’s already too late here). Also, the Web Shield problem is still there :-\
I will explain it once again; I hope someone will have a suggestion :-
When the Web Shield is not running, the internet connection is OK, but after I start the Shield, the web browsers (IE and Firefox) don’t want to load the pages; they show that the connection was reset, while the Web Shield is showing that it is scanning the requested page. Very strange. I think that some process is breaking the connection between the browser and the Web Shield, but this is only my guess (pausing the Shield doesn’t help).
Still waiting for any suggestions about the Web Shield problem :-\
Well, the only suggestion I can give you is to try a repair of avast! and, if that doesn’t work, a complete reinstall.
It would also be nice if you could post your HijackThis log…
Here’s the HijackThis log (just received the log from my cousin):
Logfile of HijackThis v1.99.1
Scan saved at 7:09:59 PM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?301
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://de.search.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=10.0.1.1:8080;gopher=10.0.1.1:8080;http=10.0.1.1:8080;https=10.0.1.1:8080;socks=10.0.1.1:1080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D1AF3E68-18C7-424C-8DCD-D602C187B2D8} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\RunServices: [MSN Messenger Plus] svchosl.exe
O4 - HKLM\..\RunServices: [MSN Messenger Plus 1] svchost1.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{618508EA-1DEC-4A08-8436-1BC3206F1468}: NameServer = 10.0.1.1,193.68.5.65
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_13.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I’ve found another virus, Trojan.Sysmon (Dialogue Science), in the sysmon process; I will fix it tomorrow when I go to my cousin’s house.
avast! didn’t detect it again.
Also, I think that these items are suspicious, but I’m not sure:
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_13.dll
C:\WINDOWS\Explorer.EXE
I think that the last one (Explorer.EXE) must be in the system32 folder, or am I wrong?
Also, after reinstalling avast! the Web Shield behaves the same as before :-
Any suggestions?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?301
This one is the start page in IE (very nasty); you should fix it.
O2 - BHO: (no name) - {D1AF3E68-18C7-424C-8DCD-D602C187B2D8} - (no file)
This one is unnecessary and should be fixed also.
This one, O4 - HKLM\..\RunServices: [MSN Messenger Plus] svchosl.exe, and this one, O4 - HKLM\..\RunServices: [MSN Messenger Plus 1] svchost1.exe, should go too (MSN Plus is filled with spyware, BTW).
O17 - HKLM\System\CCS\Services\Tcpip\..\{618508EA-1DEC-4A08-8436-1BC3206F1468}: NameServer = 10.0.1.1,193.68.5.65 If these are the DNS IPs of your ISP, leave them; otherwise delete them too.
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_13.dll Well, I am not 100% sure about this one, but all I keep finding on this is posts on other forums with people advising to remove it, and I really cannot find any info that it belongs to a legit program, so I would say that this one goes too.
Well, as for explorer.exe, it does reside in the Windows folder and DOES NOT belong in system32, so leave that one alone.
OK, I see 2 programs that are known to contain spyware, and those are FlashGet (yes, I know it’s a good program, but unfortunately it has spyware bundled) and MSN Plus (this one rocks too, I know). Well, I’m telling you this just so that you will know of it and be able to tell your cousin where he gets some of his spyware. But don’t get rid of these programs, as now they will be cleaned (I have FlashGet too) hehe. You should download ewido, install it and run it in SAFE MODE (plus all the other scanners you have there) to be sure these nasties don’t keep coming back. Well, to be on the safe side, I would disable System Restore (and delete the old restore points), again just to be sure the nasties don’t come back.
After you do all this run another HijackThis scan and post it…
P.S.: As you see, you should be reading the viruses & worms forum a little more instead of just being in the general forum all the time hihi ;D ;D ;D
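The checks in the reply above (the hijacked start page, the forced proxy, the orphaned BHO, the two svchost look-alikes in RunServices, the name servers, the unknown SSODL DLL and explorer.exe's location) can be run mechanically over a HijackThis log instead of by eye. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from Alwil. The allow-lists (`_SSODL_ALLOW`, the `trusted_dns` set, the list of impersonated system binaries) and the sample log lines are assumptions constructed for the demonstration, modelled on the log posted above.

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example, not part of this thread, of HijackThis or of avast!.  It
mechanises the checks the reply above applies by hand.  The allow-lists are
assumptions the operator must supply; the defaults are only illustrative.
"""
import re
from typing import FrozenSet, List, Tuple

Finding = Tuple[str, str, str]  # (HJT section, reason, offending log line)

# System binaries that malware imitates with a one-character change (svchosl.exe).
_SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe")
# Assumed allow-list of DLLs a stock XP loads via ShellServiceObjectDelayLoad.
_SSODL_ALLOW = frozenset({"shell32.dll", "stobject.dll", "webcheck.dll"})
_HIJACK_VALUES = {"Start Page", "Search Page", "Search Bar", "SearchAssistant"}

_RE_LINE = re.compile(r"^(?P<sec>O\d+|R\d) - (?P<body>.*)$")
_RE_REG = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# HJT writes "HKLM\..\Run:"; pasted copies often lose the first backslash, so it is optional.
_RE_O4 = re.compile(r"^HK(?:LM|CU)\\?\.\.\\(?P<run>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_RE_OBJ = re.compile(r"^(?:BHO|SSODL): .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
_RE_O17 = re.compile(r"NameServer = (?P<servers>[\d.,]+)\s*$")


def _exe_name(cmd: str) -> str:
    """Lower-cased file name of the first token of a command line (quotes honoured)."""
    exe = cmd.split('"')[1] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> str:
    """Return the system binary `name` imitates (edit distance exactly 1), else ''."""
    name = name.lower()
    for real in _SYSTEM_NAMES:
        if name != real and _edit_distance(name, real) == 1:
            return real
    return ""


def check_process_path(path: str, windir: str = r"C:\WINDOWS") -> str:
    """explorer.exe belongs directly in the Windows directory, never in System32."""
    norm = path.strip().lower()
    if norm.endswith("\\explorer.exe") and norm != (windir + "\\explorer.exe").lower():
        return f"explorer.exe running from {path.strip()}; expected {windir}\\explorer.exe"
    return ""


def analyze(log: str, trusted_dns: FrozenSet[str] = frozenset(),
            ssodl_allow: FrozenSet[str] = _SSODL_ALLOW) -> List[Finding]:
    """Walk a HijackThis log and return the entries a reviewer should act on."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _RE_LINE.match(line)
        if not m:  # header text or the "Running processes:" block
            reason = check_process_path(line)
            if reason:
                findings.append(("process", reason, line))
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1"):
            r = _RE_REG.match(body)
            if r and r.group("value") in _HIJACK_VALUES and r.group("data") not in ("", "about:blank"):
                findings.append((sec, f"IE {r.group('value')} hijacked: {r.group('data')}", line))
            elif r and r.group("value") == "ProxyServer":
                findings.append((sec, "browser traffic forced through a proxy; confirm it is the gateway", line))
        elif sec == "O2":
            o = _RE_OBJ.match(body)
            if o and o.group("path") == "(no file)":
                findings.append((sec, "orphaned BHO (no file): safe to fix", line))
        elif sec == "O4":
            o4 = _RE_O4.match(body)
            real = lookalike_of(_exe_name(o4.group("cmd"))) if o4 else ""
            if real:
                findings.append((sec, f"{_exe_name(o4.group('cmd'))} imitates {real} in {o4.group('run')}", line))
        elif sec == "O17":
            o17 = _RE_O17.search(body)
            bad = [s for s in o17.group("servers").split(",") if s not in trusted_dns] if o17 else []
            if bad:
                findings.append((sec, "name server(s) not on the ISP/gateway list: " + ",".join(bad), line))
        elif sec == "O21":
            o = _RE_OBJ.match(body)
            if o and o.group("path").rsplit("\\", 1)[-1].lower() not in ssodl_allow:
                findings.append((sec, "unknown ShellServiceObjectDelayLoad DLL: " + o.group("path"), line))
    return findings


# Constructed sample in HJT format, modelled on the log posted above (not a verbatim copy).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?301
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.0.1.1:8080;https=10.0.1.1:8080
O2 - BHO: (no name) - {D1AF3E68-18C7-424C-8DCD-D602C187B2D8} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Systems] C:\WINDOWS\system32\sysmon.exe
O4 - HKLM\..\RunServices: [MSN Messenger Plus] svchosl.exe
O4 - HKLM\..\RunServices: [MSN Messenger Plus 1] svchost1.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{618508EA-1DEC-4A08-8436-1BC3206F1468}: NameServer = 10.0.1.1,193.68.5.65
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_13.dll
"""

if __name__ == "__main__":
    for sec, reason, line in analyze(SAMPLE_LOG, trusted_dns=frozenset({"10.0.1.1"})):
        print(f"[{sec}] {reason}\n    {line}")
```

Run stand-alone it prints one finding per flagged entry. Note what it deliberately does not flag: sysmon.exe, which the OP only later identified as the downloader, passes every rule here because a full path under system32 with an ordinary name is indistinguishable from a legitimate entry in the log alone; that is why the reply asks for a HijackThis log and scanner results together rather than either on its own.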
Tomorrow I will do all the fixes and will report here. Also, I will send Alwil the samples of the undetected viruses and hope that the samples will be added to the VPS shortly.
The entry www(dot)skymasters(dot)biz? is the sign of a trojan backdoor or a dialer. This is surely not good.
While researching this, Avast! gave me a trojan warning upon going to this Google search page. Clicking the link below should be safe since Avast caught this as it tried to enter my computer. BUT, click at your own risk!
No, I did not yet click on any links on that page. The warning came after clicking Next from the 5th search page and after the 6th search page started loading. The above link is for the 6th search page.
Is Google infected??? :o Or is this a false positive? ???
I was going to fill out a report form at the Avast website but, since Avast blocked it before it entered my computer, filling in the form would mean I would have to give incorrect data. There needs to be a way on the form to enter such info as I am giving here.
Well, I went back again today by clicking on the link for the Google search in my above post. Nothing bad happened by clicking on that link. Once the page was loaded, I scrolled down and clicked on search page number 5. Again once page 5 had loaded, I scrolled down and clicked on Next. As soon as page 6 started to load, I got the same virus warning from Avast! :o
And now everything is fine. Also, I’ve found out what was causing the Web Shield problem: the sysmon.exe process. After I removed this from the PC, the Web Shield started to work properly ;D This process was infected with Trojan-Downloader.Win32.Vixup.b (according to Kaspersky); I’ve sent this sample to Alwil and hope that it will be added soon ;D
Thanks to all of you who helped me 8)