TechSpot

Attempted connnection to malware site - Can't find the culprit

By CharlieJ
Jun 7, 2007
  1. PC attempts connnection to malware site - Can't find the culprit app

    My supervisor's PC is repeatedly trying to connect to:
    http://203. 121. 69. 232 /theif2 /parse.php?op=log &fn=07_06_2007.html &user=SYSTEM_PC67&str= [spaces added to keep the URL from being clickable]

    The only references I found for this IP are ramazun.com and registration from Australia.

    I have scanned with Ad-aware SE, Spybot S&D v1.4, Ewido v3.5, Housecall from Trend Micro and TrojanScan.com. Nothing major was found by ANY of these scanners.

    I looked at the processes with Sysinternals Process Explorer -- nothing odd looking there.

    The PC seems to try on a random time basis -- even if the web browser is closed. It will try more frequently when the browser is open, though. The same results seem to occur whether Firefox or IE6 are used.

    PC is a Gateway E-series workstation w/ Win XP Pro SP2 / Office 2003 SP? and a few other apps.

    I am attaching the HJT log for your review. Certain items are redacted so as not to expose personal information. I would appreciate ANY help you folks can offer.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I can`t see anything obviously nasty in your HJT log. However, I am concerned at this entry O23 - Service: UpdateManager - Unknown owner - C:\WINDOWS\update.exe. Even if this turns out not to be nasty, there`s obviously cause for concern with the symptoms you describe.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\WINDOWS\update.exe

    * Click Open
    * Please let me know the results.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of CharlieJ only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. CharlieJ

    CharlieJ TS Rookie Topic Starter

    Online Scanner Results

    Here is the online scanner info on c:\windows\update.exe:

    Scan taken on 07 Jun 2007 18:33:44 (GMT)
    A-Squared
    Found nothing

    AntiVir
    Found TR/Delphi.Downloader.Gen

    ArcaVir
    Found nothing

    Avast
    Found Win32:Agent-DDN

    AVG Antivirus
    Found PSW.Generic4.NCL

    BitDefender
    Found Generic.FWB.0FC021B5

    ClamAV
    Found nothing

    Dr.Web
    Found MULDROP.Trojan (probable variant)

    F-Prot Antivirus
    Found nothing

    F-Secure Anti-Virus
    Found nothing

    Fortinet
    Found Maha.RO!tr

    Kaspersky Anti-Virus
    Found nothing

    NOD32
    Found probably a variant of Win32/PSW.Maha.A (probable variant)

    Norman Virus Control
    Found nothing

    Panda Antivirus
    Found nothing

    Rising Antivirus
    Found nothing

    VirusBuster
    Found nothing

    VBA32
    Found Malware.Delf.69 (paranoid heuristics) (probable variant)


    More to follow soon...
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Do continue with the steps Howard gave you and post the requested logs. We'll be able to provide more instructions upon seeing the logs.


    Regards,
    Your friendly momok =)

    This thread is for the use of CharlieJ only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, please do the following.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    UpdateManager

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    update.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\update.exe

    Reboot into normal mode and rehide your protected OS files.

    Follow the rest of the instructions and post the requested logfiles.

    Regards Howard :)

    This thread is for the use of CharlieJ only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. CharlieJ

    CharlieJ TS Rookie Topic Starter

    More results...

    Ad-aware already installed. Updated.
    Spybot S&D already installed. Updated.
    VirtuMonde / Look2Me removers run -- Nothing found.
    AVG Antirootkit installed and run -- Nothing found.
    Ad-aware run -- Nothing found.
    Spybot S&D -- Nothing found.

    Other logs attached.

    Update.exe already gone. No process running with that name.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I need you to post the Combofix log, rather than the Combofix quarantine log. Please do so in your next reply.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of CharlieJ only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...