Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Malware? - All commercial virus sites blocked

  • This topic is locked This topic is locked
4 replies to this topic

#1 camabee


  • Members
  • 3 posts
  • Local time:07:15 AM

Posted 30 November 2009 - 11:43 PM

Thanks in advance for your assistance.

First symptom was hard-hang while "loading personal settings".
Got past this by booting in Safe Mode, but only with 1 of 2 administrator users.
Using the one adminstrator user (I can now boot normally), I am getting strange browser behavior and occasional DEP errors (wants to close Windows Explorer) and a couple of svchost.exe application errors

IE yields HTTP 501 / HTTP 505 error when trying to access any Mcafee.com site, HTTP 400 when trying to get to symantic.com, HTTP 501 error when trying http://security.symantec.com .. etc.

Firefox just gives "The specified method is not supported" or "Bad Request" when trying to go to these sites.

Have tried:

.. but all they got was a few adware cookies and a couple of trojans (trojan.DNS.changer and gen-nullo(short)) found inside old backup files.

I am at the end of my knowledgebase and would appreciate any assistance that you can offer.


Additional Info.

Searching similar threads found that you need DDS.SCR outputs as well:

DDS (Ver_09-11-29.01) - NTFSx86
Run by camabee at 23:49:25.53 on 30/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.580 [GMT -5:00]

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
C:WINDOWSSystem32svchost.exe -k netsvcs
C:Program FilesJavajre6binjqs.exe
C:Program FilesCommon FilesMicrosoft SharedVS7DEBUGMDM.EXE
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesIntelModem Event MonitorIntelMEM.exe
C:Program FilesCyberLinkPowerDVDDVDLauncher.exe
C:Program FilesMusicmatchMusicmatch Jukeboxmmtask.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe
C:Program FilesScanSoftPaperPortpptd40nt.exe
C:Program FilesJavajre6binjusched.exe
C:Program FilesAdobeAcrobat 6.0Distillracrotray.exe
C:Program FilesJavajre6binjucheck.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingscamabeeDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 6.0acrobatactivexAcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:windowssystem32dlaDLASHX_W.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
uRun: [OM_Monitor] c:program filesolympusolympus masterMonitor.exe -NoStart
uRun: [OM2_Monitor] "c:program filesolympusolympus master 2MMonitor.exe" -NoStart
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:program filesati technologiesati control panelatiptaxx.exe"
mRun: [IntelMeM] c:program filesintelmodem event monitorIntelMEM.exe
mRun: [DVDLauncher] "c:program filescyberlinkpowerdvdDVDLauncher.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [mmtask] c:program filesmusicmatchmusicmatch jukeboxmmtask.exe
mRun: [ISUSPM Startup] c:progra~1common~1instal~1update~1ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:program filescommon filesinstallshieldupdateserviceissch.exe" -start
mRun: [OM_Monitor] c:program filesolympusolympus masterFirstStart.exe
mRun: [SSBkgdUpdate] "c:program filescommon filesscansoft sharedssbkgdupdateSSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:program filesscansoftpaperportpptd40nt.exe
mRun: [IndexSearch] c:program filesscansoftpaperportIndexSearch.exe
mRun: [DLA] c:windowssystem32dlaDLACTRLW.EXE
mRun: [OM2_Monitor] "c:program filesolympusolympus master 2FirstStart.exe" /OM
mRun: [C2K] c:windowscyb10.exe
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
StartupFolder: c:docume~1alluse~1startm~1programsstartupacroba~1.lnk - c:program filesadobeacrobat 6.0distillracrotray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office11REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:windowssystem32Shdocvw.dll
LSP: c:windowssystem32lspcs.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:docume~1camabeeapplic~1mozillafirefoxprofilesf7zln7q3.default
FF - plugin: c:program filesviewpointviewpoint experience technologynpViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:program filessuperantispywaresasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2009-11-23 74480]
R2 CCOMSVC;Communication Services;c:windowsCComSvc.exe [2008-6-26 2492648]
R2 WVCSWDSVC;Monitoring Service;c:windowsWVCSWD.exe [2008-6-26 1152744]
S3 SASENUM;SASENUM;c:program filessuperantispywareSASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-01 03:12:16 0 d-----w- c:program filesTrend Micro
2009-12-01 02:56:14 0 d-----w- c:windowspss
2009-11-30 03:59:48 0 d-----w- c:docume~1alluse~1applic~1SUPERAntiSpyware.com
2009-11-30 03:59:39 0 d-----w- c:program filesSUPERAntiSpyware
2009-11-30 03:59:39 0 d-----w- c:docume~1camabeeapplic~1SUPERAntiSpyware.com
2009-11-30 03:59:07 0 d-----w- c:program filescommon filesWise Installation Wizard
2009-11-29 18:11:33 0 d-----w- C:ComboFix
2009-11-29 17:28:21 0 d-----w- c:docume~1camabeeapplic~1Malwarebytes
2009-11-29 17:28:17 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-11-29 17:28:16 0 d-----w- c:docume~1alluse~1applic~1Malwarebytes
2009-11-29 17:28:15 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-11-29 17:28:15 0 d-----w- c:program filesMalwarebytes' Anti-Malware
2009-11-29 17:04:24 0 d-sha-r- C:cmdcons
2009-11-29 17:02:27 77312 ----a-w- c:windowsMBR.exe
2009-11-29 17:02:27 260608 ----a-w- c:windowsPEV.exe
2009-11-29 17:02:27 161792 ----a-w- c:windowsSWREG.exe
2009-11-29 17:02:26 98816 ----a-w- c:windowssed.exe
2009-11-29 16:21:35 0 d-----w- c:program filesSpybot - Search & Destroy
2009-11-29 16:21:35 0 d-----w- c:docume~1alluse~1applic~1Spybot - Search & Destroy
2009-11-22 14:53:21 52 ----a-w- c:windowsAA.INI
2009-11-22 14:53:20 0 d-----w- C:READCLUB
2009-11-08 15:26:37 54156 ---ha-w- c:windowsQTFont.qfn
2009-11-08 15:26:37 1409 ----a-w- c:windowsQTFont.for

==================== Find3M ====================

2009-10-22 09:19:04 5939712 ----a-w- c:windowssystem32dllcachemshtml.dll
2009-09-11 14:33:52 133632 ----a-w- c:windowssystem32msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:windowssystem32dllcachemsv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:windowssystem32msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:windowssystem32dllcachemsasn1.dll
2007-03-06 04:37:36 0 ----a-w- c:program fileserror.dat

============= FINISH: 23:50:08.07 ===============

Merged posts. ~ OB

Attached Files

Edited by Orange Blossom, 01 December 2009 - 10:59 PM.

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 13 December 2009 - 04:06 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#3 camabee

  • Topic Starter

  • Members
  • 3 posts
  • Local time:07:15 AM

Posted 13 December 2009 - 11:52 PM

Thanks for getting back but unfortunately my problems got a lot worse with increasing instability since my original post Nov 29.

Got some professional help and problem was unidentifiable as a specific malware by any of the scanning tools he had access to but tracing the behaviour included internal DNS blockage (not redirection) apparently managed locally (couldn't even force use of Whatever it was it even mangled files in the i386 directory and corrupted the Ghost partition so that I couldn't get back to the original Dell configuration without a complete rebuild.

What was really weird was that other than complete blocking of sites from commercial antivirus suppliers, there was no specific pattern of activity (no downloading, no adware behaviour, etc).

Bottom line, machine reset to Dell original and all problems are gone.

Thanks anyway.

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 14 December 2009 - 05:21 AM

Thanks for letting me know. :(

It sounds like you had the polymorphic file infector Virut.

Virut is a virus program whose code is flawed which means when it injects that code into your files it corrupts them. Which means that it destroys your system to the extent that only a reformat and reinstall will bring the PC back.

This is the Virut information I post when I can identify the malware:

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.
Posted Image
m0le is a proud member of UNITE

#5 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:12:15 PM

Posted 19 December 2009 - 06:00 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users