
active-x warning from local html files containing no scripts


  • This topic is locked
33 replies to this topic

#1 sato_

  • Members
  • 14 posts

Posted 24 May 2011 - 11:41 PM

hello all, i hope you'll help me out with a problem (or remnants of one) that i've been having.

earlier today just in the middle of ordinary document writing (an html file with notepad) AVG (free edition) popped up with a malware warning. the apparent culprit was an old installation file (.exe) which i thought was weird since it had been sitting on my disk for over a year with no trouble or even use beyond the first time i used it.

later i found that local html files were causing an active-x warning to pop up whenever i opened them, which is even stranger since the files are very basic, just text and a little formatting such as tables, and occasional images. although the messages were annoying i decided to leave fixing the problem till later in the day, and continued with my documents and the occasional net browse to check facts etc.

later still suddenly another AVG warning came up, this time saying that iexplore.exe was infected with blackhole. AVG cleaned up, but the active-x warnings from local pages that have no active-x or any script of any kind are continuing which has left me worried. my guess is that my iexplore.exe file got infected, but i don't know what infected it, how to fix it, or if the infection is completely gone. i find it hard to believe that the original culprit was an old installation file.

i ran a full malwarebytes scan which turned up nothing, ran hijackthis also which showed nothing i couldn't identify, looked thru the current version - run entries in my registry which also had no anomalies, then turned to here. i ran DDS and GMER as instructed, the DDS log i can paste, but since i run the japanese version of windows more than half of it is in japanese which will probably be a bit tricky for most to read even if it displays properly, so for now i hope that my word that i checked through it and found nothing that caused me any doubt at all will suffice. the GMER log though contains some entries i don't understand (and it's all in english) so i'll paste it in below.

running IE 8 on windows XP.

thank you for your time and assistance!

logfile starts:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-25 13:39:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS543232L9A300 rev.FB4OC40C
Running: gmer.exe; Driver: C:\DOCUME~1\Ben\LOCALS~1\Temp\pwryypoc.sys


---- System - GMER 1.0.15 ----

SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwClose [0xB7F8DC58]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xB7F8DC10]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xB7F81C70]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xB7F824FE]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xB7F8DD50]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwOpenKey [0xB7F8DBD4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB83C1738]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xB7F8251E]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwQueryValueKey [0xB7F8DCA6]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xB7F8D4F0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB83C17DC]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB83C1878]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB83C1914]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6FB0360, 0x33BA3D, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB3986300, 0x3ACC8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83D8300, 0x1B7E, 0xE8000020]
? C:\DOCUME~1\Ben\LOCALS~1\Temp\mbr.sys 指定されたファイルが見つかりません。 !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 77D047AB 5 Bytes JMP 40B754BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!CreateWindowExW 77D0D0A3 5 Bytes JMP 40C4DB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamW 77D12072 5 Bytes JMP 40D45117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectA 77D1A082 5 Bytes JMP 40D45049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamA 77D1B144 5 Bytes JMP 40D450B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExW 77D30838 5 Bytes JMP 40D44F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExA 77D3085C 5 Bytes JMP 40D44F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamA 77D36D7D 5 Bytes JMP 40D4517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 77D464D5 5 Bytes JMP 40D44FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamW 77D047AB 5 Bytes JMP 40B754BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!SetWindowsHookExW 77D0820F 5 Bytes JMP 40C49B01 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!CallNextHookEx 77D0B3C6 5 Bytes JMP 40C3D125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!CreateWindowExW 77D0D0A3 5 Bytes JMP 40C4DB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!UnhookWindowsHookEx 77D0D5F3 5 Bytes JMP 40BB4664 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamW 77D12072 5 Bytes JMP 40D45117 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectA 77D1A082 5 Bytes JMP 40D45049 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamA 77D1B144 5 Bytes JMP 40D450B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExW 77D30838 5 Bytes JMP 40D44F1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExA 77D3085C 5 Bytes JMP 40D44F7C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamA 77D36D7D 5 Bytes JMP 40D4517A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectW 77D464D5 5 Bytes JMP 40D44FDE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] ole32.dll!CoCreateInstance 7698F1AC 5 Bytes JMP 40C4DBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] ole32.dll!OleLoadFromStream 769B981B 5 Bytes JMP 40D4547F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AEE2378

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Cdrom \Device\CdRom0 8A9B6BF8
Device \FileSystem\Rdbss \Device\FsWrap 8A8C6950
Device \Driver\atapi \Device\Ide\IdePort0 8AB90008
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AB90008
Device \Driver\atapi \Device\Ide\IdePort1 8AB90008
Device \Driver\atapi \Device\Ide\IdePort2 8AB90008
Device \Driver\atapi \Device\Ide\IdePort3 8AB90008
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AB90008
Device \FileSystem\Srv \Device\LanmanServer 87029848

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A8C6278
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A8C6278
Device \FileSystem\Npfs \Device\NamedPipe 8A8B6A58
Device \FileSystem\Msfs \Device\Mailslot 8A8A0238
Device \Driver\Vax347s \Device\Scsi\Vax347s1 8A9C71A8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8A874230
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8A874230
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8A874230
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8A874230
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8A874230
Device \FileSystem\Cdfs \Cdfs 87D9A9F8

---- Modules - GMER 1.0.15 ----

Module _________ B7F0A000-B7F22000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/\x30d3\x30c7\x30aa接続 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期\x30a2\x30c0\x30d7\x30bf 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (L2TP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPTP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPPOE) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (IP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0 1?2?3?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@1394 \x30cd\x30c3\x30c8 \x30a2\x30c0\x30d7\x30bf 1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40@ljej40 0xDE 0xD8 0x86 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg41@ljej40 0xC8 0xD8 0x86 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg42@ljej40 0xB7 0xD8 0x86 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43@ujdew 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg43@ljej40 0x71 0xD8 0x86 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Microsoft TV/\x30d3\x30c7\x30aa接続 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@RAS 非同期\x30a2\x30c0\x30d7\x30bf 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (L2TP) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPTP) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (PPPOE) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xe326\xff65c\xff910\x30fb\x30fb\x30fb\0\0\0 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@WAN \x30df\x30cb\x30dd\x30fc\x30c8 (IP) 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\xff910\xff710\xff830\xff880 \0\xff790\xff710\xff780\x30fb\x30fb\x30fb \0\xff9f0\xff8b0\xff9d0\x30fb\xff880\0\0\0 1?2?3?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@1394 \x30cd\x30c3\x30c8 \x30a2\x30c0\x30d7\x30bf 1?
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120%
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\16f\35g 49280
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\16f\35g 16512
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0\xff740\xff770\xff830\xff6f0 32896
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@-\xf8f33\xf8f3 \0000\xf8f3\xff740\xff770\xff830\xff6f0 128
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS \x30b4\x30b7\x30c3\x30af 41088
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper@@MS P\x30b4\x30b7\x30c3\x30af 8320
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120%

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----

Edited by sato_, 25 May 2011 - 11:31 PM.
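As an added triage aid (this script is not from the thread and is not part of GMER), the following Python parses the SSDT and user-mode inline-hook lines of a GMER 1.0.15 log like the one above, groups each hook by the module that owns it, and flags inline hooks whose target has no vendor label or lives under a Temp directory. The sample input copies seven lines from sato_'s log and adds one constructed line to exercise the flag; the Temp/no-vendor rule is my own heuristic, not something GMER or AVG report.

```python
"""Triage helper for GMER 1.0.15 text logs.

Added example, not part of this thread and not GMER's own code. Groups the
SSDT hooks and user-mode inline JMP hooks GMER reports by the module that
owns them, then flags inline hooks that land in a module with no vendor
string or in a Temp directory. It is a reading aid, not a verdict.
"""
import re
from collections import defaultdict

# GMER line: SSDT <module> (<description>/<vendor> ) <ZwFunction> [<address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^/]*)/(?P<vendor>[^)]*)\)\s+"
    r"(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# GMER line: .text <process>[<pid>] <dll>!<export> <addr> 5 Bytes JMP <target> <module> (<desc>/<vendor>)
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<export>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+"
    r"(?P<target_mod>.+?)\s+\((?P<desc>[^/]*)/(?P<vendor>[^)]*)\)\s*$"
)


def parse_gmer(text):
    """Return (ssdt, inline).

    ssdt:   hooking module -> sorted list of hooked Zw* functions
    inline: (process path, pid) -> list of (export, target module, vendor)
    Lines from other GMER sections (devices, registry, ...) are ignored.
    """
    ssdt = defaultdict(set)
    inline = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt[m["module"]].add(m["func"])
            continue
        m = INLINE_RE.match(line)
        if m:
            key = (m["proc"], int(m["pid"]))
            inline[key].append((m["export"], m["target_mod"], m["vendor"].strip()))
    return {mod: sorted(funcs) for mod, funcs in ssdt.items()}, dict(inline)


def suspicious_inline_hooks(inline):
    """Flag hooks whose target module carries no vendor string or sits under
    a Temp directory (my heuristic). A detour from a USER32 export into a
    vendor-labelled DLL of the same product (IE into IEFRAME.dll, as in the
    log above) is the browser's own instrumentation and is not flagged."""
    flagged = []
    for (proc, pid), hooks in inline.items():
        for export, target_mod, vendor in hooks:
            if not vendor or "\\temp\\" in target_mod.lower():
                flagged.append((proc, pid, export, target_mod))
    return flagged


# Sample input: the first seven lines are copied from sato_'s GMER log; the
# last one is CONSTRUCTED for this example (not from the log) to show a hook
# into an unlabelled module in a Temp directory tripping the heuristic.
SAMPLE_LOG = r"""
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwClose [0xB7F8DC58]
SSDT Vax347b.sys (Plug and Play BIOS Extension/ ) ZwCreateKey [0xB7F8DC10]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB83C1738]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB83C17DC]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6FB0360, 0x33BA3D, 0xE8000020]
.text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 77D047AB 5 Bytes JMP 40B754BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] ole32.dll!CoCreateInstance 7698F1AC 5 Bytes JMP 40C4DBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxW 77D0AAAA 5 Bytes JMP 00401000 C:\DOCUME~1\Ben\LOCALS~1\Temp\example_unsigned.dll (/ )
"""


def main():
    ssdt, inline = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks by module:")
    for mod, funcs in ssdt.items():
        print(f"  {mod}: {', '.join(funcs)}")
    print("Inline hooks by process:")
    for (proc, pid), hooks in inline.items():
        print(f"  {proc}[{pid}]: {len(hooks)} hook(s)")
    for proc, pid, export, target_mod in suspicious_inline_hooks(inline):
        print(f"  CHECK {proc}[{pid}] {export} -> {target_mod}")


if __name__ == "__main__":
    main()
```

Run it against a full GMER log by replacing SAMPLE_LOG with the file contents; the Registry, Devices and Disk sections are skipped, so only the hook sections influence the output.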



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 June 2011 - 05:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 05 June 2011 - 07:22 AM

hiya mole, thank you very much i appreciate your assistance.

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 05 June 2011 - 11:39 AM

Can you run a couple of the .exe files which are being flagged as malware through Jotti. Then we can eliminate them.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Go to Jotti

When the jotti page has finished loading, click the Browse button and navigate to the file and click Submit.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at VirusTotal

#5 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 05 June 2011 - 11:40 PM

there was only ever one exe file infected (or that AVG has ever detected) and that file was removed immediately upon detection.

my concern now is how that exe file (which was definitely clean up until very recently) came to be infected in the first place, and fixing whatever is causing an active-x control to run whenever a local html is opened, even though those html files definitely contain no active-x controls or scripts of any kind.

what appears to have happened is that something got thru AVG, infected a random .exe file and iexplore.exe. the file which was infected has been deleted, and AVG has cleaned the offender (blackhole) out of iexplore.exe, but i'm none the wiser as to what infected those 2 files, if the culprit is still around, or how to stop iexplore from trying to run an active-x when i open a local html file.

Edited by sato_, 06 June 2011 - 12:09 AM.


#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 06 June 2011 - 02:42 PM

Blackhole is a backdoor so it's a sneaky piece of malware but it doesn't infect files so there may also be a rootkit involved here.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 06 June 2011 - 07:37 PM

that was my feeling too. one of the first things i ran was the AVG rootkit scan and it only turned up one file: vax-something.sys, which checked out ok.
anyway i downloaded and renamed combofix as you instructed, and disabled firewall and avg as in the link you gave, but combofix is telling me i have to completely uninstall AVG before it can run. would you mind just confirming that temporarily disabling AVG isn't enough before i proceed?

#8 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 07 June 2011 - 02:14 PM

Yes, I'm afraid AVG has to be completely uninstalled. Disabling it is not enough.

#9 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 09 June 2011 - 03:05 AM

sorry about the delay, had a couple things i wanted to finish up before meddling too much with my system.
i completely uninstalled avg including all settings etc, disabled my firewall and ran combofix.
after it was complete, i tried opening a local html and no active-x warning! great! so i re-enabled my firewall, downloaded a fresh copy of avg free and installed it again, and now the active-x warnings on local html files are back... not great... but at least it's a bit of a hint i guess. my own conclusion would be that IE is fine, and that something managed to damage avg or one of its processes that must be left behind when the product is uninstalled. what do you think?
i don't see anything of consequence on the combofix log (jword and IME are all language related), but i've attached it for good measure.

Attached Files



#10 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 09 June 2011 - 05:01 PM

It looks like AVG might be flagging something as a warning that may not be a threat. Combofix shows nothing and the best thing to do would be to uninstall AVG again (it's not the best free option anymore) and try Avast or Antivir. See if the new antivirus finds anything on your system.

#11 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 13 June 2011 - 06:54 PM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#12 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 13 June 2011 - 08:46 PM

> It looks like AVG might be flagging something as a warning that may not be a threat. Combofix shows nothing and the best thing to do would be to uninstall AVG again (it's not the best free option anymore) and try Avast or Antivir. See if the new antivirus finds anything on your system.


sorry for the delay. it's not AVG flagging something, it's an active-x warning: "your current security settings do not allow for active-x scripts to run, if you'd like to enable this...", the message is from internet explorer, nothing at all comes up in AVG. it could be that AVG is trying to run an active-x control when i open a local html file, but it never used to so i think it's more likely that the presence of AVG (or possibly any antivirus software) is prompting some kind of malicious software to try to run an active-x control. any ideas?

i used to use avast but found it often didn't completely clear an infection, so malware kept re-establishing itself. i'll check out antivir.

btw not related to my system but relevant, there sure are a lot of people who are having the google redirect problem. i had the same a few years ago and found a 4th level to the infection. after getting rid of the browser hijack, the randomly-named files trying to hide in temp directories that were doing the hijacking, plus the registry "run" settings that were re-installing the randomly-named files, the thing still kept coming back, which i only discovered by accident. there was another invisible registry setting! while deleting malware "run" settings i found that i could click on an invisible line of text below all the usual visible lines, and delete the key. also after running a defrag shortly later, another randomly-named exe file showed up as being unable to defrag. i did a search for the file including hidden and system files but it didn't exist. even rebooting in command-prompt the file didn't show up, attempting to delete the file just got me 'file not found', yet it kept showing as unable to defrag. the only way i was finally able to get rid of it was to boot with cd, and use recovery console to delete it.
wouldn't have thought a super-super hidden file could exist like that if i hadn't seen it myself!

#13 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 14 June 2011 - 04:58 PM

Microsoft suggest this can be solved and this wouldn't look to be a malware issue. Take a look here and report back.

#14 sato_

  • Topic Starter
  • Members
  • 14 posts

Posted 14 June 2011 - 06:42 PM

thanks for the link but what's happening on my computer is exactly the opposite of this problem.

i'll try to explain as simply as possible... i've tested it by creating the simplest possible web page in notepad:

<html>
<body>
test
</body>
</html>

and saved it to my desktop. i open this file with internet explorer and an active-x control tries to run. obviously it's not the html file causing it to run, so it must be something else.

this error only comes up on local html files, never when i just do normal browsing, and didn't exist until the day i made my first post.

#15 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 14 June 2011 - 06:47 PM

Let's take a look at the ActiveX entries.

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.




