
Warning: Two New Link Redirect Processes Not In Database

4 replies to this topic

#1 luizgot (Members, 34 posts)

Posted 30 May 2011 - 03:08 PM

The names of the two processes are:

msdtctm32.exe
nvwrssl32.exe (that's a lower-case "L" before 3)

I know they are malware, because I didn't have them in the Task Manager before yesterday, and since yesterday I am sometimes redirected to a link - researchex - when I click on search results in Google. When I try to terminate them from Task Manager, they immediately reappear.

Besides, I have Malwarebytes Anti-Malware Protection module running, and I can see it sometimes popping up with "Successfully blocked access to a potentially malicious website: 91.217.153.48". The IP address is not always the same. Here are three of them from the Malwarebytes log:

193.169.234.242
89.187.53.210
193.169.234.244
67.29.139.153
64.111.196.121

Since I do not see an option to attach the log here, I'll quote the full log:

12:13:57 Admin IP-BLOCK 195.242.152.51 (Type: incoming)
12:14:02 Admin MESSAGE IP Protection stopped
12:14:30 Admin MESSAGE Database updated successfully
12:14:40 Admin MESSAGE IP Protection started successfully
12:17:50 Admin MESSAGE Protection started successfully
12:18:02 Admin MESSAGE IP Protection started successfully
13:32:53 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:32:56 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:33:02 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:33:04 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:33:07 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:33:13 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:53:00 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:53:03 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:53:09 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:54:05 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:54:08 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:54:14 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
15:06:47 Admin MESSAGE Protection started successfully
15:06:57 Admin MESSAGE IP Protection started successfully
15:07:18 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:21 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:26 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:29 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:35 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:38 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:44 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:56 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:59 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:05 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:17 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:20 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:26 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:38 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:38 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:08:41 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:41 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:08:47 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:47 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:42:25 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:42:28 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:42:34 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:42:41 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:42:44 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:42:50 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:02 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:05 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:11 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:23 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:26 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:32 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:43:44 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:43:47 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:43:53 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:50:55 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:50:58 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:04 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:12 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:14 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:21 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:32 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:36 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:42 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:54 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:51:57 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:52:02 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:52:15 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:52:18 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:52:23 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:55:44 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:55:47 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:55:50 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:55:56 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:08 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:11 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:17 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:29 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:32 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:38 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:56:50 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:56:53 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:56:59 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:57:50 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:57:52 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:57:55 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:01 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:13 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:16 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:21 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:34 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:36 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:42 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:58:54 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:58:57 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:59:04 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)


I ran the Malwarebytes full and flash scans to no avail. It gave me about 20 or so malicious things to remove, which I did, but the problem is still there. I also tried ComboFix, several times, even from Safe Mode, to no avail.

Where do I go from here?

P.S. As I was writing, I just saw a new process pop up in the Task Manager - avicap3232.exe - that wasn't there before. I can't terminate it either as it reappears, so now there's 3 different malicious processes that I cannot terminate.

Edited by Budapest, 30 May 2011 - 05:26 PM.
Moved from Windows Startup Programs Database ~Budapest
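The log quoted in the post above is a good candidate for a small triage script, because the blocked addresses are not random: each one is retried every few seconds, and when a new address appears it does so within seconds of the previous one going quiet. The following is an added example (not code from the original post, and not part of Malwarebytes): it parses the IP Protection log line format shown above, summarises blocked outgoing destinations, and flags those two patterns. The lines embedded in SAMPLE_LOG are a subset copied from the post; the 30-second burst gap, the 15-second beacon threshold, the 3-hit minimum and all function names are assumptions made for the example.

```python
"""Triage a Malwarebytes 'IP Protection' log. Added example; not code from the post."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from itertools import combinations

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \S+ (IP-BLOCK|MESSAGE) (.*)$")
BLOCK_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) \(Type: (incoming|outgoing)\)$")

# Subset of the log lines quoted in the post above (one day, so HH:MM:SS suffices).
SAMPLE_LOG = """\
12:13:57 Admin IP-BLOCK 195.242.152.51 (Type: incoming)
13:32:53 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:32:56 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:33:02 Admin IP-BLOCK 67.29.139.153 (Type: outgoing)
13:33:04 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:33:07 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:33:13 Admin IP-BLOCK 64.111.196.121 (Type: outgoing)
13:53:00 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:53:03 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:53:09 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:54:05 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
13:54:08 Admin IP-BLOCK 193.169.234.242 (Type: outgoing)
15:07:18 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:21 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:26 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:35 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:44 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:07:59 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:05 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:20 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:26 Admin IP-BLOCK 91.217.153.48 (Type: outgoing)
15:08:38 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:38 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:08:41 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:41 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
15:08:47 Admin IP-BLOCK 193.169.234.244 (Type: outgoing)
15:08:47 Admin IP-BLOCK 89.187.53.210 (Type: outgoing)
"""

def parse_blocks(text):
    """[(time, ip, direction)] for every IP-BLOCK line, time-sorted; MESSAGE lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        b = BLOCK_RE.match(m.group(3)) if m and m.group(2) == "IP-BLOCK" else None
        if b:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), b.group(1), b.group(2)))
    return sorted(events, key=lambda e: e[0])  # stable sort: equal stamps keep file order

def summarize_outgoing(events, gap=30):
    """Per destination: hit count, bursts separated by > gap seconds, median retry interval."""
    times = defaultdict(list)
    for t, ip, direction in events:
        if direction == "outgoing":
            times[ip].append(t)
    summary = {}
    for ip, ts in times.items():
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        within = [d for d in deltas if d <= gap]
        summary[ip] = {"hits": len(ts), "bursts": 1 + len(deltas) - len(within),
                       "median_interval": statistics.median(within) if within else None}
    return summary

def beacons(summary, min_hits=3, max_interval=15):
    """Destinations retried quickly and repeatedly: something on the host is hammering them."""
    return sorted(ip for ip, s in summary.items() if s["hits"] >= min_hits
                  and s["median_interval"] is not None and s["median_interval"] <= max_interval)

def failover_chains(events, gap=30):
    """(a, b): b first contacted within gap seconds of the last block on a different IP a."""
    out = [e for e in events if e[2] == "outgoing"]
    chains, seen = [], set()
    for i, (t, ip, _) in enumerate(out):
        if ip in seen:
            continue
        seen.add(ip)
        for pt, pip, _ in reversed(out[:i]):       # last event strictly before t, other IP
            if pip != ip and pt < t:
                if (t - pt).total_seconds() <= gap:
                    chains.append((pip, ip))
                break
    return chains

def lockstep_pairs(events, min_shared=2):
    """IP pairs blocked at identical seconds repeatedly: one attempt fans out to both."""
    stamps = defaultdict(set)
    for t, ip, direction in events:
        if direction == "outgoing":
            stamps[ip].add(t)
    return {(a, b): len(stamps[a] & stamps[b]) for a, b in combinations(sorted(stamps), 2)
            if len(stamps[a] & stamps[b]) >= min_shared}

if __name__ == "__main__":
    ev = parse_blocks(SAMPLE_LOG)
    print(summarize_outgoing(ev), beacons(summarize_outgoing(ev)),
          failover_chains(ev), lockstep_pairs(ev), sep="\n")
```

On the lines above this reports every outgoing destination as a beacon, a chain 67.29.139.153 to 64.111.196.121 and 91.217.153.48 to both 193.169.234.244 and 89.187.53.210 (a client walking a built-in server list), and the last two being contacted in the same second every time. The caveat is that this log names addresses, never the process behind them, so it tells you the host is infected but not what to delete; attribution still needs a process-level view, which is why the Autoruns pass described later in the thread is what actually resolved it.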



#2 april73betsy (Members, 1 post)

Posted 30 May 2011 - 04:41 PM

I was having the same problem, but the processes were something different. Windows malware removal tool found Conficker B; I think it fixed it.

#3 luizgot (Topic Starter, Members, 34 posts)

Posted 30 May 2011 - 07:13 PM

Thanks Betsy, but it didn't solve the problem.

#4 luizgot (Topic Starter, Members, 34 posts)

Posted 30 May 2011 - 10:48 PM

Problem solved.

After many attempts with Malwarebytes, the Trojan "Tracur" kept reappearing after each quarantine and deletion.

I decided to look at the Autoruns again. I saw an author "Dmitry Streblechenko", with the processes being the same as I saw in Task Manager. I just deleted them. Then I exited and ran Autoruns again. Saw another process with Dmitry as the author. Deleted it. Exit, run again. Found no more Dmitries. Restarted and voila, problem is gone.

Big Thanks to Autoruns Authors!

#5 Grinler (Lawrence Abrams, Admin, 43,614 posts, USA)

Posted 31 May 2011 - 09:07 AM

Thanks for providing the info! Would you happen to have samples of these files still available? If so please submit them to http://www.bleepingcomptuer.com/submit-malware.php?channel=3
