
Avg detecting firefox as trojan


  • This topic is locked
16 replies to this topic

#1 xxdeusxx

  • Members
  • 51 posts

Posted 03 November 2011 - 10:41 PM

Pasting in contextual information from other topic. ~ OB

Windows 7 64bit

So recently I've been getting redirected to search websites quite often. Today when I got home from work there was an AVG threat detection warning saying something about adobe having a virus. I can't remember what it said exactly and I quarantined it. After that I got an adobe error message. Not thinking much of it I tried to open Firefox. Where I get this AVG warning. (I'm using AVG 9.0.917 Free Edition)

File
c:\ProgramData\DirectxManagerpolicy.dll

Infection
Trojan Horse Generic25.AJDE

Result
Infected

Process Name: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Also, I tried to play Fallout New Vegas today and it kept minimizing the game every couple of minutes or so.

EDIT: While running Spybot Search & Destroy AVG detected another threat

File
c:\Windows\SysWOW64\srrstr.dll

Infection
Trojan horse Generic25.AJDE

Result
Infected

Process name
C:\Program Files (x86)\Spybot - Search & Destroy\SpybotSD.exe

Also, while running this an error message appeared.

RunDLL
There was a problem starting
C:\Users\DEUS\Appdata\Local\AMD\AMDUpdate\AMDupdt32.dll

Access is denied.

End of added information. ~ OB

The original Thread: http://www.bleepingcomputer.com/forums/topic424590.html

Attached Files

  • Attached File  DDS.txt   17.08KB   8 downloads

Edited by Orange Blossom, 04 November 2011 - 03:01 AM.
Revealed link. ~ OB



#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,696 posts
  • Gender:Male

Posted 08 November 2011 - 10:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/426233 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 November 2011 - 10:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Go to: http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=
Download the program HostsXpert to restore the default hosts file back onto your machine.
Unzip the program and execute it.
Select
"Restore MS Hosts File".
Close the application.
=*=

Please post the Malwarebytes log and include a fresh DDS log as well.

#4 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 10 November 2011 - 11:29 AM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8132

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/10/2011 10:23:30 AM
mbam-log-2011-11-10 (10-23-30).txt

Scan type: Quick scan
Objects scanned: 187140
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirectxManagerPolicy (Trojan.SHarpro.PGen) -> Value: DirectxManagerPolicy -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
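The Malwarebytes log above is the kind of artifact a responder ends up reading by hand. The following is an added example (not code from the thread, Malwarebytes or BleepingComputer) of a small parser for this log layout: it reads the header fields, the per-category counts and each detected item, cross-checks the counts against the items actually listed, and separates out the autostart (Run key) entry, which is the persistence mechanism here. The sample input is the log posted above, reproduced verbatim; the line format (`path (ThreatName) -> detail -> action`, `Bad: (...) Good: (...)` for repaired data items) is inferred from that log and assumed to hold for other logs of the same version.

```python
import re

# Sample input: the quick-scan log posted in this thread, reproduced verbatim.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8132

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

11/10/2011 10:23:30 AM
mbam-log-2011-11-10 (10-23-30).txt

Scan type: Quick scan
Objects scanned: 187140
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DirectxManagerPolicy (Trojan.SHarpro.PGen) -> Value: DirectxManagerPolicy -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

# Line shapes assumed from the log above (not an official format specification).
COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<detail>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Parse an MBAM 1.x log into header fields, per-section counts and findings."""
    report = {"header": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:  # summary block: "<Section> Infected: <n>"
            report["counts"][m.group("section")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:  # detail block header: "<Section> Infected:"
            section = m.group("section")
            continue
        if section is None:  # still in the header: keep "Key: value" lines
            if ": " in line:
                key, value = line.split(": ", 1)
                report["header"][key] = value
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue  # unrecognised detail line: skipped rather than guessed at
        parts = [p.strip() for p in m.group("detail").split(" -> ")]
        finding = {
            "section": section,
            "path": m.group("path"),
            "threat": m.group("threat"),
            "action": parts[-1].rstrip("."),  # last arrow segment is what MBAM did
            "extra": parts[:-1],              # e.g. "Value: <name>" for registry values
        }
        bg = BADGOOD_RE.search(m.group("detail"))
        if bg:  # repaired data item: record the hijacked and restored values
            finding["bad"], finding["good"] = bg.group("bad"), bg.group("good")
        report["findings"].append(finding)
    return report


def verify_counts(report):
    """Return (section, declared, listed) for any section whose count and items disagree."""
    mismatches = []
    for section, declared in report["counts"].items():
        listed = sum(1 for f in report["findings"] if f["section"] == section)
        if listed != declared:
            mismatches.append((section, declared, listed))
    return mismatches


def persistence_findings(report):
    """Findings that sit under a CurrentVersion\\Run autostart key."""
    return [f for f in report["findings"] if "\\CurrentVersion\\Run\\" in f["path"]]


if __name__ == "__main__":
    rep = parse_mbam_log(MBAM_LOG)
    print("database", rep["header"]["Database version"], "count mismatches:", verify_counts(rep))
    for f in rep["findings"]:
        print(f["section"], "|", f["threat"], "|", f["path"], "|", f["action"])
    for f in persistence_findings(report=rep):
        print("autostart entry:", f["path"], "->", f["extra"])
```

The `regfile\shell\open\command` repair is worth keeping visible in a report: with the quoted value `"regedit.exe" "%1"` in place, double-clicking a `.reg` file still works, so the change is easy to miss without a tool flagging it, and it is one of the few items in this log that points at deliberate tampering with shell handling rather than a dropped file.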

#5 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 November 2011 - 02:15 PM

Can you please post a DDS log and let me know what problem persists.

#6 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 10 November 2011 - 03:48 PM

Got home from work and another alert had popped up.

File name: c:\Windows\SysWOW64\srrstr.dll

Threat name: Trojan horse Generic25.AJDE
Detected on open.

Process name: C:\Program Files(x86)\Malwarebytes' Anti-Malware\mbamservice.exe

Process ID: 864

Attached Files

  • Attached File  DDS.txt   18.67KB   1 downloads

Edited by xxdeusxx, 10 November 2011 - 08:37 PM.


#7 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 November 2011 - 08:34 AM

We should be able to identify the culprit and remove it with this tool.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

#8 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 13 November 2011 - 06:51 PM

Sorry I took so long to post the log.

Attached Files

  • Attached File  Log.txt   19.31KB   3 downloads


#9 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 November 2011 - 09:23 AM

The file name: c:\Windows\SysWOW64\srrstr.dll was not identified with ComboFix.
I checked further to find out that this file is normally associated with the System Restore.

Is it damaged?

Let's find out.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:


    :file
    c:\Windows\SysWOW64\srrstr.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#10 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 14 November 2011 - 01:55 PM

Here you go.

Attached Files



#11 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 November 2011 - 09:47 AM

The file looks good but I'm unable to find a similar file with the MD5: 670830D7FDACE447939013EB072965A6
Also it was created on 20/10/2011 which is strange.

c:\Windows\SysWOW64\srrstr.dll - File found and opened
MD5: 670830D7FDACE447939013EB072965A6
Created at 22:44 on 20/10/2011
Modified at 22:43 on 20/10/2011
Size: 90112 bytes
Attributes: --a----
FileDescription: Microsoft Connection Manager Utility Lib
FileVersion: 7.02.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 7.02.7600.16385
OriginalFilename: CMUTIL.DLL
InternalName: CMUTIL
ProductName: Microsoft® Connection Manager
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.


Let's see if you have other copies on your computer.

Run the SystemLook tool and paste the following in the main text field and run it.

:filefind
srrstr.dll


Please post the results.

p.s. Have you had other instances of this: Threat name: Trojan horse Generic25.AJDE recently?
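The SystemLook output in this post already contains the three things that make the file suspicious: a hash the helper cannot match to anything, a creation time that is later than the last-modified time (a copied or planted file keeps the source's modification time but gets a fresh creation time), and a version resource whose OriginalFilename (CMUTIL.DLL) does not match the name the file carries on disk (srrstr.dll). The following is an added example, not code from the thread or from the SystemLook tool, that parses a `:file` block of this shape and applies those three checks automatically. The sample input is the output quoted above, reproduced verbatim; the `known_hashes` reference set is a placeholder parameter that in practice would be fed from a hash set such as NSRL or a known-clean system of the same build.

```python
import re
from datetime import datetime

# Sample input: the SystemLook ":file" output posted in this thread, reproduced verbatim.
SYSTEMLOOK_OUTPUT = r"""c:\Windows\SysWOW64\srrstr.dll - File found and opened
MD5: 670830D7FDACE447939013EB072965A6
Created at 22:44 on 20/10/2011
Modified at 22:43 on 20/10/2011
Size: 90112 bytes
Attributes: --a----
FileDescription: Microsoft Connection Manager Utility Lib
FileVersion: 7.02.7600.16385 (win7_rtm.090713-1255)
ProductVersion: 7.02.7600.16385
OriginalFilename: CMUTIL.DLL
InternalName: CMUTIL
ProductName: Microsoft® Connection Manager
CompanyName: Microsoft Corporation
LegalCopyright: Microsoft Corporation. All rights reserved.
"""

# Timestamp line shape assumed from the output above; the date is day/month/year.
TIME_RE = re.compile(r"^(Created|Modified) at (\d{2}:\d{2}) on (\d{2}/\d{2}/\d{4})$")


def parse_systemlook_file(text):
    """Turn one ':file' result block into a dict of path, timestamps and version fields."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " - File found and opened" in line:
            info["path"] = line.split(" - ", 1)[0]
            continue
        m = TIME_RE.match(line)
        if m:
            info[m.group(1).lower()] = datetime.strptime(
                f"{m.group(2)} {m.group(3)}", "%H:%M %d/%m/%Y")
            continue
        if ": " in line:  # version-resource and attribute fields: "Key: value"
            key, value = line.split(": ", 1)
            info[key] = value
    if "Size" in info:
        info["size"] = int(info["Size"].split()[0])
    return info


def triage(info, known_hashes=frozenset()):
    """Return a list of human-readable indicators; an empty list means nothing flagged.

    known_hashes is a placeholder for a reference set of MD5s of clean files
    (e.g. NSRL or a clean machine of the same Windows build); empty by default.
    """
    indicators = []
    on_disk = info["path"].rsplit("\\", 1)[-1].lower()
    original = info.get("OriginalFilename", "").lower()
    # 1. The version resource names a different binary than the one on disk.
    if original and original != on_disk:
        indicators.append(
            f"name mismatch: on disk '{on_disk}', version resource says '{original}'")
    # 2. Created after last modified: copied into place rather than written there.
    #    Installers produce this too, so it is an indicator to weigh, not a verdict.
    if "created" in info and "modified" in info and info["created"] > info["modified"]:
        indicators.append(
            "created after last modified: file was copied/planted rather than written in place")
    # 3. The hash is unknown to the reference set, as the helper found by hand above.
    md5 = info.get("MD5", "").lower()
    if md5 and md5 not in {h.lower() for h in known_hashes}:
        indicators.append(f"MD5 {md5} not in the reference hash set")
    return indicators


if __name__ == "__main__":
    details = parse_systemlook_file(SYSTEMLOOK_OUTPUT)
    print(details["path"], details["size"], "bytes")
    for line in triage(details):
        print(" -", line)
```

None of the three checks proves the file is malicious on its own, which is why the thread's next step is to search for other copies of srrstr.dll: a genuine srrstr.dll elsewhere on the system, with a matching Microsoft OriginalFilename and a known hash, is what turns these indicators into a decision.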

#12 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 17 November 2011 - 05:30 PM

I only started noticing it right before I posted my original thread.

Attached Files



#13 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 November 2011 - 08:05 AM

Will remove the file in the SysWow64 folder.


Open notepad and copy/paste the text in the quote box below into it:

File::
C:\windows\SysWow64\srrstr.dll



Save this as CFScript on your desktop.

[Image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#14 xxdeusxx
  • Topic Starter

  • Members
  • 51 posts

Posted 21 November 2011 - 04:20 PM

No problems yet.

Attached Files

  • Attached File  log.txt   50.78KB   1 downloads


#15 nasdaq

  • Malware Response Team
  • 39,506 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 November 2011 - 08:55 AM

If all is well.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===



