
View full version : "Outgoing mail" that I'm not sending



Fast Panda
28.05.2008, 08:47
I'm not sure how this started - infected wireless network? - but the only indicator of a problem is my (nearly useless) PC-Cilin protection software notifying me that it is "scanning outgoing mail" without me actually sending anything. This has happened irregularly for a few months now. Repeated attempts to search/quarantine/fix the problem indicate that, first, it's a rootkit issue, and second, it's a royal bugger to kill off. Every scan with a new product seems to come up with a new virus, Trojan, or something.

It's not hugely affecting my normal activities - yet - but it makes me wonder how much the guilty parties are able to read my typing or otherwise see everything I'm doing.

Attached as requested are the two AVZ files and the HijackThis log. The cnvfatr.dll activity seems to be significant, as well as another .dll control that has a single letter appended to the normal name.

Please advise if there's any other pertinent info for me to pass along, and thank you very much in advance for your gracious help.

Rene-gad
28.05.2008, 10:25
Switch your Antivirus and Firewall OFF!!!
Switch the System Recovery off
Run Hijackthis and Fix

O2 - BHO: (no name) - {164DBEE2-7074-4C63-B6AF-066852EDFB95} - c:\windows\system32\cnvfatr.dll
O2 - BHO: (no name) - {2A722E69-CFE6-495F-8CE1-719F8F9383D1} - C:\WINDOWS\system32\dpnhpastw.dll
O20 - Winlogon Notify: yznfncmh - C:\WINDOWS\SYSTEM32\cnvfatr.dll
Run the script

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
// stop the rootkit driver's service before touching its files
DeleteService('ouwwfedk');
// copy suspect files to quarantine so they can be uploaded for analysis
QuarantineFile('C:\WINDOWS\System32\bcmwlpkt.dll','');
QuarantineFile('C:\WINDOWS\System32\bcm1xsup.dll','');
QuarantineFile('C:\WINDOWS\system32\dpnhpastw.dll','');
QuarantineFile('c:\windows\system32\cnvfatr.dll','');
QuarantineFile('C:\WINDOWS\system32\Drivers\ouwwfedk.sys','');
// unregister the two BHOs from the HijackThis O2 lines
DelBHO('{2A722E69-CFE6-495F-8CE1-719F8F9383D1}');
DelBHO('{164DBEE2-7074-4C63-B6AF-066852EDFB95}');
// delete the malicious files (performed via BootCleaner on reboot)
DeleteFile('C:\WINDOWS\system32\drivers\ouwwfedk.sys');
DeleteFile('C:\WINDOWS\system32\dpnhpastw.dll');
DeleteFile('c:\windows\system32\cnvfatr.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(7);
RebootWindows(true);
end.
After reboot, upload the quarantine file following the red link at the top of the page and make/attach 3 new logfiles.
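As an added example (not code from this thread or from the AVZ/HijackThis projects), a small Python parser for the O2 and O20 lines quoted above: it pulls out the CLSID and DLL path and then flags what a helper looks for when reading such a log: unnamed BHOs, one DLL registered in more than one persistence point (cnvfatr.dll here), and stale "(file missing)" entries left behind once the file is gone. The registry locations and the "(file missing)" marker are standard HijackThis conventions; the triage rules and the sample log are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
# O2 lines are read from HKLM\...\Explorer\Browser Helper Objects and O20 lines from
# HKLM\...\Windows NT\CurrentVersion\Winlogon\Notify; "(file missing)" means the DLL is gone.
MISSING = r"(?:\s*[\(\[]file missing[\)\]])?\s*$"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)" + MISSING)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)" + MISSING)

@dataclass
class Entry:
    kind: str                   # "O2" or "O20"
    name: str                   # BHO display name or Winlogon Notify subkey
    path: str                   # DLL path as logged
    clsid: Optional[str] = None
    file_missing: bool = False
    @property
    def dll(self) -> str:       # lower-cased file name, used to match across entries
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_hijackthis(log: str) -> List[Entry]:
    """Extract O2 (BHO) and O20 (Winlogon Notify) entries from a HijackThis log."""
    entries: List[Entry] = []
    for line in log.splitlines():
        line = line.strip()
        missing = "file missing" in line.lower()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"], missing))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", m["name"], m["path"], None, missing))
    return entries

def findings(entries: List[Entry]) -> Dict[str, List[str]]:
    """Heuristic triage (assumed rules for this example, not HijackThis's own verdicts)."""
    by_dll: Dict[str, List[Entry]] = {}
    for e in entries:
        by_dll.setdefault(e.dll, []).append(e)
    return {
        "unnamed_bho": [e.dll for e in entries if e.kind == "O2" and e.name == "(no name)"],
        "multi_persistence": [d for d, es in by_dll.items() if len({e.kind for e in es}) > 1],
        "dead_entries": [f"{e.kind}:{e.dll}" for e in entries if e.file_missing],
    }

# Constructed sample: the three lines quoted in the thread plus one stale post-cleanup entry.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {164DBEE2-7074-4C63-B6AF-066852EDFB95} - c:\windows\system32\cnvfatr.dll
O2 - BHO: (no name) - {2A722E69-CFE6-495F-8CE1-719F8F9383D1} - C:\WINDOWS\system32\dpnhpastw.dll
O20 - Winlogon Notify: yznfncmh - C:\WINDOWS\SYSTEM32\cnvfatr.dll
O2 - BHO: (no name) - {2A722E69-CFE6-495F-8CE1-719F8F9383D1} - C:\WINDOWS\system32\dpnhpastw.dll (file missing)
"""
```

Call `findings(parse_hijackthis(SAMPLE_LOG))` to see cnvfatr.dll reported under both a BHO and a Winlogon Notify entry, which is the same pairing Rene-gad picked out of the log above.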

RiC
28.05.2008, 20:46
ADD: FAQ: How to execute an AVZ script (http://virusinfo.info/showthread.php?t=9207) and How to fix items in HijackThis (http://virusinfo.info/showthread.php?t=9206) :)

Fast Panda
29.05.2008, 05:10
Okay, so I did the following:

1. Shut off the firewall, System Restore, and the aforementioned feckless PC-Cilin.

2. Opened up AVZ and loaded in the script, opened HijackThis and selected the indicated lines.

3. Closed out of everything else.

4. Ran HijackThis first and then AVZ in quick succession; system rebooted as expected.

5. Figured out how to .zip the quarantine file, if not how to encrypt it, so hopefully it will just open up. I had to do this twice, so if you see a second one it's identical and unnecessary.

6. Re-ran the AVZ and HijackThis searches as indicated. The first AVZ scan found something it identified as "Rootkit.Win32.Podnuha.ay", which makes me edgy. Didn't see anything worrisome on the other two, but didn't look too closely.

7. Attached the appropriate log files.

So how are we doing, guys?

AndreyKa
29.05.2008, 07:46
So we have
C:\WINDOWS\system32\dpnhpastw.dll - damaged (it was Rootkit.Win32.Podnuha.cb)
C:\WINDOWS\System32\bcmwlpkt.dll,
C:\WINDOWS\System32\bcm1xsup.dll - clean
C:\WINDOWS\system32\Drivers\ouwwfedk.sys - VirTool:WinNT/Boaxxe.E (detected by Microsoft antivirus)
c:\windows\system32\cnvfatr.dll - Trojan.Win32.Obfuscated.avw (a new threat)

Run Hijackthis and Fix

O2 - BHO: (no name) - {164DBEE2-7074-4C63-B6AF-066852EDFB95} - c:\windows\system32\cnvfatr.dll
O20 - Winlogon Notify: yznfncmh - C:\WINDOWS\SYSTEM32\cnvfatr.dll

After re-boot make and attach a new Hijackthis logfile.
Has the unnecessary outgoing mail disappeared?

Rene-gad
29.05.2008, 10:17
Quote: "aforementioned feckless PC-Cilin"
You shouldn't shift the responsibility onto any security software. It's only a program meant to recognize other programs as malicious, and any malicious program tries to dupe a security program... The responsibility lies in each case with the person using the system :)

Fast Panda
30.05.2008, 03:33
Okay, so I tagged those two on HijackThis (which each had [file missing] at the end of the string - definitely a Good Sign!), rebooted, and rescanned. See attached file.

No "scanned outgoing mail" yet since last night's procedures; it's looking hopeful, but occasionally the messages would skip a day. I'm still sort of holding my breath. And dear God, what's up with the shopping list of infections?

Rene: Yeah, I know; I'm not blaming my antivirus software as much as I am the amoral sadistic cretins who came up with these ingenious violations of my privacy. I'm just disappointed that what was once a top-rated product didn't do what I thought it was supposed to do.

Speaking of which, am I supposed to turn the antivirus and my firewall back on yet?

Thanks too much again, guys. Will keep you posted.

AndreyKa
30.05.2008, 11:51
The log is clean. The viruses have been removed.
You have to turn the antivirus, System Restore and firewall on.

Fast Panda
04.06.2008, 04:50
Hi, folks:

A quick two-part follow-up: First, the offending behavior has now stopped, and I'm starting to feel safe about doing normal semi-secure things again. Thank you tremendously for your enlightened guidance.

Second, sort of a leftover concern from the exorcism process: Should I delete the quarantine file folder that AVZ generated? Is there any other housecleaning I should perform to really scrub everything out thoroughly?

Thanks much again; will be around.

drongo
04.06.2008, 20:18
You're welcome :)
Yes, you can delete the "quarantine file folder that AVZ generated". Moreover, you can send it to your antivirus company if you want to check the response time of the Trend Micro virlab ;) In my opinion it is very poor ;)
In order not to get into such trouble in the future, you should use a limited user account in Windows, and for a browser I suggest Firefox+NoScript.
Good luck ;)