
Thread: mshta.exe connects to this site http://azxr.net/cod/srun

  1. #11
    Beginner, registered 22.08.2010, 9 posts

    Re: mshta.exe connects to this site http://azxr.net/cod/srun

    Here are the 3 logs. I posted the RSI earlier, you didn't see it. I also wrote this:
    New Hijack log and new thing going on. I got this before once but didn't make much of it: it is a window that says Dial-up Connection, and I checked what it was and it was jushed.exe. I heard of people using Java to infect computers; might this be the case?
    Also, Gmer freezes the computer, first when it was checking devices, so I removed that, and then after over 8 hours it froze on files, and I didn't use the computer or have any programs open. So I ran it again without devices and files; I'm also posting the log.


    Also, I deleted mshta.exe and let windows create the file again, and I deleted from the registry the run command for the jushed.exe. I haven't got any of the two problems lately, but the cause of the infection must be somewhere.
    Thanks for helping me.

    -------------------------------------------------------------------
    Window popped up again
    Now there are many sites that mention azxr.net on Google; a week ago there was just one. Here is one about Java, maybe you can understand it:
    jsunpack.jeek.org

    And this one, it says it is malicious and very dangerous
    http://www.mywot.com/en/scorecard/azxr.net

    And this from AVG
    http://www.avgthreatlabs.com/siterep...omain/azxr.net

    How can I get rid of this?
    Edited by Jintan (26.08.2010 at 23:42) Reason: Neutralized malware site link.

  2. #12
    Moderator, team member, registered 25.11.2006, 5,602 posts

    Re: mshta.exe connects to this site http://azxr.net/cod/srun

    Due to the code on that jsunpack site it sets off security alerts, so I did take the liberty of neutralizing the hot link you posted. I had checked the azxr site in a secure setup, and did see it using obfuscated JavaScript code, but didn't get enough of a sample to work with. The unpacker site you linked to (it "decodes" the encrypted/obfuscated code) shows the script creating an ActiveX object, though I'm not sure it alters file code, like mshta.exe's. I'm not seeing where it changes something with the Java updater file you mentioned either, but if those changes you made did stop the problem, something in them must be tied to it.

    Checking the registry didn't locate anything, so let's look at file code.

    Go here and download Agent Ransack to your desktop, then click the downloaded file to install the program. Once installed go to Start - Programs and open Agent Ransack.

    Under the Advanced tab, type the following, exactly as shown, into the text box next to "Containing text:"

    azxr.net

    Make no other changes at this time. Then click the "Start search" button (upper right corner) and allow Agent Ransack to search. This will take quite a while to complete, depending on the number of files stored on the system, so please allow the scan to complete and not use the computer while it is running.

    When the scan is done go to File - Save Results, and click the "Save" button to save the information to your clipboard. Then open Notepad and click Paste to copy in the scan results. Save this as Life.txt.

    Then zip a copy of that file, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -hgokuh/hjt/ransack" as the email Subject.
    Live the day!

    Jintan - the brand where everything is right!
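A scripted stand-in for the "Containing text" search the post above asks for, added here as an example; it is not part of the forum post and not Agent Ransack's own code. The sample files, the chunk size and the scan root are constructed assumptions; the indicator string is the one the post names.

```python
import os
import tempfile


def first_match(path, needles, chunk=1 << 20):
    """Offset of the earliest needle in the file, or -1; reads in chunks."""
    # Carry over len(needle)-1 bytes between chunks so a match that straddles
    # a chunk boundary is not missed; base is the file offset of buf[0].
    keep = max(len(n) for n in needles) - 1
    tail, base = b"", 0
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                return -1
            buf = tail + data
            found = [i for i in (buf.find(n) for n in needles) if i != -1]
            if found:
                return base + min(found)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)


def scan_tree(root, indicator, chunk=1 << 20):
    """Map each file under root containing the indicator to its byte offset."""
    # Check ASCII and UTF-16LE, since Windows stores many strings as UTF-16.
    needles = [indicator.encode("ascii"), indicator.encode("utf-16-le")]
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                off = first_match(path, needles, chunk)
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if off != -1:
                hits[path] = off
    return hits


def demo(chunk=1 << 20):
    """Constructed sample tree: two files carry the indicator, one does not."""
    samples = {"srun.hta": b"<script>x='http://azxr.net/cod/srun'</script>",
               "prefs.dat": "http://azxr.net/".encode("utf-16-le"),
               "clean.txt": b"nothing to see here"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        hits = scan_tree(root, "azxr.net", chunk)
        return {os.path.basename(p): off for p, off in hits.items()}
```

Pointing `scan_tree` at a drive root does the same job as the GUI search and, unlike it, records the encoding-independent offset so the hit can be inspected with a hex editor.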

  3. #13
    Beginner, registered 22.08.2010, 9 posts

    Re: mshta.exe connects to this site http://azxr.net/cod/srun

    Hi again, I tried running Agent Ransack 4 times, but every time it crashed my computer; it didn't find anything before crashing. But after deleting some of the lines from the registry it didn't happen again. But now, after installing iTunes and a Firefox update and restarting the computer, I got this other malware on my computer: CheckVer104.exe. It tried to connect to a porn site, bestdailyporn or something like that.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:31:05 PM, on 9/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS.0\System32\smss.exe
    D:\WINDOWS.0\system32\winlogon.exe
    D:\WINDOWS.0\system32\services.exe
    D:\WINDOWS.0\system32\lsass.exe
    D:\WINDOWS.0\system32\nvsvc32.exe
    D:\WINDOWS.0\system32\svchost.exe
    D:\WINDOWS.0\System32\svchost.exe
    D:\WINDOWS.0\system32\svchost.exe
    D:\Program Files\Sygate\SPF\smc.exe
    D:\WINDOWS.0\system32\spoolsv.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\WINDOWS.0\eHome\ehRecvr.exe
    D:\WINDOWS.0\eHome\ehSched.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Eset\nod32krn.exe
    D:\WINDOWS.0\system32\svchost.exe
    D:\WINDOWS.0\system32\Tablet.exe
    D:\Program Files\DynDNS Updater\DynUpSvc.exe
    D:\WINDOWS.0\system32\dllhost.exe
    D:\WINDOWS.0\Explorer.EXE
    D:\WINDOWS.0\RTHDCPL.EXE
    D:\WINDOWS.0\system32\RUNDLL32.EXE
    D:\Program Files\Eset\nod32kui.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\iTunes\iTunesHelper.exe
    D:\WINDOWS.0\system32\ctfmon.exe
    D:\Program Files\DynDNS Updater\DynTray.exe
    D:\WINDOWS.0\system32\WTablet\TabUserW.exe
    D:\Program Files\MagicDisc\MagicDisc.exe
    D:\WINDOWS.0\System32\svchost.exe
    D:\Program Files\iPod\bin\iPodService.exe
    D:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
    D:\dvbdream\winlirc-0.6.5\winlirc.exe
    D:\dvbdream\gbox\Program Files\gboxplugin\GboxControl.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Java\jre6\bin\java.exe
    D:\DOCUME~1\FWALLM~1\LOCALS~1\TempImages\CheckVer104.exe
    D:\dvbdream\dvbdream.exe
    D:\Program Files\OpenVPN\bin\openvpn.exe
    D:\dvbdream\gbox\Program Files\gboxplugin\gboxx86.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=;ftp=;https=;
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4FE6-8A56-BBB695989046} - D:\Program Files\ICQ6Toolbar\ICQToolBar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [nwiz] D:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS.0\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
    O4 - Startup: MagicDisc.lnk = D:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Global Startup: DynDNS Updater Tray Icon.lnk = D:\Program Files\DynDNS Updater\DynTray.exe
    O4 - Global Startup: TabUserW.exe.lnk = D:\WINDOWS.0\system32\WTablet\TabUserW.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS.0\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS.0\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DynDNS Updater - Dynamic Network Services, Inc. - D:\Program Files\DynDNS Updater\DynUpSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1ca38a9c5510932) (gupdate1ca38a9c5510932) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS.0\system32\nvsvc32.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: SwitchBoard - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - D:\WINDOWS.0\system32\Tablet.exe

    --
    End of file - 9350 bytes
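As an added example that is not from the thread, a small triage pass over HijackThis output of the kind posted above: it flags processes and Run entries living in user-writable folders (as CheckVer104.exe does) and registrations whose file is gone. SAMPLE_LOG is constructed from lines of that log plus one made-up O4 line for the jushed.exe run key the poster deleted, and the directory list is an assumption.

```python
import re

# Directories an ordinary user can write to. A process or autorun living
# there is not proof of malware, but it is where dropped payloads usually
# land (CheckVer104.exe above runs from a LOCALS~1\TempImages folder).
USER_WRITABLE = re.compile(
    r"\\(docume~1|documents and settings|users|temp|tmp|locals~1|"
    r"local settings|application data|appdata)\\",
    re.IGNORECASE,
)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")   # lines of the "Running processes" block


def triage_hijackthis(log_text):
    """Return (reason, line) pairs for log lines that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DRIVE_PATH.match(line):
            if USER_WRITABLE.search(line):
                findings.append(("process in user-writable dir", line))
        elif line.startswith("O4 - ") and "] " in line:
            command = line.split("] ", 1)[1]       # the command after [Name]
            if USER_WRITABLE.search(command):
                findings.append(("autorun in user-writable dir", line))
        elif line.endswith("(no file)"):
            # Registered hook/BHO whose file is gone: leftover of a removal
            # or a broken install; harmless to remove, worth recording.
            findings.append(("orphaned entry, file missing", line))
    return findings


# Constructed excerpt: lines taken from the HijackThis log above, plus one
# made-up O4 entry for the jushed.exe run key the poster said they deleted.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS.0\System32\smss.exe
D:\Program Files\Eset\nod32krn.exe
D:\DOCUME~1\FWALLM~1\LOCALS~1\TempImages\CheckVer104.exe
C:\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [jushed] D:\DOCUME~1\FWALLM~1\LOCALS~1\Temp\jushed.exe
"""
```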

  4. #14
    Moderator, team member, registered 25.11.2006, 5,602 posts

    Re: mshta.exe connects to this site http://azxr.net/cod/srun

    That was a big delay in responding here, and I am not so certain this newer malware isn't from the infection we were addressing. However, there is a different problem with this request now. In checking back through the logs to refresh my memory, I now see what I usually expect in threads showing the same expensive and often cracked/hacked programs, including Nod, which shows as being run illegally on your computer, using a crack method to keep its trial period from ending.

    These security forums do not assist in situations where illegal software exists or is in use, and will stop any assistance once that is seen in these repairs. In fact, some of our teammates in different locations are employees of these hacked security softwares.

    But I will have to close this request at this time. The best I might suggest is you reformat and reinstall to remove the infection.
