Auto Spam Mailer


11 replies to this topic

#1 Bill@Whitehorse (Members, 8 posts)

Posted 13 February 2008 - 01:03 PM

Hello, and thanks in advance.

So I bought a game for the kid on eBay thinking it was a new product. When it arrived the product key code was missing so the wiseguy decides to "crack" it. Hackers are so cool don't ya know...
So he downloads this from here:
(link removed by Mod)
and runs the resulting .bat file.

Please don't do this, it's the most EVIL bit of code ever written!

Anyway, after having run Avast, Spyware Doctor, RegCure, ATF and SUPER Anti SpyWare, I'm still getting an Avast! Virus warning dialog when ever I'm connected to the network.

"Suspicious Message!
There are too many identical e-mails in appointed time


Sender: "Aimar blayone" <[email protected]>
Recipient: [email protected]
Subject: Increase the length and power of the rod in your pants today."


Avast will stack up about 20 of these and then stop.

If I unplug the network cable the problem stops, but when I plug it back in the problem begins again shortly thereafter. Otherwise the computer seems to be working normally.

Would someone please look at my HT log and share their wisdom? Where should I post the log?

Thanks, Bill

Edited by quietman7, 13 February 2008 - 02:09 PM.
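The Avast warning quoted in this post is a rate heuristic: a host that keeps emitting the same message to many recipients in a short time is behaving like a spambot. The following is an added example (not code from the thread, from Avast or from any tool named here) of that heuristic as a sliding-window detector. The log format, addresses, subject lines and the two tuning constants are all constructed for this example.

```python
"""Sliding-window detector for an outbound spam burst (added example).

Not code from the thread or from Avast; it reproduces the kind of heuristic
behind the warning "too many identical e-mails in appointed time": alert
once a host has sent more than THRESHOLD messages with the same
(sender, subject) inside WINDOW. Log format, addresses, subjects and the
two constants below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # the "appointed time" (assumed value)
THRESHOLD = 5                    # identical messages tolerated per window (assumed)

# Constructed outbound-mail log, one record per line: timestamp|sender|recipient|subject
SAMPLE_LOG = """\
2008-02-13T12:57:30|bill@home.example|dad@family.example|Re: dinner on Friday
2008-02-13T12:58:00|aimar@mail.example|victim1@example.net|Special offer
2008-02-13T12:58:04|aimar@mail.example|victim2@example.net|Special offer
2008-02-13T12:58:08|aimar@mail.example|victim3@example.net|Special offer
2008-02-13T12:58:12|aimar@mail.example|victim4@example.net|Special offer
2008-02-13T12:58:16|aimar@mail.example|victim5@example.net|Special offer
2008-02-13T12:58:20|aimar@mail.example|victim6@example.net|Special offer
2008-02-13T12:58:24|aimar@mail.example|victim7@example.net|Special offer
2008-02-13T12:59:40|bill@home.example|friend@example.org|Photos from the trip
"""


def parse_record(line):
    """Split one log record into (timestamp, sender, recipient, subject)."""
    ts, sender, recipient, subject = line.split("|", 3)
    return datetime.fromisoformat(ts), sender, recipient, subject


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (sender, subject) pair that exceeds the threshold.

    Each alert records the time of the triggering message, the pair, how many
    identical messages sit in the window and how many distinct recipients they
    went to: a spambot fans out, a legitimate mailer rarely does with one subject.
    """
    recent = defaultdict(deque)   # (sender, subject) -> deque of (ts, recipient)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, sender, recipient, subject = parse_record(line)
        key = (sender, subject)
        window_q = recent[key]
        window_q.append((ts, recipient))
        # Drop messages that have aged out of the window (records arrive in time order).
        while window_q and ts - window_q[0][0] > window:
            window_q.popleft()
        if len(window_q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "at": ts,
                "sender": sender,
                "subject": subject,
                "count": len(window_q),
                "distinct_recipients": len({r for _, r in window_q}),
            })
    return alerts


def scan_sample():
    """Run the detector over the constructed log above."""
    return detect_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in scan_sample():
        print(f"{alert['at']:%H:%M:%S} {alert['sender']} sent {alert['count']} x "
              f"'{alert['subject']}' to {alert['distinct_recipients']} recipients")
```

On the constructed log the sixth identical message from the spam sender trips the alert; the two ordinary messages from the user never accumulate because their subjects differ. The alert fires once per pair, which is why Avast "stacks up" a bounded number of dialogs rather than one per message; a real implementation would also watch the number of distinct destination hosts on TCP port 25, since a spambot talks to many mail servers directly instead of the one the user's mail client is configured for.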



#2 quietman7 (Bleepin' Janitor, Global Moderator, 32,867 posts, Virginia, USA)

Posted 13 February 2008 - 02:19 PM

...so the wiseguy decides to "crack" it...

Not only is the practice of using crack or keygen tools a security risk, it is considered illegal activity. If you use those kind of programs, be forewarned that some of the worst types of malware infections can be contracted and spread by visiting crack, keygen and pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows.

Have you tried doing your scans in "Safe Mode"?

You need to start there first. If rescanning in Safe Mode does not help, then do this:

Perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

Download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "Safe Mode".
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 13 February 2008 - 03:25 PM

Thank You, I'll try what you suggest.

#4 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 13 February 2008 - 10:28 PM

Quietman,
Thanks a million, what you guys do is a real public service. Thanks for being there.
I followed your instructions and my computer seems to be back to normal.
Do you still want to see the .csv logs or anything else? Is there anything further I should do to be sure that every last trace of the nasty is gone?
If not then, vaya con Dios!
Whitehorse

#5 quietman7 (Bleepin' Janitor, Global Moderator, 32,867 posts, Virginia, USA)

Posted 14 February 2008 - 09:47 AM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1".
"Hardening Windows Security - Part 2".
"IE Recommended Minimal Security Settings".

#6 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 14 February 2008 - 09:59 AM

Roger Wilko, Over and Out!

#7 quietman7 (Bleepin' Janitor, Global Moderator, 32,867 posts, Virginia, USA)

Posted 14 February 2008 - 10:29 AM

Please be aware that this type of infection often comes with a rootkit. Rootkits are very dangerous because they use advanced techniques to access a computer system, bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

Even though your system appears clean, it may be best to do a check for the presence of any rootkits.

Please download rootchk.exe and save to your desktop
  • Important: To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall or any other security program that protects your registry before running a rootchk scan.
  • Click on this link to see a list of other programs that should be temporarily disabled.
  • Disconnect from the Internet.
  • Double-click on rootchk.exe to run the program.
  • A command prompt window will open as the scan begins and then close.
  • When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
  • Copy and paste the contents of the log into your next reply.
  • Re-enable active protection on any program you temporarily disabled.
Then download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.

Edited by quietman7, 14 February 2008 - 10:40 AM.


#8 quietman7 (Bleepin' Janitor, Global Moderator, 32,867 posts, Virginia, USA)

Posted 14 February 2008 - 10:38 AM

I made an edit to my last reply.

#9 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 14 February 2008 - 10:42 PM

Like your icon, you are thorough, Mr. Tracy.
I appreciate it.
Again, I will do as you suggest.
Thanks

#10 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 14 February 2008 - 10:58 PM

OK, Alice is through the looking glass...Ok Big Guy, now what? AVG?

HKLM\SECURITY\Policy\Secrets\SAC* 6/11/2005 10:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/11/2005 10:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.rcn\ 4/27/2006 10:54 AM 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\RAdmin\v2.0\ 1/27/2008 11:16 AM 0 bytes Key name contains embedded nulls (*)

Edited by Bill@Whitehorse, 14 February 2008 - 11:04 PM.


#11 quietman7 (Bleepin' Janitor, Global Moderator, 32,867 posts, Virginia, USA)

Posted 15 February 2008 - 08:50 AM

Those entries look like results from a RootKit Revealer scan. RKR scans the HKLM\Security\Policy hive which contains SAC* and SAI* hidden keys with embedded nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. See RKR 1.71 and HKLM\Security\Policy\Secrets. Also see "Info on common log entries" for data mismatches.

I have not seen the last embedded null entry in a RKR log before. I know there is a variant of Haxdoor that will create a similar key related to Parameters and Disable TrayIcon and the date of the entry in your case is recent. You should follow up and check with Sysinternals to see if they have further information.
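Post #7 describes what a rootkit does (hooks kernel APIs so that its registry keys and files never show up in the Windows API view) and post #11 explains how to read a RootkitRevealer log, which is built on exactly that gap: RKR compares what the Windows API reports with what it reads from the raw hive and file system and lists every discrepancy. The following is an added example (not code from the thread, from Sysinternals or from any tool named above) that parses the four lines posted in #10 and applies the reasoning of #11 and #12: the SAC*/SAI* embedded-null keys under HKLM\SECURITY\Policy\Secrets are documented as normal, any other embedded-null key is worth investigating, and a key modified after the infection date counts against it. The infection time taken from #12 and the verdict labels are assumptions for this example.

```python
"""Triage of RootkitRevealer-style discrepancy lines (added example).

Not code from the thread, from Sysinternals or from the tools named above.
RootkitRevealer compares the Windows API view of the registry with the raw
hive and reports every difference. Two kinds appear in post #10: key names
with embedded nulls (Win32 API callers use NUL-terminated strings, so such
keys are invisible to them and to regedit, while the native API sees them)
and data mismatches between the API view and the raw hive. Verdict labels
and the infection time are assumptions made for this example.
"""
import re
from datetime import datetime

# The four lines posted in #10, kept verbatim (fields are separated by whitespace).
RKR_LOG = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/11/2005 10:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/11/2005 10:12 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\.rcn\ 4/27/2006 10:54 AM 7 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\RAdmin\v2.0\ 1/27/2008 11:16 AM 0 bytes Key name contains embedded nulls (*)
"""

# Rough infection time from post #12: 11 February 2008, around 6 pm (assumption).
INFECTED_AT = datetime(2008, 2, 11, 18, 0)

# Embedded-null keys that Sysinternals documents as normal (LSA secrets).
KNOWN_BENIGN_NULL_KEYS = {
    r"HKLM\SECURITY\Policy\Secrets\SAC*",
    r"HKLM\SECURITY\Policy\Secrets\SAI*",
}

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2} [AP]M)"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+)$"
)


def parse_entry(line):
    """Parse one RKR line into path, timestamp, size and description."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised RKR line: {line!r}")
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M %p")
    return {"path": m["path"], "when": when, "size": int(m["size"]), "desc": m["desc"]}


def classify(entry, infected_at=INFECTED_AT):
    """Attach a verdict and an after-infection flag to a parsed entry."""
    desc = entry["desc"]
    if "embedded nulls" in desc:
        if entry["path"] in KNOWN_BENIGN_NULL_KEYS:
            verdict = "benign"        # documented LSA secrets keys
        else:
            verdict = "investigate"   # hidden key outside the documented locations
    elif "Data mismatch" in desc:
        verdict = "review"            # API and raw hive disagree; see Sysinternals' notes on common entries
    else:
        verdict = "review"
    return {**entry, "verdict": verdict, "after_infection": entry["when"] >= infected_at}


def triage(log_text, infected_at=INFECTED_AT):
    """Parse and classify every non-empty line of an RKR log."""
    return [classify(parse_entry(l), infected_at) for l in log_text.splitlines() if l.strip()]


if __name__ == "__main__":
    for e in triage(RKR_LOG):
        flag = " (modified after infection)" if e["after_infection"] else ""
        print(f"{e['verdict']:11s} {e['path']}{flag}")
```

Run on the posted log, the two LSA secrets keys come out benign, the .rcn mismatch is left for review, and the RAdmin key is the one flagged for investigation, though its timestamp predates the infection, which is the point Bill makes in #12. A timestamp is only a weak signal (a rootkit can set any date it likes on a key it hides), so the verdict, not the flag, should drive what gets looked at next.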

#12 Bill@Whitehorse (Topic Starter, Members, 8 posts)

Posted 15 February 2008 - 01:30 PM

Hello Again,
AVG has reported all clear on both scans...Thankfully..
The date on the HKLM RAdmin entry is well before the infection date (infected 2/11 around 6pm)

I think I'm out of the woods now.
Kudos to the QMan!
