
Facebook Virus - Freezes After Logging On To Computer

10 replies to this topic

#1 gm1971

  • Members
  • 6 posts

Posted 03 October 2008 - 11:41 AM

I believe I have gotten the Facebook virus.

Symptoms:
Immediately after logging in to my computer, under any account, the computer freezes and is only recoverable by a restart.
Logging in under Safe Mode does NOT cause the computer to freeze. So at least I know it isn't hardware related.

Action Taken:
Reviewed start-up processes via Sysinternals' procexp. Found a process called Kenny18.exe. Stopped the process and did a search on kenny*.
Found Kenny18.exe and Kenny17.exe.
Googled those and found that they are likely related to the Facebook virus. Makes sense, I'm addicted to Facebook.
Also found:
HiGeorge.dll
HiMark.dat
Removed those as well, as my research suggested that they weren't vital and could be problems.

Ran ClamWin with latest updates.
Found Infected and Quarantined:
X-WinHTTrack.exe
SmitfraudFix.exe
AutoItASC.bin
Process.exe
restart.exe

Ran ComboFix with Recover Console Install option.
Nothing jumps out at me as obvious, but I'm no expert on ComboFix, except
C:\Documents and Settings\user\x.exe

It also says it removed:
.#
drsmartload1.exe
fmark2.dat
system32\384043
system32\384043\384043.dll
system32\Cache
MediaTubeCodec_ver1.1595.0.exe
system32\prs.dll

Ran HiJackThis. Again, nothing obvious to me.

Computer still freezes when logging in normally. Hope someone can help!



#2 Noypi_to_its

  • Members
  • 23 posts

Posted 03 October 2008 - 01:26 PM

nice... did you look at the DLLs that are running for each svchost, explorer.exe, rundll and winlogon? Press ctrl+d to make sure you did not miss any bad DLLs.

#3 ruby1

    a forum member

  • Members
  • 2,375 posts

Posted 03 October 2008 - 02:11 PM

You may wish to run a different scan for the Team to check out; Malwarebytes from http://www.bleepingcomputer.com/forums/ind...st&p=959453

Edited by ruby1, 03 October 2008 - 02:25 PM.


#4 gm1971

  • Topic Starter
  • Members
  • 6 posts

Posted 03 October 2008 - 03:33 PM

I may have missed some DLLs.
Currently running the Malwarebytes program as recommended.

I just did boot logging, but I can't seem to find the log either. Searching on *boot*, just in case it isn't the default boot log file name.

#5 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 October 2008 - 04:04 PM

Congratulations,
You have a newer state-of-the-art infection; saw it earlier in the MBAM test thread. Even though the distribution is not rated high, the severity is rated a 10. I would suggest you abandon any manual attempts at fighting the infection(s). Ruby's advice about MBAM is the best place to start, but I would suggest disconnecting from the internet and any LAN and backing up any critical data.
Chewy

No. Try not. Do... or do not. There is no try.

#6 gm1971

  • Topic Starter
  • Members
  • 6 posts

Posted 03 October 2008 - 04:07 PM

Here's my MBAM Log:

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 2

03/10/2008 2:38:58 PM
mbam-log-2008-10-03 (14-38-58).txt

Scan type: Quick Scan
Objects scanned: 56455
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{1e1b2878-88ff-11d3-8d96-d7acac95951a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{1e1b286c-88ff-11d3-8d96-d7acac95951a} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------------------------
The computer still freezes up just after logging in. I also get these error messages:
hkcmd.exe - Bad Image
igfxres.dll - Bad Image
My research shows that these are supposed to be related to the Intel control panel on the video card, and that they may also be something else....

Brain hurts...

#7 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 October 2008 - 04:12 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

run sdfix and then update MBAM and run a new scan

Don't expect anything reported by windows to be legitimate with a newer backdoor trojan and rootkit installed
Chewy

No. Try not. Do... or do not. There is no try.

#8 gm1971

  • Topic Starter
  • Members
  • 6 posts

Posted 03 October 2008 - 05:40 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry948242

run sdfix and then update MBAM and run a new scan

Don't expect anything reported by windows to be legitimate with a newer backdoor trojan and rootkit installed


Ran the SDFix - this is the report:


SDFix: Version 1.230
Run by administrator on 03/10/2008 at 03:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-03 15:58:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 3
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 3
disk error: C:\Documents and Settings\Administrator.COMPANY\ntuser.dat, 3
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\AirLink\\Wireless Ace 3G\\WirelessAce.exe"="C:\\Program Files\\AirLink\\Wireless Ace 3G\\WirelessAce.exe:*:Enabled:WirelessAce"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\FileZilla Client\\filezilla.exe"="C:\\Program Files\\FileZilla Client\\filezilla.exe:*:Enabled:FileZilla FTP Client"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe"="C:\\Program Files\\Sprite Software\\Sprite Backup\\SpriteService.exe:*:Enabled:Sprite Backup PC Service"
"C:\\Program Files\\Microsoft ActiveSync\\astu.exe"="C:\\Program Files\\Microsoft ActiveSync\\astu.exe:*:Enabled:astu.exe"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\AirLink\\Wireless Ace 3G\\WirelessAce.exe"="C:\\Program Files\\AirLink\\Wireless Ace 3G\\WirelessAce.exe:*:Enabled:WirelessAce"
"C:\\Program Files\\Macromedia\\HomeSite+\\HomeSite+.exe"="C:\\Program Files\\Macromedia\\HomeSite+\\HomeSite+.exe:*:Enabled:HomeSite"
"C:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"="C:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe:*:Enabled:Acronis Remote Agent"
"C:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"="C:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe:*:Enabled:Acronis True Image"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\WINDOWS\\system32\\java.exe"="C:\\WINDOWS\\system32\\java.exe:*:Enabled:Java™ Platform SE binary"
"C:\\Program Files\\IceChat7\\IceChat7.exe"="C:\\Program Files\\IceChat7\\IceChat7.exe:*:Enabled:Internet Relay Chat Client"
"C:\\Program Files\\AdventNet\\ME\\OpManager\\apache\\bin\\Apache.exe"="C:\\Program Files\\AdventNet\\ME\\OpManager\\apache\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\AdventNet\\ME\\OpManager\\jre\\bin\\java.exe"="C:\\Program Files\\AdventNet\\ME\\OpManager\\jre\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\AdventNet\\ME\\OpManager\\jre\\bin\\javaw.exe"="C:\\Program Files\\AdventNet\\ME\\OpManager\\jre\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Documents and Settings\\user1\\Desktop\\Utilities\\utorrent.exe"="C:\\Documents and Settings\\user1\\Desktop\\Utilities\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\ejabberd-1.1.3\\bin\\erl.exe"="C:\\Program Files\\ejabberd-1.1.3\\bin\\erl.exe:*:Enabled:erl"
"C:\\Program Files\\ejabberd-1.1.3\\bin\\epmd.exe"="C:\\Program Files\\ejabberd-1.1.3\\bin\\epmd.exe:*:Enabled:epmd"
"C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe"="C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"
"C:\\Program Files\\FileZilla Client\\filezilla.exe"="C:\\Program Files\\FileZilla Client\\filezilla.exe:*:Enabled:FileZilla FTP Client"
"C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe"="C:\\Program Files\\PRTG Traffic Grapher\\PRTG Traffic Grapher.exe:*:Enabled:PRTG_Traffic_Grapher_Webserver"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Documents and Settings\\user1\\Application Data\\U3\\00001673A6720386\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\skype.exe"="C:\\Documents and Settings\\user1\\Application Data\\U3\\00001673A6720386\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 9 Apr 2008 126,976 A..H. --- "C:\Program Files\Opal\Interop.SHDocVw.dll"
Thu 2 Dec 2004 708,608 A..H. --- "C:\Program Files\Opal\Microsoft.Web.Services2.dll"
Sat 29 Sep 2007 77,824 A.SHR --- "C:\WINDOWS\system32\itc.exe"
Sat 29 Sep 2007 9,728 A.SHR --- "C:\WINDOWS\system32\itcdevice.dll"
Sat 29 Sep 2007 12,800 A.SHR --- "C:\WINDOWS\system32\itcs.exe"
Tue 17 Oct 2006 304,736 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Tue 17 Oct 2006 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Administrator.COMPANY\Application Data\U3\temp\Launchpad Removal.exe"
Tue 20 Feb 2007 165,232 A..H. --- "C:\Documents and Settings\user1\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\user1\Application Data\U3\temp\Launchpad Removal.exe"
Thu 29 Sep 2005 226,304 A..H. --- "C:\Documents and Settings\user1\Desktop\Software Compilations\USB to SATA_IDE Adapter\AUTORUN.EXE"
Fri 3 Oct 2008 65,536 A..H. --- "C:\Documents and Settings\user1\Local Settings\Application Data\Microsoft\Outlook\~DefaBlueTie-0000000c.pst.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Supervisor Backups\1506\supervisor\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

------------------------------------------------------------------
What stands out to me is that there are files that have been left behind after removing the programs, such as LimeWire.
As well as this entry:
"C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe"="C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"

Does Facebook need an executable?
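As an added defender-side example (not code from the thread, from SDFix or from Malwarebytes), here is a small Python parser for the AuthorizedApplications export in the SDFix report above. It flags firewall exceptions whose executable sits in a user-writable profile directory, whose scope is not the default `*`, or whose file is no longer on disk (the leftover entries gm1971 noticed for uninstalled programs). The sample lines, the directory list and the injectable `exists` check are constructed for the example so it runs offline.

```python
import os
import re
from typing import Callable, Dict, List, NamedTuple

# Constructed sample (not from the thread) in the layout SDFix uses when it exports the
# XP firewall's AuthorizedApplications\List values: "path"="path:scope:state:display name".
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe"="C:\\Documents and Settings\\user1\\Application Data\\Facebook\\facebook.exe:127.0.0.1/255.255.255.255:Enabled:Facebook"
"C:\\Documents and Settings\\user1\\Desktop\\Utilities\\utorrent.exe"="C:\\Documents and Settings\\user1\\Desktop\\Utilities\\utorrent.exe:*:Enabled:uTorrent"
'''

class FirewallEntry(NamedTuple):
    profile: str   # standardprofile / domainprofile
    path: str
    scope: str     # '*' or an address/mask restriction
    state: str
    name: str

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
# Locations a normal installer does not register from; chosen for this example, not an SDFix rule.
USER_WRITABLE_MARKERS = ('\\application data\\', '\\desktop\\', '\\local settings\\temp\\')

def parse_export(text: str) -> List[FirewallEntry]:
    """Turn the exported key into structured entries, tracking which profile each belongs to."""
    entries, profile = [], 'unknown'
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            profile = m.group('key').rsplit('\\', 3)[-3]
            continue
        if not (m := VALUE_RE.match(line)):
            continue
        value = m.group('value').replace('\\\\', '\\')   # registry export doubles backslashes
        # The path contains a drive-letter colon, so peel the last three fields off the right.
        path, scope, state, name = value.rsplit(':', 3)
        entries.append(FirewallEntry(profile, path, scope, state, name))
    return entries

def review(text: str, exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map each exception worth a second look to its reasons; `exists` is injectable so this runs offline."""
    findings: Dict[str, List[str]] = {}
    for e in parse_export(text):
        reasons = []
        if any(marker in e.path.lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append('executable lives in a user-writable profile directory')
        if e.scope != '*':
            reasons.append(f'non-default scope {e.scope}')
        if not exists(e.path):
            reasons.append('file not present on disk (stale exception)')
        if reasons:
            findings[e.path] = reasons
    return findings
```

On a live XP box the same key can be read with `reg export` and fed to `review()` with the default `exists`; an entry that is enabled for a file that no longer exists is exactly the leftover the post describes.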

#9 gm1971

  • Topic Starter
  • Members
  • 6 posts

Posted 03 October 2008 - 05:42 PM

No bump intended - I just forgot to say that I'm running MBAM again, but on deep scan.

Add On:
I'd love to keep digging on this issue out of curiosity and contributing maybe some new knowledge, but time waits for no virus.

Going for the back up of personal files and complete system restore.

Thank you all for your assistance, it is much appreciated and I learned a few things too!

Edited by gm1971, 03 October 2008 - 05:58 PM.


#10 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 03 October 2008 - 06:37 PM

Going for the back up of personal files and complete system restore.


that would be my choice

I learned a few things too!


Be careful with those saved downloads
Chewy

No. Try not. Do... or do not. There is no try.

#11 gm1971

  • Topic Starter
  • Members
  • 6 posts

Posted 07 October 2008 - 09:13 AM

Done and done!
