Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet Access interfering malware


  • Please log in to reply
15 replies to this topic

#1 esswired

esswired

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 07 April 2010 - 10:52 AM

What happened:
April 5, 2010 - I did a search for a manual, found a site that purported to have pdfs of something I wanted, and got infected.

What I have done:
With some guidance, I checked for Malware using Malawarebytes’ Anti-Malware, removed Google Toolbar, Google Earth, Firefox, Live Mail in an attempt to ferret out the problem.

Today I ran Anti- Malware again and found: Trojan.FakeAlert

I have the logs for today’s and yesterday’s Anti- Malware runs, if they might be useful

Where I am now:
I am running in safe mode and find that my web requests are still being redirected or failing.
For instance,
-In safe mode, when I open Internet Explorer, it puts me in a anti-spam site.
-Also in safe mode, it is now putting a shield, like the Microsoft one in my tray and warning me that I have a virus and should run their program. Right clicking on this does nothing.
-when I was not in safe mode, Norton has a button that invites me to go online. This fails.
-When I click on Windows Live Synch, that also fails to go to its website as it normally would.

I have run a log from HijackThis while in safe mode (which I have not included here as instructed). It has an item which has (no name) so it caught my eye:
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)

My environment:
Windows XP Professional
When infected, Norton Internet Security 2005 or so. Now Norton Internet Security 2010

BC AdBot (Login to Remove)

 


#2 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:08:25 PM

Posted 07 April 2010 - 01:04 PM

Please post your Malwarebytes logs from yesterday and today. I'd also like you to check your Proxy settings.

Check your Proxy settings in Internet Explorer to make sure malware did not alter them. If so, that can affect your ability to browse or download tools required for disinfection:

* Open Internet Explorer > click Tools > Internet Options > Connections tab.
* Click the LAN Settings... button and uncheck Use a proxy server for your LAN
or change the settings to the proxy you normally use if you previously reconfigured it.
* Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
* Click Ok and then click Ok again.
* Close Internet Explorer and restart the computer.
* An example of how to do this with screenshots can be found in steps 3-7 under the section Automated Removal Instructions... in this guide..

Check your Proxy settings in Firefox to make sure malware did not alter them:

* Open Firefox, click Tools > Options > Advanced and click the Network Tab.
* Under the Connection section click on the Settings... button.
* Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
* Click Ok and then click OK again.
* Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

Member of the Bleeping Computer A.I.I. early response team!

#3 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 08 April 2010 - 06:51 PM

Thanks. I checked and that turns out not to have been the problem. I looked at the Spyware Removal tab here and it seems to have worked. We will see! I have purchased Malwarebytes as insurance.

#4 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 08 April 2010 - 09:06 PM

The good news: Malawarebytes is preventing my machine from reaching out to spam sites
The bad news: my machine is still reaching out to spam sites

Anyone have any ideas??
Thanks

#5 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:08:25 PM

Posted 09 April 2010 - 07:12 AM

Ok. Let's run Malwarebytes again. This time select "Full Scan" and post the log from that. I'd also like you to run a few more tools and post their logs please.

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
  • First
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
  • (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
  • (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

Member of the Bleeping Computer A.I.I. early response team!

#6 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 09 April 2010 - 04:59 PM

Thanks for your reply. I am currently running SUPERAntiSpyware and it is going strong after 2 1/2 hour. So far it has looked at 235 memory items, 6513 Registry items and 82,000 file items and counting. 76 adware cookies are all that it has uncovered so far.

I want to report on two other things: Characteristics of the virus I have noticed and what I have been doing about it.

The virus seems to be triggered by starting up some programs (e.g., Excel, a browser). It continues to try to reach out to malware sites fortunately known to Malwarebytes which I now have running in the background, having bought it. In the browser it tries to open a tab. Sites I have recorded it trying to reach are 94.228.209.171 and 93.190.143.144. This happens whether or not a browser is open.

Before I received your note I was following the steps in topic 34773. I ran defogger, and generated a log from DDS. I then tried twice to generate a log using Gmer, once in Safe mode (the virus works just fine in "safe" mode) and once not. Both times the system crashed without any warning. There were no messages to help understand why each time I booted up afterward.

I also ran a HijackThis log a day or so ago.

If you have any ideas what best to do next, please let me know. When I get back tonight I will run Dr. Web Cureit, assuming you think it advisable.

Thanks again

#7 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 10 April 2010 - 01:16 AM

Here is the log from SUPERAntiSpyware Scan. Please let me know if you want any of the others I mentioned. I am running Dr.Web CureIt overnight and should have results in the morning.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/09/2010 at 06:11 PM

Application Version : 4.35.1002

Core Rules Database Version : 4788
Trace Rules Database Version: 2600

Scan type : Complete Scan
Total Scan Time : 03:05:51

Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 6513
Registry threats detected : 0
File items scanned : 99776
File threats detected : 76

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@toseeka[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@youporn[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@overture[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@invitemedia[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\system@enhance[2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@collective-media[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@insightexpressai[1].txt
C:\Documents and Settings\Administrator\Cookies\system@advertising[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@porntube[1].txt
C:\Documents and Settings\Administrator\Cookies\system@advertise[1].txt
C:\Documents and Settings\Assistant\Cookies\[email protected][1].txt
C:\Documents and Settings\Assistant\Cookies\assistant@xiti[1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[2].txt
C:\Documents and Settings\LocalService\Cookies\system@kontera[1].txt
C:\Documents and Settings\LocalService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\LocalService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[5].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertise[6].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adxpose[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@apmebf[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@burstnet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[3].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@exoclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@featuredlocalfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@featuredlocalfind[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@interclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@trafficmp[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
C:\Documents and Settings\NetworkService\Cookies\system@zedo[2].txt

#8 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 10 April 2010 - 01:32 AM

I got this error which is the same as or similar to an error I have been receiving when closing Internet Explorer after there has been an attempt to reach a website that Malwarebytes has blocked:

iexplore.exe - Application Error

The instruction at "0x6beb7776" referenced memory at "0x6fa1250". The memory could not be "read".

Click OK to terminate the program

#9 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 10 April 2010 - 09:15 AM

An update:
I am running Dr.Web Scanner. At this point it has scanned 4344 files at 27-32 KB/s. It has been running for 7 hours 30 minutes and counting. I am guessing it does not normally run this slowly. Am I right?
Thanks

#10 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 10 April 2010 - 04:24 PM

Just terminated Dr. Web Scanner after 12 hours. The speed had deteriorated to 17 KB/s. I have rebooted and it is now working at 680-900 +/- KB/s. I cannot be sure, but it looks like it picked up where it left off, not with the count, but with the directory it is in.

My third running of Dr. Web Scanner is going at 1200+ KB/s AND it found viruses:
1. Process in memory: C:\Windows\system32\svchost.exe:1068 BackDoor.tdss.565
(Is this because I have Firefox open?)

2. nmcsrwxoae.tmp in C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Trojan.Click.25308
(Is the temp folder something I should simply delete the contents of?)

Dr Web Scanner slowed down again, so I am running a 4th time-no reboot-and another BackDoor.tdss.565 showed up, this time in svhost.exe:2028

I will send this now and create a new post for further developments
Thanks again for your interest and attention

Is there a reltionship between the trojan and the backdoor?

#11 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 10 April 2010 - 06:39 PM

I downloaded the most recent Dr. WS & it found a Backdoor.Tdss.565 in Firefox.

It finally completed and I am running the complete one.

#12 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 11 April 2010 - 11:56 AM

Sunday update

I let the second part of Dr WS go until it crashed. Log below. You will see a few more viruses found & dealt with. I see some are in Outlook and want to make sure I do the right thing about them and also hopefully not lose data.

I tried to run Dr. WS again. It runs the preliminary run again even though it has already run. It slowed down to under 30KB/sec at about 4300 files scanned. I stopped it after a couple of hours. Is there any way to avoid going over this again? Does the paid version allow you to go directly to the second scan?

I also tried to download a new version of Dr WS (in Safe Mode) and the (Cable) download said it would take 5 hours. Does this mean the virus is slowing me down again in spite of all that I have done?? Please help. Thanks.

#13 Stang777

Stang777

    Just Hoping To Help


  • Members
  • 1,780 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Utah
  • Local time:06:25 PM

Posted 11 April 2010 - 10:03 PM

Hi,

I hope it is ok that I am jumping in here, I am only doing so because your helper has not been here for a while and it looks to me like you have a rootkit on the system (Backdoor.Tdss.565) so I thought that while you wait for Techextreme to return, you might want to start backing up your data in case you decide you need to reformat your drive and reinstall windows. Even though Dr.Web may be able to cure the infection, your computer may never be safe again without formatting it. Below is some info about backdoor trojans and rootkits.

Techextreme, I hope I am not stepping on your toes here, if I am, I am sorry. Btw, I don't weigh much so your toes should feel better soon :thumbsup:


Posted ImageBackdoor Threat

IMPORTANT NOTE: Unfortunatly One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards. Let us know what you decide to do.


Btw, I have been advised that it is best when formatting to remove viruses to use a formatting utility instead of using the formatting function from the Windows disk. The formatting utilities like Killdisk will write zeros to the disk to ensure all data is erased and the Windows disk formatting does not do that.

I am sure that Techextreme will return to this thread soon to finish helping you.

Good luck

Edited by Stang777, 11 April 2010 - 10:07 PM.


#14 techextreme

techextreme

    Bleepin Tech


  • BC Advisor
  • 2,125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:08:25 PM

Posted 12 April 2010 - 06:41 AM

As has been reported by Dr. Web, it seems you have the TDSS Rootkit which will require more tools than I am permitted to use in this forum.

I am sorry for my absense over the weekend but I had some work to take care of around the house. ( gotta love home ownership work work work ).

I would also take heed to the information Stang777 posted about Backdoor Threats.

At this point, I think this one is best left to the experts, so I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the HJT team knows what we have tried.

Please be patient as the HJT team is quite busy sometimes and it may take a day or even a few for someone to pickup your log but someone will get back to you.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

Member of the Bleeping Computer A.I.I. early response team!

#15 esswired

esswired
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:25 PM

Posted 12 April 2010 - 07:27 AM

Thanks to you both. I called MacAfee last night and they found something suspicious about my ATAPI.sys. When trying to remove it, the computer went into a system loopback so it would not boot. They didn't charge me anything and I am planning to call HP this morning.

I have saved my data with the exception of my Outlook e-mails (I have my addresses and calendar synced) and am working on my laptop. My remaining question is how best to recover my e-mail or whether it is possible. Any ideas would be helpful. I will look at the links you included to see if there is information there.
Thanks




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users