
Exploit Blackhole threat and other issues


8 replies to this topic

#1 ptijerm

ptijerm

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 12 March 2011 - 04:32 PM

Hello:

Over the last day or so I've noticed AVG giving me threat notices for something called "Exploit Blackhole Exploit Kit (type 1889)". The most recent threat notice identifies the file name as "r8cm.co.cc/index.php ?tp=8e5bc13421c553f2", the process name as "C:\Users\Owner\AppData\Local\Temp\Uth.exe" and the process ID as 2340.

This morning AVG found one infection - Trojan horse FakeAV.KQZ - and one warning - "Found registry key with reference to file C:\Users\Owner\AppData\Local\ipg.exe". It cleaned both and stuck them in the virus vault.

I ran SUPERAntiSpyware as well this morning and it cleaned up a bunch of adware and malware; I've also run SUPERAntiSpyware a couple of times since and it STILL detects a bunch of adware and malware (42 Adware.Tracking Cookies and 2 Malware.Traces in the most recent scan).

I've run Spybot Search and Destroy as well a couple of times and it found malware each time; the most recent scan found the following Malware - Win32.FraudLoad.edt.

Should adware and malware continue to pop up, even immediately after a cleaning? Is there an underlying virus infection or something else that's making my system vulnerable?

Any help you can provide would be greatly appreciated.

I am using Windows Vista Home Premium Version 6.0 (Build 6002: Service Pack 2)

ptijerm

Edited by ptijerm, 12 March 2011 - 04:35 PM.



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,795 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:45 PM

Posted 12 March 2011 - 09:49 PM

Hi ptijerm

Let's clean your temp files and remove anything that's sitting in there.
Then we'll see if MBAM shows anything.

Step 1

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

In your next reply, please submit:
MBAM report


Thanks.

Edited by Starbuck, 12 March 2011 - 09:49 PM.



#3 ptijerm

ptijerm
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 13 March 2011 - 10:21 AM

Starbuck:

Thanks for your assistance.

I've run TFC and MBAM and below is the MBAM report:

-----------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6042

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

13/03/2011 12:43:43 PM
mbam-log-2011-03-13 (12-43-43).txt

Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 285070
Time elapsed: 39 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\KUGHGZXAKT (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KUGHGZXAKT (Trojan.FakeAlert) -> Value: KUGHGZXAKT -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Uwamua.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,795 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:45 PM

Posted 13 March 2011 - 10:45 AM

Hi ptijerm,

I'd like you to do an ESET OnlineScan

You may find it beneficial to close your resident AV program before running the scan.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer.
      Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Click Posted Image, and save the file to your desktop using a unique name, such as ESETScan.
    Include the contents of this report in your next reply.
  • Click the Posted Image button.
  • Click Posted Image
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Note:
It's been found that on some systems ESET's Online Scan fails during the database download (around 20%).
To prevent this happening:
When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology



Post the report once the scan has finished.

Thanks



#5 ptijerm

ptijerm
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 13 March 2011 - 03:41 PM

I ran the ESET Online Scan, but it found no threats. Consequently, there was no "list of found threats" or report to post. I hope this is a good thing...

What next? Should I run ESET again?

#6 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,795 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:45 PM

Posted 13 March 2011 - 03:46 PM

If it found nothing, that's ok.
How's the system running now?
Are you still getting alerts of malware?



#7 ptijerm

ptijerm
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 13 March 2011 - 04:04 PM

So far so good. There have been no more pop-ups or notices of Exploit Blackhole.

Is there anything else I need to do, or do you think I'm good?

Edited by ptijerm, 13 March 2011 - 04:05 PM.


#8 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 3,795 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:08:45 PM

Posted 14 March 2011 - 05:24 AM

Hi ptijerm,

I suggest cleaning out the MBAM quarantine folder and getting a fresh restore point made:

Step 1
Restart MBAM.
Click on the Quarantine tab
Make sure everything is selected and then click Delete All.
Close MBAM.

Step 2
Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools may not be able to access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.

When you uncheck a disk you will be presented with a screen.
You should click on the Turn System Protection Off button.
Click Apply and then OK.

Reboot your computer.

Now:
Click on Start... Control Panel... System and Maintenance... System
Click on System Protection in the left-hand task list.
Put a checkmark in the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section.
Click Apply and then OK.

Your System restore will now be active again... starting with a new restore point.

If you still experience problems after a day or so, come back and we'll take a deeper look at things.

Safe surfing.



#9 ptijerm

ptijerm
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 14 March 2011 - 06:59 AM

Starbuck.

Will do. Thanks again for your help.

Much appreciated,

ptijerm
