
Recent Virus Attack


12 replies to this topic

#1 mohmama3


Posted 10 September 2007 - 12:10 AM

Recently I received a virus: Bloodhound.Exploit.109
File: C:\Documents and Settings\Pat\Local Settings\Temporary Internet Files\Content.IE5\J17VX2RS\movie[1].qtl
Location: C:\Documents and Settings\Pat\Local Settings\Temporary Internet Files\Content.IE5\J17VX2RS

I used my virus security and it removed the virus from my computer. I have rerun my virus scan and it shows no virus, but since I cleaned the virus I have been receiving a warning from my firewall stating: Application: C:\Program Files\ISM\ISMModule3.exe Protocol: TCP (Outbound). I have been blocking its access to the internet.

My question is: Is this a result of the virus? Should I delete it from Program Files? I have never seen this before the virus.


#2 oldf@rt


Posted 10 September 2007 - 12:39 AM

Actually, this is malware (see the CastleCops information). You should run a scan with the BitDefender Online Scanner.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 mohmama3


Posted 10 September 2007 - 03:43 AM

No virus was found.
BitDefender Online Scanner



Scan report generated at: Mon, Sep 10, 2007 - 04:34:38

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;

Statistics

Time 01:22:23

Files 299249

Folders 9917

Boot Sectors 4

Archives 11076

Packed Files 17591

Results

Identified Viruses 0

Infected Files 0

Suspect Files 0

Warnings 0

Disinfected 0

Deleted Files 0


Engines Info

Virus Definitions 800291

Engine build AVCORE v1.0 (build 2411) (i386) (Jul 9 2007 12:10:22)

Scan plugins 14

Archive plugins 38

Unpack plugins 7

E-mail plugins 6

System plugins 1


Scan Settings

First Action Disinfect

Second Action Delete

Heuristics Yes

Enable Warnings Yes

Scanned Extensions *;

Exclude Extensions

Scan Emails Yes

Scan Archives Yes

Scan Packed Yes

Scan Files Yes

Scan Boot Yes


Scanned File Status

No virus found.

Edited by mohmama3, 10 September 2007 - 04:16 AM.


#4 quietman7


Posted 10 September 2007 - 09:24 AM

Are you using Norton Anti-virus?

NAV has the ability to detect unknown viruses of various types using heuristic algorithms known as Bloodhound. This technology uses an expert system to analyze the cataloged behaviors and assess the likelihood of viral infection. See here. Bloodhound is not the name of a virus, but a message displayed by NAV when it thinks it may have found a new virus. According to Symantec, Bloodhound detects up to 80% of new and unknown executable viruses, and 90% of new and unknown macro viruses. False positives can also occur if the virus detection technology (AutoProtect Settings) is set to High for Bloodhound, so you may want to reset Bloodhound to its default settings.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#5 mohmama3


Posted 10 September 2007 - 10:53 AM

My firewall is Norton. Symantec AntiVirus Corporate Edition.

I used Avast to remove the virus I had. I can't remember the names of the virus files removed, but I do remember thinking they didn't contain the name my firewall noted in the initial message I posted. Now I know why. :thumbsup: Thank you so much for all this information. I haven't had the chance to read the entire article on Bloodhound, but will do so. Is there any info explaining how I reset Bloodhound to its default settings? Do I just go into my Symantec and reset Symantec or my firewall settings?

As far as the malware C:\Program Files\ISM\ISMModule3.exe, would it be safe to just delete the ISM file from my computer?

Edited by mohmama3, 10 September 2007 - 11:05 AM.


#6 quietman7


Posted 10 September 2007 - 11:18 AM

When a program quarantines a file or moves it into a virus vault, that file is safely held there (and no longer a threat) until you take action to delete it. One reason for doing this is to prevent deletion of an essential file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure.

When the file in the vault is known to be bad, you can delete it at any time.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled; to empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Then download and scan with SUPERAntiSpyware Free.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.


#7 mohmama3


Posted 11 September 2007 - 12:34 AM

Here is my log from superantispyware. Is it safe to delete the quarantined file?


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/10/2007 at 10:34 PM

Application Version : 3.9.1008

Core Rules Database Version : 3303
Trace Rules Database Version: 1309

Scan type : Complete Scan
Total Scan Time : 01:47:28

Memory items scanned : 490
Memory threats detected : 0
Registry items scanned : 6038
Registry threats detected : 13
File items scanned : 140626
File threats detected : 16

Adware.AdSponsor
HKCR\AppId\AdBand.DLL
HKCR\AppId\AdBand.DLL#AppID

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion

Adware.AdSponsor/ISM
HKU\S-1-5-21-2457263322-2362119064-399145528-1005\Software\antica
HKU\S-1-5-21-2457263322-2362119064-399145528-1005\Software\BndDrive
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Pat\Start Menu\Programs\Internet Speed Monitor
C:\PROGRAM FILES\ISM\BNDLOADER.EXE
C:\PROGRAM FILES\ISM\ISM.EXE

Malware.Installer-Pkg/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE

Edited by mohmama3, 11 September 2007 - 12:42 AM.


#8 quietman7


Posted 11 September 2007 - 01:04 PM

Is it safe to delete the quarantined file?

Yes.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight any of the following programs (if listed) and select "Remove".

ClickSpring
Cowabanga by OIN
ipwindows / ipwins
MediaTickets
MediaTickets by OIN
OIN
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX By OIN
Yazzle Cowabanga by OIN
Yazzle Kobe :filtered:! By OIN
Yazzle Picster by OIN
Yazzle Sudoku by OIN
Yazzle Snowballwars by OIN
Yazzle Kobe Balls! by OIN
Zolero Translator
or anything else with the word "OIN" or "Outer Info Network" or "Yazzle" in them.


If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, then download and run the Purity Scan uninstaller.
  • Save the Uninstaller to your desktop.
  • Double click on the OiUninstaller.exe icon on your desktop.
  • Click on "Run".
  • Enter the four digit code that is displayed and click on "Uninstall".
  • Click on "Ok" and reboot your computer.
Click here for Instructions with screenshots if needed.

Open My Computer or Windows Explorer, navigate to and delete any of the program folders named in the list above that you find in C:\Program Files (if they still exist).

Reboot and scan again with SUPERAntispyware.

#9 mohmama3


Posted 11 September 2007 - 05:09 PM

(Edited to say: I went to the site from your instructions: "Click here for Instructions with screenshots if needed" and was able to run OiUninstaller.exe without getting a warning.)

When I clicked on OiUninstaller.exe, avast sent me a warning:

File name: http//www.outerinfo.com/OiUninstaller.exe\$TEMP\UE.exe\[UPX]

Malware name: Win32 PurityScan-AF [Trj]

Malware type: Trojan Horse

VPS version: 000774-3, 09/11/2007

So I aborted the download. I realize the file is from Purity Scan, should I allow it on my computer?

Edited by mohmama3, 11 September 2007 - 05:18 PM.


#10 quietman7


Posted 11 September 2007 - 06:33 PM

The OiUninstaller uses UPX (Ultimate Packer for eXecutables), an advanced file compressor and a method for compressing executable files to reduce their size, saving disk space and download time. Some anti-virus programs such as Avast and Kaspersky may detect it as malware when attempting to download or unpack the compressed file.

#11 mohmama3


Posted 11 September 2007 - 07:56 PM

I deleted the quarantined files and ran OiUninstaller, then I restarted and ran SUPERAntiSpyware. This is what I got.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/11/2007 at 08:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3303
Trace Rules Database Version: 1309

Scan type : Complete Scan
Total Scan Time : 02:04:21

Memory items scanned : 457
Memory threats detected : 0
Registry items scanned : 6041
Registry threats detected : 4
File items scanned : 143227
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Pat\Cookies\pat@adrevolver[3].txt
C:\Documents and Settings\Pat\Cookies\pat@richmedia.yahoo[1].txt
C:\Documents and Settings\Pat\Cookies\pat@adinterax[2].txt
C:\Documents and Settings\Pat\Cookies\pat@ad.yieldmanager[1].txt
C:\Documents and Settings\Pat\Cookies\pat@adrevolver[1].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Adware.AdSponsor/ISM
HKU\S-1-5-21-2457263322-2362119064-399145528-1005\Software\antica
HKU\S-1-5-21-2457263322-2362119064-399145528-1005\Software\BndDrive
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP514\A0111966.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP514\A0111967.EXE

Adware.ClickSpring/Outer Info Network
C:\DOCUMENTS AND SETTINGS\PAT\DESKTOP\OIUNINSTALLER.EXE
C:\WINDOWS\Prefetch\OIUNINSTALLER.EXE-0879F05C.pf

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WTSICOMSV32.EXE

#12 mohmama3


Posted 11 September 2007 - 10:56 PM

I ran everything again and this is the last one I got from SUPERAntiSpyware. I deleted the quarantine. It is getting better, but will it ever end? :thumbsup:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/11/2007 at 11:30 PM

Application Version : 3.9.1008

Core Rules Database Version : 3303
Trace Rules Database Version: 1309

Scan type : Complete Scan
Total Scan Time : 02:07:42

Memory items scanned : 453
Memory threats detected : 0
Registry items scanned : 6036
Registry threats detected : 0
File items scanned : 141212
File threats detected : 1

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP514\A0112027.EXE


I ran it again and got this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/12/2007 at 04:16 AM

Application Version : 3.9.1008

Core Rules Database Version : 3304
Trace Rules Database Version: 1310

Scan type : Complete Scan
Total Scan Time : 02:02:25

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 6036
Registry threats detected : 0
File items scanned : 140835
File threats detected : 1

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\WTSICOMSV32.EXE

Edited by mohmama3, 12 September 2007 - 03:34 AM.


#13 quietman7


Posted 12 September 2007 - 06:29 AM

Reboot and use Windows Search feature > More advanced options to locate the following file:

C:\WINDOWS\SYSTEM32\WTSICOMSV32.EXE <- this file

To do this, go to Start -> Search -> All files and folders -> More advanced options. Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
Type in the name of the file and then click "Search" to look for the file(s).

If it still exists, download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the bad file to delete by dragging it onto the text area or select it using the (...) browse button.
  • Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal".
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from Windows."

