
Infection Included Music Video


7 replies to this topic

#1 DanT (Members, 38 posts; Arkansas, USA)

Posted 20 May 2008 - 10:23 AM

On Saturday, May 17, I was reading a newsgroup and clicked on a link that indicated it had more information. My web browser (Firefox) popped up with a music video (singer named Rollins ? - song It could hurt you?) that proceeded to hop about the screen. When I tried to kill it, I got various dialog boxes indicating that I should hang around and have more fun. I powered off the computer and disconnected the internet and powered back up. Still had the video.

I checked and found that my ZoneAlarm firewall was not starting on bootup as it should.

Now, whenever I start a program, I get a ZoneAlarm popup asking if that program can access CFT Loader. I answer NO to this question and the program appears to load normally.

I have not reconnected the computer to the internet so far and am working on my wife's laptop.

I tried going back to a restore point prior to my error with no apparent effect.

Using Windows XP SP2. AVG virus checker. AVG Spyware checker. Ran Spybot and AdAware.

I looked at the system process window, but didn't see anything that looked abnormal.

Any ideas or suggestions?

Thanks, DanT

Edited by DanT, 20 May 2008 - 11:01 AM.


#2 DaChew, Visiting Alien (BC Advisor, 10,317 posts; millenium falcon and rockytop)

Posted 20 May 2008 - 11:00 AM

I like to keep an infected computer off the internet myself, but it's 3 times harder to work on, but then again I know the infection is not updated and downloading more code as I try to kill it

I use a usb drive, immunized with subs flashdisinfector

http://www.bleepingcomputer.com/forums/ind...mp;#entry798468

MBAM scanner

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

and I get the manual updates for putting on the drive also

Latest Database

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

this makes a good start and you can bring the log back with the drive and then hopefully we'll be able to tell what kind of infection you have

Edited by DaChew, 20 May 2008 - 11:01 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 DanT, Topic Starter (Members, 38 posts; Arkansas, USA)

Posted 28 May 2008 - 08:28 AM

Thanks for the directions. Sorry it's taken so long for me to comply (out of town, computer crashes, etc.)

I loaded the programs on a USB flash drive and ran the disinfector.

I ran the MBAM and clamwin on the laptop first ( just to see what they do)

Here's the Clamwin log from the laptop:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Scan Started Sun May 25 10:14:21 2008

-------------------------------------------------------------------------------

C:\Program Files\Java Web Start\helper.exe: Trojan.Agent-14242 FOUND

C:\Program Files\Java Web Start\splash.exe: Trojan.Downloader-24726 FOUND

C:\WINDOWS\system32\ActiveScan\pskavs.dll: Sirius.Annihilator.272 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 298319

Engine version: 0.93

Scanned directories: 7219

Scanned files: 76172

Infected files: 3


Data scanned: 25308.70 MB

Time: 13892.246 sec (231 m 32 s)

--------------------------------------

Completed

--------------------------------------
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Here's the MBAM log:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Malwarebytes' Anti-Malware 1.12
Database version: 785

Scan type: Full Scan (C:\|D:\|H:\|)
Objects scanned: 115973
Time elapsed: 58 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Then I ran them on the desktop. Clamwin never finished on the desktop! In multiple trials, it hung up at about 79% of the way through the C: drive or the system crashed due to power fluctuations in a series of thunderstorms. I checked the file that Clamwin was hanging on and it is just a 484KB text file that my wife had downloaded for genealogy work. I read through it with wordpad with nothing unusual happening.

Here are two of the clamwin logs:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Scan Started Tue May 27 07:57:20 2008

-------------------------------------------------------------------------------

Scanning aborted...


C:\DownLoads\VerizonPCCheckup.exe: Trojan.LdPinch-2612 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 298319

Engine version: 0.93

Scanned directories: 2498

Scanned files: 37184

Infected files: 1



Data scanned: 11009.11 MB

--------------------------------------

Cancelled

--------------------------------------

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Scan Started Tue May 27 12:35:18 2008

-------------------------------------------------------------------------------

Scanning aborted...


C:\DownLoads\VerizonPCCheckup.exe: Trojan.LdPinch-2612 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 298319

Engine version: 0.93

Scanned directories: 2499

Scanned files: 37184

Infected files: 1



Data scanned: 11009.11 MB

--------------------------------------

Cancelled

--------------------------------------
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Here's the MBAM log:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 775816
Time elapsed: 5 hour(s), 27 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> No action taken.
G:\backup_compaq\Backup_C\C\Program Files\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> No action taken.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<


Since it looks as though I am infected with a trojan horse, can you tell me how to get cleaned up?

Thanks, Dan
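The MBAM 1.12 logs quoted above share one layout: summary counts, then one section per category, each item written as `object (family) -> action`. As an added example (not code from the thread or from Malwarebytes), here is a small parser that extracts those items and singles out the ones the scanner reported but left with "No action taken", as in the desktop log. The sample log is constructed from lines quoted in this thread.

```python
import re

# Constructed sample, assembled from lines quoted in the thread's MBAM logs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 775816

Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> No action taken.
G:\backup_compaq\Backup_C\C\Program Files\mozilla.org\Mozilla\regxpcom.exe (Trojan.FBrowsingAdvisor) -> No action taken.
"""

# One detection line: "<object> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (header dict, list of detection dicts) for an MBAM 1.x log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):        # "<Category> Infected:" opens a detail section
            section = line[:-1]
            continue
        if section is None:                   # still in the summary header
            if ": " in line:
                key, _, value = line.partition(": ")
                header[key] = value
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return header, detections


def outstanding(detections):
    """Detections the scanner reported but did not quarantine or delete."""
    return [d for d in detections if d["action"].startswith("No action taken")]
```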

#4 DaChew, Visiting Alien (BC Advisor, 10,317 posts; millenium falcon and rockytop)

Posted 28 May 2008 - 10:20 AM

Looks like some broken pieces of adware and then a false positive on the mozilla files?

Update MBAM and just repeat quick scans

Firefox is a good browser but I use the noscript addon when I am surfing in the wild
Chewy

No. Try not. Do... or do not. There is no try.

#5 DanT, Topic Starter (Members, 38 posts; Arkansas, USA)

Posted 29 May 2008 - 08:34 AM

Thanks, I am posting this from the previously flawed computer. I ran the MBAM quick scans and was clean. Then I ran the full scan and was still clean.
The computer still couldn't work with the internet.
I uninstalled Firefox and ZoneAlarm, then reinstalled them this morning and things are now working.
I am going to run another set of virus scans (multiple programs) to be sure it's clean.

Thanks again, Dan

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,288 posts; Virginia, USA)

Posted 29 May 2008 - 09:41 AM

C:\WINDOWS\system32\ActiveScan\pskavs.dll: Sirius.Annihilator.272 FOUND

The above is a common FP.

pskavs.dll is a legitimate file installed by Panda ActiveScan but there are some anti-virus vendors that flag it as malicious. This FP detection is caused by Panda's on-line scanner not encrypting its virus signature files.

The problem is that Panda still ships files that contain "plain viruscode", other vendors encrypt such files to avoid such false positives. So Clam is right somehow, it found the byte sequence of the virus in the file.

ClamAV Mailing List Archive

Viruses have been detected in some of the 'Panda Antivirus' files on my computer...Why is this?...When an antiviral program scans a file for viruses, it compares all the signatures (of all viruses) in the database with the signatures in that file. If the signatures match (they are the same), the file is marked as infected. For an antivirus program, it is important to hide this database of signatures somehow - e.g. by encrypting it. Panda Antivirus does not encrypt its virus database - the signatures inside are clearly "visible" to other antiviral programs, so they detect this file as infected (but there is actually no virus inside - only the signatures are the same).

avast detects ActiveScan as virus
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
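To make the false-positive mechanism in quietman7's explanation concrete, an added illustration (not code from the thread, ClamAV, Panda or avast): a toy substring scanner flags a signature database stored in plaintext, because the very patterns it searches for appear verbatim in that file, while the same database with its patterns obfuscated on disk does not trigger. The signature names, patterns and XOR key are constructed placeholders.

```python
# Constructed toy signatures: byte patterns the scanner looks for.
# Real engines use much longer patterns; these stand in for the demo.
SIGNATURES = {
    "Demo.PatternA": b"DEMO-SIGNATURE-ALPHA-0001",
    "Demo.PatternB": b"DEMO-SIGNATURE-BETA-0002",
}


def scan(data, signatures):
    """Plain substring matching: a name is reported if its pattern occurs in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def plaintext_database(signatures):
    """A signature DB written as raw bytes: every pattern appears verbatim,
    so any other scanner with the same patterns will 'detect' this file."""
    return b"\n".join(name.encode() + b"=" + pat for name, pat in signatures.items())


def obfuscated_database(signatures, key):
    """Same DB with each pattern XORed against a key before writing, so the
    raw pattern bytes never sit on disk. The key prevents FPs, not snooping."""
    def xor(buf):
        return bytes(c ^ key[i % len(key)] for i, c in enumerate(buf))
    return b"\n".join(name.encode() + b"=" + xor(pat) for name, pat in signatures.items())


if __name__ == "__main__":
    key = b"\x5a\xa5"                        # constructed demo key
    print("benign file:", scan(b"a genealogy text file", SIGNATURES))           # []
    print("plaintext DB:", scan(plaintext_database(SIGNATURES), SIGNATURES))     # both names: false positive
    print("obfuscated DB:", scan(obfuscated_database(SIGNATURES, key), SIGNATURES))  # []
```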

#7 DanT, Topic Starter (Members, 38 posts; Arkansas, USA)

Posted 30 May 2008 - 11:19 AM

Thanks.

At some time in the past, I did run Panda Antivirus on this computer.

I forgot to mention earlier that I also uninstalled Adobe Flash Player. I understand that it has some problems.

Dan

#8 DaChew, Visiting Alien (BC Advisor, 10,317 posts; millenium falcon and rockytop)

Posted 30 May 2008 - 12:50 PM

http://www.adobe.com/products/flashplayer/

they just released a new improved version to fix a massive vulnerability yesterday

I uncheck that durn google toolbar
Chewy

No. Try not. Do... or do not. There is no try.
