
*urgent* Superantispyware Went Nuts! *urgent*


11 replies to this topic

#1 ZT-repairseek


Posted 22 May 2008 - 11:40 AM

Last night I updated SUPERAntiSpyware and ran it. This morning, when I got up, I found it's reporting a mountain of stuff: adware, malware, trojans, and more, but the thing is THE THINGS IT'S SHOWING DON'T EXIST!
Desktop shortcuts, files, bookmarks, all manner of stuff, but it's not there! HijackThis 1.99.1 finds nothing, Reanimator finds nothing, AVG Anti-Spyware comes up clean, there's nothing showing in Autoruns that's not supposed to be there, I'm finding nothing wrong in Process Explorer, and while some things turned up in Spybot, none of them are in SAS's list. I'm also not finding any of it when looking by hand, and if it were there in the amounts SAS is reporting, it'd be visible. If I had as much stuff on my system as it's saying, it probably wouldn't even be running well enough to make this post.

Working with WinXP SP2.

Sorry that the images are so whackin' huge, but it was either make a huge image or have an army of small ones to show the entire list of stuff it's reporting.
The post would have been up sooner, but Spybot and company take a while to run, particularly on my older hardware.

Wait, how do I attach stuff again? Maybe I'll have to pass the images along by some other means, a PM or something... what a pain.

Edited by ZT-repairseek, 22 May 2008 - 11:43 AM.




#2 DaChew


Posted 22 May 2008 - 12:15 PM

In SAS, under Preferences, View Logs; just copy and paste into a reply.

Cookies are the least important.

Another scanner, MBAM, gives some more detailed infection information.

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062
Chewy

No. Try not. Do... or do not. There is no try.

#3 ZT-repairseek


Posted 22 May 2008 - 12:29 PM

Thing of it is, I'm not letting it do ANYTHING with the results it's got, because I'm worried it's been compromised and may end up unleashing unholy hell...

#4 DaChew


Posted 22 May 2008 - 12:33 PM

Without some logs we can't tell anything. Post some; if you choose to not let the scanners quarantine, that's understandable.

After we look at the logs maybe we can recommend something.

#5 quietman7


Posted 22 May 2008 - 12:45 PM

This is not the first report since updating SAS to the new version. See here and here.

Simply reboot and scan again. That means our kernel driver was not loaded after the update.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#6 ZT-repairseek


Posted 22 May 2008 - 12:49 PM

~~~~~~~~~
EDIT:
quietman got his post in while I was posting.
That's a vague relief, but it still seems *VERY* strange, and even a touch suspicious. But maybe I've just become paranoid with all the threats out there; I hardly do anything on the 'net anymore without putting my browser into secure mode (which, as per my settings, loads only HTML and images), so this struck me as very, very messed up.

~~~~~~
Alright, I just got done with MBAM for a quick scan. While it found stuff, its results ALSO were not things I find in the result pane on SAS.
Here's MBAM's quick scan log:

Malwarebytes' Anti-Malware 1.12
Database version: 777

Scan type: Quick Scan
Objects scanned: 40805
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 14
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf0a1ff4-bbaf-487f-bc85-a24ef8f443a8} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\battle.net (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_server2 (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_forms (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_certs (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_options (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_ss (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_pstorage (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_command (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_idproject (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_pauseopt (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_pausecert (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_newversion (Backdoor.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\bnetunin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Going to start a full scan now.
Now, I've taken screenshots of SAS's list (which is huge, gotta be a few hundred things), and I've also taken one to emphasize the "oh wait, the stuff it says is there isn't..." but I apparently have no way to post them.

Edited by ZT-repairseek, 22 May 2008 - 12:53 PM.


#7 quietman7


Posted 22 May 2008 - 12:51 PM

Did you read my previous post?

#8 ZT-repairseek


Posted 22 May 2008 - 12:57 PM

As noted by the edit, you got your post in while I was posting. 'Net normalcy. *shrug*

#9 DaChew


Posted 22 May 2008 - 01:06 PM

I would recommend downloading the new version of SAS, then uninstalling SAS, rebooting and installing the new version, updating, and then rebooting again and running a scan.

My SAS was not updating the kernel driver.

MBAM should not be affected by the SAS problems.

Backdoor.Agent would be good at hiding; dig deeper.

Edited by DaChew, 22 May 2008 - 01:09 PM.
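The MBAM log posted in #6 and DaChew's advice above to dig deeper come down to the same habit: treat the scanner's report as data, confirm the itemised list agrees with the log's own summary counts, and after the reboot re-check that everything it quarantined actually stayed gone (anything that comes back means a live dropper or autorun is still on the box). The Python below is an added example written for this page, not code from Malwarebytes, SUPERAntiSpyware or anyone in the thread. The embedded log is a constructed, shortened excerpt of the one posted (same line format, counts adjusted to the items kept); the section names, regexes and the `recheck_windows` helper are this example's own assumptions about the MBAM 1.x text format, and the re-check only runs on Windows, using the standard-library winreg module.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, shortened excerpt of the MBAM 1.12 quick-scan log posted in this
# thread (same line format; summary counts adjusted to match the items kept).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Database version: 777

Scan type: Quick Scan
Objects scanned: 40805
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\battle.net (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_id (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\xrt_opt_server1 (Backdoor.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\bnetunin.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Artifact:
    section: str    # log section, e.g. "Registry Values Infected"
    path: str       # registry key, registry value or file path
    detection: str  # MBAM detection name, e.g. "Backdoor.Agent"
    action: str     # what the scanner says it did with it


# Assumed line shapes of the MBAM 1.x text log (derived from the posted log).
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Artifact]]:
    """Split an MBAM 1.x text log into its summary counts and itemised findings."""
    summary: Dict[str, int] = {}
    artifacts: List[Artifact] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            artifacts.append(Artifact(section, m["path"], m["detection"], m["action"]))
    return summary, artifacts


def check_counts(summary: Dict[str, int], artifacts: List[Artifact]) -> Dict[str, Tuple[int, int]]:
    """Return {section: (claimed, listed)} for every section whose summary count
    disagrees with the items actually listed. A mismatch means the log was
    truncated or edited in transit, or the scan stopped early; do not trust it."""
    listed: Dict[str, int] = {}
    for a in artifacts:
        listed[a.section] = listed.get(a.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if n != listed.get(s, 0)}


def by_detection(artifacts: List[Artifact]) -> Dict[str, List[str]]:
    """Group paths by detection name, so one family's footprint is visible at a glance."""
    out: Dict[str, List[str]] = {}
    for a in artifacts:
        out.setdefault(a.detection, []).append(a.path)
    return out


def recheck_windows(artifacts: List[Artifact]) -> Optional[List[Artifact]]:
    """After the reboot, return the artifacts that have reappeared on this box.
    Returns None when not running on Windows (winreg is Windows-only)."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT}
    back: List[Artifact] = []
    for a in artifacts:
        if a.section == "Files Infected":
            if os.path.exists(a.path):
                back.append(a)
            continue
        if a.section not in ("Registry Keys Infected", "Registry Values Infected"):
            continue
        hive_name, _, sub = a.path.partition("\\")
        value = ""
        if a.section == "Registry Values Infected":
            sub, _, value = sub.rpartition("\\")  # value name is the last component
        try:
            with winreg.OpenKey(hives[hive_name], sub) as key:
                if value:
                    winreg.QueryValueEx(key, value)  # raises OSError if the value is gone
                back.append(a)
        except (OSError, KeyError):
            pass  # key/value absent: the removal held
    return back


if __name__ == "__main__":
    summary, artifacts = parse_mbam_log(SAMPLE_LOG)
    print("mismatched sections:", check_counts(summary, artifacts) or "none")
    for name, paths in by_detection(artifacts).items():
        print(f"{name}: {len(paths)} item(s)")
    came_back = recheck_windows(artifacts)
    print("re-check:", "not on Windows" if came_back is None else (came_back or "all still gone"))
```

Run it against a pasted log on the rebooted machine; an empty mismatch set plus an empty re-check list is the result you want before calling the box clean, and anything under Backdoor.Agent that reappears is exactly the "dig deeper" case.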


#10 ZT-repairseek


Posted 22 May 2008 - 01:10 PM

MBAM full scan finished, nothing else found.
In the end I simply find myself seriously wondering how a driver not being loaded can result in the program hallucinating THAT MUCH stuff. 'Tis truly a hard-to-swallow explanation.

#11 ZT-repairseek


Posted 23 May 2008 - 09:27 AM

Hate to double post, but this will be the last post in this thread out of me, at least.
I find it vaguely amusing, if a bit disconcerting, that asking on the SAS forum why the driver not being loaded made the program hallucinate massively resulted in an "I can't tell you that." response. Way to instill confidence, eh?

#12 DaChew


Posted 23 May 2008 - 10:38 AM

http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Even the best scanners may only be reporting some of what the malware is trying to hide.

That's why we do repeated scans/fixes with several tools.



