
The Hibernating Hijacker


7 replies to this topic

#1 hannedog


Posted 19 August 2008 - 09:39 PM

Hello all,

First off I have a b.a. in computer science and am fairly knowledgeable on windows os stuff.

However I did run into a bit of a situation when I decided to hook my computer up to an old CRT monitor!

The problem was that since I normally use a widescreen LCD, and since I forgot to make the resolution compatible before switching, I couldn't boot into Windows. Had to use safe mode to boot, but then it wasn't letting me change or save the resolution change for normal boot. Well, at first I thought I would make a temp user profile while in safe mode, and then normal boot into the temp profile. I thought the default resolution of the temp profile would let me normal boot (that turned out to be wrong, but it's another story). Not only was making a temp profile for booting with a lower resolution a bad idea, it also had another very bad side effect.

Apparently, when logging into the temp profile for the first time, when Windows was doing all the set-up stuff for the profile, the active protection I was using wasn't present during setup -- and this allowed some malicious code I evidently had stored on my computer to manifest itself.

I noticed that after I had made that temp account (and deleted immediately once I found it didn't work for booting into normal mode), my Internet would work for about 5 minutes, then stop. The only way to fix this was to reboot the computer. At first I thought it was a router problem... but, then, I noticed that my Zone Alarm was no longer running in the taskbar! It was a registered process in taskman, but there was no way to access the gui functions. When trying to run from start menu -- nothing. So this is when I knew something was up. Only moments later and my browser was hijacked and I got some ad from a 72.xx.xx.xx IP address.

I went to my Windows Defender software explorer -- and noticed some peculiar things. A Watson Notifier exe -- I forget the exe name right now -- had curiously weaseled its way into the startup programs. Also, my active protection for defender was also turned off! Well, some hijacker had disguised itself as the Dr. Watson, because as soon as I disabled and removed that, the Internet worked fine again. However, all traces of infection don't seem to be gone yet -- which is why I came here

I ran a Kaspersky online scanner to double check that my system was clean -- and it found some things in my Java cache that AVG did not. My question is if I can feel confident in total system cure by just deleting the Java cache? Or should I be looking at other stuff as well? I thought a look at my HJT for recommendations would be a good idea in any respect.

Here is the Kaspersky log:


"KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, August 19, 2008 07:05:03
Records in database: 1109290


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 167579
Threat name 4
Infected objects 7
Suspicious objects 0
Duration of the scan 02:23:41

File name Threat name Threats count
C:\Documents and Settings\All Users\Documents\ANTI - SPYWARE FOLDER\ssfsetup972.exe Infected: Trojan-Clicker.Win32.Small.to 1

C:\Documents and Settings\Student\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-1fc7db6b Infected: Trojan.Java.ClassLoader.as 3

C:\Documents and Settings\Student\Application Data\Sun\Java\Deployment\cache\6.0\35\362cfe3-626587f8 Infected: Trojan-Downloader.Java.OpenStream.ac 1

C:\Documents and Settings\Student\Desktop\enum\enum.exe Infected: HackTool.Win32.EnumPlus.a 1

C:\enum\enum.exe Infected: HackTool.Win32.EnumPlus.a 1

The selected area was scanned."


The AVG log (which didn't find the infections Kaspersky did):

Scan "Scan specific files or folders" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Tuesday, August 19, 2008, 5:48:42 AM"
Scan finished:;"Tuesday, August 19, 2008, 6:41:10 AM (52 minute(s) 28 second(s))"
Total object scanned:;"859396"
User who launched the scan:;"Student"


Note: you'll see that Kaspersky listed some enum.exe as a hacktool -- well, these files are just perfectly fine. They're supposed to be there -- purely for educational purposes.

Also, I see that my Windows Installer directory has grown to 1.7 GB. I'd like to clean it out, but Microsoft says it doesn't recommend using the MSI cleaner utility if you have Office 2007 installed -- and so I'm a bit hesitant to use msizap.exe. I'd rather not mess anything up than to gain just a bit more space. But does anyone here know if using the msizap.exe G! command with Office 2007 will be fine or not?


#2 quietman7


Posted 20 August 2008 - 09:07 AM

Certain files that are part of legitimate programs may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)". Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. If you put the file on your system, you can ignore it but keep in mind that other security tools may eventually detect it as well.

I am familiar with enum.exe. ssfsetup972.exe is related to a trial version of Webroot's Spysweeper (installation/setup file) but is the ANTI - SPYWARE FOLDER something you created to hold it?

To clear your Java cache, follow the instructions provided in How do I clear the Java cache?.

Msizap.exe is a command line utility that removes either all Windows Installer information for a product or all products installed on a computer. Products installed by the installer may fail to function after using Msizap.

msdn.microsoft.com

MsiZap G! is helpful for clearing out Windows Installer resources that are no longer being referenced...Take care when using msizap, though. "G!" is safe, but exploring other switches without understanding their ramifications could mean you cannot patch products anymore because product registration is missing (essentially making it appear to Windows Installer that your product is not there). Treat this like editing the registry.

blogs.msdn.com
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
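To make the two reports in the first post easier to compare, and to apply the triage rule quietman7 gives above (tool-class detections such as HackTool may be legitimate if you installed them yourself; everything else is cleaned), here is an added example. It is not code from this thread or from either scanner's vendor. It parses the Kaspersky Online Scanner 7 line shape `<path> Infected: <threat> <count>` and the AVG summary shape `key:;"value"` exactly as they appear in the quoted logs; the sample input below is constructed from those lines, and the Java deployment cache path fragment and the set of "tool" families treated as review-only are assumptions drawn from the quoted paths and the moderator's note.

```python
import re
from collections import Counter

# Constructed sample input: lines in the shape of the Kaspersky Online Scanner 7
# report quoted in the first post (paths and threat names taken from that report).
KASPERSKY_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\All Users\Documents\ANTI - SPYWARE FOLDER\ssfsetup972.exe Infected: Trojan-Clicker.Win32.Small.to 1

C:\Documents and Settings\Student\Application Data\Sun\Java\Deployment\cache\6.0\25\2365d359-1fc7db6b Infected: Trojan.Java.ClassLoader.as 3

C:\Documents and Settings\Student\Desktop\enum\enum.exe Infected: HackTool.Win32.EnumPlus.a 1

The selected area was scanned.
"""

# Constructed sample input in the shape of the AVG summary from the same post.
AVG_SUMMARY = r"""
Scan "Scan specific files or folders" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Total object scanned:;"859396"
User who launched the scan:;"Student"
"""

# One Kaspersky detection line: <path> Infected: <threat name> <count>
_KASPERSKY_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# One AVG summary line: <key>:;"<value>"
_AVG_LINE = re.compile(r'^(?P<key>[^:]+):;"(?P<value>[^"]*)"$')

# Assumption: a Sun Java deployment cache entry contains this path fragment
# (matched case-insensitively), as in the quoted report.
_JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"

# Assumption: detection families the moderator's note describes as tools that may be
# legitimate when the user knowingly installed them (the scanner cannot tell good use from bad).
_TOOL_FAMILIES = {"hacktool", "risktool", "not-a-virus"}


def parse_kaspersky(report):
    """Return one dict per 'Infected:' line: path, threat name, count."""
    detections = []
    for line in report.splitlines():
        m = _KASPERSKY_LINE.match(line.strip())
        if m:
            detections.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return detections


def parse_avg(summary):
    """Return the AVG summary as a dict; purely numeric values become int."""
    fields = {}
    for line in summary.splitlines():
        m = _AVG_LINE.match(line.strip())
        if m:
            value = m["value"]
            fields[m["key"]] = int(value) if value.isdigit() else value
    return fields


def triage(detection):
    """Classify one detection for the cleanup decision discussed in the thread."""
    family = detection["threat"].split(".")[0].lower()  # e.g. "hacktool", "trojan-downloader"
    if family in _TOOL_FAMILIES:
        return "review"             # possibly legitimate: confirm you installed it yourself
    if _JAVA_CACHE in detection["path"].lower():
        return "clear-java-cache"   # lives in the Java cache: clearing the cache removes it
    return "remove"                 # anything else: delete or quarantine


def triage_counts(report):
    """Count detections per triage class for a whole Kaspersky report."""
    return Counter(triage(d) for d in parse_kaspersky(report))


def scanner_disagreement(report, summary):
    """True when Kaspersky lists infected objects but AVG reports none,
    the gap between the two scanners that the first post points out."""
    return len(parse_kaspersky(report)) > 0 and parse_avg(summary).get("Infections found", 0) == 0


if __name__ == "__main__":
    for d in parse_kaspersky(KASPERSKY_REPORT):
        print(f"{triage(d):17} {d['threat']:35} {d['path']}")
    print("AVG infections found:", parse_avg(AVG_SUMMARY)["Infections found"])
    print("scanners disagree:", scanner_disagreement(KASPERSKY_REPORT, AVG_SUMMARY))
```

Running it prints one triage line per detection (remove, clear-java-cache, review) and then flags that the two scanners disagree, which is the practical reason for running a second opinion scanner the way the thread does.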

#3 hannedog


Posted 20 August 2008 - 12:44 PM


Thanks for the response. First off -- yes, the spysweeper was put in there by me (although it is quite antiquated by now). I should just remove it. Was there really something within the spysweeper setup that could be exploited?

Secondly, I cleared out my Java cache... but we'll see if that's enough. I will be doing another Kaspersky scan. I did notice between the time I posted yesterday and now (when I cleaned out my Java cache) that my browser was hijacked once to an ad site (again a 72.xx.xx.xx was in the URL bar). So we'll see if this behaviour continues now that the cache has been cleared. Note that initially when this all started I checked the HOSTS files etc. and they all checked out. Perhaps I should just post a HJT log anyway? Everything in my HJT log seems like they're there from legitimate sources... (well, maybe)

Also, I forgot to mention in my original post what ended up happening to ZoneAlarm. Like I said, ZoneAlarm couldn't be accessed, even though it was running in the taskman. Selecting to run ZoneAlarm from the start menu had no effect. So, I ended up deciding that uninstalling it was the only option. Now, here's the weird part: at the end of the uninstall, the very first "setup" screen that ZoneAlarm runs when you INstall it appeared. I went through the settings, and then the main ZoneAlarm window appeared! At the end of the uninstall! And here's the kicker: The window had no contents! The background of the Window had the familiar ZoneAlarm graphics, and that was it. No text, no buttons, nothing. Well, I closed the window out, and that seemed to be the last of it. It doesn't start up with Windows anymore anyway. So, something definitely messed up my ZA... and I'm not 100% convinced that it's been totally resolved yet.

Hmmm unfortunately msizap didn't seem to do anything... too bad, looks like I just need 1.7 GB of installer files. Well, anyway, thanks for the help, and further advice would be appreciated.

#4 quietman7


Posted 20 August 2008 - 01:05 PM

Was there really something within the spysweeper setup that could be exploited?

It was probably a "false positive".

I will be doing another Kaspersky scan. I did notice between the time I posted yesterday and now (when I cleaned out my Java cache) that my browser was hijacked once to an ad site (again a 72.xx.xx.xx was in the URL bar).

What security and anti-malware scanners do you have on your system? Did you perform scans? Did they find anything?

If you don't have any anti-malware programs, see BC's list of Freeware Replacements For Common Commercial Apps. I would also recommend that you download and scan with SUPERAntiSpyware Free in "Safe Mode".
Please update the definitions before performing a scan.

If you removed Zone Alarm, be sure to replace it with something else.
Comodo Free Firewall
Online Armor Free
PC Tools Firewall Plus
Ashampoo FireWall Free

#5 hannedog


Posted 20 August 2008 - 06:12 PM



Traditionally, I have AVG, Windows Defender, ZoneAlarm, and I used to have Spybot S&D, but, in recent times I've felt that the extra push on system resources hasn't been worth it (and that's been true... this only happened because of a "fluke" occurrence). So, I've dropped Spybot. I plan on reinstalling ZoneAlarm after this ordeal is over (realistically, my router and Windows firewall are plenty enough anyway).

I will try the SAS scan in safe mode. As I said in my original post, AVG did not detect any of the items mentioned by the Kaspersky log (and the items it did detect were cleaned). Also, Windows Defender reports the system as clean.

However, after clearing out the Java cache, Kaspersky no longer reports any active threats (just the enum and spysweeper). So, it looks clean there. However, there still seem to be traces of the hijack. Every once in a while, I'll get a "Bad Gateway" page that has some additional info on it (can't remember -- PGNIX?). The URL doesn't get changed from my desired destination, so unfortunately I can't re-find the page now, and clicking "refresh" causes the real page to load. I'm suspicious about it though because I've seen the exact same "Bad Gateway" page on two completely different domains (Yahoo News and Dawn of War 2 website). So, my guess is that the malicious file is gone, but its footprint still remains somewhere in my browser. Maybe a HJT log?

I'll post the results of the SAS scan.

#6 hannedog


Posted 21 August 2008 - 12:12 AM

Well, I ran SuperAntiSpyware in Safe mode -- didn't find a thing.

So, that only leaves the curious random "Bad Gateway" pages as a final question (I've only gotten two of them so far, so, maybe they were just coincidences). Do you think I should post a HJT log?

#7 quietman7


Posted 21 August 2008 - 07:53 AM

Let's try clearing all your history, temp files and cache again with a more thorough tool.

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#8 hannedog


Posted 21 August 2008 - 01:33 PM

Hmmm yeah I've never used ATF Cleaner before... it seemed to work quite nicely. Typically, I've manually deleted all the temp files myself to make sure I know what's being deleted... in the past I used a cleaning program on a machine which caused it to delete some Windows system files (possibly in the Installer folder) which then required the actual Windows XP CD to repair. I've just generally avoided them since.

But this ATF Cleaner seems to be very convenient (even though it didn't really clean anything out) and I'll probably be using this in the future!

Well, in the meantime I guess I'll just watch out for another one of those "Bad Gateway" pages to occur.... if I don't get one then I can probably guess I'm mostly ok. (I'll be doing a reformat eventually here regardless... I hate when these things happen, you can just never be 100% sure...)



