Nav 2008 Shows Suspicious Activity


  • This topic is locked
7 replies to this topic

#1 Burt_Simpson (Members, 4 posts)

Posted 20 August 2008 - 10:01 PM

Norton AntiVirus 2008 Security History Advanced Details shows

"qttask.exe made 226 modifications to your Windows Startup Settings."

NAV 2008 Advanced details:
Program: c:\program files\quicktime\qttask.exe
Risk Level: Low
Last updated: 8/20/2008 10:51:48 AM
Affected Area: Windows Startup Settings

Activity Resource
Modified Resource \REGISTRY\MACHINE\sOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Modified Resource \REGISTRY\MACHINE\sOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickTime Task

"qttask.exe accessed the protected resources listed above. You may Remove this program"

NAV 2008 Quarantine shows the following results:

1) Infostealer.Gampass detected by Virus Scanner
Date and time: 8/15/2008 6:34:09
Status: Removed
Recommended Action: Resolved - No Action

Risk Properties|Details tab:
Affected Area:
1 File: c:\documents and settings\katja\my documents\limewire\saved\original motion picture soundtrack - this is the life (dog act).mp3
1 Browser Cache

(I doublechecked that this file was in fact removed!)

2) Backdoor.Bitrose detected by Auto-Protect
Date and Time: 7/16/2008 11:10:07 AM
Status: Removed
Recommended Action: Resolved - No Action

Risk Properties|Details tab:
Affected Area:
1 File: g:\zzz_zeus\ai roboform\roboform 6.9.88\airoboform.exe
1 Browser Cache

(Although this file was downloaded, it was not installed. I doublechecked, and the file was in fact removed!)

3) Downloader detected by Email Scanner
Date and Time: 7/19/2008 11:28:08 AM
Status: Removed
Recommended Action: Resolved - No Action

Alert Details:
Subject: *Telus Detected Spam*Re: Rabbit)
Sender: <corrine@mexxxico.com>
Risk items: [images41.jpg___________________.exe] inside of [images41.zip]

(I doublechecked and this EMAIL was in fact removed!)

4) Trojan Horse detected by Auto-Protect
Date and Time: 7/4/2008 12:43:52 PM
Status: Removed
Recommended Action: Resolved - No Action

Risk Properties|Details tab:
Affected Area:
1 File: g:\zzz_zeus\dvd\cyberlink powerdvd ultra v8.0\cyberlink powerdvd ultra v8.0.1730 + keygen! [mulitlingual]\core\keygen.exe
1 Browser Cache

(Although this file was downloaded, it was never installed. I doublechecked, and the file was in fact removed!)

Thanks for your help!
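The NAV alert above is about a program writing to the HKLM ...\CurrentVersion\Run key, which is where Windows keeps per-machine autostart entries. The following PowerShell script is an added example, not part of Burt's post and not NAV or HijackThis code: it lists the Run/RunOnce entries for the machine and the current user, resolves each command to its executable, and reports whether that file still exists and carries a valid Authenticode signature. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the key list and the `Resolve-AutorunExecutable` helper are this example's own.

```powershell
# Added example: audit autostart entries the way a defender would triage a
# "modified your Windows Startup Settings" alert. Assumes Windows PowerShell on Windows.

$autorunKeys = @(                      # per-machine and per-user autostart keys (example's own list)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutorunExecutable {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\QuickTime\qttask.exe" -atboottime
    # or  %systemroot%\system32\dumprep 0 -k   (no extension: Windows implies .exe)
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $close = $expanded.IndexOf('"', 1)
        $exe = if ($close -gt 0) { $expanded.Substring(1, $close - 1) } else { $expanded.TrimStart('"') }
    } else {
        # Unquoted: take everything up to the first space. An unquoted path that itself
        # contains spaces is ambiguous to Windows too, so it is worth a manual look.
        $exe = ($expanded -split ' ', 2)[0]
    }
    if (-not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
    return $exe
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $command = $item.GetValue($name)
            $exe     = Resolve-AutorunExecutable $command
            $signer  = $null
            $status  = 'FileMissing'     # the "(no file)" case HijackThis reports
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig    = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Executable = $exe
                Signature  = $status
                Signer     = $signer
            }
        }
    }
}

# Missing files and unsigned or tampered binaries deserve a closer look; a startup
# entry whose executable is present and validly signed by its vendor usually does not.
Get-AutorunReport | Sort-Object Signature, Key | Format-Table -AutoSize
```

The script only reads the registry and the files it points at; removing an entry is a separate decision, which is why it reports rather than deletes. On 64-bit Windows the 32-bit view under Wow6432Node holds a second Run key that this example does not enumerate.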


#2 Thunder (Members, 3,294 posts, Location: Belgium)

Posted 05 September 2008 - 04:39 AM

Hello Burt and welcome at BleepingComputer,

Sorry to have kept you waiting for so long, but the forums are really busy.
If you still need help:

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. After reboot,
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following, if still present:
O2 - BHO: (no name) - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: (no name) - {053F9267-DC04-4294-A72C-58F732D338C0} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

3. Download RSIT by random/random and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • If it cannot locate TrendMicro's HijackThis, the tool will be downloaded, so please allow the download and accept the installation.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Burt_Simpson (Topic Starter, Members, 4 posts)

Posted 06 September 2008 - 12:06 PM

Thunder,

Thanks for your help!

I've cleaned my IE7 and Firefox 3.0.1 stuff, and hard drives as requested. Also ran the HijackThis fixes you suggested.

Here are the RSIT logs, attached, as requested.

What's next?

Burt

#4 Thunder (Members, 3,294 posts, Location: Belgium)

Posted 08 September 2008 - 07:49 AM

Hello Burt,

Your logs look fine now,
just make sure Norton and AVG don't bump heads!
Keep only 1 antivirus program active.

On the matter of malware: it looks like your programs blocked and/or deleted them all :thumbsup:

Any problems left?

Greetings,
Thunder

#5 Burt_Simpson (Topic Starter, Members, 4 posts)

Posted 12 September 2008 - 11:38 AM

Thunder,

Thanks very much for your help! I still have the same issue with NAV 2008 reporting suspicious activity, though.

A while back, I did get some typical virus behaviour (e.g. an unsolicited message on boot up) from one of the infections that NAV reported as blocked or removed. I don't remember which one, but it was unmistakably virus activity.

***I guess I should not do any online banking, or other transactions, without formatting my hard drive and rebuilding my system, eh?!***

Thanks,

Geoff

#6 Thunder (Members, 3,294 posts, Location: Belgium)

Posted 12 September 2008 - 05:04 PM

Hello Geoff,

If the only notifications you still get are about QuickTime Task (qttask.exe),
then you've got nothing to worry about,
and should allow the changes for this harmless startup entry.

The other ones were malware related however.

If you want an additional check:
Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the Kaspersky report.

Greetings,
Thunder

#7 Burt_Simpson (Topic Starter, Members, 4 posts)

Posted 13 September 2008 - 08:50 PM

Thunder,

Thanks again for your help! Here's the log of the Kaspersky scan:

**************************************

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, September 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 04:21:30
Records in database: 1220549
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 128276
Threat name: 3
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 15:14:10


File name / Threat name / Threats count
C:\Documents and Settings\Geoff\Local Settings\Application Data\Identities\{DC0AC371-9F5F-46CF-8F3E-01821183EBB5}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.HTML.Agent.km 1
D:\Zzz_Zeus\Remote Computer Management\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\Real.VNC.Enterprise.Edition.v4.2.6.Incl.Keygen-CORE.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32 (Free).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32_viewer.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 2
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-tool-1_5_3-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.

**************************************
Here's what I've done:

1) I changed the file extension on the "delete.dbx" file - in the Outlook Express Identities folder - to "delete.dbx.BAK". OE doesn't seem to need it. OE shows the "Deleted Items" folder as empty, which is fine. CAN I SAFELY DELETE THE (now renamed) FILE???

2) I removed the folders above (in D:\ZZZ_Zeus\), because I don't need them. This is just an archive of install files for software that was not installed.

THANKS AGAIN!!! :thumbsup:

Burt
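The Kaspersky report in the post above lists one detection per line in the form `<path> Infected: <threat> <count>`, and the thread's conclusion rests on reading those lines correctly: a single real Trojan-Downloader inside a mail store versus a set of `not-a-virus:` RemoteAdmin hits on VNC installers, which Kaspersky classes as riskware rather than malware. The following PowerShell script is an added example, not part of Burt's post and not Kaspersky's code: it parses that section, groups detections by threat and class, and checks the per-line counts against the report's own "Infected objects" and "Threat name" totals. The sample text is copied from the report above; the function names are this example's own.

```powershell
# Added example: summarise a Kaspersky Online Scanner 7 report. The here-string below
# is the relevant part of the report posted in this thread; a real run would read the
# saved report with Get-Content instead.

$report = @'
Scan statistics:
Files scanned: 128276
Threat name: 3
Infected objects: 23
Suspicious objects: 0

File name / Threat name / Threats count
C:\Documents and Settings\Geoff\Local Settings\Application Data\Identities\{DC0AC371-9F5F-46CF-8F3E-01821183EBB5}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Downloader.HTML.Agent.km 1
D:\Zzz_Zeus\Remote Computer Management\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\Real.VNC.Enterprise.Edition.v4.2.6.Incl.Keygen-CORE.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32 (Free).exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-4_1_2-x86_win32_viewer.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 2
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
D:\Zzz_Zeus\VNC\vnc-E4_2_7-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
D:\Zzz_Zeus\VNC\vnc-tool-1_5_3-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

The selected area was scanned.
'@

function ConvertFrom-KasperskyReport {
    # One object per detection line. The path may contain spaces, so it is matched
    # lazily up to the literal " Infected: " separator.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^(?<path>.+?) Infected: (?<threat>\S+) (?<count>\d+)\s*$') {
            [pscustomobject]@{
                Path     = $Matches.path
                Threat   = $Matches.threat
                Count    = [int]$Matches.count
                Riskware = $Matches.threat.StartsWith('not-a-virus:')   # Kaspersky's riskware prefix
            }
        }
    }
}

function Get-ThreatSummary {
    param([object[]]$Detections)
    $Detections | Group-Object Threat, Riskware | ForEach-Object {
        [pscustomobject]@{
            Threat  = $_.Group[0].Threat
            Class   = if ($_.Group[0].Riskware) { 'riskware' } else { 'malware' }
            Files   = $_.Count
            Objects = ($_.Group | Measure-Object Count -Sum).Sum
        }
    }
}

$detections = ConvertFrom-KasperskyReport ($report -split "`r?`n")
Get-ThreatSummary $detections | Format-Table -AutoSize

# Consistency checks against the report's own header figures.
$reportedObjects = [int]([regex]::Match($report, 'Infected objects: (\d+)').Groups[1].Value)
$reportedThreats = [int]([regex]::Match($report, 'Threat name: (\d+)').Groups[1].Value)
$summedObjects   = ($detections | Measure-Object Count -Sum).Sum
$distinctThreats = ($detections | Select-Object -ExpandProperty Threat -Unique).Count
if ($summedObjects -ne $reportedObjects) {
    Write-Warning "per-line counts sum to $summedObjects, report header says $reportedObjects"
}
if ($distinctThreats -ne $reportedThreats) {
    Write-Warning "found $distinctThreats distinct threat names, report header says $reportedThreats"
}
```

For the report above the per-line counts sum to 23 and there are three distinct threat names, both matching the header, so the list is complete. The summary shows the split Thunder describes in the next post: one malware detection (the HTML downloader in the Outlook Express Deleted Items store) and the rest riskware hits on remote-administration installers.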

#8 Thunder (Members, 3,294 posts, Location: Belgium)

Posted 15 September 2008 - 07:45 AM

Hello Geoff,

C:\Documents and Settings\Geoff\Local Settings\Application Data\Identities\{DC0AC371-9F5F-46CF-8F3E-01821183EBB5}\Microsoft\Outlook Express\Deleted Items.dbx is in fact your Outlook Express deleted items box,
and removing anything in it would have been fine as well. :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.