
IE 8 not connecting to anything after dl "flash player"


12 replies to this topic

#1 Gabriel Walker

Gabriel Walker

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 06 May 2009 - 07:09 PM

Hey There,

Not sure if this is an infection or a bad coincidence. A couple of days ago I was trying to watch the last 10 minutes of a Psych episode via the internet and I ran across a site that asked me to run a "flash player" app to view the video. Oh, and did I mention that this was on my wife's laptop. I said yes and then my BitDefender 2008 went crazy finding and deleting Trojan.AutorunINF.Gen. I finally rebooted the PC. When it came back up, IE 7 would no longer connect to any web sites (it just spins, saying it is connecting). I allowed Windows Update to upgrade to IE 8.

Firefox said it had an update from 3.08 to 3.10 and when it was done it crashed. I uninstalled Firefox (leaving the personal data as I did not want to lose my wife's bookmarks) and reinstalled 3.08 as I still had the install file on the hard drive. Same result. Uninstalled and reinstalled 3.10. Still crashed. Currently Firefox is uninstalled, again while saving the personal settings.

I am running on the following:
Toshiba Satellite A205
2GB Ram
Intel Celeron 1.86 Processor
Windows Vista Home Premium SP1
BitDefender 2008 - recent updates
IE 8.0.6001.18702
Firefox uninstalled
Safari 3.1.2
On a wireless network.

So does this sound like a virus or malware issue? Any suggestions would be appreciated.

Thank you,
Gabriel Walker

#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 06 May 2009 - 08:00 PM

Hello Gabriel Walker.

This sounds like a typical malware infection scheme.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and save it to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

With Regards,
The Panda

#3 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 06 May 2009 - 09:03 PM

Panda,

Thank you for the quick reply. I am working through your direction right now.

Gabriel

#4 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 06 May 2009 - 11:34 PM

Well, here is the news. I disabled my real-time protection and installed Malwarebytes. Unfortunately this is what happens when I try to run it:

[Screenshot: Malwarebytes error message]

It will not run. I wonder if the bad guy knows how we would defeat it and is interfering with it. Is that giving malware producers too much credit?

What next?

gabriel

#5 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 07 May 2009 - 12:37 AM

Okay, after a bit more digging I found that Malwarebytes did install. I needed to rename the exe file in

C:\Programs Files\Malwarebytes' AntiMalware

Right click the mbam-setup.exe file > click Rename > rename it something.exe, then try to run it.

I am moving forward now.

Gabriel

#6 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 07 May 2009 - 02:00 AM

I moved my Malwarebytes logs to the correct forum, under the topic "IE 8 not connection to anything after DL of "flashplayer" sw".

Thanks again for the help.
Gabriel

Edited by Gabriel Walker, 07 May 2009 - 12:47 PM.


#7 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 07 May 2009 - 12:54 PM

Request for Help,

A couple of days ago I was trying to watch the last 10 minutes of a Psych episode via the internet and I ran across a site that asked me to run a "flash player" app to view the video. Oh, and did I mention that this was on my wife's laptop. I said yes and then my BitDefender 2008 went crazy finding and deleting Trojan.AutorunINF.Gen. I finally rebooted the PC. When it came back up, IE 7 would no longer connect to any web sites (it just spins, saying it is connecting). I allowed Windows Update to upgrade to IE 8; same symptom.

Firefox said it had an update from 3.08 to 3.10 and when it was done it crashed. I uninstalled Firefox (leaving the personal data as I did not want to lose my wife's bookmarks) and reinstalled 3.08 as I still had the install file on the hard drive. Same result. Uninstalled and reinstalled 3.10. Still crashed. Currently Firefox is uninstalled, again while saving the personal settings.

I originally posted my logs by mistake to "Am I Infected? What should I do?" (I have since edited that post and removed the log files). I was not sure if this was an infection and was told that it looks to be. I followed instructions to disable realtime protection and run MalwareBytes. In order to run the software I needed to rename the mbam-setup.exe file in C:\Programs Files\Malwarebytes' AntiMalware.

I am running on the following:
Toshiba Satellite A205
2GB Ram
Intel Celeron 1.86 Processor
Windows Vista Home Premium SP1
BitDefender 2008 - recent updates
IE 8.0.6001.18702
Firefox uninstalled
Safari 3.1.2
On a wireless network.

Here is my scan log from Malwarebytes (if this was not the proper place to post it, please advise):

Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 6.0.6001 Service Pack 1

5/6/2009 11:46:26 PM
mbam-log-2009-05-06 (23-46-22).txt

Scan type: Quick Scan
Objects scanned: 78242
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\QuickyPlaeyrSoft (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6e97d1a7-1c6a-4f8d-b79e-5dee3ec466bd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6e97d1a7-1c6a-4f8d-b79e-5dee3ec466bd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{6e97d1a7-1c6a-4f8d-b79e-5dee3ec466bd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.

Folders Infected:
C:\Users\thetwinkler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> No action taken.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickyPlaeyr (Trojan.DNSChanger) -> No action taken.

Files Infected:
C:\RECYCLER\S-5-6-33-100017444-100004300-100030047-2209.com (Trojan.Agent) -> No action taken.
C:\Windows\System32\gxvxccounter (Trojan.DNSchanger) -> No action taken.

End of log.

I had Malwarebytes clean the items and rebooted; so far, same symptoms. Thanks again for the help.
gabriel

#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:36 AM

Posted 08 May 2009 - 10:13 PM

Hello Gabriel Walker,

I merged the topic you made in the HJT forum to this topic. MBAM logs are perfectly fine to post here. If you need to post in the HiJack This forum, you will receive explicit instructions on how to do so at that time.

Back to you PP,

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 09 May 2009 - 01:21 PM

Hello.

Thanks OB.

MalwareBytes has found evidence of a rootkit infection.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Re-run scan with MalwareBytes Anti-Malware
Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again using only the Quick Scan in normal mode, and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda
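As an added example (not from this thread, and not Malwarebytes' own code), a small Python triage script that parses detection lines in the MBAM log layout posted above, lists everything still marked "No action taken", and flags any NameServer value pointing at a resolver other than the ones the machine is expected to use. The sample log text and the expected resolver 8.8.8.8 are constructed for the example.

```python
"""Triage a Malwarebytes (MBAM) log: list detections left in place and flag
DNS resolvers written into Tcpip\\Parameters\\NameServer (DNSChanger style)."""
import ipaddress
import re

# Constructed sample in the layout of the MBAM 1.36 log quoted in this thread
# (abridged; the 8.8.8.8 line and its "Quarantined" action are made up here).
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\QuickyPlaeyrSoft (Trojan.DNSChanger) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.0.0,85.255.0.0 -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 8.8.8.8 -> Quarantined and deleted successfully.

Files Infected:
C:\\Windows\\System32\\gxvxccounter (Trojan.DNSchanger) -> No action taken.
"""

# One detection line: "<item> (<threat>) [-> Data: <data>] -> <action>."
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Data: (?P<data>\S+))?"
    r" -> (?P<action>.+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection line; headers and summary counts are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def pending_items(findings):
    """Detections MBAM listed but did not remove ("No action taken")."""
    return [f for f in findings if f["action"].startswith("No action taken")]


def unexpected_nameservers(findings, expected):
    """Addresses in NameServer values outside `expected` (the router or ISP
    resolvers this machine should use); anything else is a hijack indicator."""
    expected = {ipaddress.ip_address(a) for a in expected}
    rogue = set()
    for f in findings:
        if not f["item"].endswith("\\NameServer") or not f["data"]:
            continue
        for addr in f["data"].split(","):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # malformed entry, not an address
            if ip not in expected:
                rogue.add(str(ip))
    return rogue


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for f in pending_items(found):
        print("still present:", f["threat"], f["item"])
    print("rogue resolvers:", sorted(unexpected_nameservers(found, {"8.8.8.8"})))
```

Pointing the script at a saved mbam-log-*.txt instead of SAMPLE_LOG gives the same two answers the helper asked for above: what was left unremoved, and which resolvers the Tcpip parameters still reference.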

#10 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 09 May 2009 - 08:47 PM

Thank you for correcting my mistake, Orange Blossom. You will find over time I can be taught.

PropagandaPanda,

At this time I am interested in disinfecting. I pasted it as I did not see how to attach a file. Thank you for your help and time with this mess.
Gabriel


Here is the Gmer scan log:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-09 19:37:08
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwOpenProcess [0xA67F0BA8]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwOpenThread [0xA67F0C8E]
SSDT \??\C:\Program Files\BitDefender\BitDefender 2008\bdselfpr.sys ZwTerminateProcess [0xA67F0B0C]

Code 860F3580 ZwEnumerateKey
Code 86037408 ZwFlushInstructionCache
Code 86032345 IofCallDriver
Code 8604DE76 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81C7FFE2 5 Bytes JMP 8604DE7B
.text ntkrnlpa.exe!KeSetTimerEx + 624 81CFEBE8 4 Bytes [A8, 0B, 7F, A6] {TEST AL, 0xb; JG 0xffffffffffffffaa}
.text ntkrnlpa.exe!KeSetTimerEx + 640 81CFEC04 4 Bytes [8E, 0C, 7F, A6]
.text ntkrnlpa.exe!KeSetTimerEx + 854 81CFEE18 4 Bytes [0C, 0B, 7F, A6] {OR AL, 0xb; JG 0xffffffffffffffaa}
.text ntkrnlpa.exe!IofCallDriver 81D01F6F 5 Bytes JMP 8603234A
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81DF830B 5 Bytes JMP 8603740C
PAGE ntkrnlpa.exe!ZwEnumerateKey 81E4DBA2 5 Bytes JMP 860F3584

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll (*** hidden *** ) @ C:\Program Files\Safari\Safari.exe [3108] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\gxvxcpqnseiqymsxcmvqwnfoevfijuixqcgcb.sys 37376 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\gxvxccounter 4 bytes
File C:\Windows\System32\gxvxcdmtotintopdvwvuqiieydmxqnvsyipon.dll 26625 bytes executable

---- EOF - GMER 1.0.15 ----

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 11 May 2009 - 07:24 AM

Hello.

Sorry for the delay. Forgot to check on this topic.

There is indeed a rootkit infection. We will require more powerful tools than permitted here.

Download and Run DDS
Please download DDS by sUBs from any of the links below:
DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Start a new topic in the Malware Removal Forum, not in this forum.

Post me a link to the new topic. After the topic has been started, continue all discussion there.

With Regards,
The Panda

#12 Gabriel Walker

Gabriel Walker
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 16 May 2009 - 09:16 AM

Propaganda Panda,

Sorry for the delay in writing this reply. Life has dragged me away from this issue and the computer, so as to get back to you. With that time I started to realize that the laptop is used for sensitive data such as online banking and shopping, so I believe I will need to reverse my initial thought of just cleaning this computer and look at what needs to be done to format and start from scratch. I did notice that the DVD/CD drive is no longer recognized. Looks like the attack took that out.

It is a Toshiba laptop and I have the restore disk, but not sure if that will help now. Again, sorry both for the delay and for the change of course.

Sincerely,
Gabriel

#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:36 AM

Posted 16 May 2009 - 09:37 AM

Hello Gabriel.

That is a good decision. Feel free to ask if you need any help during the reinstall.

With Regards,
The Panda
