
Is my computer infected or being attacked?


33 replies to this topic

#1 emichele

emichele

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 20 July 2009 - 08:23 PM

I am using Windows Home XP SP3 and Norton Antivirus 2009. I'm suspicious that my computer is either being attacked or malware is trying to open. I'm not getting any pop-up warnings from NAV and my computer is operating normally, but the Norton history log shows the following two messages very frequently (23 times yesterday in the couple of hours I had the computer on). This has never occurred before:

Severity: Medium
Activity: Unauthorized access blocked (send terminate message to window)
Status: Blocked
Recommended action: No action required
Actor: c:\windows\explorer.exe
Actor PID: 3732
Target: C:\Program Files\Norton Antivirus\Engine\16.5.0.134\MCU132.exe
Target PID: 796 (This number varies)
Action: Send Terminate Message to Window
Reaction: Unauthorized access blocked
Recommended action: No Action Required


Also:
Severity: Medium
Activity: Unauthorized access blocked (open process token)
Status: Blocked
Recommended action: No action required
Actor: c:\windows\explorer.exe
Actor PID: 3732
Target: C:\Program Files\Norton Antivirus\Engine\16.5.0.134\MCU132.exe
Target PID: 3196 (this number varies)
Action: Open Process token
Reaction: Unauthorized access blocked
Recommended action: No Action Required



This began on the 16th after I returned from a trip. I downloaded Windows updates and ran live update on Norton.

Also, shortly before these messages began, the following two events occurred in the log:
Severity: Low
Activity: firefox setup 3.5.exe made 25 modifications to your system Configuration
Status: Detected
Recommended action: No action required

(I downloaded a Firefox update, but this has since been uninstalled).

Also:
Severity: Low
Activity: setup.exe modified your System Configuration
Status: Detected
Recommended action: No action required

(This may be when I installed an Adobe Acrobat update)

I've since been trying to find out what is going on. I contacted Norton for a live web chat, but the tech was rather confusing and seemed to be sending me some canned responses. He told me that I shouldn't be worrying about a virus if I received no pop-up warnings from NAV and my Windows firewall is on (it is). A full system scan found nothing to remove other than a tracking cookie. But new viruses are circulating all the time, and I want to be absolutely sure this is not an indication of infection before I do any sensitive transactions involving banking or credit cards.

While googling for more information, I found the following discussion on your website, which is very similar to my problem: http://www.bleepingcomputer.com/forums/t/233978/something-is-trying-to-disable-my-computer/

I would very much appreciate any information you have on this problem. Thank you for any help you can give me.


#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:14 AM

Posted 20 July 2009 - 08:52 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate Notification bullet, then press Submit.



Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 golfdude

golfdude

  • Members
  • 219 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ft Wayne, Indiana
  • Local time:06:14 AM

Posted 20 July 2009 - 10:02 PM

emichele,

You should be relying on help from staff members.

Please read:

http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/

Thanks,
Golfdude



#4 emichele

emichele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 21 July 2009 - 01:34 AM

Thank you for the clear and helpful instructions.

I ran the Anti-Malware file and it found 3 infected files and removed them. However, the Norton history log is still giving the same "unauthorized access blocked" messages as before, only more frequently now.

I am a little confused by Post #3. Am I posting in the wrong forum? Am I not listening to the right person? I would very much appreciate any advice you have to give me but am a newbie here.

#5 wj32

wj32

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:10:14 PM

Posted 21 July 2009 - 03:11 AM

> Thank you for the clear and helpful instructions.
>
> I ran the Anti-Malware file and it found 3 infected files and removed them. However, the Norton history log is still giving the same "unauthorized access blocked" messages as before, only more frequently now.


Do those access blocked messages appear out of nowhere, or do they appear when you do something? They may be malware injected into explorer.exe trying to close your AV (the "terminate" window message). Have you installed any explorer extensions, like software which puts custom items into right-click menus?

> I am a little confused by Post #3. Am I posting in the wrong forum? Am I not listening to the right person? I would very much appreciate any advice you have to give me but am a newbie here.


Don't worry about it...

EDIT: And please post your Malwarebytes log.

Edited by wj32, 21 July 2009 - 03:13 AM.

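The two log entries in post #1 and the hypothesis in post #5 (code running inside explorer.exe trying to close the AV) can be triaged mechanically rather than by eye. The block below is an added example, not code from the original thread, from Norton or from BleepingComputer: it parses history entries in the key/value layout the poster quoted (the sample text is constructed here, with made-up PIDs and repeat counts), counts blocked sensitive actions per actor/target/action triple, and flags any triple that repeats. The set of sensitive actions, the path markers used to recognise the AV engine, the repeat threshold and the function names are all assumptions made for the example.

```python
"""Triage helper for Norton 'Unauthorized access blocked' history entries.

Added example (not Norton's or BleepingComputer's code): parses history
entries in the key/value layout quoted in the thread, then flags actors
that repeatedly attempt sensitive actions against the AV engine process.
"""
import re
from collections import Counter

# Constructed sample in the same layout as the poster's entries; PIDs and
# the number of repeats are made up for the example.
SAMPLE_LOG = r"""
Severity: Medium
Activity: Unauthorized access blocked (send terminate message to window)
Status: Blocked
Actor: c:\windows\explorer.exe
Actor PID: 3732
Target: C:\Program Files\Norton Antivirus\Engine\16.5.0.134\MCU132.exe
Target PID: 796
Action: Send Terminate Message to Window
Reaction: Unauthorized access blocked

Severity: Medium
Activity: Unauthorized access blocked (open process token)
Status: Blocked
Actor: c:\windows\explorer.exe
Actor PID: 3732
Target: C:\Program Files\Norton Antivirus\Engine\16.5.0.134\MCU132.exe
Target PID: 3196
Action: Open Process token
Reaction: Unauthorized access blocked

Severity: Medium
Activity: Unauthorized access blocked (send terminate message to window)
Status: Blocked
Actor: c:\windows\explorer.exe
Actor PID: 3732
Target: C:\Program Files\Norton Antivirus\Engine\16.5.0.134\MCU132.exe
Target PID: 2040
Action: Send Terminate Message to Window
Reaction: Unauthorized access blocked

Severity: Low
Activity: setup.exe modified your System Configuration
Status: Detected
"""

# Assumptions: which blocked actions matter, and how to recognise the AV by path.
SENSITIVE_ACTIONS = {"send terminate message to window", "open process token"}
AV_PATH_MARKERS = ("\\norton", "\\symantec")


def parse_entries(text):
    """Return one dict per blank-line-separated block, keys lower-cased.

    Values are split on the first colon only, so 'Target: C:\\...' keeps its
    drive letter.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            rec[key.strip().lower()] = value.strip()
        if rec:
            entries.append(rec)
    return entries


def basename(path):
    """Last path component, lower-cased (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries, threshold=2):
    """Flag (actor, target, action) triples seen at least `threshold` times.

    Only blocked entries whose action is sensitive and whose target lives
    under the AV install path are counted. explorer.exe has no business
    closing the AV's windows or opening its process token, so repeats from
    it point at code running inside the shell: an injected DLL or a
    third-party shell extension, as suggested in post #5.
    """
    counts = Counter()
    for rec in entries:
        if rec.get("status", "").lower() != "blocked":
            continue
        action = rec.get("action", "").lower()
        target = rec.get("target", "").lower()
        if action in SENSITIVE_ACTIONS and any(m in target for m in AV_PATH_MARKERS):
            counts[(basename(rec.get("actor", "")), basename(target), action)] += 1
    findings = [
        {"actor": actor, "target": target, "action": action, "count": n,
         "note": "inspect modules loaded in this process and its shell extensions"}
        for (actor, target, action), n in counts.items()
        if n >= threshold
    ]
    return sorted(findings, key=lambda f: (-f["count"], f["action"]))


if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(finding)
```

Paste the real history export in place of the constructed sample; the "Detected" system-configuration entries are skipped because they carry no actor/target, and a clean machine should produce no findings at all, since nothing legitimate running as explorer.exe needs to terminate or open the token of the AV engine.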

#6 emichele

emichele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 21 July 2009 - 10:39 AM

"Have you installed any explorer extensions, like software which puts custom items into right-click menus?"

I'm not sure what this means. I recently installed IE8 and a Java update, but I am pretty sure that was after the attempted access messages began appearing.

The attempted access messages (as described in my first post) begin appearing as soon as I start up the computer, now just about every minute, more frequently than before.

Here's the malware report:

Malwarebytes' Anti-Malware 1.39
Database version: 2468
Windows 5.1.2600 Service Pack 3

7/20/2009 11:08:31 PM
mbam-log-2009-07-20 (23-08-31).txt

Scan type: Full Scan (C:\|E:\|H:\|)
Objects scanned: 531317
Time elapsed: 3 hour(s), 59 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\DivX\divx converter\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\DivX\divx player\pS2Xx.ddc (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.

#7 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:14 AM

Posted 21 July 2009 - 10:57 AM

Also, for the message, I used to get it sometimes (I use Kaspersky Internet Security), and it is just sometimes Windows cataloguing files, or something as simple as a startup item processing. I turned off the notification so it wouldn't show. But this doesn't mean that this is the case for you; it may or it may not be.

Lets do another scan to see some more of the situation:

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#8 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 21 July 2009 - 04:29 PM

I have a question if I may......

> This began on the 16th after I returned from a trip. I downloaded Windows updates and ran live update on Norton.


Was the computer left on and 'unattended' while you were away; or, was it possible for anyone to have used it during your absence?

I for one am not a great fan of Norton.

Would you mind running an on- line scan from Trend?
Trend Housecall

It may take a while to load the definitions the first time, so be patient; follow the on-screen prompts; do let us know what, if anything, is found.

How did you do the Java update installation; were you asked to uninstall your old Java program at all?

And please advise if you have System Restore enabled?

#9 JacobHall

JacobHall

  • Members
  • 300 posts
  • OFFLINE
  •  
  • Local time:11:14 AM

Posted 21 July 2009 - 04:57 PM

> (quoting Computer Pro's post #7 above in full)



Do you understand this person has a Backdoor.Bot!?

Maybe you should leave this for a member of staff to deal with, as ATF Cleaner is not going to find the RootKits that are most probably hiding the RootKits Core Files!

You should really leave this to someone who knows what they are doing.

#10 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:14 AM

Posted 21 July 2009 - 05:14 PM

There are no rootkits on this user's machine (at least as far as we have discovered so far). Backdoor.Bot is not a rootkit by any means. Your ideas, SnowDrop?

Edited by Computer Pro, 21 July 2009 - 05:14 PM.

Computer Pro

#11 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE
  •  
  • Local time:06:14 AM

Posted 21 July 2009 - 05:50 PM

I am not yet convinced there is NOT a Backdoor infection on here and I stand to be corrected but I think there IS one

You may wish to read this info by Boopme http://www.bleepingcomputer.com/forums/ind...t&p=1309389


This

c:\program files\DivX\divx converter\pS2Xx.ddc

for me points towards the use of File sharing torrent programs ; Have you been using P2P programs ?

Can you please fully update the Malwarebytes program reboot in Normal mode and run a full deep scan ? Also tell us if you do on line Banking etc with this computer?

#12 emichele

emichele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 21 July 2009 - 07:20 PM

> Was the computer left on and 'unattended' while you were away; or, was it possible for anyone to have used it during your absence?



Definitely not left on and no one had access to it.

> How did you do the Java update installation; were you asked to uninstall your old Java program at all?
> And please advise if you have System Restore enabled?



I was not asked to uninstall the old Java program; it just updated it. I know I should have updated it sooner and I have been worried about this being a source of infection.

I hate to sound dumb, but how do I disable system restore?

#13 emichele

emichele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 21 July 2009 - 07:32 PM

I am really confused now. In regards to rootkits, I just ran a gmer scan for rootkits (suggested on some Norton forum that I looked at) and it took nearly five hours, but didn't appear to find anything (I'm not very familiar with this program).

I normally do online banking on this computer but ceased doing it as soon as I saw this problem. I went to a known clean computer (a Mac) and changed my password. I am only using that Mac now for online access to banking or credit cards, etc.

Let me emphasize that I am not receiving any error messages of any kind from Norton, and everything seems to work normally on my computer. However, the constant "attempted access blocked" in the Norton history file makes me think there must be some malware on my computer that perhaps Norton is blocking but I want to get rid of it.

Is there any consensus as to what program I should run next to check further for infection?

#14 emichele

emichele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 21 July 2009 - 07:38 PM

> This c:\program files\DivX\divx converter\pS2Xx.ddc for me points towards the use of File sharing torrent programs; Have you been using P2P programs?


I do remember downloading a file to be able to view video downloads from a torrent site, but it didn't work well and I did not continue to try. I did this probably close to a month ago and the attempted access in the Norton history did not occur until 7/17. I can't find anything installed or downloaded close to that date other than IE8.

#15 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:07:14 AM

Posted 21 July 2009 - 07:55 PM

Please run ATF and SAS as asked and post the logs so that Computer Pro can look at them
Mark



