
paranoid newbie seeks advice


8 replies to this topic

#1 xxxxxxxxxxxxxxxxxxxx

  • Members
  • 5 posts

Posted 08 August 2009 - 07:34 AM

some of your posts sound horrible, so i hesitate to put my 'problem' forward... but here goes.
i got seduced by an email quoting Emily Dickinson & got swept onto a malware site freshsummer.ru/sunshine.html. this is 2 weeks ago.

Norton360 said (i scanned after the penny had dropped) it had blocked an attack: "HTTP Malicious Toolkit Variant Activity 2" ...so OK, but malwaredomains.com said this site targeted a new weakness (in Adobe Reader & Flash) & Norton couldn't recognise the signature of the attack. So this is the paranoia clicking in. The computer is working fine, but I have removed those Adobe tools to avoid triggering anything.

Malwarebytes, Avast (both free versions), and updated Norton still say i'm OK. I'd be nearly reassured if the rootkit infection program GMER hadn't come up with a list of ominous sounding outputs like ZwCreateMutant and ZwImpersonateAnonymousToken. GMER code is apparently used by Avast. If i was writing malware i don't think i'd use those terms in my code, but nevertheless...

What does it mean, do you think? How do i prove a negative? is the best advice to get an expert to wipe the machine clean and start over??

Many thanks for advice. :thumbsup:


#2 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 07:36 AM

Let's get a good look at what's running on that computer.

Please download and run Processexplorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Chewy

No. Try not. Do... or do not. There is no try.

#3 xxxxxxxxxxxxxxxxxxxx
  • Topic Starter

  • Members
  • 5 posts

Posted 08 August 2009 - 07:45 AM

hello there..

process explorer report:


Process PID CPU Description Company Name
System Idle Process 0 80.16
Interrupts n/a Hardware Interrupts
DPCs n/a 1.54 Deferred Procedure Calls
System 4 1.54
smss.exe 436
csrss.exe 508
csrss.exe 552 3.08
wininit.exe 580
services.exe 640
svchost.exe 824 7.71
WmiPrvSE.exe 2828
igfxsrvc.exe 3184 igfxsrvc Module Intel Corporation
svchost.exe 896
svchost.exe 1056
audiodg.exe 1208
svchost.exe 1084
dwm.exe 2080 Desktop Window Manager Microsoft Corporation
WUDFHost.exe 1632
svchost.exe 1100
taskeng.exe 2040 Task Scheduler Engine Microsoft Corporation
taskeng.exe 2028
wuauclt.exe 1784 Windows Update Automatic Updates Microsoft Corporation
stacsv.exe 1144
SLsvc.exe 1276
svchost.exe 1308
DockLogin.exe 1396
svchost.exe 1456
WLTRYSVC.EXE 1568
BCMWLTRY.EXE 1588
aswUpdSv.exe 1596
ashServ.exe 1620
spoolsv.exe 1996
svchost.exe 2020
AEstSrv.exe 816
IAANTmon.exe 1096
ccSvcHst.exe 1716 1.54
ccSvcHst.exe 3300
WSCStub.exe 4200
svchost.exe 812
SeaPort.exe 1580
svchost.exe 2068
svchost.exe 2128
SearchIndexer.exe 2244
SearchProtocolHost.exe 2224
SearchFilterHost.exe 2868
rundll32.exe 2400 1.54
ashMaiSv.exe 2568
ashWebSv.exe 2700
wmpnetwk.exe 3696
sprtsvc.exe 6004
lsass.exe 656
lsm.exe 664
winlogon.exe 592
explorer.exe 2200 Windows Explorer Microsoft Corporation
Apoint.exe 2884 Alps Pointing-device Driver Alps Electric Co., Ltd.
ApMsgFwd.exe 3948
hidfind.exe 4416 Alps Pointing-device Driver Alps Electric Co., Ltd.
sttray.exe 2904 IDT PC Audio IDT, Inc.
igfxtray.exe 3024 igfxTray Module Intel Corporation
hkcmd.exe 3080 hkcmd Module Intel Corporation
igfxpers.exe 3192 persistence Module Intel Corporation
WLTRAY.EXE 3220 Dell Wireless WLAN Card Wireless Network Tray Applet Dell Inc.
quickset.exe 3236 QuickSet Dell Inc.
IAAnotif.exe 3256 Event Monitor User Notification Tool Intel Corporation
WebcamDell.exe 3272 Dell Webcam Central Application Creative Technology Ltd.
PDVDDXSrv.exe 3308 CyberLink PowerDVD Resident Program CyberLink Corp.
sprtcmd.exe 3368 SupportSoft, Inc.
wpcumi.exe 3408 Windows Parental Control Notifications Microsoft Corporation
realsched.exe 3488 RealNetworks Scheduler RealNetworks, Inc.
ashDisp.exe 3528 avast! service GUI component ALWIL Software
sidebar.exe 3540 Windows Sidebar Microsoft Corporation
sidebar.exe 2632 Windows Sidebar Microsoft Corporation
btdna.exe 3904 DNA BitTorrent, Inc.
wmpnscfg.exe 3912 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
AutoUpdateSrv.exe 3932 3Connect Auto Update Birdstep Technology
WilogApp.exe 2844 1.54 WILOG_FILE_DESCRIPTION Birdstep Technology
firefox.exe 284 Firefox Mozilla Corporation
procexp.exe 6176 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ApntEx.exe 4100 Alps Pointing-device Driver for Windows NT/2000/XP/Vista Alps Electric Co., Ltd.

Edited by xxxxxxxxxxxxxxxxxxxx, 08 August 2009 - 07:50 AM.


#4 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 08:13 AM

This is a dell laptop running vista?

Does the computer run OK?

The fact that you have Bittorrent running would indicate you let everything load and run at bootup, this is an accident waiting to happen.

#5 xxxxxxxxxxxxxxxxxxxx
  • Topic Starter

  • Members
  • 5 posts

Posted 08 August 2009 - 08:21 AM

it is. a Dell laptop running Vista.
You only use one question mark on each line, so i take it you're not totally incredulous that it runs OK....

i'm not using bittorrent at the moment, or 'seeding', so i'm surprised that it's active.

anyhow...

#6 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 08:52 AM

Does the computer run OK?


This is a trick question, I was subtly suggesting that you spend a little time and effort in cleaning up your startup processes.

Most programs have a setting where you can tell it to not load when windows boots up. This is a lot of work, but in the end you maintain a healthy computer.

As the bloat increases then the likelihood of crashes/stalls/glitches increases. This is why Vista is dead in the water, Windows 7 is proving it.

Edited by DaChew, 08 August 2009 - 08:53 AM.


#7 xxxxxxxxxxxxxxxxxxxx
  • Topic Starter

  • Members
  • 5 posts

Posted 08 August 2009 - 09:05 AM

and i will do that, believe me.

but as to the rest of the list: there's nothing nefarious in it?? if i assume the malware site was pushing something targeting Adobe Reader, would it be active when Adobe reader wasn't active? can these things lie low for extended periods? and is there no pleasing me?

i just watched Die Hard 4.0 last week, so I know these hackers can do anything. :thumbsup:

#8 DaChew

    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 09:23 AM

You need to open an infected PDF file or execute/play a flash file for the Adobe vulnerabilities to infect you.

Malicious web sites use several vectors of attack, it's best to give them a wide berth, when I need to investigate an iffy one I use FireFox with noscript.

#9 xxxxxxxxxxxxxxxxxxxx
  • Topic Starter

  • Members
  • 5 posts

Posted 08 August 2009 - 10:14 AM

i'm downloading the latest version of Adobe Reader. if i run the Process Explorer while i'm looking at a pdf, i suppose any additional process occurring will show up...

that noscript idea. that's a no brainer, i should've done that at least.
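Posts #3 and #9 both lean on a saved Process Explorer listing: once as a list to triage, once as a before/after comparison taken while a PDF is open. The script below is an added example, not code from the thread or from Sysinternals. It parses the tab-separated layout that Process Explorer writes under File > Save As (Process, PID, CPU, Description, Company Name), reports which processes appeared between two snapshots, and flags the new ones whose Company Name column is blank. The two snapshots, the AcroRd32.exe line and the unknown_helper.exe placeholder are constructed for the example and modelled on the listing posted above.

```python
"""Triage two Process Explorer listings: what is new, and what has no vendor.

Added example, not code from the thread or from Sysinternals. It assumes the
tab-separated layout that Process Explorer's "File > Save As" produces
(Process, PID, CPU, Description, Company Name) and works on two constructed
snapshots modelled on the listing posted in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcEntry:
    name: str
    pid: int              # -1 for pseudo-entries such as "Interrupts" (PID "n/a")
    cpu: Optional[float]  # None when the CPU column is blank (process was idle)
    description: str
    company: str


def parse_listing(text: str) -> List[ProcEntry]:
    """Parse a saved Process Explorer listing into ProcEntry records."""
    entries: List[ProcEntry] = []
    lines = text.strip("\n").splitlines()
    # Skip the header row if present.
    if lines and lines[0].lower().startswith("process\t"):
        lines = lines[1:]
    for line in lines:
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (5 - len(cols))  # tolerate missing trailing columns
        name, pid, cpu, desc, company = (c.strip() for c in cols[:5])
        entries.append(ProcEntry(
            name=name,
            pid=int(pid) if pid.isdigit() else -1,
            cpu=float(cpu) if cpu else None,
            description=desc,
            company=company,
        ))
    return entries


def new_processes(before: List[ProcEntry], after: List[ProcEntry]) -> List[ProcEntry]:
    """Entries present in `after` but not in `before`, keyed on (name, pid)."""
    seen: Set[Tuple[str, int]] = {(e.name, e.pid) for e in before}
    return [e for e in after if (e.name, e.pid) not in seen]


def flag_unattributed(entries: List[ProcEntry]) -> List[ProcEntry]:
    """Real processes (PID > 0, so not Idle/Interrupts/DPCs) with a blank Company Name.

    A blank column is only a prompt to check the image path and signature:
    when Process Explorer is not run elevated it cannot open the images of
    SYSTEM-owned services, so their Description/Company columns are blank too.
    """
    return [e for e in entries if e.pid > 0 and not e.company]


# Constructed snapshots (not the poster's real log): "before" mirrors a few
# lines of the posted listing; "after" adds a reader process and one
# constructed, vendor-less placeholder process named unknown_helper.exe.
BEFORE = (
    "Process\tPID\tCPU\tDescription\tCompany Name\n"
    "System Idle Process\t0\t80.16\t\t\n"
    "Interrupts\tn/a\t\tHardware Interrupts\t\n"
    "explorer.exe\t2200\t\tWindows Explorer\tMicrosoft Corporation\n"
    "firefox.exe\t284\t\tFirefox\tMozilla Corporation\n"
    "procexp.exe\t6176\t1.54\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com\n"
)
AFTER = BEFORE + (
    "AcroRd32.exe\t5120\t2.10\tAdobe Reader\tAdobe Systems Incorporated\n"
    "unknown_helper.exe\t5208\t\t\t\n"
)


def triage(before_text: str, after_text: str) -> Tuple[List[str], List[str]]:
    """Names of processes that appeared, and the subset with no vendor."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    appeared = new_processes(before, after)
    return [e.name for e in appeared], [e.name for e in flag_unattributed(appeared)]


if __name__ == "__main__":
    appeared, unattributed = triage(BEFORE, AFTER)
    print("appeared after opening the PDF:", appeared)
    print("appeared with no Company Name:", unattributed)
```

Two things to keep in mind when reading the output against the listing posted in #3. First, the many blank Description/Company entries there (smss.exe, csrss.exe, services.exe, the svchost.exe instances and the like) are what Process Explorer shows for SYSTEM-owned processes when it is not run elevated; the flag above is a cue to right-click the entry and check its image path and signature, not a verdict. Second, a before/after diff only catches a new process; something that loads into an existing process (a browser or reader plugin, for instance) will not show up as a new row, which is why the startup cleanup and NoScript advice in the thread matter independently of this check.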
