Something new?


7 replies to this topic

#1 ESCHEW


Posted 26 February 2010 - 02:48 AM

Just came across this less than an hour ago. Funny thing is I thought I had all angles covered and was safe.
My virus definitions are up to date and all versions are up to date too. While I was surfing the net, reading news, my Zone Alarm popped up and a file that I don't know asked for permission to access the internet. The file name is kxhlsftav.exe.
Of course, I denied access and quickly looked for the file in the usual places, using different tools to scan the file.
All reported clean, including AVG and SAV. Although the name is new, the way it wormed itself in looks familiar.

Used Task Manager to stop the process tree, delete the file, delete the pf, delete the subdir (xxusbf), empty trash. Checked RegEdit and found the exe file in the usual places, hiding in Microsoft/Windows/CurrentVersion/Run (both user and local machine), waiting to restart on every boot.

Good thing Zone Alarm was working or else I'm toasted, as AVG and SAV did not think the file was a problem. I will keep checking the usual places for funny file names (most likely random names) for the next while.

I think there are other instances of the file but am not 100% sure. I deleted the file anyway. The time stamp is identical and I have no idea what it is (vyilpp.exe). Looks suspicious enough.

The problem I have now is I cannot empty my recycle bin. It says it has 3 files. I looked and it is empty. When I try to empty the recycle bin, it gives me an error message: "Cannot delete Dd51: Access is denied."

Has anyone else come across this problem or know what I am up against?


EDIT: Moved to a more appropriate forum - MG

Edited by garmanma, 26 February 2010 - 09:49 AM.



#2 ESCHEW


Posted 26 February 2010 - 03:20 AM

There is more to this story. I rebooted the computer. Looks like it is a clean boot. Searched log files.
According to Zone Alarm, the file kxhlsftav.exe is trying to access IP 195.88.190.54:80.
DNS search revealed it as: Bigness Group Ltd, 25 Nevsky broad str, office 96, S-Petersburg, Russia, cardiro.org
Googling cardiro.org showed the following after some digging:
195.88.190.54 / Malware URL / Rogue Antivirus / AntivirusLIVE (main site) Bogenov Oleg / cardiro@cardiro.org
Mystery solved! However, I am still disappointed that both AVG and SAV didn't think the file was a problem.

#3 Layback Bear


Posted 26 February 2010 - 06:07 AM

Thanks for the information ESCHEW. Could you tell us what site you were looking at for the news?

#4 Eric RBA


Posted 26 February 2010 - 09:24 AM

ESCHEW, are you using Windows XP?
I would never ask a person to do something that I wouldn't do myself.

#5 ESCHEW


Posted 26 February 2010 - 01:43 PM

> Thanks for the information ESCHEW. Could you tell us what site you were looking at for the news?


I usually hit the msn and yahoo home pages (in various countries) and see what newsworthy items are there. I usually right click and open a new tab so I have no clue which one caused the "leak". I might have accidentally clicked on something that's not news. When the Zone Alarm pop up said something wants to access the internet and I don't know the program, I shut down IE and engaged the internet lock right after I denied access to the program.

By the way, I have my restore and monitor turned off but "that thing" turned it on for me, as after the reboot the restore monitor is on.

#6 ESCHEW


Posted 26 February 2010 - 01:53 PM

> ESCHEW, are you using Windows XP?


XP SP3, latest updates and security patches, always patch on Tuesdays, Windows Defender, AVG (local), SAV Endpoint (Corporate edition/managed through server), IE8. I even used HTTP block with PeerBlock.

Funny story about PeerBlock: I can't access BBC web sites and look at their TV program info as PeerBlock is blocking the site. I have to add BBC to my white list to access the web, so it's a new tool that I am experimenting with to fight malware. You'll be amazed how many people are trying to ping you while your web browser is up.

If it wasn't for Zone Alarm, I'm toasted (hours spent to clean the sucker). As it is, it's an hour of work. If not, it would be half a day for sure. I think I'm going to add Zone Alarm to all my machines.

#7 Eric RBA


Posted 26 February 2010 - 02:11 PM

> Thanks for the information ESCHEW. Could you tell us what site you were looking at for the news?
>
> I usually hit the msn and yahoo home pages (in various countries) and see what newsworthy items are there. I usually right click and open a new tab so I have no clue which one caused the "leak". I might have accidentally clicked on something that's not news. When the Zone Alarm pop up said something wants to access the internet and I don't know the program, I shut down IE and engaged the internet lock right after I denied access to the program.
>
> By the way, I have my restore and monitor turned off but "that thing" turned it on for me, as after the reboot the restore monitor is on.


To be honest, this likely came from scripts in advertising or something of that sort. They're the #1 problem-causing spot anymore. You should use a script blocker, or at least an ad blocker, in whatever web browser you're on. And don't use Internet Explorer if you still are. Ever. It's the most unsafe piece of garbage out there for web browsing. Install Mozilla Firefox or Google Chrome (preferred) and look for extensions. You definitely want extensions that block ads. I use Chrome with AdBlock and I feel quite safe.

The reason I asked about your use of Windows XP is because I support about 500 computers on that OS and part of your problem sounds familiar as far as the Recycle Bin not fully deleting. There's a hidden folder (even if you show hidden folders in the View options) in the C:/ drive that you need to delete. It isn't easy to do, but necessary because it's where everything goes when you empty the Recycle Bin and malware can exploit this known issue. Here's what you can do though.

You'll need to be logged into Windows with a user account that has administrator privileges. Then, go to the Start Menu and open All Programs. From there go to the Accessories folder and look for Command Prompt and open that. In the command prompt window type the following information, exactly as you see it.

rd /s /q C:\recycler

Then hit enter. Depending on how large that folder is it will either be quick or will take several seconds. Just be patient until it's done. There are two other possibilities though. 1 - it might say that you don't have permissions to do this task or 2 - it might not have anything to delete.

Go ahead and try this and let me know how it goes when you're done. Also, if I were you, as soon as you possibly can do it go and download a different browser and get yourself away from Internet Explorer.

Edited by Eric RBA, 26 February 2010 - 02:16 PM.

I would never ask a person to do something that I wouldn't do myself.
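A scripted form of the Recycler cleanup in the post above, added here as an example and not Eric RBA's own code: it tests for the folder first (the "nothing to delete" case), clears the system/hidden attributes that can make rd refuse, and checks whether the folder survived afterwards (the "access denied" case), because rd /s /q does not reliably set ERRORLEVEL. It assumes the system drive is C: and an administrator command prompt on Windows XP.

```batch
@echo off
rem Added example (not from the thread): remove the hidden Recycler folder on Windows XP.
rem Assumption: the system drive is C: and this runs from an administrator command prompt.
setlocal
set "target=C:\RECYCLER"

rem Possibility 2 from the post: there is nothing to delete.
if not exist "%target%\" (
    echo Nothing to delete: "%target%" does not exist.
    exit /b 0
)

rem The folder and its per-user subfolders carry system+hidden attributes;
rem clear them so rd is not refused on attribute-protected entries.
attrib -s -h -r "%target%"
attrib -s -h -r "%target%\*" /s /d

rem The same command the post gives, run non-interactively.
rd /s /q "%target%"

rem Possibility 1 from the post: access denied. rd does not reliably set
rem ERRORLEVEL, so test whether the folder is still present instead.
if exist "%target%\" (
    echo Could not remove "%target%": access denied or a file inside is in use.
    echo Check that this prompt is running as an administrator and try again.
    exit /b 1
)
echo Removed "%target%". Windows recreates an empty Recycler the next time the Recycle Bin is used.
endlocal
exit /b 0
```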

#8 ESCHEW


Posted 26 February 2010 - 04:57 PM

Thanks Eric ... actually I used a cheat ... booted up with Linux and deleted it, lock, stock and barrel ...
The rd command is a good tip as well. Too bad it doesn't delete bad / invalid directories.
I have used Firefox. Too slow compared to IE. Tried Opera as well. Have not tried Chrome yet so I'll give it a try.
According to what I've seen so far, everyone is vulnerable. There are holes in Firefox and Chrome just the same, according to what I've read in the various trade articles.
IE gets the most press and the most exploits as they have the highest installed base. I am not saying they are the best, just that they have the highest installed base.
You are probably right about the script, as I remember seeing a JavaScript icon pop up in my task bar notification area when that happened. Thanks for your input!



