Tazinga email activity


  • Please log in to reply
1 reply to this topic

#1 Deets

Posted 01 July 2010 - 11:53 PM

I have some bad activity happening on my computer usually after it sits overnight. This just started happening a few weeks ago.

Sometimes after periods of inactivity I find an email message open addressed to info@tazinga.com (I think that is the address). I am on XP SP2 and using Outlook 2003. That is really all the activity that I have seen so far (I know, that is the scary part). I have searched for Tazinga and found a lot of issues with redirecting, but I have not seen any of that on my PC. I have ClamAV running and it has not found anything, I loaded Malwarebytes and it found and removed several things but the issue is still there.

Has anyone heard of this behavior before?

#2 Deets (Topic Starter)

Posted 06 July 2010 - 05:02 PM

I would like to thank everyone for their help with the problem. Without you I could not have gotten this fixed.

/sarc off

On a more serious note I wanted to reply to this because I got it fixed. I take it by the responses that no one on here (who had looked at my post) had seen this issue so I wanted to update this in case someone else out there ran into this issue.

Since the post I put on here a week ago a lot has changed.

After posting I did a lot more research into the possible problems I was having. I started to find some anomalies on my system and it seemed to get worse by the day. I knew I was infected so I stopped all regular activity on my PC. I have several systems I work from so this was not an issue. I also made sure my system was kept quarantined from my other systems. Internet browsing was fine and to this point I had not seen any adverse effects from the virus. I ran several virus/spyware/malware scanners and I found nothing. I checked all running processes and startup items and still found nothing. Then I found a service that was hidden and not supposed to be there. I removed it. I rebooted my PC and I got a message saying there was a file named "C:\Program" that could cause problems with some programs. This was a 0 byte file. At this point I am feeling really lucky that this/these malware(s) is not running correctly for whatever reason (first, it could not create and send or remove the email and now it is not writing files to my drive like it should). If these were working I would have never known this was happening.
I renamed the file and continued my hunt. I set up a packet sniffer on another PC and pushed all in/out traffic to/from this PC to that machine to capture any strange traffic.
I did more research and found some more information on the Tazinga virus. I tried to run RootKit Revealer but it would not run. It was not able to process files due to an issue with CMD.EXE. At this point I downloaded ComboFix.exe and ran that. It would not run! I renamed it and still no luck. I rebooted into safe mode and still it would not run. I found Stopzilla and installed it and it found every other antivirus program I had loaded and one other entry. I tried to remove it but it said I needed to pay for this feature.

soapbox
I hate when people do this cr@p. Why else would I download your program? It never stated that it costs any money and in today's world getting a free virus scanner is not too much of an unusual occurrence so I don't think I am being too unreasonable here. From their main page it took me right to a download page and the instructions said to run from here and not save it. Now they want $10 to remove my other anti-virus programs? No thanks. I uninstalled Stopzilla right then. It is not about the money it is the way they handle it (Just tell me up front it costs money).
/soapbox

After this I rebooted normally and tried to go back out to the web to look up some more info on ComboFix. Now Firefox would not start. I went into IE and it was slow and Google was very slow on searches. Now I started to get search redirects and link swaps.

It was at this point that I started to see strange traffic on the sniffer. There were HTTP requests and sessions being opened when the machine was idle. This is when I started to see pop up ads.

Now I started to notice odd behavior with the HelpAssistant account. I disabled it and rebooted and it was re-enabled. I had noticed that the profile for that account was very large. I looked up that and found the info I needed. I downloaded GMER and ran that. It found several things including a rootkit located at sectors 00 and 63 on my hard drive. Sectors 00-63, or the first 64 sectors are the master boot record location. I was also directed to http://www.eset.com/online-scanner and I ran that. That found the virus/trojans I had on my PC. I guess it was busy downloading other malware to my PC.
Here is the list of files found.
C:\Documents and Settings\Deets\Desktop\ComFix.exe a variant of Win32/Kryptik.YI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Deets\My Documents\Downloads\ComboFix(2).exe a variant of Win32/Kryptik.YI trojan cleaned by deleting - quarantined
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\7dy76wdl.default\Cache\38BF208Ad01 JS/Fraud.NAD trojan cleaned by deleting - quarantined
C:\Program Files\VMware\VMware Server\vnetlib64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\BtwSvc.dll.vir a variant of Win32/Refpron.KQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Win32/Pinit virus cleaned - quarantined
C:\WINDOWS\system32\PereSvc.exex a variant of Win32/Refpron.FS trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\pxcpya64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\WINDOWS\system32\pxinsa64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\WINDOWS\system32\qeuombwwl Win32/Pinit virus cleaned - quarantined

Once this ran and cleaned the files I rebooted and went straight into the recovery console. From there I ran mbrfix and then rebooted.

At this point I repeated the steps of the virus scans (including several more scanners) with reboots and let my PC sit overnight for 2 days with the packet filter running to gather any more data. I saw no activity and did not see any unexpected traffic to/from the PC.

The aftermath
I guess the virus was copying my profile to the HelpAssistant profile and running everything from there. Many of my profile folders were mirrored in the HelpAssistant profile. On top of that the internet history folder for that account was much larger than mine (it was a very busy virus). For example my profile's internet cache was 300 objects and 17MB, the HelpAssistant cache was 9538 objects at 429MB in size.

I disabled the HelpAssistant account and removed it from the Administrators group. Just to be sure, I added it to the Guests group as another way to monitor that account. I am going to delete the profile for the account.

I had to reinstall Firefox to get it working again.

I am now going to purchase the ESET program to monitor the PC.
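As an added example (not from the poster or from ESET), the scanner result lines quoted in the post above can be parsed into records so the indicators the post walks through are visible at a glance: which malware families were present, which hits sit under the HelpAssistant profile, and which were files already inside the ComboFix quarantine folder. The line format and field names are assumed from the ten lines on this page only.

```python
import re
from collections import Counter

# Sample input: the ten ESET Online Scanner result lines quoted in the post.
SCAN_LOG = r"""
C:\Documents and Settings\Deets\Desktop\ComFix.exe a variant of Win32/Kryptik.YI trojan cleaned by deleting - quarantined
C:\Documents and Settings\Deets\My Documents\Downloads\ComboFix(2).exe a variant of Win32/Kryptik.YI trojan cleaned by deleting - quarantined
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\7dy76wdl.default\Cache\38BF208Ad01 JS/Fraud.NAD trojan cleaned by deleting - quarantined
C:\Program Files\VMware\VMware Server\vnetlib64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\BtwSvc.dll.vir a variant of Win32/Refpron.KQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Win32/Pinit virus cleaned - quarantined
C:\WINDOWS\system32\PereSvc.exex a variant of Win32/Refpron.FS trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\pxcpya64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\WINDOWS\system32\pxinsa64.exe Win32/Virut.NBP virus cleaned - quarantined
C:\WINDOWS\system32\qeuombwwl Win32/Pinit virus cleaned - quarantined
"""

# Assumed line shape: <path> [a variant of ]<Platform/Name[.Variant]> <trojan|virus> <action> - <status>
# The path is matched lazily because it contains spaces; the signature's "/" anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<variant>a variant of )?"
    r"(?P<sig>[A-Za-z0-9]+/[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)?) "
    r"(?P<kind>trojan|virus) (?P<action>cleaned(?: by deleting)?) - (?P<status>\w+)$"
)


def parse_scan_log(text):
    """Turn each result line into a record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["family"] = rec["sig"].split(".")[0]   # Win32/Virut.NBP -> Win32/Virut
        rec["variant"] = rec["variant"] is not None
        rec["deleted"] = "deleting" in rec["action"]  # deleted vs. disinfected in place
        records.append(rec)
    return records


def summarize(records):
    """Group the hits the way the post discusses them."""
    return {
        "families": Counter(r["family"] for r in records),
        "helpassistant": [r["path"] for r in records if "\\HelpAssistant\\" in r["path"]],
        "in_quarantine": [r["path"] for r in records if r["path"].upper().startswith("C:\\QOOBOX\\")],
        "deleted": sum(r["deleted"] for r in records),
        "disinfected": sum(not r["deleted"] for r in records),
    }
```

Running `summarize(parse_scan_log(SCAN_LOG))` shows five families, one hit inside the HelpAssistant profile, and two hits that were already in the ComboFix quarantine folder, which matches the post's description of the infection.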
