
Hidden malware


10 replies to this topic

#1 Eolath

Posted 12 July 2010 - 05:05 AM

Since there seem to be several topics regarding this problem already: I have exactly the same issue. Sound suddenly turns off, and no virus scanner I used can find anything at all.

Same with sudden pop-ups of random sites.

I can also suddenly save no cookies through Internet Explorer (even though this is not my main explorer, I tried using it because it kept popping up on my taskbar).

Seems like a new virus?

PS: I cannot access my LAN either, while my internet works fine through Firefox... quite interesting... the problem seems to get more and more problematic the longer the virus stays on my computer. (It started yesterday, once, and it has already happened 5-6 times today.)

PPS: 50 minutes without problems so far. I used http://www.esagelab.com/ - Bootkit Remover. The Internet Explorer task is killed, and doesn't pop back up.

I'm not sure if this is a permanent fix; we shall see later on.

55 minutes without problems. LAN seems to be back up as well.

If I didn't know any better I'd say the virus is gone, but I do know better... these viruses can be damned hard to remove sometimes. :thumbsup:

And yeah, Bootkit Remover did find an unknown error in one of my devices; according to Bootkit Remover the threat is removed. (When I run it again it gives a green OK.)

Edited by Eolath, 12 July 2010 - 07:02 AM.


#2 Jayson201

Posted 12 July 2010 - 07:02 AM

Microsoft Security Essentials and Malwarebytes can only find what is in their definitions, and what heuristics say is dangerous.
Some malware does hide as something legit, when it isn't.
Also do try SUPERAntiSpyware....

Kudos on your success, Eolath.

I remember once my computer got hit with something screwy, and no scanner could scan correctly, not even in safe mode. There were also extra ads on pages where ads didn't exist.

I reformatted because there was no use in trying to remove a virus I may have had when I couldn't scan at all.

Edited by ComputerTalk-Jayson, 12 July 2010 - 07:07 AM.


#3 Eolath (Topic Starter)

Posted 12 July 2010 - 07:03 AM

> Microsoft Security Essentials and Malwarebytes can only find what is in their definitions, and what heuristics say is dangerous.
> Some malware does hide as something legit, when it isn't.
> Also do try SUPERAntiSpyware....

I think it is hiding as Internet Explorer; that seems the most likely cause of the problems anyway.

#4 Jayson201

Posted 12 July 2010 - 07:20 AM

>> Microsoft Security Essentials and Malwarebytes can only find what is in their definitions, and what heuristics say is dangerous.
>> Some malware does hide as something legit, when it isn't.
>> Also do try SUPERAntiSpyware....
>
> I think it is hiding as Internet Explorer; that seems the most likely cause of the problems anyway.

Internet Explorer is often hijacked.
Check the LAN Settings for IE (Internet Settings, Connections tab).
There might be a proxy that was set by what viruses you had.
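
One way to do the LAN Settings check above without clicking through the dialog, as an added PowerShell example that is not from the thread: it reads the WinINET registry values that IE's Connections tab edits (ProxyEnable, ProxyServer and AutoConfigURL under the per-user and per-machine Internet Settings keys) and reports whether a proxy is enabled, configured but disabled (greyed-out fields with the checkbox unticked), or set through an automatic configuration script.

```powershell
# Added example (not from the thread): audit the WinINET proxy values that
# Internet Explorer's "LAN Settings" dialog edits, so a hijacked or leftover
# proxy stands out. Run it as the user whose IE profile is in question.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ProxyAudit {
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $enabled = ($p.ProxyEnable -eq 1)       # "Use a proxy server" checkbox
        $server  = [string]$p.ProxyServer       # host:port, or a per-protocol list
        $pac     = [string]$p.AutoConfigURL     # "Use automatic configuration script"

        # A configured-but-disabled proxy shows in the dialog as greyed-out
        # fields with the checkbox unticked; it does nothing until re-enabled,
        # but an entry you never added is still worth investigating.
        $finding = 'clean'
        if ($enabled -and $server)          { $finding = 'proxy ENABLED' }
        elseif (-not $enabled -and $server) { $finding = 'proxy configured but disabled' }
        if ($pac)                           { $finding += '; PAC script set' }

        [pscustomobject]@{
            Hive          = $key.Split(':')[0]
            ProxyEnable   = $enabled
            ProxyServer   = $server
            AutoConfigURL = $pac
            Finding       = $finding
        }
    }
}

Get-ProxyAudit | Format-Table -AutoSize
```

Compare any ProxyServer or AutoConfigURL value against the proxy your network actually uses; on a home machine that was never given one, anything other than "clean" is a reason to investigate before re-enabling IE.
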

#5 Eolath (Topic Starter)

Posted 12 July 2010 - 07:47 AM

>>> Microsoft Security Essentials and Malwarebytes can only find what is in their definitions, and what heuristics say is dangerous.
>>> Some malware does hide as something legit, when it isn't.
>>> Also do try SUPERAntiSpyware....
>>
>> I think it is hiding as Internet Explorer; that seems the most likely cause of the problems anyway.
>
> Internet Explorer is often hijacked.
> Check the LAN Settings for IE (Internet Settings, Connections tab).
> There might be a proxy that was set by what viruses you had.

Hmm... there seems to be an unknown port and IP address that is grayed out in the fields. I certainly did not add that (I use Firefox only), but it might've been copied from Firefox proxies, although I haven't used a proxy in a while.

But it is probably nothing. I never checked the LAN proxies for Internet Explorer before, so it might've been there all the time. :thumbsup:
At least it wasn't enabled.

http://whois.domaintools.com/208.74.174.142

This was the IP; it seems to be used to spam certain sites as well.

PS: I can pretty much confirm that Bootkit Remover removes the virus, 2 hours and counting without a problem so far. It might be hiding somewhere, but that seems quite unlikely.

Edited by Eolath, 12 July 2010 - 08:10 AM.


#6 boopme (Global Moderator)

Posted 12 July 2010 - 09:29 AM

Hello, you are not getting the proper advice here. Also, I've split you to your own topic, as it's too confusing, as you see, to have many people reply over each other.

You most likely have a Bootkit infection. I would recommend you start a new topic, as improper removal is dangerous.... You should NOT run Bootkit Remover on your own... there are controlling conditions to verify first.

Malwarebytes is pretty good at spotting it.
Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Before you save it rename it to say zztoy.exe


alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Edited by boopme, 12 July 2010 - 09:43 AM.


#7 Eolath (Topic Starter)

Posted 12 July 2010 - 09:40 AM

I was trying to help the person in question, boopme. I had the solution. Please read the whole topic.

For the record, you are claiming I ran Bootkit Remover without a proper idea, but Bootkit Remover confirmed an infection, and it also confirmed that the infection was removed afterwards. Also, I am not completely clueless when it comes to computers.

Edited by Eolath, 12 July 2010 - 09:46 AM.


#8 boopme (Global Moderator)

Posted 12 July 2010 - 09:53 AM

Didn't say you were... The Malware Removal Team here says we need to confirm:
if multiple operating systems (like Linux) are installed,

if you have a DELL computer, or if you use drive encryption software.

Also, can you confirm the number of drives connected to this computer?

So we do not bash the PC, like sometimes happens when using ComboFix.

#9 quietman7 (Global Moderator)

Posted 12 July 2010 - 10:09 AM

> I was trying to help the person in question, boopme. I had the solution. Please read the whole topic.

Just because someone had a similar problem or symptom as the infection you were dealing with, does NOT necessarily mean the solution will always be the same. BTW, please read How do I get help? Who is helping me?

#10 Elise (Malware Study Hall Admin)

Posted 12 July 2010 - 10:09 AM

> I was trying to help the person in question, boopme. I had the solution. Please read the whole topic.

Please read the AII rules before accusing a staff member. :thumbsup:

See here

> Posting instructions for the use of the following by non-staff members is prohibited in this area, as well as in all other areas of the forums. This list contains tools and procedures that are forbidden; the instructions for using similar tools or procedures should not be posted here, or elsewhere on Bleeping Computer forums, without prior Staff approval.
>
>   • Manual file removal instruction
>   • ComboFix instructions or discussion
>   • Registry instruction
>   • Automated registry cleaners
>   • HiJackThis and/or DDS instructions (logs are for review only)
>   • Custom scripts, batch files
>   • Other specialized fix tools the BC Staff deems untrained members should not recommend for use.
>
> Note: This list is not limited and we may add to it as necessary. These restrictions are in place to ensure that only safe and effective methods are given to members seeking help with a malware problem.


First of all, Esage Bootkit Remover is a very unreliable tool. As boopme said, it directly interacts with the MBR (master boot record) of the hard disk. If something goes wrong, you have an unusable computer.

Second, again, just as boopme said, first confirm, then fix!

For everyone who suspects having this infection, please follow the steps in this guide

:flowers: Attempting to fix a rootkit like this one on your own is at your own risk!

Edited by elise025, 12 July 2010 - 10:11 AM.

regards, Elise



#11 Jayson201

Posted 13 July 2010 - 11:34 AM

You had to split one that I was involved in O_O
Scared the bejeebers outta me, thought I was in trouble XDDDD

