
Virus? Trojan? something sending keystrokes? Please help


14 replies to this topic

#1 Beeker

Beeker

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 16 October 2010 - 07:30 PM

Hi all, I am trying to help a friend with his computer and we are running into some difficulty. He has AVG antivirus, Super Anti Spyware, Malwarebytes, and Spyware Blaster. We have updated all of them and run scans in safe mode. We have also used CCleaner and ATF Cleaner, and have also gone through Add/Remove Programs and the Program Files folder on the C drive to delete unwanted stuff, but we can't seem to get rid of the problem.

Here is what he is going through:

When I am typing an email, I type a few words but then the letters stop appearing on the screen and I see on the bottom multiple websites flashing, as if something is downloading or uploading something. It almost seems like something is sending my keystrokes. Could that be it? I noticed that an advertisement also changes at the same time. A couple of the websites I was able to catch as they quickly flashed across the bottom of the screen were cyclops something or bannerfarm. Sometimes, if I hit enter when this is happening, I get taken out of my email and onto some other website that I've never seen before.

#2 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 16 October 2010 - 08:09 PM

I just want to add that I think the websites my friend sees flashing across the bottom of the screen are just an ad banner changing in his email account. He uses NetZero. Also, when we did the scans in safe mode, the AVG log said that it couldn't scan a lot of different sectors, that they were locked. It is copied below. Please let me know what you think. I can help with basic stuff, but this seems beyond me.



AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2010 AVG Technologies
Program version 9.0.832, engine 9.0.856
Virus Database: Version 271.1.1/3161 2010-09-26

C:\Documents and Settings\All Users\Application Data\avg9\Log\2d97283a-27a7-4154-a974-e48c17a079bd Locked file. Not tested.
C:\Documents and Settings\Butko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Butko\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Butko\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Butko\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SAM Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Locked file. Not tested.
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 365965
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 16 October 2010 - 10:04 PM

Looks clean, check for rootkits.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 21 October 2010 - 05:30 PM

Thank you for responding. I will check for rootkits as soon as my neighbor comes back with his computer.
I have another question. Why did the mbam log show so many locked files that weren't tested? I thought that means that there is something wrong in order to prevent the files from being tested. What does it mean?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 21 October 2010 - 07:59 PM

Hi, I take it you meant the AVG log. These are hidden system files and are not scanned by malware tools.
To post the MBAM log....
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#6 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 26 November 2010 - 04:39 PM

Oops. Right, that's what I meant.

Thank you for the info.

We found 2 rootkits.
What are rootkits?

So far, I haven't heard any other complaints from my neighbor about his computer. I guess that did it... for now.

Edited by Beeker, 26 November 2010 - 04:41 PM.


#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 26 November 2010 - 04:47 PM

Hello again, it sort of would depend on which type or the name of them.

Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do

#8 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 26 November 2010 - 09:51 PM

WOW.

All I can say is thank God my neighbor is one of those paranoid types that refuses to do online banking or anything like that with his computer. He only does email, facebook, and looking up stuff. Nothing all that important.

That is really amazing though. Thank you very much for the information. I will look at those links you gave me. I guess I have some catching up to do on the new technologies.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 26 November 2010 - 11:14 PM

If you suspect the rootkits and keyloggers still exist you will be best served to consider reformatting or posting a DDS log so one of our experts can ascertain your level of infection.

Please go here....
Preparation Guide .

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.



Reformatting: {thanks quietman7}

When you say complete rebuild, do you mean I need to delete ALL partitions and reformat the entire disk?

Yes.

If you're not sure how to reformat or need help with reformatting, please review:
These links include specific step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Windows 7 users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

If you have made a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was in when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

Caution: If you are considering backing up data and reformatting due to malware infection, keep in mind, with file infectors, there is always a chance of backed up data reinfecting your system. If the data is that important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, and .html) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

#10 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 04 December 2010 - 05:56 PM

I ran the Sophos scanner and it didn't find anything that it recommended to remove. Just those two rootkits that AVG found the last time I did a rootkit scan. I went through the Sophos list and removed some of the things anyway, like Media Experience stuff that he didn't need. Something about wild tangent games, or something like that. He doesn't play any games.
But his computer is very slow, and I can't figure out what else to do. He wants more RAM, which we ordered. He is considering a larger hard drive, which we picked out, but I am not sure how to go about an easy transfer of files and programs that he uses if there is a virus or something. He backs up his files on an external hard drive, but I can't be sure that he hasn't infected it too. If Sophos didn't find any rootkits, can I be close to certain that there aren't any, that AVG actually healed the problem in the first go-round? Should I be doubtful about those files that Sophos doesn't recommend I remove? Should I go into Safe Mode and do another AVG, Sophos, SuperAntiSpyware, Malwarebytes scan?

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 04 December 2010 - 08:04 PM

The best thing to do is post in the DDS forum. Wait a few days for their reply and have it cleaned, this way you know you are clean. HHD in the meantime.
REMEMBER: The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them.

Please read >>> Slow Computer/browser? Check Here First; It May Not Be Malware

not sure how to go about an easy transfer of files and programs

This and which Ram to get can be easily solved by asking in the Operating system forum at the top that corresponds with yours. They will help you set that up. Not difficult.
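The "do not back up these extensions" rule given in this post and in post #9 above can be applied mechanically before anything is copied to a CD or DVD. The script below is an added example, not code from the thread or from BleepingComputer: it walks a folder tree, refuses the extensions boopme lists, flags double-extension disguises such as a file that Windows would display as photo.jpg but which really ends in .exe, and looks inside .zip archives for executable members (.rar and .cab cannot be opened with the Python standard library, so they are conservatively treated as not inspectable). The sample user profile it builds in a temporary directory is constructed for the demonstration.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Extensions the thread advises never to back up, plus the archive types
# that must be inspected for executables before they are trusted.
RISKY_EXTENSIONS = {".exe", ".scr", ".dll", ".ini", ".htm", ".html",
                    ".php", ".asp", ".xml"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".cab"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll"}


def archive_has_executable(path):
    """True/False for a readable .zip; None when the archive cannot be
    inspected (.rar, .cab, or a corrupt .zip), which callers treat as unsafe."""
    if path.suffix.lower() != ".zip":
        return None
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in EXECUTABLE_EXTENSIONS
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return None


def classify(path):
    """Decide whether one file may enter the backup set.
    Returns (decision, reason) with decision 'copy' or 'skip'."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in RISKY_EXTENSIONS:
        # photo.jpg.exe shows as photo.jpg when Windows hides known extensions.
        if len(suffixes) > 1 and suffixes[-2] not in RISKY_EXTENSIONS | ARCHIVE_EXTENSIONS:
            return "skip", f"disguised executable: shows as {suffixes[-2]} but is {final}"
        return "skip", f"risky extension {final}"
    if final in ARCHIVE_EXTENSIONS:
        has_exe = archive_has_executable(Path(path))
        if has_exe is None:
            return "skip", "archive cannot be inspected"
        if has_exe:
            return "skip", "archive contains executables"
        return "copy", "archive holds only data files"
    return "copy", "data file"


def plan_backup(root):
    """Walk root and sort every file into a copy list or a skip list,
    each entry being (path relative to root, reason)."""
    root = Path(root)
    plan = {"copy": [], "skip": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            decision, reason = classify(p)
            plan[decision].append((p.relative_to(root).as_posix(), reason))
    for key in plan:
        plan[key].sort()
    return plan


def build_sample_tree():
    """Constructed sample profile folder (fake contents, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    files = {
        "Documents/resume.doc": b"plain document",
        "Pictures/vacation.jpg": b"\xff\xd8\xff fake jpeg bytes",
        "Pictures/vacation.jpg.exe": b"MZ disguised as a picture",
        "Downloads/setup.exe": b"MZ installer",
        "Desktop/desktop.ini": b"[.ShellClassInfo]",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    with zipfile.ZipFile(root / "Downloads" / "games.zip", "w") as zf:
        zf.writestr("game.exe", b"MZ")          # executable inside archive
        zf.writestr("readme.txt", b"how to play")
    with zipfile.ZipFile(root / "Documents" / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", b"shopping list")  # data only
    return root


if __name__ == "__main__":
    plan = plan_backup(build_sample_tree())
    for decision in ("copy", "skip"):
        for rel, reason in plan[decision]:
            print(f"{decision:4} {rel:28} {reason}")
```

The output is a manifest, not a copy: review the skip list, burn only the copy list, and scan the burned media with the anti-virus before restoring anything, as the post says.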

#12 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 17 December 2010 - 09:45 PM

Thank you for your help.

The RAM is in and working, maxed out at 2GB. It is moving a little faster. I am certain he needs a bigger hard drive. His is only 40 GB and he only has 8 GB left available. I have read that thread about other things that slow down a computer and I will go through those steps as soon as he brings his computer back on a day I can dedicate to working on it.

I am sorry, this may be a stupid question, but what is the DDS forum and what do you mean by HHD? I don't know many abbreviations or acronyms.

Thank you again for your help.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 17 December 2010 - 10:07 PM

Hello, sorry, my bad for not being clear and that I can't type, LOL. HHD was a typing error. I must have meant HDD (Hard Disk Drive), yet I cannot tell what I meant to say there. Well, to clear this up.

DDS is a log that you will produce in these instructions.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#14 Beeker

Beeker
  • Topic Starter

  • Members
  • 70 posts
  • OFFLINE
  • Local time:09:21 AM

Posted 17 December 2010 - 10:50 PM

Thank you.

I found the info about the DDS and will get on that asap.

After installing the RAM, we ran AVG, Malwarebytes, and SAS scans. Nothing was found in any of them. Everything seems to be ok, but from what I have read in other threads, I won't trust that. I hope to get him back and do what you suggested with the DDS and Gmer scans. As Christmas approaches, I will have more time off from work and hope to be able to dedicate a day or two to just working on his computer, depending on his availability.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:21 AM

Posted 18 December 2010 - 09:50 AM

You look good, but just to be certain, as you had "injector" infections, it's worth the wait to be sure.