Got serious infection from one of these sites


5 replies to this topic

#1 SterlingGold

SterlingGold

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 31 October 2010 - 12:23 AM

Hi, I went to some torrent sites last night (all at once, using the "open all in tabs" feature of Firefox 3.6.12) and all hell broke loose. I want to stress that I did not download anything, but I did click a couple of buttons on dialogs that popped up after I tried closing Firefox (this was probably my downfall). What ensued was a massive infection that persisted even in safe mode.
Symptoms:
* firewall service cannot start, with various errors
* nothing showing up on my network connections page (where you usually see the network cards)
* Microsoft mrt.exe would not execute (unless renamed)
* trying to open the dependencies dialog for any service results in a win32: access denied error
* the obvious redirects (I think by forcing a new DNS server)
* a dialog with Chinese letters asking for some password popped up after the first reboot, from the spoolsrv.exe service
* when I ran procmon (not in safe mode) I noticed a lot of calls to the Dr. Watson tool

I ran the Sophos virus and rootkit scans in safe mode; nothing was found. I also ran the VIPRE deep scan; it found and cleaned some stuff but did not remove the actual problem.

I think the infection happens inside winlogon.exe, since I killed all the other processes in safe mode and mrt.exe was still being prevented from running.

Anyway, here is the list of sites I opened from Firefox. I recovered my drive using a day-old Ghost image, so I'm good, but if anyone here finds this interesting I still have the bad drive and I can boot from it again if asked.

ebookshaer _DOT_ net
scenetime _DOT_ com
zmovie4u _DOT_ com
filenest _DOT_ com
scenereleases _DOT_ info
iwillsearch4you _DOT_ com
scnsrc _DOT_ net
oneddl _DOT_ com
newtorrents _DOT_ info

Edited by Orange Blossom, 31 October 2010 - 06:32 PM.
Move to AV forum. ~ OB



#2 SterlingGold

SterlingGold
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 03 November 2010 - 09:15 PM

Finally found a tool that recognized this virus: ran tdsskiller.exe from http://support.kaspersky.com/downloads/utils/tdsskiller.exe

After reboot all was clear. Here is the report of the actual culprit. I read on some posts it's due to an older version of Java that makes Firefox vulnerable (scary), so I installed the latest (JRE 6 build 22).


2010/11/03 19:52:45.0375 Detected object count: 1
2010/11/03 19:52:53.0234 PCI (27daae71085304172192ac780e4f6084) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/03 19:52:53.0234 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pci.sys. Real md5: 27daae71085304172192ac780e4f6084, Fake md5: a219903ccf74233761d92bef471a07b1
2010/11/03 19:52:54.0359 Backup copy found, using it..
2010/11/03 19:52:54.0359 C:\WINDOWS\system32\DRIVERS\pci.sys - will be cured after reboot
2010/11/03 19:52:54.0359 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure
2010/11/03 19:53:05.0953 Deinitialize success

Edited by SterlingGold, 03 November 2010 - 09:16 PM.

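Added here as a worked example (it is not from the thread and not Kaspersky's code): a small Python triage helper that parses the TDSSKiller lines SterlingGold posted above into structured findings, and reproduces, on constructed byte strings, the two-path hash comparison that the "Real md5 / Fake md5" pair records. The names SAMPLE_LOG, Finding, parse_tdsskiller_log, cross_check_views, CLEAN_DRIVER and PATCHED_DRIVER are this example's own; the driver bytes are stand-ins, not real pci.sys content. The example reads the log the way these lines are read in practice: Real md5 is the hash of the bytes the tool read itself, Fake md5 is the hash an ordinary file read reports for the same file.

```python
"""Triage a TDSSKiller log and reproduce the hash cross-check behind its
"Real md5 / Fake md5" verdict.

Added example for this thread; not part of Kaspersky's TDSSKiller and not
code from any poster. All names here are the example's own.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the exact lines posted in the thread, embedded so the
# parser runs offline.
SAMPLE_LOG = """\
2010/11/03 19:52:45.0375 Detected object count: 1
2010/11/03 19:52:53.0234 PCI (27daae71085304172192ac780e4f6084) C:\\WINDOWS\\system32\\DRIVERS\\pci.sys
2010/11/03 19:52:53.0234 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\pci.sys. Real md5: 27daae71085304172192ac780e4f6084, Fake md5: a219903ccf74233761d92bef471a07b1
2010/11/03 19:52:54.0359 Backup copy found, using it..
2010/11/03 19:52:54.0359 C:\\WINDOWS\\system32\\DRIVERS\\pci.sys - will be cured after reboot
2010/11/03 19:52:54.0359 Rootkit.Win32.TDSS.tdl3(PCI) - User select action: Cure
2010/11/03 19:53:05.0953 Deinitialize success
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
FORGED_RE = re.compile(
    TS + r" Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
VERDICT_RE = re.compile(TS + r" (?P<name>\S+) - User select action: (?P<action>\w+)$")


@dataclass
class Finding:
    timestamp: str
    path: str
    real_md5: str   # hash of the bytes TDSSKiller read itself (on-disk content)
    fake_md5: str   # hash an ordinary file read reports for the same file
    detection: str = ""
    action: str = ""


def parse_tdsskiller_log(text: str) -> List[Finding]:
    """Return one Finding per 'Suspicious file (Forged)' line, attaching the
    detection name and chosen action from the verdict line that follows it."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = FORGED_RE.match(line)
        if m:
            findings.append(Finding(m["ts"], m["path"], m["real"], m["fake"]))
            continue
        m = VERDICT_RE.match(line)
        if m and findings and not findings[-1].action:
            findings[-1].detection = m["name"]
            findings[-1].action = m["action"]
    return findings


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def cross_check_views(api_view: bytes, below_hook_view: bytes) -> dict:
    """The check behind the Real/Fake pair: hash the file as the ordinary file
    API returns it and as a read that bypasses the suspected hook returns it.
    Differing hashes mean something between the two read paths is rewriting
    the data, which is how a TDL3-style rootkit hides its patched driver."""
    api_md5 = md5_hex(api_view)
    real_md5 = md5_hex(below_hook_view)
    return {"fake_md5": api_md5, "real_md5": real_md5, "forged": api_md5 != real_md5}


# Constructed stand-ins for a driver image: a tiny MZ header plus padding, and
# the same image with a region overwritten. Not real pci.sys bytes.
CLEAN_DRIVER = b"MZ" + bytes(510)
PATCHED_DRIVER = CLEAN_DRIVER[:256] + b"\xe9\x00\x10\x00\x00" + CLEAN_DRIVER[261:]


if __name__ == "__main__":
    for f in parse_tdsskiller_log(SAMPLE_LOG):
        print(f"{f.path}: {f.detection} -> {f.action}")
        print(f"  on-disk md5 {f.real_md5}, presented md5 {f.fake_md5}")
    # The API sees the clean bytes; the read below the hook sees the patch.
    print(cross_check_views(CLEAN_DRIVER, PATCHED_DRIVER))
```

The caveat a responder needs: the second read path only helps if it really sits below the hook. TDL3 filters I/O at the storage driver level, so a read that goes through the same driver stack (a raw \\.\PhysicalDrive read included) returns the same cleaned-up sectors as the file API and the two hashes agree. Booting from clean media and hashing the file from there is the simple way to get an independent view, and after the "cured after reboot" step it is also the way to confirm the backup copy actually replaced the patched driver.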

#3 Skittler

Skittler

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:NC, USA
  • Local time:07:26 AM

Posted 04 November 2010 - 01:40 PM

I've been to many Torrent sites and have never received a virus. You must have really dug this one out from seclusion. I'm guessing you don't know which site you got it from?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,391 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:26 AM

Posted 04 November 2010 - 02:45 PM

Your log indicates a TDSS (TDL3/TDL4) rootkit infection. The forged file was identified and will be cured after reboot. Please reboot if you have not done so already.

Please download Malwarebytes Anti-Malware and follow these instructions for doing a Quick Scan in normal mode.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
-- If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

-- Some types of malware will target Malwarebytes Anti-Malware and other security tools to keep them from running properly. If that's the case, please refer to the suggestions provided in For those having trouble running Malwarebytes Anti-Malware as you may need to rename it or use RKill by Grinler.

Then try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with ESET Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green scanner button.
  • Read the End User License Agreement and check the box to accept it.
  • Click the button to continue.
  • Accept any security warnings from your browser.
  • Check the additional scan option offered.
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push the button that lists the found threats.
  • Push the export button, and save the file to your desktop as ESETScan.txt.
  • Go back, then push Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Important Note: Using any Torrents, peer-to-peer (P2P) or file sharing program (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BearShare, Azureus/Vuze) is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge. Even if you change the risky default settings to a safer configuration, downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat. Many malicious worms and Trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that recovery is not possible and a Repair Install will NOT help! In those cases, the only option is to wipe your drive, reformat and reinstall the OS.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications.
Using such programs or going to torrent sites is almost a guaranteed way to get yourself infected!!
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 viksum

viksum

  • Members
  • 2 posts
  • OFFLINE
  • Gender:Male
  • Location:Nigeria
  • Local time:06:26 AM

Posted 06 November 2010 - 12:25 PM

[quoting SterlingGold's post #1 in full]

I suggest you change your browser to Google Chrome... it detects viruses and refuses to open such links... change your antivirus program... OR... do this:
go to RUN
type %temp%
press "enter"... it will display the temporary files used... delete all..
go to "control panel"
internet options
double click it
delete cookies and files.
C:\windows\temp\ and delete all the files there..
I guess you'll delete most files that host some malware..

or download "Autoruns for Windows"
Run the program.. you'll be amazed at what you'll see..

Edited by quietman7, 06 November 2010 - 12:40 PM.


#6 SterlingGold

SterlingGold
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:26 AM

Posted 06 November 2010 - 03:18 PM


[quoting viksum's post #5 in full]


This was a Java-based virus, so it would affect any browser, not only Firefox or IE, so I'm pretty sure Chrome would not have helped. Also it appears to affect Linux/Mac OSes too, so all you Mac folks had better beware.

Again I want to stress that NONE of the AV software can detect this virus AND it will infest your computer just by visiting the bad website.

Here are some more details about this:
http://www.bleepingcomputer.com/forums/blog/676/entry-1747-microsoft-unprecedented-wave-of-java-exploitation/



