
Trying to escape this spyware/rootkit


  • This topic is locked
6 replies to this topic

#1 marco55


Posted 12 November 2010 - 08:56 PM

Alright. I'd rather not go into too much detail about things that happened before, because I am too stressed and tired, and I have posted those old details elsewhere and they don't seem to add up to anything known, BUT the bottom line is that I have some kind of malicious software on my PC that has redirected me from safe sites to "adultfriendfinder.com". I have used all types of antivirus/antispyware software to try to remove it, including many rescue boot CDs like Bitdefender, AVG, etc. Nothing significant was found. I also followed a guide (I think it was from this forum) on how to get rid of malicious software/rootkits...no luck.
I was unable to access any of my accounts online for fear that my passwords would get stolen.

One day I remembered the Bitdefender live CD had Firefox, so I booted from it (thinking that keyloggers won't work because I'm not booting from my HD), launched Firefox, and installed the Firefox addons "NoScript", "MyWOT" and "Ghostery". I then proceeded to check my email for the first time in a while, check my YouTube account, and make a purchase on eBay. At one point, I was redirected from a safe site (maybe eBay--can't remember) to a site whose name I cannot remember, but I googled it and it seems to be associated with viruses/spyware.

Last night I downloaded and installed Kubuntu 10.10 to a flash drive (using a different computer), removed the hard drive from my infected PC, inserted the flash drive, and booted from it. I used the internet browser on it and only went on Google, Gmail, eBay, and YouTube and unfortunately had to visit McAfee SiteAdvisor because somehow I had a tab open that said something about taking a survey. I don't have the full URL, but the website was called "INSIGHTEXPRESSAI.COM", and at the end of the URL it said something like "referrer:ZEDO.COM". After doing some searching, it seems that these sites are associated with spyware.

So there are 3 main possibilities left that I can think of:

1. Other parts of my computer besides my hard drive are storing this malicious software.
2. The computer (netbook with XP) that I used to download/install Kubuntu onto my flash drive was infected with malicious software advanced and quick enough to infect Kubuntu on my flash drive (even though I installed it right after I downloaded the ISO, and quickly removed my flash drive right when it was done installing).
3. Google, Gmail, YouTube or eBay is legitimately associated with "ZEDO.COM" / "INSIGHTEXPRESSAI.COM", and I accidentally clicked an ad without realizing it.


I plan to back up my data, reformat my hard drive, and restore my computer to the factory settings with a disc from HP.
The problem is that I have no safe way to order the recovery discs because it requires a credit/debit card, and a keylogger might take my debit card number.
Another problem is that if "possibility #1" is correct, then I will just become reinfected.

My PC uses WINDOWS 7.

Can anyone shed some light on my predicament?


Thank you very much in advance,
Marco


#2 boopme


Posted 12 November 2010 - 11:35 PM

Hello, this is a tough situation.
One option is to use another known clean PC to do the order.

The next best thing is to post a DDS log here and have the PC cleaned. It will take a few days.
It does appear you have some type of rootkit or backdoor infection.

These infections can allow an attacker to
gain control of the system, log keystrokes, steal passwords, access personal
data, send malevolent outgoing traffic, and close the security warning
messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to
a known clean computer and change any passwords or security information held
on the infected computer. In particular, check whatever relates to online
banking financial transactions, shopping, credit cards, or sensitive
personal information. It is also wise to contact your financial institutions
to apprise them of your situation.


To go through our Malware Removal process, please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.

#3 marco55


Posted 13 November 2010 - 05:05 PM

Hi, boopme. Thank you for your reply.

Unfortunately I do not have access to a known clean PC.
I did change 2 of my passwords while I was booted from my flash drive, but that probably didn't do me any good.
I think I might order the rescue CDs over the phone...even though I don't feel too comfortable giving my debit card # to these customer service people either.

I called my bank and it seems that no suspicious activity has been made yet.

I will follow the steps that you have suggested.

Is it possible that parts of my computer other than the hard drive are infected? I don't have a huge understanding of a computer's hardware, so I'm not sure if maybe there is some alternate storage on my computer that the malicious software is hiding in.
There are no other hard drives in my computer though (at least I have never noticed one in my tower or on "My Computer").

Once again, I appreciate your response.

#4 boopme


Posted 13 November 2010 - 10:09 PM

OK, it is possible that the router was infected, but wait on that. For your safety I recommend you post the DDS log in the other section and wait the few days until they reply.

Or ask in the WIN 7 forum how to reformat without disks.

#5 marco55


Posted 14 November 2010 - 04:56 AM

Quoting boopme:
"OK, it is possible that the router was infected, but wait on that. For your safety I recommend you post the DDS log in the other section and wait the few days until they reply.

Or ask in the WIN 7 forum how to reformat without disks."


I ended up ordering the discs over the phone. It'll take more than a week to ship it.

I still do intend to follow the steps you gave me and post the logs like you said, but I thought this information may be important first:

I did a quick search on google for router infections and I seem to be infected with something of this nature:
http://en.wikipedia.org/wiki/Zlob_trojan

I don't think I have the same trojan because this one came out in 2005 and I'd think my antivirus software would be able to take care of it/prevent it in the 1st place. Also there are many symptoms in the article that my computer is not exhibiting.

I was wrong not to post the details of the events that occurred before the ones described in my post.
After reading the article on this Zlob trojan, the following information (an email that I wrote to Avira) now seems to be relevant:

"Hi. I downloaded a video file on uTorrent last night that I believe contains some sort of virus or spyware.
When this file finished downloading, I tried to play it (on VLC player), and all I saw was 4 seconds of (I don't know the word for it but it's similar to 'white noise' but it's multicolored).
I tried to play the file with Windows Media Player, and it said I needed to download the latest DivX. I almost fell for it, but on the top of this update notification, it had the website name "mediastarsoft.net". I googled this website name and the first few results were related to malicious software.
This page: http://forums.cnet.com/7723-6132_102-377844.html has some information on a trojan that communicates with this site.

Although I have deleted the file, and didn't click the link it tried to trick me with, I am worried that it may have infected my system already. I was wondering if, in addition to finding out if this file is malicious, you could maybe download the file, and see if it makes any changes to your system after trying to play it on VLC Player and Windows Media Player while connected to the internet in Windows 7. I would appreciate that very greatly.
Getting viruses and spyware has been somewhat of a nightmare for me in the past, and I'd hate to go through that again, and would at least like to feel safe in logging into my regular email address, and other accounts without worrying that I have a keylogger of some sort.

Also do you think that just by downloading this file I may have opened myself up to receiving malware from the source I downloaded it from?

I have attached the suspected file in a compressed RAR file. The RAR file also contains the .torrent file I think it came from.
I apologize ahead of time if you are offended by the language used in the title of the file. I am also aware that downloading files like this can be dangerous and that it is illegal, but unfortunately I have somewhat of a habit and a lack of money. Although I am not morally opposed to this type of violation of intellectual property laws, I still intend on paying money for legal copies of these videos in the future once I have money. I also plan on buying Avira Premium once I can afford it (I'm using the Personal version right now).
Sorry if that was too much unnecessary information.

Anyway, I will be very grateful to get a response, and especially appreciate if you could find out if this file may have already affected my system.

Thank you very much in advance,

Cardo"


Though a guy from Avira checked out the file and said it was clean.

The reason I didn't think that this incident mattered anymore was I guess because I didn't actually click "update" in the video file.

Similarities between my symptoms and what I read in the article include:

"a trojan horse which masquerades as a needed video codec in the form of ActiveX"

"Some variants of the Zlob family, like the so-called DNSChanger, add rogue DNS name servers to the Registry of Windows-based computers[3] and attempt to hack into any detected router to change the DNS settings and therefore could potentially re-route traffic from legitimate web sites to other suspicious web sites."

Does this info help at all?
And since my router is very likely infected, should I have my router replaced, or is it easy to clean the infections on my router?

Thank you for your help so far.

The following is probably useless and strange information:
By the way, if you're wondering why I used a different name in my email to Avira, it's just because I feel more comfortable using different names on the internet. And if you're wondering why I didn't just erase the name from the bottom, it's because I also posted that quote on their forum and I didn't want it to look like I removed the name on purpose because I'm up to something fishy or whatever (just in case someone googled part of the quote).
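As an added illustration of the DNSChanger behaviour quoted above (rogue resolvers written into the Windows DNS settings), here is a small defender-side check that is not from this thread or any tool it mentions: it parses the "DNS Servers" lines of `ipconfig /all` output (a constructed Windows 7 sample is embedded) and flags any resolver outside an allow-list. The allow-list and the sample addresses are assumptions; the router's own DNS settings still have to be checked separately in its admin page.

```python
import re

# Constructed sample of `ipconfig /all` output from a Windows 7 host (not a real capture).
# 192.168.1.1 is the router; 198.51.100.23 stands in for an unexpected resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.23
"""

# Assumed allow-list: on a home network, normally the router itself and/or the ISP's resolvers.
ALLOWED_DNS = {"192.168.1.1"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_dns_servers(ipconfig_text):
    """Return all IPv4 DNS servers listed in `ipconfig /all` output.
    The first address follows the 'DNS Servers' label; further addresses
    appear on indented continuation lines directly below it."""
    servers = []
    collecting = False
    for line in ipconfig_text.splitlines():
        head = re.match(r"\s*DNS Servers[ .]*:\s*(" + IPV4 + ")", line)
        if head:
            servers.append(head.group(1))
            collecting = True
            continue
        cont = re.match(r"\s+(" + IPV4 + r")\s*$", line) if collecting else None
        if cont:
            servers.append(cont.group(1))
        else:
            collecting = False  # any other line ends the DNS Servers block
    return servers


def unexpected_dns(servers, allowed=ALLOWED_DNS):
    """Resolvers that are not in the allow-list; a non-empty result is worth investigating."""
    return [s for s in servers if s not in allowed]


if __name__ == "__main__":
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("DNS servers:", found)
    print("unexpected:", unexpected_dns(found))
```

On a live machine, feed it the text of `ipconfig /all` instead of the sample and compare against the resolvers your ISP or router is actually supposed to hand out.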

#6 boopme


Posted 15 November 2010 - 11:28 AM

Hi, though I still want them to look at your system, I believe you may have a rootkit. As you have Win7 we need to use some specific tools. I was going to have you change your DNS setting but felt, as you are moving to the MRL forum, they will do this anyway.

#7 Orange Blossom


Posted 24 November 2010 - 09:51 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic362515.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom
