
HTTP Neosploit Toolkit / Drive By Download - potential infection



#1 Johnny J

Posted 30 November 2010 - 08:00 AM

Hello,

My name is Ivan and this is my first post here :-)

I have some suspicions that my computer has been infected, and I'd like to find out if this is the case.
Here is what happened and what I have done so far:

What happened
I clicked on an image in Google Images search. The URL that the image was pointing to did not seem suspicious at the time (it was some web site about cars etc.). After I clicked on the image my browser (Internet Explorer; normally I use Opera, but this time I was using IE) got redirected to the following site http://YahooRating.info/AVORP1BOBA.asp. At this point my antivirus AVG kicked in and notified me that the web site has been blocked, because it is potentially dangerous. I'm not sure if the redirect was caused by me clicking on the image link, or by some virus/malware running on my machine. I googled the problematic website and it appears to be related to HTTP Neosploit Toolkit Activity threats and Drive-by download threats.

Things I've done
After the notification by AVG I scanned my computer using the following (all of the programs are up to date):

MalwareBytes Anti-malware (both Quick scan and Full scan)
- No threats detected
SUPERAntiSpyware (both Quick scan and Full scan)
- Detected and removed a bunch of tracking cookies
TDS Killer
- No threats detected
Symantec Endpoint Protection
- No threats detected
AVG
- No threats detected
Avira
- No threats detected
- Detected hidden objects

I ran Avira two times; on each run the detected hidden objects differed.

1st Avira scan

Starting search for hidden objects.
HKEY_USERS\S-1-5-21-3588576997-122566184-1208044290-1001\Software\Microsoft\Internet Explorer\Recovery\Active\{c25a0699-fc65-11df-9bc7-00214f5040c7}
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}\ShellFolder\attributes
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.

As far as I'm aware the first registry entry is a recovery entry for IE, created when the browser crashes. I deleted it and disabled crash recovery in IE, and re-scanned.

2nd Avira scan

The first entry was gone, but I got some new ones:

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00020D75-0000-0000-C000-000000000046}\ShellFolder\attributes
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.
c:\program files (x86)\internet explorer\iexplore.exe
c:\Program Files (x86)\Internet Explorer\iexplore.exe
[NOTE] The process is not visible.
c:\program files (x86)\opera\opera.exe
c:\Program Files (x86)\Opera\opera.exe
[NOTE] The process is not visible.

The funny thing is that those new "not visible" processes, i.e. iexplore.exe and opera.exe, did not pop up in the first search.

Autoruns
I also ran the Autoruns tool (Sysinternals) and googled all entries for which the signature could not be verified. I didn't notice anything suspicious.

GMER
I tried to run GMER, but it did not work: while it did scan my machine, all checkboxes except the last three were grayed out and disabled. I googled that as well and it appears that it is due to my OS being 64-bit.

Some info regarding my setup:
- Windows 7 64-bit
- Antivirus/Anti-malware - Symantec Endpoint Protection, AVG and MalwareBytes
- Firewall - Comodo Firewall / Defense +

Basically I ran all the programs that I know and normally use, and they did not detect anything. I have not experienced any strange behavior after the redirect. Any advice on what I should do next is more than welcome; I'd really like to find out if my computer is clean or not. Normally I'm quite self-conscious when it comes to security (I'm using antivirus/anti-malware and firewall software, I try to practice safe browsing, keep my OS up to date with updates etc.) and I have never been infected so far, but I guess there is a first time for everything :-)

Thank you in advance!

Edited by Johnny J, 30 November 2010 - 08:09 AM.



#2 boopme

Posted 30 November 2010 - 12:13 PM

Hello and welcome. At this point we will need you to repost.


We need a deeper look. Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.

Skip GMER. Instead, please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Johnny J

Posted 30 November 2010 - 01:46 PM

Thank you for your response.
I did as you asked: generated a DDS log and attached it in a new topic - http://www.bleepingcomputer.com/forums/topic364045.html
Unfortunately the http://www.rootkit.com site appears to be down and I can't download the Rootkit Unhooker app at the moment. Is there any other location that I can use?

Edited by Johnny J, 30 November 2010 - 01:46 PM.


#4 boopme

Posted 30 November 2010 - 03:39 PM

Try this.. L@@K

#5 Johnny J

Posted 01 December 2010 - 01:26 AM

I downloaded and installed Rootkit Unhooker, but when I run it I get the following error: "Error loading driver, NTSTATUS code: 0xC000036B". Could it be because I'm running a 64-bit OS?

#6 boopme

Posted 01 December 2010 - 09:42 AM

OK, yes, that is why; it's not 64-bit compatible. No worries, they will run what they need there when they reply.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.