Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hitman finds proxy but no other symptoms


  • This topic is locked This topic is locked
2 replies to this topic

#1 NozzaC

NozzaC

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:03 PM

Posted 17 January 2011 - 04:27 AM

This is being posted here after being instructed to do so by Cryptodan in the "I'm Infected..." forum. This is the original post:

My PC was recently infected with a fake AV. I found and removed it's registry startups, DNS redirection settings and associated files and all was working fine. As a precaution I also ran MBAM and Hitman Pro. MBAM found a few items and Hitman found that IE was running through a proxy port on 127.0.0.1. It would apparently fix this but the problem would be there on reboot. So I looked for a rootkit using TDSS Killer which found nothing. Gmer scan would not complete having a BSOD IRQ not equal error 10 mins into the scan. However sigverif found an unsigned driver file and Kernel Detective showed a few hooks, so I went offline to scan with the ERD/DART CD Standalone scanner which found an Alureon:F rootkit associated with that driver. I used Combofix for good measure which found a few files in temp file areas but I believe these were no longer active anyway.

So the current state of play is that the system is running fine. No signs of any redirection or symptoms. However Hitman Pro, and only that app still finds that IE is running though the 127.0.0.1 proxy. Checking IE's proxy settings in IE or looking at the relevant reg key doesn't show that proxy.

So I'm trying to work out if this is just a Hitman error or if something really is still going on.

**************************************************************************************************************************************************
THIS IS THE MBAM LOG AS REQUESTED


Hi

Thanks for the reply. Below is the original MBAM log which found items:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5500

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

10/01/2011 22:49:35
mbam-log-2011-01-10 (22-49-35).txt

Scan type: Quick scan
Objects scanned: 145386
Time elapsed: 29 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\qni8hj710fdl (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (93.188.164.35,93.188.160.105) Good: () -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{65CC53BF-D06E-439C-ADE2-D6B09F8A2C29}\DhcpNameServer (Trojan.DNSChanger) -> Bad: (93.188.164.35,93.188.160.105) Good: () -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\jackschris\AppData\Local\Temp\0.05591074014851627.exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\jackschris\local settings\temporary internet files\Content.IE5\Z8PHQM63\irfvjtg[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\Users\jackschris\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

Edited by Orange Blossom, 17 January 2011 - 08:03 PM.
Please do not move topic. Awaiting the other logs. ~ OB


BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:03 PM

Posted 23 January 2011 - 08:27 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:03 PM

Posted 30 January 2011 - 12:37 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users