help with finding malware,spyware


  • This topic is locked
32 replies to this topic

#1 elvis7
  • Members
  • 21 posts

Posted 16 April 2011 - 11:39 AM

4/15/11 6:34 AM

On April 14 2011, at 4:57 am, an email was sent from a Gmail account of mine to my contacts; this email was spam. Luckily that account is only used to sync my Android contacts, so I only had 15 emails in it. But the problem is that I last logged into Gmail on April first and prior to that in February. I logged in using my laptop. Google gave me the IP from where the account was accessed and the spam was sent (
Mobile United States (24.184.227.216) Apr 14 (1 day ago)
Browser United States (24.184.227.216) Apr 14 (1 day ago)
). But I don't understand how this could have happened: I do not go on untrusted sites, I don't do anything that would give me a virus, and I scan regularly. I've never had a virus in 3 years.


I've scanned my laptop with over 5 anti-virus and spyware etc. programs, and the only thing that was found was a Java security threat (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Exploit%3aJava%2fCVE-2010-0094.AF&threatid=2147640413) that Microsoft Essentials found and removed.

Since yesterday morning, I've changed all my passwords using my mobile phone and have not logged in to anything on this laptop other than CNET.

What do I do now to make sure nothing is left, and is there a way to find out if it was my laptop that was the security risk?

Also to note, the spam was only sent to 10 out of 15 people. Why? And if this person did get hold of my Gmail password from that one login, why did he not send spam using my Facebook or Hotmail account, seeing as I've logged in multiple times with them...


Studio XPS 1645
Windows 7 Ultimate 64-bit
Internet Explorer 8
8 GB DDR3 RAM
Core i7-820


4/15/11 8:10 AM

Malwarebytes found something and removed it.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> No action taken.



4/15/11 10:45 PM


I thought everything was okay, but my friend texted me a few minutes ago and told me I sent her a spam message on Twitter... I went and checked and yes, it is true. But it wasn't me, and the thing is I HAVEN'T LOGGED INTO TWITTER SINCE DECEMBER 2010... Also, Gmail told me the IP and server that logged into my Gmail from the US: optonline.net:24.184.227.216

4/16/11 12:32 PM

I ran the requested programs and attached their logs. Except for GMER, all the squares are greyed out and I am unable to check them; the only checked ones are Services, Registry, Files (C:\) and ADS.

Attached Files



#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 26 April 2011 - 06:26 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2011 - 12:21 AM

I'm following :)

Thank you for your help.

#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 April 2011 - 05:03 AM

Unless you reran MBAM, all that happened (according to your cut/paste of the log details) was that it detected the hijacker. It says "No action taken" after each entry.

I would like to see a new run of MBAM first, please.
m0le is a proud member of UNITE
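Added example, not code from this thread or from Malwarebytes: a small Python parser for MBAM log entries in the format quoted above. It splits each detection line on " -> ", keeps the trailing action text so entries still marked "No action taken." are reported separately from quarantined ones (the point m0le raises), and pulls the Bad:/Good: pair out of a Registry Data Item so the host that the file-association handler was redirected to can be read off. The sample log embeds the two Hijacker.Application lines from post #1; the third entry, a quarantined file under a made-up path, is constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample log: two entries quoted in this thread plus one
# hypothetical quarantined file so both action outcomes appear.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Example\AppData\Local\Temp\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str                # e.g. "Registry Data Items Infected"
    location: str               # registry path or file path
    name: str                   # MBAM detection name, e.g. "Hijacker.Application"
    action: str                 # trailing action text from the log line
    bad: Optional[str] = None   # Registry Data Items only: value MBAM found
    good: Optional[str] = None  # Registry Data Items only: value MBAM expects

    @property
    def resolved(self) -> bool:
        # MBAM writes "No action taken." when Remove Selected was never clicked.
        return not self.action.lower().startswith("no action taken")


_HEAD = re.compile(r"^(?P<loc>.+) \((?P<name>[^()]+)\)$")
_BADGOOD = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse the per-section detection lines of an MBAM 1.x log."""
    found: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        if line.endswith("Infected:"):        # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        if section is None or " -> " not in line:
            continue                          # summary counts and banner lines
        parts = line.split(" -> ")
        head = _HEAD.match(parts[0])
        if not head:
            continue
        det = Detection(section, head["loc"], head["name"], parts[-1].strip())
        bg = _BADGOOD.search(line)
        if bg:
            det.bad, det.good = bg["bad"], bg["good"]
        found.append(det)
    return found


def unresolved(dets: List[Detection]) -> List[Detection]:
    """Entries MBAM reported but had not yet removed when the log was saved."""
    return [d for d in dets if not d.resolved]


def redirect_host(det: Detection) -> Optional[str]:
    """Host the hijacked association handler pointed at, or None if not a data item."""
    if det.bad is None:
        return None
    return urlparse(det.bad).hostname


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for d in dets:
        flag = "OK " if d.resolved else "!! "
        extra = f" -> {redirect_host(d)}" if d.bad else ""
        print(f"{flag}{d.section}: {d.name} @ {d.location}{extra}")
    print(f"{len(unresolved(dets))} of {len(dets)} entries still unresolved")
```

The Good: value in the hijack entry is the default Microsoft lookup URL for unknown file types, so any other host in the Bad: value means double-clicking an unregistered extension would have sent the user to that site instead.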

#5 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2011 - 10:25 AM

The reason it says no action taken is because I copied the log before I had taken action, but I assure you everything was deleted right after I copied it. And I've been running MBAM and Essentials every day since; here's the latest MBAM log, and I'm running another scan now..

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6375

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

27/04/2011 3:12:47 AM
mbam-log-2011-04-27 (03-12-47).txt

Scan type: Full scan (C:\|)
Objects scanned: 403736
Time elapsed: 1 hour(s), 47 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Was what MBAM found the cause of my situation? And if so, how did it gain access to Twitter, seeing as I last used it in December.. and my PC was reformatted in Jan...

#6 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 30 April 2011 - 03:27 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6375

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

30/04/2011 2:38:51 PM
mbam-log-2011-04-30 (14-38-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 406450
Time elapsed: 1 hour(s), 30 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 April 2011 - 03:33 PM

You look clean now.

Have you updated Java to stop this exploitation?

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Jdk 6 Update 24 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

That will secure your system.
m0le is a proud member of UNITE
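Added example, not m0le's instructions or anything from Oracle: a Python check for leftover older Java runtimes, which is what the Add/Remove Programs step above does by hand. It reads DisplayName from the Uninstall keys (the native view and the Wow6432Node view, an assumption for a 32-bit JRE on the poster's 64-bit Windows), parses the "Java(TM) 6 Update N" and "J2SE Runtime Environment 5.0 Update N" naming those installers used (patterns from my own recollection, so treat them as assumptions), and lists anything older than 6 Update 24, the version the post points to. On a non-Windows host the registry read is skipped and only the parsing runs, which is what the self-test exercises.

```python
import re
from typing import Iterable, List, Optional, Tuple

try:
    import winreg   # Windows only; the parsing below does not need it
except ImportError:
    winreg = None

# Uninstall views to read on 64-bit Windows (assumption: the JRE installer
# the post links to is 32-bit and therefore lands under Wow6432Node).
UNINSTALL_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
]

# Assumed display-name patterns, e.g. "Java(TM) 6 Update 24",
# "Java(TM) SE Runtime Environment 6 Update 1",
# "J2SE Runtime Environment 5.0 Update 22".
_JAVA_NAME = re.compile(
    r"^(?:Java\(TM\)(?: SE Runtime Environment)?|Java|J2SE Runtime Environment)"
    r"\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)",
    re.IGNORECASE,
)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java runtime display name, else None."""
    m = _JAVA_NAME.match(display_name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def read_installed_java() -> List[str]:
    """Collect Java-looking DisplayName values from the Uninstall keys."""
    names: List[str] = []
    if winreg is None:
        return names
    for path in UNINSTALL_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue                       # view not present on this machine
        with key:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, index)
                except OSError:
                    break                  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, sub) as subkey:
                        value, _ = winreg.QueryValueEx(subkey, "DisplayName")
                except OSError:
                    continue               # subkey without a DisplayName
                if parse_java_version(str(value)) is not None:
                    names.append(str(value))
    return names


def outdated(display_names: Iterable[str],
             target: Tuple[int, int] = (6, 24)) -> List[str]:
    """Names whose (major, update) is older than target; other products are ignored."""
    stale = []
    for name in display_names:
        ver = parse_java_version(name)
        if ver is not None and ver < target:
            stale.append(name)
    return stale


if __name__ == "__main__":
    installed = read_installed_java()
    if not installed:
        print("no Java runtimes found (or not running on Windows)")
    for name in installed:
        mark = "OUTDATED" if name in outdated(installed) else "ok"
        print(f"{mark:8} {name}")
```

Because the comparison is on the (major, update) tuple, a later major release such as 7 is never flagged against a 6.x target; only entries that are strictly older are listed, which matches the post's point that old runtimes left behind by the installer are the ones to remove.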

#8 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 01 May 2011 - 11:11 AM

Thank you,
I had already updated Java to 25 soon after the initial scan, but I went ahead and removed everything and installed it once more just now.

Are those infections the root of the problem?

Thank you for your time and help.
E.A

#9 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2011 - 04:29 PM

These exploits are quite easy to detect and remove and also, easy to prevent by updating the vulnerable application - in this case, Java.

Please scan with ESET so we can be sure nothing is hiding away.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#10 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 01 May 2011 - 07:55 PM

C:\Users\Elvis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4ecab782-56439110 Java/Agent.U trojan deleted - quarantined
C:\Users\Elvis\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\5b031078-6d35d658 Java/Agent.V trojan deleted - quarantined


I am going to go ahead and delete what it found.

#11 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2011 - 08:03 PM

Just so you are aware, those findings are copies of the malware that have been cached into Java. Where they are is reasonably safe but quarantining them is better :) Delete away!

How is the machine running now? Any other problems?
m0le is a proud member of UNITE

#12 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 01 May 2011 - 09:54 PM

Well, nothing has been compromised, and I had to manually delete those two files, but I guess all is well :) Just a question: how come all the other virus/malware scanners didn't pick them up?

#13 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 May 2011 - 04:13 AM

ESET looks in a large number of places on your computer; it's a useful scanner for mopping up because it will find the copies and infected files. The tools are specifically programmed to look for malware files directly. For instance, MBAM will find the trojan in a registry key where it looks, but won't find Java cache entries because it doesn't look there.

Anyway, we can now get to the good bit...

You're clean. Good stuff! :thumbup2:

We Need to Clean Up our Mess
Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically, make sure that updates on any that are flagged are carried out as soon as possible

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it elvis7 (you may leave the building...:)), happy surfing!

Cheers.

m0le
m0le is a proud member of UNITE
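Added example, my own and not ESET's, Malwarebytes' or the forum's code, illustrating the point in posts #11 and #13 that the Java deployment cache holds copies of applets that a registry- or Program Files-focused scanner never visits. The script walks the cache layout seen in the ESET findings of post #10 (Deployment\cache\6.0\<bucket>\<name>-<hash>, entries with no file extension), skips the .idx sidecar files, identifies each payload by its magic bytes rather than its name (PK for a JAR, CAFEBABE for a bare class file), and records size and SHA-256 so the list can be handed to a scanner or compared against a hash feed. The cache path, the .idx convention and the entry names are assumptions modelled on that post; build_sample_cache() constructs a stand-in directory with dummy bytes so the example runs offline on any OS.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List

# Assumed default location of the Java 6 deployment cache on Windows
# (the ESET findings in this thread were under AppData\LocalLow\...\Deployment\cache).
DEFAULT_CACHE = os.path.expandvars(
    r"%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache")


@dataclass
class CacheEntry:
    path: str
    kind: str      # "jar", "class" or "other", decided from magic bytes
    size: int
    sha256: str


def classify(head: bytes) -> str:
    """Cache entries carry no extension, so type them by their first bytes."""
    if head.startswith(b"PK\x03\x04"):
        return "jar"            # zip container: applet JAR
    if head.startswith(b"\xca\xfe\xba\xbe"):
        return "class"          # bare Java class file
    return "other"


def inventory_cache(root: str) -> List[CacheEntry]:
    """Hash and classify every payload file below root, ignoring .idx sidecars."""
    entries: List[CacheEntry] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".idx"):     # assumed metadata sidecar, not a payload
                continue
            path = os.path.join(dirpath, fn)
            digest = hashlib.sha256()
            with open(path, "rb") as f:
                head = f.read(4)
                digest.update(head)
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            entries.append(CacheEntry(path, classify(head),
                                      os.path.getsize(path), digest.hexdigest()))
    return sorted(entries, key=lambda e: e.path)


def build_sample_cache() -> str:
    """Constructed stand-in cache with the bucket/name layout from post #10."""
    root = tempfile.mkdtemp(prefix="jcache-")
    bucket_a = os.path.join(root, "6.0", "2")
    os.makedirs(bucket_a)
    with open(os.path.join(bucket_a, "4ecab782-56439110"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 60)            # dummy JAR-like payload
    with open(os.path.join(bucket_a, "4ecab782-56439110.idx"), "wb") as f:
        f.write(b"\x00" * 16)                            # dummy sidecar, skipped
    bucket_b = os.path.join(root, "6.0", "56")
    os.makedirs(bucket_b)
    with open(os.path.join(bucket_b, "5b031078-6d35d658"), "wb") as f:
        f.write(b"\xca\xfe\xba\xbe\x00\x00\x00\x32")     # dummy class-file header
    return root


if __name__ == "__main__":
    root = DEFAULT_CACHE if os.path.isdir(DEFAULT_CACHE) else build_sample_cache()
    for e in inventory_cache(root):
        print(f"{e.kind:5} {e.size:8d} {e.sha256[:16]}...  {e.path}")
```

Clearing the cache through the Java Control Panel removes these copies, but an inventory like this is what tells you whether a scanner that reported the machine clean ever looked at them.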

#14 elvis7
  • Topic Starter
  • Members
  • 21 posts

Posted 02 May 2011 - 10:39 AM

Elvis is actually my real name ;)

When I try installing Security Check, I get: .../.../.../.../securitycheck.exe is not a valid Win32 application.

#15 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 May 2011 - 01:42 PM

This issue can be caused by any of the below possibilities.

1. File is corrupt, bad, or missing.

I just downloaded it and it was fine

2. File is not designed for your version of Windows.

It is.

3. File is a virus, worm, or other malware file.

It certainly isn't.

4. Hardware incompatibility. It's also possible that the CD-ROM drive or the drive you're installing the program from is not compatible with Windows or has drivers that are not compatible with Windows.

This isn't likely to be the case either. So I am PMing you a solution.

Edited by m0le, 02 May 2011 - 01:44 PM.

m0le is a proud member of UNITE



