
Question about Trojan infection and shut down of various websites

18 replies to this topic

#1 tg2011


Posted 24 June 2011 - 12:19 AM

A trojan or two infected my system the other day. When the thing went off, it did all kinds of things which I am still trying to get fixed. It is kind of a blur, but I could see that there were changes being made to web browsers. I am running Windows 7 Ultimate 64 bit. At the time I had Norton 360 installed and it became aware of the trojan, yet it seemed to only halt some of the activity. I also have Spybot and SuperAntiSpyware installed. Norton would not update. After looking up some information online I downloaded, installed and ran a full Malwarebytes scan. The scan reported the following:

c:\program files (x86)\Adobe\Updater (Backdoor.HMCPol.Gen) -> Quarantined and deleted successfully.

After that I was able to update Norton, and ran full scans for it, SuperAntiSpyware, Spybot, and Malwarebytes. SuperAnti reported a "Malware Trace" two or three consecutive times running the program, then after that it has not shown up again. Now, running all of these scans, I do not get anything reported. I also ran a Kaspersky TDSSKiller rootkit remover because in one of them I also saw reference to TDSS. I also ran the Sophos Conficker removal, just in case. I ran ComboFix and realize you do not want it posted unless asked, but can post if that helps determine if there is anything hanging around or problematic. I also uninstalled my Firefox and Chrome web browsers. I uninstalled IE (which rolled it back to version 8) and then updated to bring it back to the current version. I reinstalled Safari as well, but I am still getting messages of some websites not being able to be connected to.

The one problem that I still am encountering is that while I have website access, some sites do not pull up at all, yet on other computers on my network I can get to the files fine. I have a feeling that the hosts file was screwed up somehow. I did go in and remove an entry for kaspersky and then it could go to the site, but how to fix the entire file I have no clue how to do. I did try a microsoft tool to fix the hosts file, but it did not work.

Ultimately I want to get confirmation that I have the beasts killed and my system is clean again, and somehow fix my system so when going to various websites they connect instead of giving me messages like: "Safari can’t open the page “http://forum.slysoft.com/showthread.php?t=48312” because Safari can’t connect to the server “forum.slysoft.com”."

Thanks in advance to anyone who can help resolve this.
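The original post suspects the hosts file, and that suspicion is worth checking systematically rather than by eye: a name pinned to 127.0.0.1 or 0.0.0.0 produces exactly the "can't connect to the server" message quoted above, and malware commonly pins security-vendor domains that way so updates and support pages fail. The script below is an added example for this thread; it is not code from BleepingComputer or from any of the tools named here. It parses a hosts file and separates "block" mappings (name pointed at loopback or the unspecified address) from "redirect" mappings (name pointed at a public address). The sample hosts content and the domains in it are constructed for the example; the Windows path is the real location of the file, and a stock Windows 7 hosts file contains only comment lines.

```python
"""Hosts-file audit for the "Safari can't connect to the server" symptom.

Added example for this thread; not code from BleepingComputer or from any
of the tools mentioned. SAMPLE_HOSTS is constructed; WINDOWS_HOSTS_PATH is
the real location of the file on Windows.
"""
import ipaddress
from pathlib import Path

# Real location on Windows (Windows 7 included). A stock Windows 7 hosts
# file contains only comment lines, so any active mapping was added later.
WINDOWS_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample. Lines 6-8 show the pattern used to keep a victim away
# from security vendors; line 9 is a redirect to a public address
# (203.0.113.7 is from a documentation range, not a real server).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# 127.0.0.1       localhost
# ::1             localhost
192.168.1.20    nas.home
127.0.0.1       www.norton.com
0.0.0.0         update.symantec.com
127.0.0.1       www.kaspersky.com
203.0.113.7     www.buy.com
"""

# Addresses that are normal for a home/office LAN and are not reported.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]


def is_lan(ip):
    """True if ip falls in a private or link-local range."""
    return any(ip in net for net in LAN_NETWORKS)


def parse_hosts(text):
    """Return [(ip, hostname, line_no)] for every active mapping.

    Everything after '#' is a comment; one line may carry several names.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        for host in parts[1:]:
            entries.append((str(ip), host.lower(), line_no))
    return entries


def classify(entries):
    """Split mappings into 'block' (loopback/unspecified) and 'redirect'.

    A blocked name never connects, which is the symptom in the thread.
    LAN addresses are treated as normal and are not reported.
    """
    findings = {"block": [], "redirect": []}
    for ip_str, host, line_no in entries:
        ip = ipaddress.ip_address(ip_str)
        if host == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings["block"].append((host, ip_str, line_no))
        elif not is_lan(ip):
            findings["redirect"].append((host, ip_str, line_no))
    return findings


def audit(text):
    """Parse then classify a hosts file given as text."""
    return classify(parse_hosts(text))


def audit_file(path=WINDOWS_HOSTS_PATH):
    """Audit a hosts file on disk; errors='replace' copes with odd encodings."""
    return audit(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    on_disk = WINDOWS_HOSTS_PATH.exists()
    findings = audit_file() if on_disk else audit(SAMPLE_HOSTS)
    print("auditing:", WINDOWS_HOSTS_PATH if on_disk else "constructed sample")
    for kind in ("block", "redirect"):
        for host, ip_str, line_no in findings[kind]:
            print(f"{kind:8} line {line_no:3}: {host} -> {ip_str}")
    if not findings["block"] and not findings["redirect"]:
        print("no suspicious mappings; the failure is not coming from the hosts file")
```

Run it on the affected machine and it reads the real file; anywhere else it runs against the constructed sample. If the audit reports nothing and sites still fail, the hosts file is not the cause and the problem lies elsewhere (DNS server or proxy settings are the usual next places to look), which is consistent with the poster later rebuilding the file and seeing no change.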


#2 tg2011


Posted 24 June 2011 - 12:19 PM

Ran SAS again this morning and the Malware.Trace showed up again. I looked at the logs and the thing will not go away....this is the registry key. SAS says it quarantines it, but it does not get rid of it. It shows up again and again after reboot.

(x86) HKU\S-1-5-21-2789648889-2795420910-3747001401-1007\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

I still have access to only some websites, and others I get blocked.

Downloaded Spyware Doctor and found Trojan-Downloader.Murlo and Trojan.Generic, but of course unless you buy the program it won't remove them. I used regedit to remove the registry entries and cleaned up with norton utilities. Will reboot and see what happens....but at this point I still cannot get onto certain websites under this computer, while others on the network can without a problem....

#3 tg2011


Posted 24 June 2011 - 03:16 PM

Reboot....Spybot found nothing. MWB found nothing. SAS found the same registry entry (from last post) listed as Malware.Trace again. It doesn't show up until I unlock a BitLocker drive; that's all I can see as to why it shows up randomly. I still cannot get to some websites randomly...tried to go onto the Norton site, no luck. Outlook 2010 now shows some images are not downloading (just showing the little red x in a box), although clicking on them still loads pages which are not blocked by the "Cannot connect to server" message that only happens on some websites....tearing my hair out over here....anyone, anyone? Thanks in advance to anyone who can provide some help.

#4 Curiousp


Posted 24 June 2011 - 11:10 PM

Can you please download HitmanPro from www.surfright.nl/ and scan?

This may detect something as the program uses multiple antivirus to detect malicious software on your computer.

Thanks

#5 tg2011


Posted 25 June 2011 - 08:47 PM

Ran HitmanPro and it found a few items, one a trojan, and two that it didn't know for sure, but I quarantined them anyway. When I re-ran SAS the Malware.Trace did not show up again. I also decided to run GMER and scan all drives. It did show a bunch of items, but none in red. I tried to delete but was unsuccessful. I rebooted and am running the scan again to see what comes up. I made up a new hosts file, yet I still cannot get to a bunch of websites. I went to the Norton site and when I go to look at their products, and click on the products link, I get the following: "Safari can’t open the page “http://buy.norton.com/?trf_id=symcom?inid=us_ghp_link2_to_store” because Safari can’t connect to the server “buy.norton.com”." I get this on a bunch of sites. I am also still getting some of my emails with blocked pictures, and others not....really at a loss with this....

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-25 14:33:14
Windows 6.1.7601 Service Pack 1
Running: st2uuf6e.exe


---- Files - GMER 1.0.15 ----

File C:\Users\Tom\AppData\Local\Apple Computer\Safari\History\_i2.cfs 0 bytes
File C:\Users\Tom\AppData\Local\NPE\ErrMgmt\Queue\Incoming\SQ_{5FA8A88A-E9C3-4FAF-9614-D30DC6AD75B1} 0 bytes
File C:\Users\Tom\AppData\Local\NPE\ErrorInstances\30FC76C3\F4E8E49A-AC47-4841-9864-4EEBA0A38AC7.dat 0 bytes
File C:\Users\Tom\AppData\Local\NPE\NPETraceInProgress.etl 262144 bytes
File S:\$RECYCLE.BIN\S-1-5-21-1398815852-3327887365-163461274-1000 0 bytes
File S:\$RECYCLE.BIN\S-1-5-21-2789648889-2795420910-3747001401-501 0 bytes



#6 tg2011


Posted 25 June 2011 - 09:10 PM

Ran GMER in Win XP SP3 mode as administrator; this was all I have. I think I have it licked, but as I mentioned in the previous post, I am still having issues going to sites....unsure how to remedy that after making up a new hosts file and it is still occurring...


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-25 19:07:55
Windows 5.1.2600 Service Pack 3
Running: st2uuf6e.exe


---- Files - GMER 1.0.15 ----

File S:\$RECYCLE.BIN\S-1-5-21-1398815852-3327887365-163461274-1000 0 bytes
File S:\$RECYCLE.BIN\S-1-5-21-2789648889-2795420910-3747001401-501 0 bytes

---- EOF - GMER 1.0.15 ----

#7 boopme


Posted 25 June 2011 - 10:01 PM

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 Curiousp


Posted 25 June 2011 - 10:03 PM

Can you possibly boot your computer into safe mode using F8 when the computer starts, and select Safe Mode or Safe Mode with Networking?

I then suggest to scan with Malwarebytes and HitmanPro, and a professional will be able to analyse the GMER results.

Thanks

(thumbs up) To boopme

#9 tg2011


Posted 26 June 2011 - 12:03 PM

Ok, thanks, will do both and post the results. Thanks for your help!

#10 tg2011


Posted 27 June 2011 - 12:25 AM

Didn't have time to do the safe mode and scan with MWB and HP....will do that tomorrow after work. These are the results from ESET online....


C:\Program Files (x86)\RipBot264v1.16.3\Tools\Process\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000163 probably a variant of Win32/Adware.WhiteSmoke.B application cleaned by deleting - quarantined
C:\Users\Tom\Desktop\Programs\Nero 9 9.4.44.0\Nero 9\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
C:\Users\Tom\Desktop\Programs\Nero 9 9.4.44.0\Nero BackItUp 4\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
C:\Users\Tom\Desktop\Programs\Nero 9 9.4.44.0\Nero MediaHome 4 Trial\unit_app_75\Toolbar.exe Win32/Toolbar.AskSBar application cleaned by deleting - quarantined

Thanks!

#11 boopme


Posted 27 June 2011 - 10:43 AM

As you have/had a WhiteSmoke infection please run the tool HERE

A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

#12 tg2011


Posted 27 June 2011 - 09:46 PM

I ran Kaspersky's TDSS Killer 2.5.6.0 and it found nothing. It scanned 320 objects. When I was starting to investigate this problem, either SAS or MWB reported something that looked like TDSS, so I ran it, and in looking, it looks like I did not save a file if it found anything. I am still experiencing random websites that will not load, like norton.com, and others that are non-av related like buy.com.

#13 boopme


Posted 27 June 2011 - 10:06 PM

Hello, sorry, upon review I see you had found this: Backdoor.HMCPol.Gen

I feel it important to mention this now.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#14 tg2011


Posted 28 June 2011 - 09:05 PM

I ran MWB in safe mode (no networking) and found zero threats. I ran HMP in safe mode with networking and it found no threats. I read your last message. Back in 10/2010 when I set the machine up I did a backup of what I had installed at that time. Short of perhaps bookmarks, files (pics/docs, etc.) any new software, and email in outlook it is probably pretty close without having to reinstall from scratch. Would a restore back to that work? I know that I can copy files, bookmarks, etc, but will that compromise the newly restored backup? Thanks for your help, it is appreciated.

#15 tg2011


Posted 28 June 2011 - 09:56 PM

I have another computer which has never had an infection which I can use for online transactions. After the trojan/rootkit, or whatever it was that slammed my system, I have not done any online transactions, instead using the other uninfected computer. This computer is Win 7 Ultimate 64 bit. It took me quite a while to set up and setting it up from scratch again would be a major undertaking. Like I mentioned in my previous post, I could restore the version that I saved back in 10/10 when I got it all set up. Another thought: what about running a virtual machine to run that kind of stuff in (credit card payments, etc.), or should I stick with the other computer? Any suggestions you have are greatly appreciated.

Thanks,

Tom