
Malware, Trojan, Router DNS Hijack?


This topic is locked. 5 replies to this topic.

#1 Steve23


Posted 10 September 2011 - 03:10 AM

Good Morning Bleeping Computer!

Dell Latitude D620, WinXP Pro SP3, Intel Core2 CPU T7200 @ 2GHz, 2.0GB RAM, 945GM Chipset.

I'll mention upfront that I got a Vundo infection about 1.5 years ago and despite seeming eradication, I think I have lasting effects.

I had prepared logs per http://www.bleepingcomputer.com/forums/topic34773.html but want to redo them cleanly and so will post ASAP tomorrow (it's 4AM in Upstate New York and I've been up for 20 hours, again -- you know the feeling).

I purchased the above described used laptop from an authorized Dell reseller. The OS was freshly installed. I connected to an unsecured network at my community college and downloaded and installed some minor stuff (Adobe Reader, Flash, Shockwave, Google Chrome and a college PDF on accessing their encrypted site) and Symantec Endpoint Protection (SEP) v11.0.6100.645. I did a small regedit on SEP (same edit I did on my other two Dell PC's) to disable admin-established weekly scans and startup scans, because I prefer to scan manually. All good. I get home and the WiFi catches my router. I install Microsoft Office XP Professional off CD. I reboot. Before the WiFi connects, before SEP gets a green light (it is just a yellow shield in the system tray; it doesn't yet have the "all's well" green dot) I get a File Download message: Do you want to open or save this file? Name: bsbsyncvp.png (seems to always be 4 consonants, 1 vowel, 4 consonants), Type: MS Photo Ed, From: C:\Doc&Setting\Owner\Local Se… and the rest is cut off. If I choose Open, MS Photo always shows a 22px W x 15px H 24bit color French Flag at 1320 KB, which seems way too many KB's given that the size and color add up to less than 0.99KB. If I choose Save, then scan with SEP, I get zero risk detection. So I choose Cancel now.

Yesterday evening Internet Explorer (IE8) would give me Google results, but any click on a result sent me to a seemingly random place, and in the instance I checked, the displayed URL was spoofed for the site. This occurred for a period of time but then stopped at some point. Google Chrome did not have this problem during the same time period.

Last night I performed a surface scan with error fix enabled. No issues in log file. I did a SEP scan: one tracking cookie.

I have a Belkin 54g router, FW ver F5D7230-4_UK_8.01.09. Since http://www.bleepingcomputer.com/forums/topic418146.html sounded close, last night I also flushed the DNS, stopped and restarted DNS Client, shut down, reset the router (pushed pinhole about 10+ times until lights briefly went off and came back on), restarted, and reset to my typical router config. Here's some highlights: IP Pool limited to 9; I do broadcast the SSID until I get the laptop WiFi settled; ICMP Ping is blocked; WPA/WPA2-Personal(PSK) WPA-PSK TKIP passworded Security.

I don't see the IE8 redirect behavior today.

Since problems started, upon shut down I sometimes get End Program - Sunupdt32 (Symantec Update?), which sometimes self-resolves, but I always get End Program - rundll32.exe and I have to click End Now.

Tonight I rebooted and let the laptop sit idle for about 15 minutes. I ran CCleaner after enabling a couple extra items on the Windows tab of the Cleaner function, namely Autocomplete Form History, Saved Passwords, and Old Prefetch data. CCleaner removed 24MB in 790 IE Temp Internet files plus 76 cookies, 2 System - Temporary Files, 7 System - Windows Log Files, and 15 Multimedia - Adobe Flash Player files. I reset CCleaner to defaults, sat for 5 minutes, and hit the CCleaner Analyze button: 2,260 KB in 226 IE Temp Internet Files, and 9 cookies. 10 minutes later, 7,514KB in 565 IE Temp Internet files, 43 cookies, 2 Flash files. You get the idea.

So I go to look at these Temp IE files and Windows Explorer does not show a C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files directory, despite my having set options to display system folder contents, and to show hidden files and folders. So I chose to get to the folder via IE8>Tools>Internet Options>Settings button in Browsing history>View files button. Refresh shows there's new files every minute or so. It looks like someone is surfing using my laptop, yet it is just sitting here untouched. There are a lot of small KB JPG files. They only display the default JPG icon in thumbnail view. When I tried to open one I get an Internet Explorer message: "Running a system command on this item might be unsafe. Do you wish to continue?" I hit no. I scan the Temporary Internet Files directory and SEP finds nothing. I close Win Explorer and get a message that Win Explorer has encountered a problem and needs to close, etc. For more info Click Here. It does not give me the usual button to send an error report. Click Here's error signature has AppName: explorer.exe, AppVer: 6.0.2900.5512, ModName: shlwapi.dll, ModVer: 6.0.2900.5912, Offset: 00008434. There's a Click Here for tech info about the report in an appcompat.txt.

Next I shut the Hardware Radio Switch off at 2:40AM. So my state is no WiFi internet, NIC active, and no CAT5 connected. I have one last cookie at 2:40AM, but the next nine most recent files over six minutes are internet files with Internet Address res://ieframe.dll/<filename>, where filename is for example httpErrorPagesScripts.js. The Last Accessed date and time stamp for these 9 files updates every few minutes.

Some side info: (1) I have the OEM CD's. It'd be really easy for me to start over. However, this 'no data / low risk' environment provides an excellent learning experience, as I also need to tackle the two misbehaving desktops which basically contain my and my wife's life. (2) This is my daughter's laptop. I bought it used for her for college. I have had the D620 for three days. Since my daughter's school has been in session two days already I am on borrowed time to do my virus removal learning on the laptop. I wanted to let you know in case my daughter needs this for school and I need to cut bait and just reinstall the OS and drivers. However, I feel the problem will re-occur as it seems likely related to my router, to which all three of my computers are connected, so I really want to stick in and solve this. My daughter is wonderfully patient, which makes me want to help her as much as I can.

I am sorry this is very long. I would appreciate comments aimed at helping me improve my write ups. I want this to be what's best for you. I've read the many pages of good instruction and looked for examples, but feedback on how to make things easiest for you would be great.

Thanks to every potential helping BC member who reads this. Especially thank you to the person who picks this up for being willing to try helping. It's awesome that there are people like you. It makes up for the people who hijack PC's.

#2 ranget


Posted 10 September 2011 - 05:06 AM

you should wait for the spyware removal helper to aid in the process

in the meantime you shouldn't do anything

A big thanks to Didier Stevens

sorry for not being around

#3 Steve23


Posted 10 September 2011 - 10:14 AM

It shall be as you wish! :-)

#4 Steve23


Posted 10 September 2011 - 12:40 PM

I have rethought this.
I appreciate your advice, ranget. I am brand new to using BC, so when I said 'as you wish,' I thought you were an Expert or Moderator. So excuse me please if I am incorrect, but I will assume that your request does not supersede instructions in http://www.bleepingcomputer.com/forums/topic34773.html "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". In order to follow BC's stated protocol, I will therefore still run defogger, dds, and gmer and post logs. I believe this is necessary to get proper Expert attention to my request.

I am trying to be a good candidate for help; doing all I can myself and not expecting a handout from someone else putting in extra effort.

Thanks

#5 Steve23


Posted 10 September 2011 - 11:08 PM

Per Animal, created a new topic: Malware, Trojan, Vundo? Router DNS Hijack? in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

#6 Orange Blossom (Moderator)

Posted 11 September 2011 - 09:36 PM

Hello,

Now for the hard and frustrating part: waiting.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic418433.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript