
vbc.exe Network Usage, Non-Passively Hacked - Related?


4 replies to this topic

#1 NicciAdonai
  • Members
  • 20 posts

Posted 22 January 2012 - 12:23 AM

Question number one (the short one): could constant network usage from vbc.exe (as seen from Process Explorer) be an indication of general nefariousness?

Question number two (the long one): I am currently working on a computer for a customer who, apparently, was actively hacked. Her grandson plays an MMO (Play Wizard101, but maybe another one, too; it's too late right now to call her and ask her which). She used her Paypal account to get him full access. While he was playing a screen popped up saying something like: "I've hacked your mom's Paypal account; send $20." He ran to get her. She closed the window. Then another screen popped up with, according to her, a blue "i" information icon, that said something like: "I'm serious about this. You can pay $20 or $1,500 dollars. Your choice." Oh, and it, you know, displayed her actual Paypal password on her screen. She immediately Googled for a Paypal telephone number, called them, and had them temporarily shut her account down, but not before they had her try to change her password. When she tried, something kept preventing her (a window pop-up or something? I didn't quite get that part). Then she had Norton remote into her computer, but every time they tried to do something, her computer would spontaneously shut down. She said they told her that someone had "hacked her IP address." ... :/ Hey, I'm just telling you what they said.

So she called me. I told her to use another computer to change her password for every important site to something good--at least 9 characters, special characters/numbers/upper- and lower-case, etc--and to make them all different. If someone remoted her PC then it would be a piece of cake to look up the saved Firefox passwords (a weakness of Firefox that I have never thought about), and I am assuming there are tools to retrieve those from IE, as well. She was able to change her Paypal password, so at least she's out of that water.

So now it's in my "shop" (bedroom with a table on top of a coffee table so's I can work standing up). First I ran an Avira bootable CD. Then I logged into her XP and ran eScan Toolkit. That was when the first weird thing happened. After the scan ran, the results log should have stayed on-screen, but by the time I got around to looking at it, it was gone and I was at the initial program window. I then opened Task Manager to look at the network usage: a constant 10-15 kbps. I then opened Autoruns and unticked some things. Then I opened Process Explorer, and that's when I saw that vbc.exe was using the network. I did not kill it because Combofix was next and I wanted it to remain in memory because I figured that that was a place Combofix would definitely check, and I wanted CF to see it. Ran Combofix, updated. "Combofix shall now restart." Pressed enter. Nothing. Tried running Combofix again... nothing. Well, it had already updated, so let's go to network connections and disable the NIC. Could not disable it, so I tried to go to device manager... and the computer shut itself down (nicely; as in, it closed all the programs and went through the "Logging Off," "Shutting Down," etc.). Before I turned it back on I unplugged the network cable (should have done that instead of disabling NIC, don't know what I was thinking). Then I used Process Explorer to kill vbc.exe.

Ran Combofix again, and the first thing it found was Rootkit.ZeroAccess (or something like that); the message said it had inserted itself into the tcp/ip stack, and I had to reboot to get rid of it. After that it found some other things. I can post the log if you want.

So what I need is to be as sure as possible that nothing else like this remains on her computer. If someone with good reputation here on bleepingcomputer tells me that I need to do a system recovery on her machine, then I think she would be amenable, but if someone thinks they can get me going without that, that would likely be preferable.

Thanks in advance. You all are great. The tools on this site are awesome (I've used Combofix, rkill, and unhide). I'd recommend you to anyone. I'd probably be more of a contributor but am sooo busy; I work an 8-5 job and do the computer work after hours, on weekends, and on holidays. I've usually taken care of malware by myself (or by searching forums if nothing fixes the symptoms) but this time I'm going to the experts directly. :)



#2 NicciAdonai
  • Topic Starter
  • Members
  • 20 posts

Posted 23 January 2012 - 08:36 PM

A full scan with Microsoft Security Essentials found: Win32/Rebhip.A and Java/Jasapryt

One allows commands from an attacker and one self-propagates over a network. Yikes! Maybe we're good now, though...

Edit: the strange network usage seems to have gone away. I also installed ZoneAlarm just in case.

Edited by NicciAdonai, 23 January 2012 - 08:37 PM.


#3 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,078 posts

Posted 24 January 2012 - 10:04 PM

If you still want to check this run these next.
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.

Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware




I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.
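Two of the MiniToolBox items in the post above, "List content of Hosts" and "Report IE Proxy Settings", are worth understanding rather than just running, because they are the places where malware quietly reroutes or blocks traffic after the obvious files are gone. The following is an added example, not part of the original post or of MiniToolBox: it applies the same two checks to a constructed hosts file and to a dict standing in for the Internet Settings registry values (a live check would read those with `winreg`; the list of protected domain names is illustrative, not exhaustive).

```python
# Added example (not from the original thread): what "List content of Hosts" and
# "Report IE Proxy Settings" are looking for, run over CONSTRUCTED data.
import ipaddress

# Constructed hosts file. The two "planted" lines are the classic malware moves:
# pin a security vendor to loopback so it cannot be reached, and point a
# banking/payment site at an attacker-controlled address.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org        # planted
203.0.113.9     www.paypal.com              # planted
"""

# Constructed stand-in for the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
# Assumption: on a real machine these would be read with winreg; here a dict.
IE_PROXY_SAMPLE = {
    "ProxyEnable": 1,
    "ProxyServer": "http=127.0.0.1:8080;https=127.0.0.1:8080",
    "AutoConfigURL": "",
}

# Names a home machine's hosts file should never answer for. Illustrative list.
PROTECTED_SUFFIXES = ("malwarebytes.org", "microsoft.com", "windowsupdate.com",
                      "symantec.com", "eset.com", "paypal.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are dropped and a
    line with several names yields one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def check_hosts(text):
    """Flag protected names that are blocked (pinned to loopback) or redirected,
    and any other name mapped to a non-loopback address."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        protected = any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)
        if protected and addr.is_loopback:
            findings.append((name, ip, "security/update site pinned to loopback (blocked)"))
        elif protected:
            findings.append((name, ip, "security/update site redirected"))
        elif not addr.is_loopback and name != "localhost":
            findings.append((name, ip, "non-loopback hosts entry"))
    return findings


def check_ie_proxy(settings):
    """Report an enabled proxy or an AutoConfigURL (PAC): either one lets
    something else sit in the middle of every browser request."""
    findings = []
    if settings.get("ProxyEnable"):
        findings.append("ProxyEnable=1, ProxyServer=%s" % settings.get("ProxyServer", ""))
    if settings.get("AutoConfigURL"):
        findings.append("AutoConfigURL=%s" % settings["AutoConfigURL"])
    return findings


if __name__ == "__main__":
    for name, ip, why in check_hosts(HOSTS_SAMPLE):
        print("hosts: %s -> %s (%s)" % (name, ip, why))
    for why in check_ie_proxy(IE_PROXY_SAMPLE):
        print("proxy: %s" % why)
```

On the constructed input the hosts check reports the pinned Malwarebytes entry and the redirected PayPal entry and leaves the stock `localhost` line alone; the proxy check reports the enabled proxy pointing at 127.0.0.1:8080, which on a home PC with no deliberate local proxy means something on the box is relaying the browser's traffic. The "Reset IE/FF Proxy Settings" items in the checklist undo exactly that.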

#4 NicciAdonai
  • Topic Starter
  • Members
  • 20 posts

Posted 26 January 2012 - 12:04 AM

Thank you for the response! I have already given it back to her, though. The strange network usage seemed to be gone. I explained how to use ZoneAlarm, and I installed Malwarebytes for her and started a full scan before I left her house. I told her that scanners play catch-up and so she should run a routine scan every so often, and that the catch-up game is one of the pitfalls of relying exclusively on real-time scanning.

Thanks again for replying!

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,078 posts

Posted 26 January 2012 - 11:19 AM

OK, thanks for the update. If she has the free MBAM tell her to update first and scan weekly.