
Shockwave object possible vector for infection

4 replies to this topic

#1 Eqwatz

  • Members
  • 9 posts
  • Gender:Male
  • Location:Florida USA

Posted 16 February 2012 - 03:48 PM

I found the system unresponsive to right-clicks on desktop links and to closing of windows in Firefox after watching a few TV programs on PutLocker. Yes, it is risky behavior, I know that.
System hijack --> shut down using the power switch. Booted on Puppy Linux. Mounted /dev/sda2 (C:\), cleaned temp files and cookies in: C:\Documents And Settings\All Users, C:\Documents And Settings\Owner (main user of computer), C:\Documents And Settings\NetworkService, ..\Default User, ..\LocalService.

Then I looked for new files modified/dated for the same day and found --> C:\Documents And Settings\"Owner"\Application Data\Adobe\Shockwave Player 11\Shockwave.log.
In the log was the installation of the file: C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1163633.exe

I have been looking for the codecs or plugins or BHO which have been inserted by advertisers on the link sites for TV Shows and I think that this is it.

I know that the means of infection lately has had to be Adobe, because it doesn't play well in the sandbox. They insist on putting their polluted cr*p on everyone's computer and insist on having hardware access. Can I be sure? No, especially because I didn't open it in an editor--I just nuked it along with the other things as part of a cleanup.

PS: The aforementioned file was on the system I reloaded as well--there were binary patches applied to the native networking stack of XP--these connections were observed using netstat /b at the command prompt which pointed to FireFox, the actual network modules and other modules with kernel access. The install was too stale to bother repairing.

PSS: I would appreciate confirmation or "You're terribly, tragically wrong--misinformed, possibly paranoid and delusional. I want my 30 seconds back."

PSSS: The current system shows no signs of infection or root-kit after cleanup. AFAIK it is no longer infected. I was asking for confirmation about: SwHelper_1163633.exe.

Edited by Eqwatz, 16 February 2012 - 04:20 PM.
Moved from XP to Am I Infected.
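The first post describes a manual live-CD triage step: mount the Windows volume, then look for files modified on the day of the incident, which is how the poster found Shockwave.log. The POSIX shell script below is an added example (not code from this thread or from BleepingComputer) that does the same date-window search with `find -newer` against reference files, then hashes the hits so they can be looked up later. The mini volume it builds (`build_sample_tree`) and the dates and file names in it are constructed sample data, not files from the poster's system; on a real mounted volume you would call `list_modified_in_window` on the mount point and the hypothetical `demo` argument is only there to run the sample.

```shell
#!/bin/sh
# Added example: list files on a mounted volume whose modification time falls
# inside a window, then hash them for later reputation lookup. Uses only POSIX
# find/touch plus sha256sum or shasum; nothing here is from the original thread.

# list_modified_in_window MOUNT START END
#   START and END are in touch -t format (CCYYMMDDhhmm), local time.
#   Prints matching regular files, one per line, sorted in C locale.
list_modified_in_window() {
  mount="$1"; start="$2"; end="$3"
  refs=$(mktemp -d)
  touch -t "$start" "$refs/start"
  touch -t "$end"   "$refs/end"
  # -newer start  : mtime strictly after START
  # ! -newer end  : mtime not after END (i.e. inside the window)
  find "$mount" -type f -newer "$refs/start" ! -newer "$refs/end" | LC_ALL=C sort
  rm -rf "$refs"
}

# hash_listed: read file paths on stdin, print SHA-256 and path for each.
# Falls back to shasum on systems without GNU sha256sum.
hash_listed() {
  while IFS= read -r f; do
    sha256sum "$f" 2>/dev/null || shasum -a 256 "$f"
  done
}

# build_sample_tree DIR: constructed mini-volume (assumed layout, sample data).
# Two files are stamped on 2012-02-16, one is stamped years earlier.
build_sample_tree() {
  root="$1"
  mkdir -p "$root/WINDOWS/system32/Adobe" "$root/Documents and Settings/Owner"
  printf 'MZ'  > "$root/WINDOWS/system32/Adobe/sample_helper.exe"
  printf 'log' > "$root/Documents and Settings/Owner/sample.log"
  printf 'MZ'  > "$root/WINDOWS/system32/sample_old.dll"
  touch -t 201202161548 "$root/WINDOWS/system32/Adobe/sample_helper.exe"
  touch -t 201202161549 "$root/Documents and Settings/Owner/sample.log"
  touch -t 200804140000 "$root/WINDOWS/system32/sample_old.dll"
}

# Run on the constructed volume when invoked as: sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
  vol=$(mktemp -d)
  build_sample_tree "$vol"
  list_modified_in_window "$vol" 201202160000 201202162359 | hash_listed
  rm -rf "$vol"
fi
```

On a real volume mounted at, say, /mnt/sda2, the call would be `list_modified_in_window /mnt/sda2 201202160000 201202162359 | hash_listed`; the hashes give you something to compare against a vendor's published values instead of deleting a file unexamined, which is the point the poster raises about SwHelper_1163633.exe.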

#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 February 2012 - 02:43 PM

Hello, the file is in the proper location.
To be certain there is no infection we need a deeper look. Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run skip it and move on.

Let me know if that went well.

#3 Eqwatz
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:Florida USA

Posted 18 February 2012 - 11:23 PM

Hi, thanks for reading the post.
I checked running processes with GMER and process explorer and found no processes which should not be running. Also ran netstat /a and netstat /b to check for open ports and unusual connections.
System is cherry. But, as I said, I shut it down and cleaned all temp files, internet temp files, caches for all browsers and all cookies everywhere by any program using a live CD. Oh, and I always check the desktop.ini files.

I also ran the Microsoft "Fix-it" which contains the current versions of: explorer.exe, iexplorer.exe and the entire networking stack objects--the files which are binary patched by the worst of the offenders. The files were hashed and checked by the Fix-it.
Also, the MSRT was run as part of the process.

I still think that Flash is the vector for careful users; others are saying that the templates are sloppy and the extensions of HTML are flawed.

eric

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 February 2012 - 04:17 PM

It may well be. Would need to see a DDS log and see if we can see it.

#5 Eqwatz
  • Topic Starter
  • Members
  • 9 posts
  • Gender:Male
  • Location:Florida USA

Posted 19 February 2012 - 10:54 PM

Well, since I watch most of my television shows via ch131, alluc, tv-links,eu and several other sites, you probably won't have to wait long. But as of now, there are no processes which do not belong, no programs running periodically or polling the local network, and no ports "listening" which don't belong. Current logs would do no good.
Something of note: the C:\Windows\System32\Adobe\Shockwave 11\SwHelper_1163633.exe has not been replaced by Adobe. I don't think that it is used with the current player. Also, there have been two hurried updates from Flash AND Firefox since I did the manual disinfect.

I have been selecting PutLocker as often as I can get it to stream quickly enough, and SockShare (and others that are obviously sharing sources.)
Lately I have been working my way through all of the seasons of "Midsomer Murders"--and I didn't even have to go to China to get them (that was Marple.)