Pop ups of ugly face, webcam and unknown chat


11 replies to this topic

#1 AsterixTheGaul

Posted 28 June 2012 - 10:12 AM

Just got back from a family trip to France, where I did (stupidly) use a couple of different hotel wi-fi networks (password protected, but still). As soon as I turned on my computer here in the USA, it had an abnormally long start up. Within a few minutes after start up, firefox (my default browser) popped up an ugly flashing face. So I immediately started up a manual McAfee virus scan. A few minutes later, while the scan was running, the webcam turned on (it is normally never on, I don't use skype or anything similar). The ugly face popped up again, and subsequently a chat program (unknown which type of chat program) started up. It said it was watching us; they didn't want to do anything bad to us; and that our kids had downloaded something bad. It then said "I can see everything you are doing" and "I see your virus scan is at 94%" (which it was).

I immediately turned off the computer, rebooted in safe mode, and ran McAfee again (which found nothing, and says it's fully updated.) I deleted all cached internet files from firefox.

My young kids are complete Minecraft nuts, but I watch them on this laptop which is normally kept on the kitchen table, and they don't have email accounts; but who knows what they could have done when I wasn't looking.

Would really appreciate any thoughts. I generally follow virus software stories but the "knowing" nature of this one really concerns me.

Many thanks in advance. -- AsterixTheGaul


#2 ElFasso

Posted 28 June 2012 - 10:15 AM

Run a scan with MBAM:

Download Malwarebytes' Anti-Malware free version (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Edited by ElFasso, 28 June 2012 - 10:15 AM.


#3 AsterixTheGaul

Posted 28 June 2012 - 12:43 PM

ElFasso, thanks for the quick reply!

I followed your instructions -- here's what the log came up with. Malwarebytes found 17 items that McAfee didn't. Based on that, it looks like I will be subscribing to Malwarebytes shortly.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.28.09

Windows Vista Service Pack 2 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
[name deleted] :: [name deleted]-PC [administrator]

6/28/2012 1:06:16 PM
mbam-log-2012-06-28 (13-06-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211991
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rundll (Trojan.Agent.DLLGen) -> Data: C:\Users\[name deleted]\AppData\Local\Temp\rundll.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windll (Trojan.Agent.DLLGen) -> Data: C:\Users\[name deleted]\AppData\Local\Temp\Sysdll.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft® Windows® Operating System (Backdoor.Messa) -> Data: C:\Users\[name deleted]\AppData\Roaming\Microsoft\Windows\Templates\THEMECPL.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|HKCU (Backdoor.HMCPol.Gen) -> Data: C:\Users\[name deleted]\AppData\Local\Temp\wincfg.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\[name deleted]\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.

Files Detected: 11
C:\Users\[name deleted]\AppData\Roaming\238787407.crypted4killuminati.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\.minecraft\saves\schematic (2)(1).exe (PUP.HackTool.ACGen) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Local\Temp\sppnp.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\Downloads\schematic (2)(1).exe (PUP.HackTool.ACGen) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\Downloads\schematic (2)(2).exe (PUP.HackTool.ACGen) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\Downloads\schematic (2).exe (PUP.HackTool.ACGen) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\test1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\dclogs\2012-06-26-3.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\dclogs\2012-06-27-4.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\dclogs\2012-06-28-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\Microsoft\Windows\Templates\THEMECPL.exe (Backdoor.Messa) -> Quarantined and deleted successfully.

(end)
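To show what a defender reads out of a log like the one above, here is an added triage script (my own example, not code from the thread or from Malwarebytes). It assumes the line format shown in the post, lists which Run-key values were pointing at executables in user-writable folders, and reads the dates off the quarantined dclogs files to bound how long the stealer was collecting data. The sample input is a constructed subset of the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the detection lines from the log posted above.
SAMPLE_LOG = r"""
Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rundll (Trojan.Agent.DLLGen) -> Data: C:\Users\[name deleted]\AppData\Local\Temp\rundll.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Microsoft® Windows® Operating System (Backdoor.Messa) -> Data: C:\Users\[name deleted]\AppData\Roaming\Microsoft\Windows\Templates\THEMECPL.exe -> Quarantined and deleted successfully.
Folders Detected: 1
C:\Users\[name deleted]\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
Files Detected: 11
C:\Users\[name deleted]\AppData\Roaming\238787407.crypted4killuminati.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\Downloads\schematic (2)(1).exe (PUP.HackTool.ACGen) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\dclogs\2012-06-26-3.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\[name deleted]\AppData\Roaming\dclogs\2012-06-28-5.dc (Stolen.Data) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: \d+$")
# Detection line shape: "<item> (<family>) -> [Data: <path> -> ]<action>."
DETECTION_RE = re.compile(
    r"^(?P<item>.+) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$"
)
# Dated stealer/keylogger output files, e.g. ...\dclogs\2012-06-26-3.dc
DCLOG_RE = re.compile(r"\\dclogs\\(\d{4}-\d{2}-\d{2})-\d+\.dc$")
# Directories a standard user can write to; autostart targets here are a red flag.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


@dataclass
class Detection:
    section: str           # e.g. "Registry Values", "Files"
    item: str              # registry key/value name or file path
    family: str            # MBAM detection name, e.g. "Backdoor.Bot"
    target: Optional[str]  # executable a registry value points at, if any
    action: str


def parse_log(text: str) -> List[Detection]:
    """Turn log text into Detection records, tracking the current section header."""
    found, section = [], "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["section"]
        elif m := DETECTION_RE.match(line):
            found.append(Detection(section, m["item"], m["family"], m["data"], m["action"]))
    return found


def autostart_entries(dets: List[Detection]) -> List[Tuple[str, str, bool]]:
    """(value name, target exe, target-in-user-writable-dir) for each Run-key value."""
    out = []
    for d in dets:
        if "\\run|" in d.item.lower() and d.target:
            name = d.item.split("|", 1)[1]
            out.append((name, d.target, any(s in d.target.lower() for s in USER_WRITABLE)))
    return out


def stolen_data_window(dets: List[Detection]) -> Optional[Tuple[str, str]]:
    """Earliest and latest date on quarantined dclogs files: how long data was collected."""
    dates = sorted(m.group(1) for d in dets if (m := DCLOG_RE.search(d.item)))
    return (dates[0], dates[-1]) if dates else None


def backdoor_present(dets: List[Detection]) -> bool:
    """Any Backdoor.* family means the host should be treated as fully compromised."""
    return any(d.family.startswith("Backdoor.") for d in dets)


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print(len(dets), "detections; backdoor:", backdoor_present(dets), autostart_entries(dets))
    print("stolen-data log dates:", stolen_data_window(dets))
```

On the sample it reports both Run values pointing into AppData and a data-collection window of 2012-06-26 to 2012-06-28, which is why the later advice in this thread to treat the machine as compromised and change passwords from a clean computer applies.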

#4 ElFasso

Posted 28 June 2012 - 12:53 PM

That cleaned out some infected files.

Please perform an ESET online scan:

Note: You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click on the IE shortcut and run as admin.
Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic


#5 AsterixTheGaul

Posted 28 June 2012 - 03:25 PM

Thanks again, ElFasso. ESET found one threat:

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
a variant of Win32/HiddenStart.A application

I haven't removed it yet because you said to "Make sure that the option Remove found threats is unticked". Nevertheless I assume it should be removed?

thanks again --
Asterix

#6 ElFasso

Posted 28 June 2012 - 03:46 PM

We need to check why this file is defined as a Win32/HiddenStart.A application.

I think it's a false positive.

Go to Virustotal

Then let Virustotal website analyse the following file: C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe

The reason I ask people to "Make sure that the option Remove found threats is unticked" is that some infections will be removed, but some files are patched by malware. These files may not be removed but must be replaced.

Edited by ElFasso, 28 June 2012 - 03:47 PM.


#7 AsterixTheGaul

Posted 28 June 2012 - 04:14 PM

Thanks ElFasso -- looks like you're right, a false positive.

The comment at VirusTotal is "False positive detected by eSet NOD32. File appears to be part of the Dell Datasafe Local Backup software. #goodware #hiddenstart"

https://www.virustotal.com/file/118c5a83d03b9f1b5d5ec5b7e7c771a18f7cffacc89c4679377977d8e71a2f0f/analysis/1340917797/

#8 Pizza and Pepsi

Posted 28 June 2012 - 04:22 PM

AsterixTheGaul and ElFasso, I would like to inform you that I think a Backdoor trojan was found. I have contacted a moderator to further investigate this.

#9 quietman7

Posted 29 June 2012 - 06:00 AM

The scan indicates two Backdoor Bots were detected, both of which were quarantined and deleted successfully.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection was identified and removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet, has to say in Help: I Got Hacked. Now What Do I Do?

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


I cannot make this decision for you as to what to do. I am just providing information so you are aware and can make an informed decision but as a minimum, you should change all passwords.

#10 AsterixTheGaul

Posted 29 June 2012 - 06:38 AM

Thanks quietman. I did most of that immediately from a different computer but it sounds like you're right that reformat and reinstall is the only way to go.

Ironically we were warned repeatedly in Paris about the danger of pickpockets, that they are worse than ever, etc. (and we met another American couple who had been robbed). So it turns out that I *was* pickpocketed, after all.

Thanks again to the forum for all the help.

#11 Pizza and Pepsi

Posted 29 June 2012 - 12:42 PM

Thanks quietman! :thumbsup:

I have been recently helping out in the AII forum and stumbled upon this topic (just look at the title, who wouldn't want to check it out). ElFasso was doing a great job helping the OP, but I guess he just missed the Backdoor or was unaware of the security compromise it causes. I am just glad that we got to inform AsterixTheGaul in time that he had to reformat his computer.

#12 quietman7

Posted 29 June 2012 - 02:25 PM

You're welcome all.

AsterixTheGaul, if you're not sure how to reformat and reinstall Windows, please review:
These links include specific step-by-step instructions with screenshots:
Vista users can refer to these instructions:
Windows 7 users can refer to these instructions:
Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway, Dell or other manufacturer-built computer, you may not have an original CD Disk. By policy, Microsoft no longer allows OEM manufacturers to include the original Windows CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Please read Technology Advisory Recovery Media.

If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support.

If you have made a disk image with an imaging tool (e.g. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.) before your system was infected, then using it is another option. Disk imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact state the system was in when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made. You will then have to reinstall all programs that you added afterwards. This includes all security updates and patches from Microsoft.

Reformatting a hard disk deletes all data. You can back up all your important documents, personal data files, photos, music and videos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension as shown here (click Figure 1 to enlarge), so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

If your computer will not boot properly, please refer to:
If you need additional assistance with reformatting, partitioning or reinstalling the OS, you can start a new topic in the Operating Systems Subforums.