
Possible BlackholeExploit, not sure if I was infected.


9 replies to this topic

#1 Rehio

  • Members
  • 24 posts

Posted 10 February 2013 - 10:36 AM

Edit: My god, how did I manage to mess up the title. I am ashamed. Edit2: Boopme fixed my shame. They are lovely.

Alright, sorry to bother you folks, but I'm in that post-mess-up terror mode that only seems to happen with viruses.

Running Windows 7. Was using Firefox.

Here's the original derp: Clicked a link in a phishing e-mail. Was an absolute idiot and when it made it through G-mail while marked as important I acted like an absolute fool.

Never clicked anything on the web page itself and never entered any information. Returned immediately after that moment of "What the heck did I just click?"

Did some searching around, and the e-mail was part of the Verizon phishing e-mails. Supposedly leads to a page that will re-direct you and download some malware onto your computer. Blackhole exploit, if the pages I'm looking into are correct.

Weird part: The info pages about the exploit I looked into talked about an obvious redirect in the browser when you click the link, and I'm 99% sure that no redirect happened while I was on the page.

Current Status: Malwarebytes is coming up completely clean. Microsoft Security Essentials hasn't made a peep about anything. Nothing malicious seems to be happening with the computer other than a higher than normal svchost.exe running on the task manager. I can't tell if it's running high because I'm running virus scans or something, though (that's my hope talking).

I've heard high svchost can indicate malware, but I'm also pretty paranoid at the moment and I'm not sure if I'm panicking over that for no reason.

Info about this exploit says that it's a Java exploit? I think. I updated Java pretty recently (within the last week or two).

This is the info about the possible infection I found: http://www.hoax-slayer.com/verizon-bill-malware-emails.shtml

Sorry for the long post, I'm pretty worried at the moment. Ever feel like.. flashes of heat down your back from the shame of having messed up so badly? :D

Any info would be welcome.

Edit: Fixed title spelling..


Edited by Rehio, 10 February 2013 - 05:45 PM.




#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 11 February 2013 - 02:23 PM

Hello, I'm back.. I thought someone would get here as I had to leave after the Edit.

 

Run these and tell me how it is after....

 

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
(alternate download link)

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

 

 

 

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/products/malwarebytes_free) and save it to your desktop.

  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.

  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon (http://helpdesk.malwarebytes.org/entries/20872371-use-chameleon-to-run-malwarebytes-on-infected-systems) and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

 

 

 

MiniToolBox
Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from. Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
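For readers who want to see what the MiniToolBox checks above actually look at, here is an added example (not part of the thread and not the MiniToolBox tool itself) that covers the same ground from a PowerShell prompt: the hosts file, the IE/WinINET and Firefox proxy settings, the Winsock catalog, the last ten System log errors and the installed programs, followed by the DNS cache flush. Everything except the flush is read-only, so it can be run before the cleanup tools to get a baseline. It assumes a default Windows and Firefox install layout and an elevated prompt on Windows 7 or later.

```powershell
# Added example, not part of the thread and not the MiniToolBox tool itself:
# read-only checks covering the same ground (hosts file, IE and Firefox proxy
# settings, Winsock catalog, recent System errors, installed programs), plus the
# DNS cache flush. Run from an elevated PowerShell prompt on Windows 7 or later.
# Paths assume a default Windows and Firefox install.

$report = New-Object System.Collections.ArrayList

# 1. Hosts file: anything beyond comments and the localhost lines deserves a look,
#    because malware edits this file to redirect update and security-vendor sites.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostEntries = @(Get-Content $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' })
[void]$report.Add("Hosts entries other than localhost: $($hostEntries.Count)")
foreach ($line in $hostEntries) { [void]$report.Add("  $line") }

# 2. IE / WinINET proxy settings. A ProxyServer or AutoConfigURL (PAC) you never
#    set is a classic sign of traffic interception.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[void]$report.Add("IE ProxyEnable   : $($inet.ProxyEnable)")
[void]$report.Add("IE ProxyServer   : $($inet.ProxyServer)")
[void]$report.Add("IE AutoConfigURL : $($inet.AutoConfigURL)")

# 3. Firefox proxy prefs from every profile's prefs.js
#    (network.proxy.type: 0 = none, 1 = manual, 2 = PAC, 5 = use system settings).
$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    foreach ($profile in Get-ChildItem $ffProfiles | Where-Object { $_.PSIsContainer }) {
        $prefs = Join-Path $profile.FullName 'prefs.js'
        if (-not (Test-Path $prefs)) { continue }
        $proxyPrefs = @(Select-String -Path $prefs -Pattern 'network\.proxy\.(type|http|ssl|autoconfig_url)' |
            ForEach-Object { $_.Line.Trim() })
        if ($proxyPrefs.Count -eq 0) { $proxyPrefs = @('no proxy prefs set (defaults)') }
        [void]$report.Add("Firefox profile $($profile.Name): $($proxyPrefs -join '; ')")
    }
}

# 4. Winsock catalog: Layered Service Providers from unknown vendors were a
#    common way for malware to hook network traffic on this generation of Windows.
[void]$report.Add('--- netsh winsock show catalog ---')
foreach ($line in (netsh winsock show catalog)) { [void]$report.Add($line) }

# 5. Last 10 System log errors, the quick look the tool's "Event Viewer log" option gives.
foreach ($ev in Get-EventLog -LogName System -EntryType Error -Newest 10) {
    [void]$report.Add("Event $($ev.EventID) $($ev.TimeGenerated) $($ev.Source)")
}

# 6. Installed programs from both Uninstall hives (64-bit and 32-bit).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } | Sort-Object DisplayName
[void]$report.Add("--- Installed programs ($(@($programs).Count)) ---")
foreach ($p in $programs) { [void]$report.Add("  $($p.DisplayName) $($p.DisplayVersion)") }

# 7. Flush the DNS resolver cache. ipconfig works on Windows 7; Clear-DnsClientCache
#    only exists on Windows 8 / Server 2012 and later.
ipconfig /flushdns | Out-Null
[void]$report.Add('DNS resolver cache flushed')

# Save Result.txt to the desktop, as the tool does, and echo it to the console.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Result.txt'
$report | Tee-Object -FilePath $out
```

The script deliberately reports rather than resets the proxy settings: on a machine where a proxy or PAC URL shows up that the owner did not configure, the value itself is evidence worth keeping in the log before it is cleared.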

#3 Rehio
  • Topic Starter
  • Members
  • 24 posts

Posted 12 February 2013 - 12:53 AM

Malwarebytes Log -

 

Computer runs fine, but to be honest I haven't had any problems with the computer running correctly. I'm just worried that I was infected in more of a "Steal all my passwords" way than a "Mess up the computer's functions" way.

 

 

Thanks for taking care of me here, Boop, I really appreciate it. Been having trouble sleeping with this whole deal going on.


Edited by Rehio, 12 February 2013 - 08:08 PM.


#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 February 2013 - 11:06 AM

You're welcome ! I'd say you are getting infected from torrent downloads of free stuff..

 

Let's run these 2.... As I am sure there will be more. First is quick and second slow.

 

ADW Cleaner

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

>>>>

Now I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the   button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.



#5 Rehio
  • Topic Starter
  • Members
  • 24 posts

Posted 12 February 2013 - 02:08 PM

I have more problems with Java exploits than torrent files. :D

 

ADW Log -


Edited by Rehio, 12 February 2013 - 08:08 PM.


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 February 2013 - 03:13 PM

When you're downloading.. Sometimes there is a box to uncheck for these toolbars. I also usually will not use the "recommended" install. Looking at the other install option you will see things they are trying to add..Toolbars, homepage....

 

 

Looks good now..

Uninstall this from the Control Panel, Programs, Uninstall... older versions are exploitable.

Java™ 6 Update 31 (64-bit) (Version: 6.0.310)

 

Now you should Create a New Restore Point (alternate method) to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

Then use Disk Cleanup to remove all but the newly created Restore Point.


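The two steps in the post above, finding leftover old Java runtimes and creating a fresh restore point once the machine is clean, can both be done from PowerShell. The following is an added example (not from the thread or from any of the tools it mentions): it reads the standard Uninstall registry hives to list every registered Java runtime with the oldest ones called out, then creates the restore point with Checkpoint-Computer and prints the list so the new point's number can be written down. It assumes an elevated prompt on Windows 7 or later with System Protection enabled on the system drive.

```powershell
# Added example, not from the thread: list the Java runtimes registered in
# Add/Remove Programs so outdated ones stand out, then create the fresh restore
# point the thread recommends and show the list so its number can be noted.
# Run from an elevated PowerShell prompt on Windows 7 or later; the registry
# paths are the standard Uninstall hives (64-bit and 32-bit installs).

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match the Oracle/Sun product names ("Java 7 Update 13", "Java(TM) 6 Update 31 (64-bit)").
# Sorting by [version] puts 6.0.310 before 7.0.130; a malformed version sorts first.
$java = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(\(TM\)|\u2122)?\s+\d' } |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Sort-Object { try { [version]$_.DisplayVersion } catch { [version]'0.0' } })

if ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered in Add/Remove Programs.'
} else {
    Write-Host "Java runtimes found: $($java.Count)"
    $java | Format-Table DisplayName, DisplayVersion -AutoSize
    # Every entry except the newest is a candidate for removal. This is a report,
    # not an uninstall: remove them through Control Panel as the thread advises,
    # or read each UninstallString first and run it yourself.
    if ($java.Count -gt 1) {
        $java | Select-Object -First ($java.Count - 1) |
            ForEach-Object { Write-Host "Older version still installed: $($_.DisplayName) ($($_.DisplayVersion))" }
    }
}

# Create the post-cleanup restore point. Checkpoint-Computer requires System
# Protection to be enabled for the system drive and throws if it is not.
Checkpoint-Computer -Description 'Clean state after malware removal' -RestorePointType 'MODIFY_SETTINGS'

# Show the restore points so the new one's sequence number can be written down;
# anything older is what Disk Cleanup's "More Options" tab removes.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime |
    Format-Table -AutoSize
```

Deleting the older restore points is left to Disk Cleanup, as the post says: the listing is enough to confirm which point is the clean one, and removing the rest by hand avoids deleting the only good one by mistake.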

#7 Rehio
  • Topic Starter
  • Members
  • 24 posts

Posted 12 February 2013 - 03:24 PM

Alright, older version of Java was deleted, Restore Point was created, and I removed all but the newest Restore Point.

 

 

Everything seems to be in order, then?

 

 

Edit: Another e-mail from the same folks trying to phish me again. So terrible. =/ Have to teach g-mail that it's spam.


Edited by Rehio, 12 February 2013 - 03:30 PM.


#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 February 2013 - 03:41 PM

Change your email password, just in case.



#9 Rehio
  • Topic Starter
  • Members
  • 24 posts

Posted 12 February 2013 - 05:37 PM

All changed. Thanks, Boop! :D

 

So no more scans to run or anything, I'm all clean as far as you can tell?



#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,537 posts
  • Gender:Male
  • Location:NJ USA

Posted 12 February 2013 - 06:11 PM

Yep Rehio, you are good to go. Thanks for visiting.

