Potential infection threatens user and turns on camera


4 replies to this topic

#1 tizzo

Posted 04 June 2013 - 12:26 AM

I'll have to apologize in advance for the very limited information I have.  The computer is not mine, the person who asked me to look at it didn't provide a whole lot of detail, and has taken steps on her own which seem to have eliminated the worst of the symptoms leaving me unable to observe them for myself or report on them in any kind of detail.

 

Let's start with what I was told.  After visiting a web site containing some racy material, the computer started popping up messages threatening some kind of harm (not sure exactly what, file deletion I suspect) if the owner didn't pay someone money.  I was also told that the camera on the computer was observed to have been activated when it should not have been, presumably by the suspected infection.  I was asked if I would take a look if they shipped me the computer, and I said OK.

 

So the computer was shipped, but before sending it the owner tried using Norton Security Suite (apparently a full version provided at no cost by the owner's ISP, Comcast) which seemed to eliminate the infection, but now the computer was running very slowly.

 

Once I got the computer, I was able to determine that the performance problem was caused by Norton's AutoProtect module repeatedly finding and "dealing with" a vulnerability called "Suspicious.Cloud.7.EP" in file C:\users\<username>\appdata\local\intel\dmzbsycu.dll.  The action taken by Norton in "dealing with" the vulnerability was listed as "No fix attempted", so the vulnerability remained, and Norton kept detecting it and "dealing with" it by not doing anything, repeatedly and constantly, consuming all the CPU cycles.

 

I was able to get the computer into a usable state by disabling AutoProtect temporarily.  I tried a couple of other scanners, and one of them (McAfee Stinger - I used the portable edition from PortableApps.com) was able to actually remove this file, after which Norton seems to be happy.  Having accomplished this, I tried looking back through Norton's logs to see if I could figure out what it might have fixed or removed, but they only go back a few days (probably because it's filled with the "Suspicious.Cloud.7.EP" detection events), which is after the owner's attempt to remove the virus herself, so I can't even tell what Norton did to eliminate the symptoms.

 

So as of right now, there are no active problems that I can detect.  But since I won't have access to the computer anymore once I send it home, I hope to get it as clean and well-protected as possible.

 

To that end - is there any chance someone would recommend and look at some scans to help me make sure everything is ship shape?  And do you have any recommendations on security software?  I've had problems with Norton in the past, and my experience here seems to indicate that it can still be a troublemaker, particularly for the novice user.  Is there a better choice?  I myself use Microsoft's free Security Essentials (on the advice of someone here a while back, actually), and it's worked well - and very transparently - for me.  And transparency is pretty key for this particular user - the more automatic, the better.  For example, the owner is not someone who would ever have figured out on her own that she needed to disable Norton just to be able to use the computer, and then remove the virus through other means.  Thanks for any help and/or advice you can offer.

 

Tony
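The post above describes a detection that kept firing on a randomly named DLL under the user's AppData\Local tree, with no way left to tell what else had been there. The following triage script is an added example for this page, written for this thread and not code from the original posts, from Norton or from McAfee. It lists native binaries (DLL/EXE) under %LOCALAPPDATA% written in the last 30 days, reports their Authenticode status, and flags any that a common autorun location references. The 30-day window, the choice of Run keys and the Startup folder check are assumptions for illustration; a fuller hunt would also cover services, scheduled tasks and the Winlogon Shell/Userinit values.

```powershell
# Added example for this thread (not code from the original posts or from any
# AV vendor): triage native binaries under the current user's LocalAppData tree,
# the location where Norton kept flagging dmzbsycu.dll, and report whether each
# is Authenticode-signed and whether any common autorun location references it.
# The 30-day window and the set of autorun keys are assumptions for illustration.

function Get-LocalAppDataBinaryTriage {
    param(
        [string]$Root = $env:LOCALAPPDATA,
        [int]$Days = 30
    )

    $since = (Get-Date).AddDays(-$Days)

    # Autorun locations to cross-reference: per-user and machine Run keys plus
    # the user's Startup folder. Services, scheduled tasks and Winlogon values
    # are deliberately left out to keep the example short.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $autorunValues = @(
        foreach ($key in $runKeys) {
            if (Test-Path $key) {
                # Get-ItemProperty exposes the registry values as note properties,
                # mixed with PSPath/PSParentPath/...; drop those provider fields.
                (Get-ItemProperty -Path $key).PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                    ForEach-Object { [string]$_.Value }
            }
        }
    )

    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path $startup) {
        $autorunValues += @(Get-ChildItem -Path $startup -File | ForEach-Object { $_.FullName })
    }

    Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $file = $_   # capture before the inner pipeline rebinds $_
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $hits = @($autorunValues | Where-Object { $_ -like "*$($file.Name)*" })

            [pscustomobject]@{
                Path      = $file.FullName
                LastWrite = $file.LastWriteTime
                SizeKB    = [math]::Round($file.Length / 1KB, 1)
                # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                InAutorun = $hits.Count -gt 0
            }
        }
}

# Unsigned binaries that something launches at logon sort to the top of the list.
Get-LocalAppDataBinaryTriage |
    Sort-Object -Property @{ Expression = 'InAutorun'; Descending = $true },
                          @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true },
                          LastWrite |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the affected user's profile. An unsigned DLL with an eight-letter random name in a vendor-looking folder such as appdata\local\intel is exactly the kind of entry that stands out here; a hit in the InAutorun column tells you the loader is still configured even if the scanner already removed the file.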

 




#2 tizzo

Posted 05 June 2013 - 01:10 PM

Looks like I forgot some information that I do have.  The computer is a Dell Inspiron laptop.  OS is Windows 7 Home Premium, and it's current on updates from MS.



#3 boopme

Posted 05 June 2013 - 10:16 PM

Hello tizzo, this malware also turns on your camera and asks for money. Please try the Automated removal instructions HERE and let us know.



#4 tizzo

Posted 06 June 2013 - 10:59 PM

Followed the instructions in the referenced article.  EmsiSoft found and removed a handful of things, but not Win32/Reveton.

 

However as I said, Norton seemed to have taken care of that particular infection, so I didn't necessarily expect to find it still there anyway.

 

One thing - I used the details on the Reveton article to try and jog the memory of the computer's owner, and she said that yes, that sounded like the one.  She said the FBI in particular sounded familiar.

 

So at the moment, I feel pretty confident that she was infected by Win32/Reveton, that Norton removed it but got stuck on something else (probably unrelated), and that I was able to get rid of that.  You've helped me to get rid of some other stuff we didn't even know was there, plus helped me validate that Win32/Reveton was the original problem, and has been resolved.  Thanks for your help.

 

Before I ship this PC back to its owner, do you have any advice on AV software?  Like I said she's already got Norton Security Suite.  My personal experiences with Norton's products, though limited, have all been negative, and I'm inclined to recommend that she remove it in favor of something else - my leading choices being AVG's free edition, or Microsoft Security Essentials.  Do you have a recommendation or preference among these three, or is it pretty much a matter of personal preference?  My feeling is that none of them is going to be perfect, so might as well go with the one that is least obtrusive, which in my experience has been the Microsoft solution.  Any thoughts or advice would be appreciated.  Thanks again.

 

Tony



#5 boopme

Posted 06 June 2013 - 11:10 PM

You're welcome!

Reveton is a common ransomware family.



Additional Details


Trojan:W32/Reveton is a variant in a family of ransomware applications that have been targeting European users in the last few weeks.

After the trojan successfully infects a machine, it will prevent the user from accessing the Desktop and will display a fraudulent message alleging that the system was locked by a local law enforcement authority; the specific authority mentioned varies depending on the affected user's location, though most of the samples we have seen mainly mentioned various European authorities.

The general activities of this malware, including screenshots showing the warning messages displayed by the trojan, can be seen in our Labs Weblog post discussing this topic:

Police Themed Ransomware Continues
http://www.f-secure.com/v-descs/trojan_w32_reveton.shtml



