
NortonAV constantly blocking Bedep and ExploitKitRedirects


5 replies to this topic

#1 CheNation


Posted 27 April 2016 - 02:52 PM

(Toshiba laptop, approx 3 years old, Win 8.1 64-bit, InternetExplorer v11)

 

At this moment, my symptoms are

 

1) NortonAV constantly notifies me that it's blocking various attacks by:

    - System Infected: Trojan Bedep Activity

    - System Infected: Trojan.Backdoor Activity 129

    - Web attack: Exploit Kit Redirection 4

    - Web attack: Exploit Kit Redirection 7

    - Web attack: Exploit Kit Redirection 13

Within NAV, it says some of the attacks are coming from qrwzoxcjatynejejsz.com (104.193.252.241), and allofuslikesforums.com(207.182.148.92).

 

2) thousands of temporary internet files are constantly being created (10,000 in about 10 minutes, using 120MB storage); however, it doesn't stop.  I have to run CCleaner every 10-15 minutes to clear out files, else, the files keep growing and InternetExplorer will stop working.

 

3) large amounts of network activity, connections, listening ports, etc..., are immediately started, even without opening IE.  It appears #2 and #3 are related.

 

Now, to start somewhat at the beginning.  As best I can tell, I was attacked by some type of ransom malware (not the encryption type as nothing yet appears to be encrypted), while I was multi-tasking.  For example, I had multiple instances open of the following: MSExcel, MSWord, MSVisio, AdobeAcrobat, Internet Explorer (with probably 10 tabs open), and maybe MSPaint.  That's a lot of stuff open at one time, but if I run CCleaner every hour or so, it'll keep IE running okay.

 

Anyway, as the computer was just starting to slow down, and just before I was going to run CCleaner, the ransom page came up.  I didn't have time to read it exactly, as I immediately killed IE, via TaskManager, and unplugged the internet connection.  I closed all the programs, ran CCleaner, then shutdown completely.

 

Waited a few minutes, then rebooted.  All seemed normal, and I was slowly getting back into my work routine.  At some point things seemed to slow down a little bit.  Then all of a sudden, NortonAV tells me that there's an abnormal amount of outgoing network traffic, and thinks it's malware that it can fix.  It mainly deleted a file named recovery60.dll (I think it did so via the Power Eraser).  Of course, it had to reboot, and then I ran full scans with NortonAV, MalwareBytes(free), Spybot, CCleaner, and updated SpywareBlaster.  I also updated and ran AdwCleaner, and ran JRT.

 

Everything pretty-much says the system is clean.  However, then I start getting the notifications that NAV is blocking miscellaneous attacks.  The notifications are constant, and IE gets slow fairly quickly, but I have to continuously run CCleaner to stay online.

 

I've re-run the above software several times, but nothing is stopping the current symptoms.  But at least the computer is somewhat usable for now.

 

Now I need help from this forum.

 

For what it's worth, I've noticed that BleepingComputer always advises to not change anything while performing their tasks, but I'll have to continuously run CCleaner if I'm to stay on the computer for some length of time.

 

Thanks in advance,

Fred
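Symptoms 2 and 3 above are measurable, and tying the connections to an owning process tells you whether the traffic really is something other than IE. The following triage script is an added example, not part of Fred's post or any reply in this thread; it assumes Windows 8.1 with PowerShell 4 (NetTCPIP module), an elevated prompt, and the default IE 11 cache location, and it uses only the two addresses Norton named in the first post.

```powershell
# Added triage script (not from the thread). Assumes Windows 8.1 / PowerShell 4
# with the NetTCPIP module, run from an elevated PowerShell prompt.
# The two addresses are the ones Norton named in the first post.
$SuspectIPs = @('104.193.252.241', '207.182.148.92')
# Default IE 11 cache location on Windows 8.1 (assumption; adjust if redirected).
$CachePath  = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache'

function Get-CacheFileCount {
    (Get-ChildItem -Path $CachePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Measure-Object).Count
}

# Symptom 2: how fast are temporary internet files appearing?
$before = Get-CacheFileCount
Start-Sleep -Seconds 60
$after  = Get-CacheFileCount
"IE cache files: $before -> $after ($($after - $before) new in 60 s)"

# Symptom 3: established connections attributed to their owning process,
# so a burst of traffic can be tied to something other than iexplore.exe.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    [pscustomobject]@{
        Process = $name
        PID     = $_.OwningProcess
        Remote  = $_.RemoteAddress
        Port    = $_.RemotePort
    }
}
"Established connections by process:"
$conns | Group-Object Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# A live connection to an address Norton flagged is worth recording before cleanup.
$hits = $conns | Where-Object { $SuspectIPs -contains $_.Remote }
if ($hits) { "Connections to Norton-flagged addresses:"; $hits | Format-Table -AutoSize }
else       { "No established connections to the flagged addresses right now." }

# Listening ports and their processes (the poster also saw unexpected listeners).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    '{0,-20} {1,6} {2}:{3}' -f $proc.ProcessName, $_.OwningProcess, $_.LocalAddress, $_.LocalPort
}
```

Run it once with IE closed and once with it open; a process other than iexplore.exe owning most of the connections, or cache files appearing with no browser running, is the kind of evidence worth pasting into a thread like this.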

 




 


#2 InadequateInfirmity


Posted 27 April 2016 - 05:01 PM

ZHP Scan.

 

1. Please download ZHPCleaner & save it to your desktop.  Right Click the icon and select run as administrator.

 

 

 

2. Once you have started the program, you will need to click the scanner button.


The program will close all open browsers!

3. Once the scan is completed, you will want to click the Repair button.


At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop.

Copy and paste the report here in your next reply.

 


 

Zemana Scan

 

 

Run a full scan with Zemana AntiMalware!

Install and select deep scan.


Remove any infections found.

Then click on the icon in the pic below.


Double click on the scan log, copy and paste here in your reply.

 

Junkware Removal Tool.

 

Please download Junkware Removal Tool and save it on your desktop.

 

 

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.


#3 CheNation


Posted 27 April 2016 - 06:37 PM

I've been thinking really hard about implementing your proposal, however, I'm going to pass for now.  From the little research I've done on this site, it seems that ZHPCleaner isn't the norm for the start of the removal process (even though JRT & Zemana have been mentioned).  Sorry, up front, if I'm mistaken.  I was expecting something like Farbar software etc.

 

Before jumping in, I want to wait a little bit more, to hear other proposals.  I've already done many attempts on my own to remedy this situation, but I need to take a step back.  Either way, thanks for the suggestion and for taking time to look into my problem.  While I wait for other responses, I'll continue to research your proposal.

 

thanks again,

Fred



#4 InadequateInfirmity


Posted 27 April 2016 - 06:40 PM

I assume you are worried about the number of posts that I have.... These programs are legit. If you want help using advanced tools then I suggest you read this.

 

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help



#5 CheNation


Posted 28 April 2016 - 07:25 PM

LostpasswordlA:    Nope.  Not worried about the amount of posting, nor am I questioning the legitimacy of your proposed strategy.  I'm new to this site, so I'm rather cautious about running full speed too soon.  But all said, I still appreciate your input.

 

UPDATE ON MY SITUATION:

 

it looks like MalwareBytesAM resolved my problem!  Not really sure why on the 4th or 5th full scan, but MBAM finally recognized a .dll as being a Trojan.Bedep.  It also found 3 registry keys as also being Trojan.Bedep.

 

I tried so many different software tools (see original posting), and in different orders, and reran them to no avail.  Got so frustrated, that I finally joined this site and posted my problem.  However, while waiting for some responses, I continued surfing/researching on the internet, but then my computer started acting crazy.  Screens kept disappearing and reappearing, and finally the desktop disappeared.  I had to manually power-off the laptop.  Thinking my computer was hosed, I simply went to bed.

 

So, this morning, I rebooted and it came up normally.  However, I ran MBAM prior to connecting to the router, and that's when it found the Trojan.Bedep's.  Rebooting deleted the malware, and everything is back to normal.  The temporary internet files do not grow wildly out of control, nor do I have excessive TCP connections, network processes, listening ports, etc...  I've been testing/using the computer all day expecting the malware to rear its ugly head, but so far nothing.

 

I'm tempted to submit FRST.txt and Addition.txt files for further analysis of any remnants, but I'm going to wait a few more days to decide.  If I do, I'll open a new topic.

 

Please close out this topic.

 

thanks,

Fred



#6 InadequateInfirmity


Posted 29 April 2016 - 04:15 PM

Glad you got it fixed, but I would certainly open a new thread in the malware area. There may be something lurking on your machine. Malwarebytes certainly is not a cure all. :)

 

Good luck either way.....
