A big, bad virus... 11 replies


Guest

I didn't make it!

0 XP

 
#1 9 years ago

So, my sister decided to go pick up a virus from who knows where (she has no clue, but suspects an e-mail) a few days ago, and it is quite a strange and interesting virus. I don't know much about it yet, but I do know a few things:

- It is related to 'Security Tool', a program that is quite obviously part of the virus package, due to its very shady characteristics (it randomly appears and scans the PC, or gives a random warning that a hacker is about to come through, then disappears 10 minutes later and everything is back to normal until it pops up again).
- When the 'Security Tool' is running, it seems to disable the Task Manager by closing it as soon as I open it.
- First, it said it found lsas.blaster.keylogger in wisptis.exe, then it 'ran a scan' of the computer in 20 seconds, claiming to find 20 or so infections and lots of other junk, but doing a full scan with Avast! found absolutely nothing.
- Yesterday, I got it to go dormant for a while by disabling the NIC.

I've never used anything other than Avast and something like Security Task Manager, so any suggestions on what might help? BTW, this is Windows 7 we're talking about.




ConstanceJill

Huh yeah, whatever ^^

38,777 XP

6th December 2006

0 Uploads

3,246 Posts

1 Threads

#2 9 years ago

Try running a scan with HiJackThis and post the log here, we'll see if we can help ^^




Guest


 
#3 9 years ago

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:01 PM, on 2/20/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to Facebook | Facebook
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [17561222] C:\ProgramData\17561222\17561222.exe
O4 - HKLM\..\Run: [84583432] C:\ProgramData\84583432\84583432.exe
O4 - HKLM\..\Run: [61311012] C:\ProgramData\61311012\61311012.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O13 - Gopher Prefix:
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

-- End of file - 4701 bytes




>Omen<

Modern Warfare

50 XP

1st January 2005

0 Uploads

7,395 Posts

0 Threads

#4 9 years ago

That bug, most commonly known as "Smitfraud", has been around for some time. It appears on the lower right above the taskbar and gives fake virus warnings and tries to get you to click on something which, if you do, downloads more bugs. SpyBot has had it in its database for some time. As long as you have SpyBot updated (Immunize recommended too), it should find and be able to remove it. I got that bug long ago before common tools could detect it, but fortunately a guy had just written a specific tool for it called SmitRem, which worked.

Besides what Jill recommended, other good tools that can be had free are SpyBot, a-Squared, Malwarebytes, SUPERAntiMalware, Glary Utilities, CCleaner, and GMER.

This is what the HijackThis online analyzer found in your log (the rest was completely safe):

[Screenshot: hjtlog.jpg, the analyzer's report of the three flagged entries]

After running the scan in HjT, check the 3 items shown, and click "Fix Checked". I highly recommend some follow-up scans with the above tools though, including a safe mode deep scan with a-Squared, which can take some time.




ConstanceJill


#5 9 years ago

Yup, "randomly-named" executables almost always are malware... when they also are in randomly named folders you can be sure they are indeed ^^
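
The rule in the two replies above (flag an autorun whose executable and containing folder are both random-looking names, then "Fix Checked" to drop the Run value) can be applied mechanically to a HijackThis log. The script below is an added example written for this page; it is not HijackThis code and not from any poster. It parses O4 lines, scores each target, and prints the reg.exe command that corresponds to removing the flagged Run value. Assumptions, not facts from the thread: the `looks_random` test is a heuristic of this example's own design, HijackThis's `HKLM\..\Run` abbreviation is expanded to `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, and the sample input is a constructed subset of the log posted above.

```python
"""Triage HijackThis O4 entries with the thread's heuristic (added example)."""
import re
from typing import List, NamedTuple

# Constructed sample: a subset of the O4 lines from the log posted in the thread,
# plus an O23 line to confirm non-O4 lines are ignored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [17561222] C:\ProgramData\17561222\17561222.exe
O4 - HKLM\..\Run: [84583432] C:\ProgramData\84583432\84583432.exe
O4 - HKLM\..\Run: [61311012] C:\ProgramData\61311012\61311012.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[0-9-]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# Assumption: HJT's "\..\" stands for this path under the hive.
RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"
# Folders a dropper can write to without elevation; installers rarely autorun from here.
USER_WRITABLE = {"programdata", "appdata", "temp", "tmp", "local settings"}
VOWELS = set("aeiouy")


class Finding(NamedTuple):
    hive: str
    key: str
    name: str
    path: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 6+ digits, or an 8+ char letter/digit mix with
    at most one vowel, is treated as a machine-generated name."""
    s = stem.lower()
    if not s.isalnum():
        return False
    if s.isdigit():
        return len(s) >= 6
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    return len(s) >= 8 and has_digit and has_alpha and sum(c in VOWELS for c in s) <= 1


def extract_path(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or bare, arguments dropped."""
    m = re.match(r'^"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"^(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str) -> List[str]:
    """Reasons an autorun target looks like a dropped payload (empty = clean)."""
    parts = path.replace("/", "\\").split("\\")
    filename = parts[-1]
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    parent = parts[-2] if len(parts) >= 2 else ""
    reasons = []
    if looks_random(stem):
        reasons.append("random-looking executable name")
    if looks_random(parent):
        reasons.append("random-looking parent folder")
    if any(p.lower() in USER_WRITABLE for p in parts[:-1]):
        reasons.append("lives under a user-writable data folder")
    return reasons


def scan_hijackthis(log_text: str) -> List[Finding]:
    """Keep O4 entries with a random executable name plus one corroborating signal."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        reasons = assess(path)
        if "random-looking executable name" in reasons and len(reasons) >= 2:
            findings.append(Finding(m.group("hive"), m.group("key"), m.group("name"), path, reasons))
    return findings


def reg_delete_commands(findings: List[Finding]) -> List[str]:
    """reg.exe equivalent of removing the Run value; the .exe itself stays on disk."""
    cmds = []
    for f in findings:
        root = f.hive.replace("HKUS\\", "HKU\\")  # HJT prints HKUS, reg.exe expects HKU
        cmds.append(f'reg delete "{root}\\{RUN_KEY_PREFIX}\\{f.key}" /v "{f.name}" /f')
    return cmds


if __name__ == "__main__":
    hits = scan_hijackthis(SAMPLE_LOG)
    for f in hits:
        print(f"{f.hive}\\..\\{f.key} [{f.name}] -> {f.path}: {', '.join(f.reasons)}")
    print("\n".join(reg_delete_commands(hits)))
```

Running it against the sample flags exactly the three ProgramData entries and leaves the Intel, avast!, DAEMON Tools and Sidebar autoruns alone. Deleting the Run value only stops the payload from relaunching at logon; the executables under C:\ProgramData\<digits>\ are still on disk and still need to be quarantined by a scanner, which is why the follow-up scans recommended above matter.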




>Omen<


#6 9 years ago
ConstanceJill wrote:
Yup, "randomly-named" executables almost always are malware... when they also are in randomly named folders you can be sure they are indeed ^^

So true, interesting to note though, is that GMER, a tool designed specifically to find rootkits, is randomly named too, to avoid malware detecting and disabling it.




Guest


 
#7 9 years ago
ConstanceJill wrote:
Yup, "randomly-named" executables almost always are malware... when they also are in randomly named folders you can be sure they are indeed ^^

Interesting... Anyways, I downloaded and am currently running Spybot S/D, and it looks like it already found something called Fraud. Security Tool, which I'm quite sure is the problem. I'll update later to see what happens.




>Omen<


#8 9 years ago
The Soleutator wrote:
Interesting... Anyways, I downloaded and am currently running Spybot S/D, and it looks like it already found something called Fraud. Security Tool, which I'm quite sure is the problem. I'll update later to see what happens.

Like I said above, it was originally called SmitFraud. I'm sure it's the same thing and SpyBot is just abbreviating it.




Guest


 
#9 9 years ago
>Omen< wrote:
Like I said above, it was originally called SmitFraud. I'm sure it's the same thing and SpyBot is just abbreviating it.

I guess we'll see when we find whether the problem is gone. BTW, it did find more spyware on her computer, and quite a bit on my PC as well. I make relatively few downloads however, so I assume a lot of it comes from random googling, etc. right?

Anyways, thanks for the help, if it did remove the problem, it saved a lot of time. I should probably try some of the other software you mentioned to see what that finds as well.




>Omen<

#10 9 years ago

The Soleutator wrote:
I guess we'll see when we find whether the problem is gone. BTW, it did find more spyware on her computer, and quite a bit on my PC as well. I make relatively few downloads however, so I assume a lot of it comes from random googling, etc. right?

Anyways, thanks for the help, if it did remove the problem, it saved a lot of time. I should probably try some of the other software you mentioned to see what that finds as well.

Well Google has been a problem since the holidays and it happened last holiday season too. There's a hack called the redirect bug that takes you to 3rd party shop search sites and such when clicking on a Google search link. In my experience it only happened with Firefox and IE though.

However I did via searching find that the tools some on the Google forum were using that had this problem (Malwarebytes & SUPERAntiMalware) were effective. Also an a-Squared deep scan in safe mode, which takes a long time.

Even after clearing my PC of the bugs and getting my rig back in top shape though, I still got the redirect thing a few times even with FF set with the phishing filter enabled, "Warn of websites trying to redirect..." checked, and Adblock Plus.

When I switched to the Iron browser, all that stopped. I also enable Phishing & Malware protection in Iron and use the AdSweep extension. I have been using Google a lot since switching to Iron though and zero problems with redirects.

One of the scans I did found several registry entries detected as trojans designated as "msupdate". The several XP "security" updates I installed crashed my PC into a continual reboot loop. I had to do an XP repair to get back into Windows without losing all my files.



