Daugher's PC has new Malware/Virus that can't be detected.
My daughter's PC had a fake, annoying pop-up security center, and the very latest update of McAfee did find the AV1i trojan on the PC and deleted the files. I manually edited the registry, chasing down any reference to those executables, and cleaned it up.
However, the PC was still acting hosed up. Windows Explorer would not open, disc error checking won't start and Google was acting strange. The links in search results would not work, and when manually entered in, would go to some odd sites. Ran System Mechanic (a general purpose PC maintenance program); it found a disc error it could not fix until I ran it multiple times.
I looked at every process running on the PC, and nothing out of place. I am minimalistic with my computer installs, and it looked clean. Reran Ad-Aware, McAfee, etc., updated them, etc. ... nothing found.
Ran a program called "Wireshark"; it is a cool freebie program that monitors network traffic. Anyway, my daughter's PC, sitting there with no programs running, including Internet Explorer off, is sending traffic to two websites:
DO NOT TYPE IN THESE IP ADDRESSES
195.24.77.252 (Edit, did some further checking, one of IP addresses was for my router, t)
When I googled feelyouinside.com I found some references to it being a malware server, so DO NOT GO THERE!
I captured the Wireshark log, printed it out. Shut off my daughter's PC, and then immediately blocked these IP addresses on my router; I suggest you block them also if you know how.
Anyway, I am weighing my options:
1. Keep PC off and hope that McAfee gets an update to take care of whatever is running and generating all that traffic.
2. Just clean the hard drive (safest, but most painful due to my daughter's music library)
3. Try to manually find this thing. At a loss here, going blind looking at the registry, but perhaps I will get inspired and find it; some string in message traffic or variation of web sites it is transmitting to should show up someplace.
Any suggestions on tracking this thing down? I am assuming it is just a simple trojan that is not yet identified, so waiting for a McAfee update should get rid of it, but ... never know, could be something more complex.
Last edited by Timothian on Sat Feb 21, 2009 5:55 pm, edited 1 time in total.
you could try installing PC Tools Spyware Doctor.
It's like Ad-Aware but much better.
Run HijackThis and post the log here. I will point out which things are nasty little bastards.
Trend Micro bought the company that made it, but it's still an invaluable utility in finding new stuff.
http://www.download.com/Trend-Micro-Hij ... 27353.html
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:53 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9084605832
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 4624 bytes
Most of this seems legitimate to me. She has an iPod, iolo software (System Mechanic), etc.; not sure of all of it though.
I personally use Malwarebytes Anti-Malware and SUPERAntiSpyware for spyware stuff; I use Spybot for the immunise function only.
For viruses I use AVG.
With this combo in the past I took out a nasty little rewrite trojan bugger that kept infecting all over the place.
Haven't found a better combination of programs so far.
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
Those are not good... they look legitimate, but do you have anything actually installed called MS Antispyware?
This is a common (and nasty) malware/spyware product that people overlook because it DOES look legitimate.
I have had machines that I could not remove this completely from and had to wipe them and start fresh, but your best bet is to google "MS Antispyware removal", or something to that effect.
Kas
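The two O4 entries Kas singles out can be picked out mechanically. This is an added example written for this thread, not a tool any poster used or part of HijackThis: it parses the O4 (registry Run) lines of a HijackThis log (the four from the posted log are reproduced as constructed sample input) and flags Run values that launch from a user-writable folder, carry a security-product-sounding name outside Program Files, or are registered under several user hives at once. The folder and keyword lists are my own assumptions.

```python
"""Triage HijackThis O4 (registry Run) entries. Added example for this thread,
not HijackThis code. Assumed heuristics: executable in a user-writable folder,
security-product name outside Program Files, or one Run value registered under
several hives (as "MS AntiSpyware 2009" is in the posted log)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the four O4 lines from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")  # assumed list
SECURITY_WORDS = ("antispyware", "antivirus", "security", "defender")       # assumed list

@dataclass
class RunEntry:
    hive: str            # HKLM, HKCU, HKUS\<SID>, ...
    name: str            # Run value name shown in [brackets]
    exe: str             # executable path, or first token of an unquoted command
    user: Optional[str]  # account from the trailing (User '...') suffix, if any

def parse_o4_entries(log_text: str) -> List[RunEntry]:
    """Parse every O4 line in a HijackThis log; other lines are ignored."""
    entries: List[RunEntry] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd, user = m["cmd"], None
        um = USER_RE.search(cmd)
        if um:
            user, cmd = um["user"], cmd[: um.start()]
        if cmd.startswith('"'):  # quoted path: take up to the closing quote
            end = cmd.find('"', 1)
            exe = cmd[1:end] if end > 0 else cmd[1:]
        else:  # unquoted: first whitespace-delimited token
            exe = cmd.split(None, 1)[0] if cmd.strip() else ""
        entries.append(RunEntry(m["hive"], m["name"], exe, user))
    return entries

def triage(log_text: str) -> Dict[str, Set[str]]:
    """Return {Run value name: reasons} for entries matching a heuristic."""
    entries = parse_o4_entries(log_text)
    hives: Dict[str, Set[str]] = {}
    for e in entries:
        hives.setdefault(e.name, set()).add(e.hive)
    findings: Dict[str, Set[str]] = {}
    for e in entries:
        exe, reasons = e.exe.lower(), set()
        if any(d in exe for d in USER_WRITABLE):
            reasons.add("runs from user-writable folder: " + e.exe)
        if any(w in e.name.lower() for w in SECURITY_WORDS) and "\\program files\\" not in exe:
            reasons.add("security-product name outside Program Files")
        if len(hives[e.name]) > 1:
            reasons.add("registered under %d hives" % len(hives[e.name]))
        if reasons:
            findings.setdefault(e.name, set()).update(reasons)
    return findings
```

Run against the sample, only the "MS AntiSpyware 2009" value is reported, with all three reasons; the NVIDIA entries pass.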
Oo, I had that MS Antispyware virus... took a while, but it's how I discovered Malwarebytes. Googled it when I had it, and that was suggested to remove it.
On a funny note:
Once had a spyware that was advertising for a spyware program... it was a pain to remove. Googled the program, checked their website... BEHOLD! A 1-800 number! Called them up, got a sales person and asked why they are infecting my PC with their crap to try and sell me the program to fix a problem they created. Got the run around for a bit, got a manager, gave him shit. They assure me it's not them, yadda yadda; a few threats later they offered me a free licence to their crapware... so I refused it, told 'em where to stick it and removed the program after some effort. Never seen or heard of the program or company since!
Thanks. Yes, that Crucial "MS AntiSpyware" seems to be the problem, but the executable was hidden and did not show up as running. I googled this and manually deleted the related files and registry keys. When I deleted the Crucial stuff, System Mechanic was able to find a suspicious MS Config autoconfiguration file at start up (not sure if it was not present, or if hidden). Verified with Wireshark that the PC is not sending traffic to "feelyouinside.com". When I cut off the IP address, it still tried to contact the site, just that volume was way diminished and no incoming traffic. Not sure why Ad-Aware or McAfee with latest updates would not find it.
Computer still acting flaky in certain ways; assuming it is collateral damage from that software, but still checking stuff. Weird disc problem that can't be found, disk check will not even run, can't run MS Update (get errors), Windows Explorer won't open. Other than this, computer actually running OK and running everything else OK. Will work through this.
Thanks for help.
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
The only one I know for sure is bad is the one Kasantitz pointed out.
Honestly, if that much weird stuff is happening... put all that music on an external hard drive and reinstall. It's not worth the headache, and you can be done in 2 hours. That's just my opinion though.
Office CAN actually add those buttons, but I am paranoid and don't trust Microsoft either so I always remove entries like that. Also, I agree with Alsmack, back it up and rebuild; it is the easiest way. Programs can always be downloaded and re-installed.