fartness (banned) [Member, join:2003-03-25]
File downloaded automatically?

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.

I then got an install dialogue for some anti-virus (which was probably a virus)... I didn't even download anything... what happened? Ideas?

I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.

Thanks.
fartness

fartness (banned) [Member]
My desktop image also changed to this.

I'm going to run adaware now.

Any good online virus scans to use?

Seems my cookies keep getting deleted too.

KiZiller [Anon, @rr.com] to fartness
Do a forum search on "WinAntivirus".
KiZiller [Anon] to fartness
Sorry, make that "XP Antivirus". Here you go...

»/nsear ··· virus%22

To make a long story short and to stave off the customary nerdz endlessly posting a link to the clean up forum, run the utilities MalwareBytes and SuperAntiSpyware to repair. Then follow up with Exaspery's tool and SpyBot. You will be good to go.
mysec [Premium Member, join:2005-11-29] to fartness
said by fartness:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.

Do you still have the link where the download occurred?


Nimbus [Anon, @verizon.net] to fartness
said by fartness:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.
In XP, the Windows Firewall does not watch outbound traffic so the svchost access warning had to come from something else. That can't be good.

Anon Name [Anon, @telus.net] to fartness
XP Antivirus needs a swift kick in the nuts.....
redwolfe_98 [Premium Member, join:2001-06-11] to fartness
you could do scans with "superantispyware" and/or "malwarebytes", and see if they find anything.. those two programs have good reputations for removing malware-infections.. there are free versions of both of those programs..

here is a link for "superantispyware":

»www.superantispyware.com/

here is a link for downloading the free version of "malwarebytes":

»www.besttechie.net/mbam/ ··· etup.exe

Trel [Premium Member, join:2002-10-08, USA] to fartness
said by fartness:

I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.
Honestly I think that's your problem. I may be wrong, but MS might not be giving security updates to IE6 anymore. I'm almost positive there's a multitude of ways that this can get in with an insecure IE. I'm not knowledgeable with securing IE, so I can't help you with that, but unless you're using Windows 2000, I'd recommend going to IE 7 at the very least, though switching browsers to Firefox (or Seamonkey) and using Noscript would be even better.
fartness (banned) [Member]
I always keep IE 6 updated, and Java has been updated too. Not sure what caused this.

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?

That Vundo removal tool didn't find anything... odd.

Cudni [MVM, join:2003-12-20]
said by fartness:

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?
make sure that you followed steps listed
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
and post in SCU forum for further assistance

Cudni
redwolfe_98 [Premium Member, join:2001-06-11] to fartness
you could try booting into "safe mode" and do scans with your antimalware programs while in safe mode.. try that..

to boot into "safe mode", restart the computer and then tap the "F8" key as the computer is booting up.. that should give you a DOS-looking screen with options for booting into safe mode.. follow the prompts to boot into safe mode..

in the DOS window, use the up and down arrow-keys (on your keyboard) to navigate the screen..

otherwise, you can get expert assistance with removing the malware in the "security cleanup" forum.. also, you could ask for help in the "superantispyware" forum, or get help from "superantispyware" by creating a "support ticket" with them..

did you scan with the "malwarebytes" program? if not, you should try that.. as i said before, it could help to do the scanning while in "safe mode".. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware.. again, you still might wind up needing expert assistance in removing the malware, which you can get in the "security cleanup" forum.. here is a link for it:

»Security Cleanup
SipSizzurp [Premium Member, join:2005-12-28, Houston, TX]
said by redwolfe_98:

.. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware..
Bullshit, young man. This virus runs great in safe mode, fake desktop with panic pop-ups and all. Most anti-malware / anti-virus programs will not run, or run in limited command line mode only. You obviously have no first hand experience with this vermin, but the rest of the advice you have read and repeated is pretty sound.
redwolfe_98 [Premium Member, join:2001-06-11] to fartness
so, fartness, SAS (superantispyware) won't remove the "rootkit" that it is detecting? if that is the case, and if you have already tried running a scan while in safe mode, i think you should create a "support ticket" with "superantispyware" and try working with them to try to resolve the issue..

i would say to post about the issue in the SAS forum, but they always reply by saying "create a support ticket"..

i am not saying that you can't try other things, but i think it would be good to contact SAS by creating a support ticket with them since SAS is flagging something..

BKayrac [Premium Member, join:2001-09-29] to fartness
Can't say i've seen many xp antivirus variants running rootkit installs, usually just a few files and super easy cleanup

that being said, what files are superantispyware detecting exactly? full path would help figure out exactly what's going on

-Brian

also a hijackthis log would be of assistance

and to answer your original post, ie 6 is an issue right there, at least upgrade to IE 7, hell there's IE 8 betas out, you're like 5 years behind

that being said, you're also almost certainly running some out of date software, as these drive by downloads ALWAYS use some exploit, be it an IE 6 exploit, realplayer, adobe, or whatever

download and install this

»secunia.com/vulnerabilit ··· ersonal/

it's quite possibly the coolest piece of software i've ever found, it scans your system for programs with vulnerabilities, lets you know about them, gives you the download link etc etc, i suggest leaving that program running to be up to date all the time

I'll put money that the secunia PSI finds a lot of stuff on your computer with security holes

another good piece of software

»filehippo.com/updatechecker/

(just disable showing beta updates after you install it)

Trel [Premium Member, join:2002-10-08, USA] to fartness
said by fartness:

I always keep IE 6 updated, and Java has been updated too. Not sure what caused this.

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?

That Vundo removal tool didn't find anything... odd.
Based on that pic, you're using XP. I didn't say that IE6 wasn't updated. I said I think there may be vulnerabilities in 6 that Microsoft won't fix because of the update to IE7.

When you update java, do you go to add/remove programs and uninstall the old versions?
fartness (banned) [Member]
Yes to the java question.

I don't like IE 7 though.
OZO [Premium Member, join:2003-01-17]
Don't hope for a big difference between IE7 and IE6. From the security perspective they are almost the same. The rumors about the higher security of IE7 are just the result of marketing.

Try to catch why and how it happened. I, personally, have never seen IE6 (or IE7) download a file without my explicit consent. But, at the same time, I'm open to seeing proof that it is possible.

Good luck!

P.S. I run IE with Javascript always 'on' and use native MSJVM (v.5.0.3810.0), not Sun Java.
mysec [Premium Member, join:2005-11-29]
said by OZO:

I, personally, have never seen IE6 (or IE7) download a file without my explicit consent. But, at the same time, I'm open to seeing proof that it is possible.

Actually, there are a number of remote code execution exploits still being targeted against IE6.
said by fartness:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.

The use of the filename svchost is an obvious ploy.

Use of this trick in an IE6 exploit appeared most recently in mpack and gpack exploits.

Here is a typical one. A malicious file -- often a spoofed executable to get by anything filtering *.exe -- is downloaded by remote code execution (drive-by download), renamed to svchost.exe, copied to a system folder, executed, and attempts to connect out to download more junk.

»www.urs2.net/rsj/computi ··· uth.html

There are variations on this, so in your particular case, without seeing the exploit run, it's hard to know exactly what happened.

Which is why I asked earlier in the thread if you had the URL.

The question of how Windows Firewall alerted (which has no outbound protection) was not answered. Do you have other security which would alert to this?

Since this seems to be a drive-by download, it doesn't fit the recent WinAntiVirus / XP Antivirus exploits, since bcastner remarked in another thread that they are click-to-install exploits. I too have not seen any recent ones that are drive-by downloads.
said by fartness:

I ran those programs. They took out a bunch of stuff

Unfortunately, without seeing that bunch of stuff, we can't analyze the exploit.

The fact that you didn't allow svchost.exe to connect out raises the question as to how other malicious files became installed.

So, it is possible that you encountered multiple exploits - several things going on at once.

Here is an old one that uses a WinAntiVirus screen but it is simply to divert the user while a trojan downloader is installed in the background.

If the user declines to install the antivirus and simply closes the window, she/he may not realize that anything has happened until later.

»www.urs2.net/rsj/computi ··· /driveby


MagnusM [Premium Member, join:2001-07-07] to fartness
This is a new variant by the same people who brought you XP Antivirus. This one is called Antivirus XP (very creative of them). As you can see you have a rootkit on there now (TDSServ.sys). This is used to hide the processes for Antivirus XP but in the variants we've seen it actually fails to do this because it isn't properly interacting with the rootkit code.

You should boot into Safe Mode (or even better: Recovery Console) and remove the file C:\Windows\System32\drivers\TDSServ.sys. You can verify that the driver file has been removed by creating an empty text file in the C:\Windows\System32\drivers directory and renaming it TDSServ.sys. If that works and you don't get any error message about the file already existing then you've successfully removed the driver file.

The rootkit also creates registry entries under HKLM\System\CurrentControlSet\Services\TDSServ, but you can worry about those later when rebooting in normal mode.

As for the Antivirus XP files, they will be in your C:\Program Files folder, under a random directory name. Kill the process and remove the folder and you should be all set.

I would also recommend that you download Process Explorer and look very carefully for instances of svchost.exe that are not running under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE account (i.e. running under a user account). This would be the actual downloader which you should also kill and delete to avoid any further malware being downloaded and installed.
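Added example, not code from this thread: a PowerShell script that automates the Process Explorer check MagnusM describes (svchost.exe instances not owned by the three built-in service accounts), extends it with the image-path test implied by mysec's description of a downloader renamed to svchost.exe and dropped into a system folder, and looks for the TDSServ driver file and service key named in the post. It assumes Windows PowerShell with WMI access; the function names and output fields are my own.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell with WMI access.
$serviceAccounts = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')   # accounts MagnusM lists
$system32        = Join-Path $env:windir 'System32'                  # where the real svchost.exe lives

function Get-SuspectSvchost {
    # Enumerate every process named svchost.exe through WMI so we can ask for its owner.
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $owner = $_.GetOwner()
        $user  = if ($owner.ReturnValue -eq 0) { $owner.User } else { '<unknown>' }
        $path  = $_.ExecutablePath
        $reasons = @()
        # A legitimate service host runs under one of the built-in service accounts...
        if ($serviceAccounts -notcontains $user.ToUpper()) {
            $reasons += "owner is '$user'"
        }
        # ...and its image sits in %windir%\System32, not a profile, temp or Program Files folder.
        if (-not $path -or -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
            $reasons += "image path is '$path'"
        }
        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                ProcessId = $_.ProcessId
                Owner     = $user
                Path      = $path
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

function Test-TdsServArtifacts {
    # Driver file and service key named in the thread; both should be absent on a clean machine.
    $driver = Join-Path $system32 'drivers\TDSServ.sys'
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\TDSServ'
    New-Object PSObject -Property @{
        DriverFilePresent = Test-Path -LiteralPath $driver
        ServiceKeyPresent = Test-Path -LiteralPath $key
    }
}

# Run both checks; an empty first table and two False values is the expected clean result.
Get-SuspectSvchost | Format-Table ProcessId, Owner, Path, Reason -AutoSize
Test-TdsServArtifacts
```

Run it from an elevated prompt, since GetOwner() fails (and the owner shows as <unknown>) for processes the current user cannot open.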

BKayrac [Premium Member, join:2001-09-29]
Good stuff magnus

interesting to see they moved to using rootkits, i was wondering why a program called it a rootkit, never seen them with one before, but i suppose they're always changing

-Brian
fartness (banned) [Member] to MagnusM
I created the file, so it must be gone.

I think I still have other stuff too.

This second screen shot, it keeps finding and deleting that registry key.

I also posted a netstat -an

My websites do not keep me logged in anymore (cookie seems to be deleted every time).

Also this is a Sony laptop. The battery management keeps disabling each reboot. I have it set up so if I unplug the power cord, the screen goes darker. It stays on the same brightness without it enabled.

Ideas? Thanks!
redwolfe_98 [Premium Member, join:2001-06-11] to fartness
fartness, you could move over to the "security cleanup" forum and ask for help, there.. you haven't said anything about scanning with an antivirus program, but i assume that you did that..

if i were you, when you post in the security cleanup forum, i would mention that you have tried scanning with various programs but that you are still having problems, and, in your post, you may as well include a "hijackthis" log.. there are experts, there, who will help you finish cleaning the computer..

you didn't say whether or not you ever did any scans in safe mode.. i assume that you did..

you can get to the "security cleanup" forum by clicking the "tab" for it, at the top of this forum..
fartness (banned) [Member]
I will see if I can get the thread moved.

I have tried in safe mode too.

I'll look around to see what hijackthis is.
redwolfe_98 [Premium Member, join:2001-06-11]
you can download "hijackthis" from "trendmicro".. i would download the zipped version, and unzip it.. here is a link for it:

»www.trendsecure.com/port ··· download

just run the program, save the log, and copy-n-paste it..
mysec [Premium Member, join:2005-11-29] to MagnusM
said by MagnusM:

This is a new variant by the same people who brought you XP Antivirus.

Is this variant a drive-by download attack, or click-to-install?


MagnusM [Premium Member, join:2001-07-07]
said by mysec:

said by MagnusM:

This is a new variant by the same people who brought you XP Antivirus.

Is this variant a drive-by download attack, or click-to-install?

It's a drive-by download. We've seen it being installed through the recent Flash player vulnerability. I'd recommend everyone to upgrade to the latest version of Flash -- you need to be running version 9.0.124.0.
mysec [Premium Member, join:2005-11-29]
Do we know enough from what the OP has said to assume it installed through a Flash player vulnerability?


fartness (banned) [Member]
How do I find my current version?

MagnusM [Premium Member, join:2001-07-07]
Go here and it will tell you your current Flash version number:

»www.macromedia.com/softw ··· h/about/