fartness (banned) (Member, joined 2003-03-25, Look Outside)
2008-Sep-17 12:06 am
File downloaded automatically?
I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.
I then got an install dialogue for some anti-virus (which was probably a virus)... I didn't even download anything... what happened? Ideas?
I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.
Thanks.
fartness (banned)
2008-Sep-17 12:13 am
My desktop image also changed to this. I'm going to run adaware now. Any good online virus scans to use? Seems my cookies keep getting deleted too.
KiZiller (Anon) to fartness
2008-Sep-17 12:15 am
Do a forum search on "WinAntivirus".

KiZiller (Anon) to fartness
2008-Sep-17 12:24 am
Sorry, make that "XP Antivirus". Here you go... » /nsear ··· virus%22
To make a long story short and to stave off the customary nerdz endlessly posting a link to the clean up forum, run the utilities MalwareBytes and SuperAntiSpyware to repair. Then follow up with Exaspery's tool and SpyBot. You will be good to go.
mysec (Premium Member, joined 2005-11-29) to fartness
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.
Do you still have the link where the download occurred?
Nimbus (Anon) to fartness
2008-Sep-17 1:05 am
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.
In XP, the Windows Firewall does not watch outbound traffic so the svchost access warning had to come from something else. That can't be good.
Anon Name (Anon) to fartness
2008-Sep-17 1:13 am
XP Antivirus needs a swift kick in the nuts.....
to fartness
you could do scans with "superantispyware" and/or "malwarebytes", and see if they find anything.. those two programs have good reputations for removing malware-infections.. there are free versions of both of those programs.. here is a link for "superantispyware": » www.superantispyware.com/
here is a link for downloading the free version of "malwarebytes": » www.besttechie.net/mbam/ ··· etup.exe
Trel (Premium Member, joined 2002-10-08, USA) to fartness
said by fartness: I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.
Honestly I think that's your problem. I may be wrong, but MS might not be giving security updates to IE6 anymore. I'm almost positive there's a multitude of ways that this can get in with an insecure IE. I'm not knowledgeable with securing IE, so I can't help you with that, but unless you're using Windows 2000, I'd recommend going to IE 7 at the very least, though switching browsers to Firefox (or Seamonkey) and using Noscript would be even better.
fartness (banned)
2008-Sep-17 3:47 am
I always keep IE 6 updated, and Java has been updated too. Not sure what caused this. I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do? That Vundo removal tool didn't find anything... odd.
Cudni (MVM, joined 2003-12-20, Someshire)
2008-Sep-17 4:09 am
said by fartness: I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?
make sure that you followed the steps listed in » Security Cleanup FAQ » Mandatory Steps Before Requesting Assistance, and post in the SCU forum for further assistance.
Cudni
redwolfe_98 to fartness
you could try booting into "safe mode" and do scans with your antimalware programs while in safe mode.. try that.. to boot into "safe mode", restart the computer and then tap the "F8" key as the computer is booting up.. that should give you a DOS-looking screen with options for booting into safe mode.. follow the prompts to boot into safe mode.. in the DOS window, use the up and down arrow-keys (on your keyboard) to navigate the screen..
otherwise, you can get expert assistance with removing the malware in the "security cleanup" forum.. also, you could ask for help in the "superantispyware" forum, or get help from "superantispyware" by creating a "support ticket" with them..
did you scan with the "malwarebytes" program? if not, you should try that.. as i said before, it could help to do the scanning while in "safe mode".. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware..
again, you still might wind up needing expert assistance in removing the malware, which you can get in the "security cleanup" forum.. here is a link for it: » Security Cleanup
SipSizzurp (Premium Member, joined 2005-12-28, Houston, TX)
said by redwolfe_98: .. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware..
Bullshit, young man. This virus runs great in safe mode, fake desktop with panic pop-ups and all. Most anti-malware / anti-virus programs will not run, or run in limited command line mode only. You obviously have no first hand experience with this vermin, but the rest of the advice you have read and repeated is pretty sound.
to fartness
so, fartness, SAS (superantispyware) won't remove the "rootkit" that it is detecting? if that is the case, and if you have already tried running a scan while in safe mode, i think you should create a "support ticket" with "superantispyware" and try working with them to try to resolve the issue..
i would say to post about the issue in the SAS forum, but they always reply by saying "create a support ticket"..
i am not saying that you can't try other things, but i think it would be good to contact SAS by creating a support ticket with them since SAS is flagging something..
BKayrac (Premium Member, joined 2001-09-29) to fartness
Can't say i've seen many xp antivirus variants running rootkit installs, usually just a few files and super easy cleanup. that being said, what files are superantispyware detecting exactly? full path would help figure out exactly what's going on.
also a hijackthis log would be of assistance.
and to answer your original post, ie 6 is an issue right there, at least upgrade to IE 7, hell there's IE 8 betas out, you're like 5 years behind. that being said, you're also almost certainly running some out of date software, as these drive by downloads ALWAYS use some exploit, be it an IE 6 exploit, realplayer, adobe, or whatever. download and install this » secunia.com/vulnerabilit ··· ersonal/
it's quite possibly the coolest piece of software i've ever found, it scans your system for programs with vulnerabilities, lets you know about them, gives you the download link etc etc, i suggest leaving that program running to be up to date all the time. I'll put money that the secunia PSI finds a lot of stuff on your computer with security holes.
another good piece of software » filehippo.com/updatechecker/ (just disable showing beta updates after you install it)
-Brian
Trel (Premium Member, joined 2002-10-08, USA) to fartness
said by fartness: I always keep IE 6 updated, and Java has been updated too. Not sure what caused this. I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do? That Vundo removal tool didn't find anything... odd.
Based on that pic, you're using XP. I didn't say that IE6 wasn't updated. I said I think there may be vulnerabilities in 6 that Microsoft won't fix because of the update to IE7. When you update java, do you go to add/remove programs and uninstall the old versions?
fartness (banned)
2008-Sep-17 7:29 pm
Yes to the java question.
I don't like IE 7 though.
OZO (Premium Member, joined 2003-01-17)
2008-Sep-17 11:58 pm
Don't hope for a big difference between IE7 and IE6. From the security perspective they are almost the same. The rumors about higher security of IE7 are just a result of marketing.
Try to catch why and how it happened. I, personally, have never seen that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to see a proof of its possibility.
Good luck!
P.S. I run IE with Javascript always 'on' and use native MSJVM (v.5.0.3810.0), not Sun Java.
mysec (Premium Member, joined 2005-11-29)
2008-Sep-18 2:20 am
said by OZO: I, personally, have never seen that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to see a proof of its possibility.
Actually, there are a number of remote code execution exploits still being targeted against IE6.
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.
The use of the filename svchost is an obvious ploy. Use of this trick in an IE6 exploit appeared most recently in mpack and gpack exploits. Here is a typical one. A malicious file -- often a spoofed executable to get by anything filtering *.exe -- is downloaded by remote code execution (drive-by download), renamed to svchost.exe, copied to a system folder, executed, and attempts to connect out to download more junk. » www.urs2.net/rsj/computi ··· uth.html
There are variations on this, so in your particular case, without seeing the exploit run, it's hard to know exactly what happened. Which is why I asked earlier in the thread if you had the URL. The question of how Windows Firewall alerted (which has no outbound protection) was not answered. Do you have other security which would alert to this?
Since this seems to be a drive-by download, it doesn't fit the recent WinAntiVirus XP Antivirus exploits, since bcastner remarked in another thread that they are click-to-install exploits. I too have not seen any recent ones that are drive-by downloads.
said by fartness: I ran those programs. They took out a bunch of stuff
Unfortunately, without seeing that bunch of stuff, we can't analyze the exploit. The fact that you didn't allow svchost.exe to connect out raises the question as to how other malicious files became installed. So, it is possible that you encountered multiple exploits - several things going on at once.
Here is an old one that uses a WinAntiVirus screen but it is simply to divert the user while a trojan downloader is installed in the background. If the user declines to install the antivirus and simply closes the window, she/he may not realize that anything has happened until later. » www.urs2.net/rsj/computi ··· /driveby
MagnusM (Premium Member, joined 2001-07-07) to fartness
This is a new variant by the same people who brought you XP Antivirus. This one is called Antivirus XP (very creative of them). As you can see you have a rootkit on there now (TDSServ.sys). This is used to hide the processes for Antivirus XP but in the variants we've seen it actually fails to do this because it isn't properly interacting with the rootkit code.
You should boot into Safe Mode (or even better: Recovery Console) and remove the file C:\Windows\System32\drivers\TDSServ.sys. You can verify that the driver file has been removed by creating an empty text file in the C:\Windows\System32\drivers directory and renaming it TDSServ.sys. If that works and you don't get any error message about the file already existing then you've successfully removed the driver file.
The rootkit also creates registry entries under HKLM\System\CurrentControlSet\Services\TDSServ, but you can worry about those later when rebooting in normal mode.
As for the Antivirus XP files, they will be in your C:\Program Files folder, under a random directory name. Kill the process and remove the folder and you should be all set.
I would also recommend that you download Process Explorer and look very carefully for instances of svchost.exe that are not running under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE account (i.e. running under a user account). This would be the actual downloader which you should also kill and delete to avoid any further malware being downloaded and installed.
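A scripted version of the svchost.exe check MagnusM describes above (and of the renamed-downloader pattern mysec describes earlier in the thread), added here as an example and not code from the thread or any of its posters: it parses the output of `tasklist /V /FO CSV` on XP and flags every svchost.exe whose owner is not one of the three service accounts, which is the instance Process Explorer would show as the downloader. The sample rows, the machine name LAPTOP and the account LAPTOP\fartness are constructed, not taken from the OP's machine.

```python
import csv
import io

# Accounts that legitimate svchost.exe instances run under on Windows XP.
# Anything else (a user account) is the suspect per the thread's advice.
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample of `tasklist /V /FO CSV` output (not a real capture).
# The last row is the planted copy running under the logged-on user.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"svchost.exe","824","Console","0","4,936 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"svchost.exe","1020","Console","0","3,112 K","Running","NT AUTHORITY\\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1072","Console","0","22,404 K","Running","NT AUTHORITY\\SYSTEM","0:00:09","N/A"
"explorer.exe","1544","Console","0","18,220 K","Running","LAPTOP\\fartness","0:00:12","N/A"
"svchost.exe","2380","Console","0","2,540 K","Running","LAPTOP\\fartness","0:00:00","N/A"
'''


def parse_tasklist_csv(text):
    """Parse `tasklist /V /FO CSV` output into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def suspicious_svchost(rows):
    """Return (pid, user) for every svchost.exe not owned by a service account.

    Image names are compared case-insensitively because tasklist preserves
    whatever case the on-disk filename has; account names are upper-cased
    for the same reason.
    """
    hits = []
    for row in rows:
        if row["Image Name"].lower() != "svchost.exe":
            continue
        user = row["User Name"]
        if user.upper() not in SERVICE_ACCOUNTS:
            hits.append((int(row["PID"]), user))
    return hits


if __name__ == "__main__":
    for pid, user in suspicious_svchost(parse_tasklist_csv(SAMPLE_TASKLIST)):
        print(f"svchost.exe PID {pid} runs as {user}: check its image path in Process Explorer")
```

On a live machine, feed it the real output with `tasklist /V /FO CSV > tasks.csv` and read that file instead of SAMPLE_TASKLIST; a hit still needs its image path confirmed before anything is killed or deleted.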
BKayrac (Premium Member, joined 2001-09-29)
2008-Sep-18 6:38 am
Good stuff magnus, interesting to see they moved to using rootkits. i was wondering why a program called it a rootkit, never seen them with one before, but i suppose they're always changing.
-Brian
fartness (banned) to MagnusM
I created the file, so it must be gone. I think I still have other stuff too. This second screen shot, it keeps finding and deleting that registry key. I also posted a netstat -an. My websites do not keep me logged in anymore (cookie seems to be deleted every time). Also this is a Sony laptop. The battery management keeps disabling each reboot. I have it set up so if I unplug the power cord, the screen goes darker. It stays on the same brightness without it enabled. Ideas? Thanks!
to fartness
fartness, you could move over to the "security cleanup" forum and ask for help, there.. you haven't said anything about scanning with an antivirus program, but i assume that you did that..
if i were you, when you post in the security cleanup forum, i would mention that you have tried scanning with various programs but that you are still having problems, and, in your post, you may as well include a "hijackthis" log.. there are experts, there, who will help you finish cleaning the computer..
you didn't say whether or not you ever did any scans in safe mode.. i assume that you did..
you can get to the "security cleanup" forum by clicking the "tab" for it, at the top of this forum..
fartness (banned)
2008-Sep-18 10:40 am
I will see if I can get the thread moved.
I have tried in safe mode too.
I'll look around to see what hijackthis is.
you can download "hijackthis" from "trendmicro".. i would download the zipped version, and unzip it.. here is a link for it: » www.trendsecure.com/port ··· download
just run the program, save the log, and copy-n-paste it..
mysec (Premium Member, joined 2005-11-29) to MagnusM
said by MagnusM: This is a new variant by the same people who brought you XP Antivirus.
Is this variant a drive-by download attack, or click-to-install?
MagnusM (Premium Member, joined 2001-07-07)
2008-Sep-18 4:49 pm
said by mysec: said by MagnusM: This is a new variant by the same people who brought you XP Antivirus. Is this variant a drive-by download attack, or click-to-install?
It's a drive-by download. We've seen it being installed through the recent Flash player vulnerability. I'd recommend everyone to upgrade to the latest version of Flash -- you need to be running version 9.0.124.0.
mysec (Premium Member, joined 2005-11-29)
2008-Sep-18 5:29 pm
Do we know enough from what the OP has said to assume it installed through a Flash player vulnerability?
fartness (banned)
2008-Sep-18 7:43 pm
How do I find my current version?
MagnusM (Premium Member, joined 2001-07-07)
2008-Sep-18 8:01 pm
Go here and it will tell you your current Flash version number: » www.macromedia.com/softw ··· h/about/