File downloaded automatically? in Security

File downloaded automatically? in Security http://www.dslreports.com/forum/r21122897 en Wed, 11 Nov 2009 16:01:47 EDT Wed, 11 Nov 2009 16:01:47 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21159396 redwolfe_98 : fartness, if NAV keeps finding new malware on your computer, you must have some malware on your computer that is downloading it..

you should go to the "security cleanup" forum, for expert assistance in removing the malware from your computer..]]> http://www.dslreports.com/forum/remark,21159396 Wed, 24 Sep 2008 07:22:29 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21154604 fartness : Norton said I have twext.exe - and it still keeps saying it found things.]]> http://www.dslreports.com/forum/remark,21154604 Tue, 23 Sep 2008 11:00:46 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21135112 redwolfe_98 : fartness, to update flash player, you have to uninstall the old version first and then install the new version..

you can download the flash player uninstaller from this webpage:

»kb.adobe.com/selfservice/viewCon···liceId=1

after you uninstall the old version, go back to the adobe website and install the new version, from there.. on the adobe homepage, on the right side of the webpage, you will see a "button" that says "get adobe flash player"..

here is a link for the webpage, for installing "flash player":

»www.adobe.com/shockwave/download···id=BUIGP]]> http://www.dslreports.com/forum/remark,21135112 Fri, 19 Sep 2008 04:04:25 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21135087 The Snowman :

Looks like : " Spy-Agent.bw ".....a trojan.

The latest infection comes by way of email...regarding a "Flight Ticket".........can also come by way of P2P and Chat, and infected websites.

Installs several hidden folders and makes registry changes.

Middle of August was the lateness noticed of this infection......so just about any decent anti-virus should remove it.

Of course I could be in-correct.]]> http://www.dslreports.com/forum/remark,21135087 Fri, 19 Sep 2008 03:27:18 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21134649 ZOverLord : I just removed this from someones computer 2 days ago with:

»www.malwarebytes.org/

Even Windows Once Care, SpyBot and other tools could NOT remove this.
--
The Best Phone Services and 3rd Party Applications With The Highest Quality Worldwide »SaveOnTelephoneBills.com]]> http://www.dslreports.com/forum/remark,21134649 Fri, 19 Sep 2008 00:03:36 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21134317 redwolfe_98 : just a comment.. even with a "flash player" that has no publicly known vulnerabilities, one is still vulnerable to flash player "malvertizements", through flash player..

i don't know the ins-and-outs of the risks from flash player "malvertizements"..

fartness, you should start a thread in the "security cleanup" forum, if you want some expert assistance in cleaning the malware from your computer.. there must be a problem, somewhere, i would think, if something keeps regenerating the regkey that "malwarebytes", supposedly, removes..]]> http://www.dslreports.com/forum/remark,21134317 Thu, 18 Sep 2008 22:53:51 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21134293 fartness : I have 9.0.28.0]]> http://www.dslreports.com/forum/remark,21134293 Thu, 18 Sep 2008 22:48:32 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21133470 MagnusM : Go here and it will tell you your current Flash version number:

»www.macromedia.com/software/flash/about/
--
Mischel Internet Security - Developer of TrojanHunter]]> http://www.dslreports.com/forum/remark,21133470 Thu, 18 Sep 2008 20:01:37 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21133375 fartness : How do I find my current version?]]> http://www.dslreports.com/forum/remark,21133375 Thu, 18 Sep 2008 19:43:58 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21132649 mysec : Do we know enough from what the OP has said to assume it installed through a Flash player vulnerability?

---]]> http://www.dslreports.com/forum/remark,21132649 Thu, 18 Sep 2008 17:29:34 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21132403 MagnusM :

said by mysec

said by MagnusM

:

This is a new variant by the same people who brough you XP Antivirus.

Is this variant a drive-by download attack, or click-to-install?

It's a drive-by download. We've seen it being installed through the recent Flash player vulnerability. I'd recommend everyone to upgrade to the latest version of Flash -- you need to be running version 9.0.124.0.]]> http://www.dslreports.com/forum/remark,21132403 Thu, 18 Sep 2008 16:49:42 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21130813 mysec :

said by MagnusM

:

This is a new variant by the same people who brough you XP Antivirus.

Is this variant a drive-by download attack, or click-to-install?

---]]> http://www.dslreports.com/forum/remark,21130813 Thu, 18 Sep 2008 11:53:38 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21130651 redwolfe_98 : you can download "hijackthis" from "trendmicro".. i would download the zipped version, and unzip it.. here is a link for it:

»www.trendsecure.com/portal/en-US···download

just run the program, save the log, and copy-n-paste it.. ]]> http://www.dslreports.com/forum/remark,21130651 Thu, 18 Sep 2008 11:24:47 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21130411 fartness : I will see if I can get the thread moved.

I have tried in safe mode too.

I'll look around to see what hijackthis is.]]> http://www.dslreports.com/forum/remark,21130411 Thu, 18 Sep 2008 10:40:03 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21130125 redwolfe_98 : fartness, you could move over to the "security cleanup" forum and ask for help, there.. you haven't said anything about scanning with an antivirus program, but i assume that you did that..

if i were you, when you post in the security cleanup forum, i would mention that you have tried scanning with various programs but that you are still having problems, and, in your post, you may as well include a "hijackthis" log.. there are experts, there, who will help you finish cleaning the computer..

you didn't say whether or not you ever did any scans in safe mode.. i assume that you did..

you can get to the "security cleanup" forum by clicking the "tab" for it, at the top of this forum.. ]]> http://www.dslreports.com/forum/remark,21130125 Thu, 18 Sep 2008 09:43:04 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21129823 fartness : I created the file, so it must be gone.

I think I still have other stuff too.

This second screen shot, it keeps finding and deleting that registry key.

I also posted a netstat -an

My websites do not keep me logged in anymore (cookie seems to be deleted everytime).

Also this is a Sony laptop. The battery management keeps disabling each reboot. I have it set up so if I unplug the power cord, the screen goes darker. It stays on the same brightness without it enabled.

Ideas? Thanks!

]]> http://www.dslreports.com/forum/remark,21129823 Thu, 18 Sep 2008 08:17:27 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21129660 Kayrac : Good stuff magnus ;)

interesting to see they moved to using rootkits, i was wondering why a program called it a rootkit, never seen them with one before, but i suppose there always changing :)

-Brian]]> http://www.dslreports.com/forum/remark,21129660 Thu, 18 Sep 2008 06:38:51 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21129609 MagnusM : This is a new variant by the same people who brough you XP Antivirus. This one is called Antivirus XP (very creative of them). As you can see you have a rootkit on there now (TDSServ.sys). This is used to hide the proceses for Antivirus XP but in the variants we've seen it actually fails to do this because it isn't properly interacting with the rootkit code.

You should boot into Safe Mode (or even better: Recovery Console) and remove the file C:\Windows\System32\drivers\TDSServ.sys. You can verify that the driver file has been removed by creating an empty text file in the C:\Windows\System32\drivers directory and renaming it TDSServ.sys. If that works and you don't get any error message about the file already existing then you've successfully removed the driver file.

The rootkit also creates registry entries under HKLM\System\CurrentControlSet\Services\TDSServ, but you can worry about those later when rebooting in normal mode.

As for the Antivirus XP files, they will be in your C:\Program Files folder, under a random directory name. Kill the process and remove the folder and you should be all set.

I would also recommend that you download Process Explorer and look very carefully for instances of svchost.exe that are not running under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE account (i.e. running under a user account). This would be the actual downloader which you should also kill and delete to avoid any futher malware being downloaded and installed.]]> http://www.dslreports.com/forum/remark,21129609 Thu, 18 Sep 2008 05:50:48 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21129411 mysec :

said by OZO

:

I, personally, have never seen, that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to see a proof of its possibility.

Actually, there are a number of remote code execution exploits still being targeted against IE6.

said by fartness

:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.

The use of the filename svchost is an obvious ploy.

Use of this trick in an IE6 exploit appeared most recently in mpack and gpack exploits.

Here is a typical one. A malicious file -- often a spoofed executable to get by anything filtering *.exe -- is downloaded by remote code execution (drive-by download), renamed to svchost.exe, copied to a system folder, executed, and attempts to connect out to download more junk.

»www.urs2.net/rsj/computing/tests···uth.html

There are variations on this, so in your particular case, without seeing the exploit run, it's hard to know exactly what happened.

Which is why I asked earlier in the thread if you had the URL.

The question of how Windows Firewall alerted (which has no outbound protection) was not answered. Do you have other security which would alert to this?

Since this seems to be a drive-by download, it doesn't fit the recent WinAntiVirus XP Antirvirus exploits, since bcastner remarked in another thread that they are click-to-install exploits. I too have not seen any recent ones that are drive-by downloads.

said by fartness

:

I ran those programs. They took out a bunch of stuff

Unfortunately, without seeing that bunch of stuff, we can't analyze the exploit.

The fact that you didn't allow svchost.exe to connect out raises the question as to how other malicious files became installed.

So, it is possible that you encountered multiple exploits - several things going on at once.

Here is an old one that uses a WinAntiVirus screen but it is simply to divert the user while a trojan downloader is installed in the background.

If the user declines to install the antivirus and simply closes the window, she/he may not realize that anything has happened until later.

»www.urs2.net/rsj/computing/tests/driveby

---]]> http://www.dslreports.com/forum/remark,21129411 Thu, 18 Sep 2008 02:20:14 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21128962 OZO : Don't hope for a big difference between IE7 and IE6. From the security perspective they are almost the same. The rumors about higher security of IE7 are just result of marketing.

Try to catch why and how it happened. I, personally, have never seen, that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to see a proof of its possibility.

Good luck!

P.S. I run IE with Javascript always 'on' and use native MSJVM (v.5.0.3810.0), not Sun Java.]]> http://www.dslreports.com/forum/remark,21128962 Wed, 17 Sep 2008 23:58:10 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21127385 fartness : Yes to the java question.

I don't like IE 7 though.]]> http://www.dslreports.com/forum/remark,21127385 Wed, 17 Sep 2008 19:29:09 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21126676 Trel :

said by fartness

:

I always keep IE 6 updated, and Java has been updated too. Not sure what caused this.

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?

That Vundo removal tool didn't find anything... odd.

Based on that pic, you're using XP, I didn't say that IE6 wasn't updated. I said I think there may be vulnerabilitys in 6 that Microsoft won't fix because of the update to IE7.

When you update java, do you go to add/remove programs and uninstall the old versions?
--
/chown -R us:us /yourbase]]> http://www.dslreports.com/forum/remark,21126676 Wed, 17 Sep 2008 17:24:51 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123614 Kayrac : Can't say i've seen many xp antivirus variants running rookit installs, usually just a few files and super easy cleanup

that being said, what files are superantispyware detecting exactly?, full path would help figure out exactly whats going on

-Brian

also a hijackthis log would be of assistance ;)

and to answer your original post, ie 6 is an issue right there, atleast upgrade to IE 7, hell theres IE 8 beta's out, your like 5years behind

that being said, your also almost certainly running some out of date software, as these drive by downloads ALWAYS use some exploit, be it an IE 6 exploit, realplayer, adobe, or whatever

download and install this

»secunia.com/vulnerability_scanning/personal/

it's quite possibly the coolest piece of software i've ever found, it scans your system for programs with vulnerbilities, lets you know about them, gives you the download link etc etc, i suggest leaving that program running to be up to date all the time

I'll put money that the secunia PSI finds alot of stuff on your computer with security holes

another good piece of software

»filehippo.com/updatechecker/

(just disable showing beta updates after you install it)]]> http://www.dslreports.com/forum/remark,21123614 Wed, 17 Sep 2008 07:31:54 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123547 redwolfe_98 : so, fartness, SAS (superantispyware) won't remove the "rootkit" that it is detecting? if that is the case, and if you have already tried running a scan while in safe mode, i think you should create a "support ticket" with "superantispyware" and try working with them to try to resolve the issue..

i would say to post about the issue in the SAS forum, but they always reply by saying "create a support ticket"..

i am not saying that you can't try other things, but i think it would be good to contact SAS by creating a support ticket with them since SAS is flagging something..]]> http://www.dslreports.com/forum/remark,21123547 Wed, 17 Sep 2008 06:58:49 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123511 SipSizzurp :

said by redwolfe_98

:

.. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware..

Bullshit, young man. This virus runs great in safe mode, fake desktop with panic pop-ups and all. Most anti-malware / anti-virus programs will not run, or run in limited command line mode only. You obvioulsy have no first hand experience with this vermin, but the rest of the advice you have read and repeated is pretty sound.
--
I spent most of my money on Women and Beer, and the rest I just wasted !]]> http://www.dslreports.com/forum/remark,21123511 Wed, 17 Sep 2008 06:16:22 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123478 redwolfe_98 : you could try booting into "safe mode" and do scans with your antimalware programs while in safe mode.. try that..

to boot into "safe mode", restart the computer and then tap the "F8" key as the computer is booting up.. that should give you a DOS-looking screen with options for booting into safe mode.. follow the prompts to boot into safe mode..

in the DOS window, use the up and down arrow-keys (on your keyboard) to navigate the screen..

otherwise, you can get expert assistance with removing the malware in the "security cleanup" forum.. also, you could ask for help in the "superantispwyare" forum, or get help from "superantispyware" by creating a "support ticket" with them..

did you scan with the "malwarebytes" program? if not, you should try that.. as i said before, it could help to do the scanning while in "safe mode".. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware.. again, you still might wind up needing expert assistance in removing the malware, which you can get in the "security cleanup" forum.. here is a link for it:

»Security Cleanup ]]> http://www.dslreports.com/forum/remark,21123478 Wed, 17 Sep 2008 05:41:21 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123404 Cudni :

said by fartness

:

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?

make sure that you followed steps listed
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
and post in SCU forum for further assistance

Cudni
--
"what we know we know the same, what we don't know, we don't know it differently."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008]]> http://www.dslreports.com/forum/remark,21123404 Wed, 17 Sep 2008 04:09:17 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123386 fartness : I always keep IE 6 updated, and Java has been updated too. Not sure what caused this.

I ran those programs. They took out a bunch of stuff but I ran it again and see I have a root kit... is there anything else I should do?

That Vundo removal tool didn't find anything... odd.

]]> http://www.dslreports.com/forum/remark,21123386 Wed, 17 Sep 2008 03:47:18 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123208 Trel :

said by fartness

:

I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.

Honestly I think that's your problem. I may be wrong, but MS might not be giving security updates to IE6 anymore. I'm almost positive there's a multitude of ways that this can get in with an insecure IE. I'm not knowledgeable with securing IE, so I can't help you with that, but unless you're using Windows 2000, I'd recommend going to IE 7 at the very least, though switching browswers to Firefox (or Seamonkey) and using Noscript would be even better).
--
/chown -R us:us /yourbase]]> http://www.dslreports.com/forum/remark,21123208 Wed, 17 Sep 2008 01:35:36 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123150 redwolfe_98 : you could do scans with "superantispyware" and/or "malwarebytes", and see if they find anything.. those two programs have good reputations for removing malware-infections.. there are free versions of both of those programs..

here is a link for "superantispyware":

»www.superantispyware.com/

here is a link for downloading the free version of "malwarebytes":

»www.besttechie.net/mbam/mbam-setup.exe]]> http://www.dslreports.com/forum/remark,21123150 Wed, 17 Sep 2008 01:16:53 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123139 anon : XP Antivirus needs a swift kick in the nuts..... :mad:]]> http://www.dslreports.com/forum/remark,21123139 Wed, 17 Sep 2008 01:13:09 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123117 anon :

said by fartness

:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.

In XP, the Windows Firewall does not watch outbound traffic so the svchost access warning had to come from something else. That can't be good.]]> http://www.dslreports.com/forum/remark,21123117 Wed, 17 Sep 2008 01:05:51 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21123010 mysec :

said by fartness

:

I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.

Do you still have the link where the download occurred?

---]]> http://www.dslreports.com/forum/remark,21123010 Wed, 17 Sep 2008 00:31:30 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21122985 anon : Sorry, make that "XP Antivirus". Here you go...

»/nsearch?board···virus%22

To make a long story short and to stave off the customary nerdz endlessly posting a link to the clean up forum, run the utilities MalwareBytes and SuperAntiSpyware to repair. Then follow up with Exaspery's tool and SpyBot. You will be good to go.]]> http://www.dslreports.com/forum/remark,21122985 Wed, 17 Sep 2008 00:24:50 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21122939 anon : Do a forum search on "WinAntivirus".]]> http://www.dslreports.com/forum/remark,21122939 Wed, 17 Sep 2008 00:15:45 EDT Re: File downloaded automatically? http://www.dslreports.com/forum/remark,21122931 fartness : My desktop image also changed to this.

I'm going to run adaware now.

Any good online virus scans to use?

Seems my cookies keep getting deleted too.

]]> http://www.dslreports.com/forum/remark,21122931 Wed, 17 Sep 2008 00:13:58 EDT File downloaded automatically? http://www.dslreports.com/forum/remark,21122897 fartness : I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.

I then got an install dialogue for some anti-virus (which was probably a virus)... I didn't even download anything... what happened? Ideas?

I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.

Thanks.]]> http://www.dslreports.com/forum/remark,21122897 Wed, 17 Sep 2008 00:06:30 EDT