Daughter's PC has new Malware/Virus that can't be detected.


Timothian
Member
Posts: 1646
Joined: Tue Jan 18, 2005 10:25 pm
Location: Orlando


Post by Timothian »

My daughter's PC had a fake, annoying pop-up security center, and the very latest update of McAfee did find the AV1i trojan on the PC and deleted the files. I manually edited the registry, chasing down any reference to those executables, and cleaned it up.

However, the PC was still acting hosed up. Windows Explorer would not open, disk error checking won't start, and Google was acting strange. The links in search results would not work, and when manually entered in, would go to some odd sites. Ran System Mechanic (a general-purpose PC maintenance program); it found a disk error it could not fix until I ran it multiple times.

I looked at every process running on the PC, and nothing out of place. I am minimalistic with my computer installs, and it looked clean. Reran Ad-Aware, McAfee, etc., updated them, etc. ... nothing found.

Ran a program called "Wireshark"; it is a cool freebie program that monitors network traffic. Anyway, my daughter's PC, sitting there with no programs running, including Internet Explorer off, is sending traffic to two websites:

DO NOT TYPE IN THESE IP ADDRESSES

195.24.77.252 (Edit: did some further checking, one of the IP addresses was for my router, t)

When I googled feelyouinside.com, I found some references to it being a malware server, so DO NOT GO THERE!

I captured the Wireshark log and printed it out. Shut off my daughter's PC, and then immediately blocked these IP addresses on my router; I suggest you block them also if you know how.

Anyway, I am weighing my options:

1. Keep the PC off and hope that McAfee gets an update to take care of whatever is running and generating all that traffic.

2. Just clean the hard drive (safest, but most painful due to my daughter's music library).

3. Try to manually find this thing. At a loss here, going blind looking at the registry, but perhaps I will get inspired and find it; some string in the message traffic or a variation of the websites it is transmitting to should show up someplace.

Any suggestions on tracking this thing down? I am assuming it is just a simple trojan that is not yet identified, so waiting for a McAfee update should get rid of it, but ... never know, could be something more complex.
Last edited by Timothian on Sat Feb 21, 2009 5:55 pm, edited 1 time in total.
Aaeadiel
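The check Timothian describes, an idle PC that still talks to an outside server, can be automated over a Wireshark/tshark export so the interesting destinations stand out from normal LAN noise. The script below is an added example and is not code from the thread. It assumes the input is the tab-separated output of `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport -e dns.qry.name`; the host address, subnet and external server address are constructed, and only the domain feelyouinside.com is taken from the post.

```python
import ipaddress
from collections import Counter

# Constructed values for the example (not from the thread): the idle PC and its LAN.
HOST = "192.168.1.20"
LAN = ipaddress.ip_network("192.168.1.0/24")
# Domain the original poster found referenced as a malware server.
BLOCKLIST = {"feelyouinside.com"}

# Constructed sample in the assumed `tshark -T fields` layout:
# time <TAB> ip.src <TAB> ip.dst <TAB> tcp.dstport <TAB> dns.qry.name
SAMPLE = "\n".join([
    "0.000\t192.168.1.20\t192.168.1.1\t\tfeelyouinside.com",   # DNS query from the PC
    "0.041\t192.168.1.1\t192.168.1.20\t\tfeelyouinside.com",   # DNS answer (not from HOST, ignored)
    "0.120\t192.168.1.20\t203.0.113.45\t80\t",                 # outbound HTTP to an external address
    "0.380\t192.168.1.20\t203.0.113.45\t80\t",
    "0.900\t192.168.1.20\t203.0.113.45\t80\t",
    "1.210\t192.168.1.20\t192.168.1.30\t445\t",                # another LAN box: expected
    "2.050\t192.168.1.20\t203.0.113.45\t443\t",
    "3.000\t192.168.1.20\t224.0.0.252\t\t",                    # LLMNR multicast: expected noise
])


def parse_fields(text):
    """Turn the tab-separated export into a list of row dicts (missing columns become '')."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * 5)[:5]
        rows.append({"t": float(cols[0]), "src": cols[1], "dst": cols[2],
                     "port": cols[3], "qname": cols[4]})
    return rows


def registered_domain(name):
    """Reduce 'www.example.com.' to 'example.com' so subdomains hit the blocklist too."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def analyze(rows, host=HOST, lan=LAN, blocklist=BLOCKLIST):
    """Count packets from HOST to non-LAN unicast addresses and note blocklisted DNS lookups."""
    external = Counter()
    dns_hits = []
    for r in rows:
        if r["src"] != host:
            continue
        if r["qname"]:  # a DNS packet: judge it by the name, not the resolver's address
            if registered_domain(r["qname"]) in blocklist:
                dns_hits.append(r["qname"])
            continue
        dst = ipaddress.ip_address(r["dst"])
        if dst in lan or dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
            continue  # local chatter and broadcast/multicast are expected even on an idle box
        external[(r["dst"], r["port"] or "?")] += 1
    return {"external": dict(external), "blocklisted_dns": dns_hits}


def is_suspicious(result):
    """An idle host with nothing open should produce no external flows at all."""
    return bool(result["blocklisted_dns"] or result["external"])


if __name__ == "__main__":
    findings = analyze(parse_fields(SAMPLE))
    for (ip, port), count in sorted(findings["external"].items()):
        print(f"{ip}:{port}  {count} packets")
    for name in findings["blocklisted_dns"]:
        print(f"blocklisted lookup: {name}")
    print("suspicious" if is_suspicious(findings) else "clean")
```

The point of the filter is to strip out what a LAN host does on its own (DNS to the router, SMB to other machines, multicast discovery) so that what is left is exactly the traffic Timothian was trying to explain: repeated connections to one outside address and lookups of a domain with a bad reputation.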
beornj
Officer
Posts: 1707
Joined: Sat Oct 16, 2004 8:31 pm

Post by beornj »

I had something similar happen to my son's computer. Nothing I did would remove it, including safe-mode deletion of files and everything else that I could do. I ended up getting off what information I could and did an fdisk and format. Hope you don't have to; it is a pain, but it will get rid of it.
fazin
Member
Posts: 3924
Joined: Fri Jun 07, 2002 4:45 pm
Location: Troy, Illinois

Post by fazin »

Can't you just back up your daughter's music library before doing an HD cleansing?
Taunto
Member
Posts: 1842
Joined: Tue Aug 16, 2005 8:07 am

Post by Taunto »

I think it's time to have "the talk"....


Tell her to stop downloading hardcore porn torrents. :/
Whipsnade
Member
Posts: 497
Joined: Sat Oct 29, 2005 5:20 pm
Location: Redondo Beach CA

Post by Whipsnade »

You could try installing PC Tools Spyware Doctor.
It's like Ad-Aware but much better.
Whipsnade - Huntmaster of Tunare
Jimro - Rogue of the 64th Season
If it bleeds we can kill it!
Alsmack
Officer
Posts: 4267
Joined: Sat Sep 20, 2008 8:18 pm
Location: Chicago, IL

Post by Alsmack »

Run HijackThis and post the log here. I will point out which things are nasty little bastards.

Trend Micro bought the company that made it, but it's still an invaluable utility in finding new stuff.

http://www.download.com/Trend-Micro-Hij ... 27353.html
Alsmack | Rezlar | Dpses | Lynis | Medissin | Arbutus
Timothian
Member
Posts: 1646
Joined: Tue Jan 18, 2005 10:25 pm
Location: Orlando

Post by Timothian »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:53 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9084605832
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4624 bytes

Most of this seems legitimate to me. She has an iPod, iolo software (System Mechanic), etc.; not sure of all of it, though.
Aaeadiel
kanadezzra
Member
Posts: 281
Joined: Fri Aug 01, 2008 1:19 pm
Location: Montreal, Quebec, Canada

Post by kanadezzra »

I personally use Malwarebytes Anti-Malware and SUPERAntiSpyware for spyware stuff... use Spybot for the immunise function only.

For viruses, I use AVG.

With this combo in the past I took out a nasty little rewrite trojan bugger that kept infecting all over the place.

Haven't found better so far for a combo of programs.
use tells for buffs damnit >.<
Yours Truely, Kanadezzra
opirion
Member
Posts: 582
Joined: Sun Mar 28, 2004 3:54 am
Location: South Dakota

Post by opirion »

Malwarebytes rocks, and AVG.
kasantitz
Posts: 133
Joined: Fri Feb 06, 2009 6:39 am
Location: KY

Post by kasantitz »

O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')


Those are not good... they look legitimate, but do you have anything actually installed called MS AntiSpyware???
This is a common (and nasty :evil: ) malware/spyware product that people overlook because it DOES look legitimate.

I have had machines that I could not remove this completely from and had to wipe them and start fresh, but your best bet is to google -> "MS Antispyware removal", or something to that effect.

Kas
You might be a little obsessed with Halloween if you've ever pulled over on the shoulder of a busy highway, risked life and limb crossing the busy highway on foot only to discover the bright bit of orange plastic you glimpsed out your car window was not a Halloween decoration but a stinkin' Tide laundry soap jug
GoogleTalk ID - Dwnocturnal
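As a worked illustration of the triage kasantitz describes, and of reading the HijackThis log posted earlier in the thread, here is an added script that applies the same heuristics to O4 autorun lines: an image that lives in a user-writable data directory, registration under the SYSTEM (S-1-5-18) or .DEFAULT hive, and a security-product name that is not installed under Program Files. It also notes orphaned O2 BHO entries and O23 services with no publisher. This is not code from the thread or from Trend Micro; the sample lines are copied from the log in the thread, and the severity thresholds are my own assumption.

```python
import re

# A subset of the HijackThis log posted in the thread, used as sample input.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-18\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe" /autorun (User 'Default user')
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
"""

# O4 line layout: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')" with the user part optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Heuristic markers (assumptions for this example): directories a normal user can write to,
# hives a consumer product has no business registering itself in, and names that imitate security tools.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\appdata\\", "\\temp\\", "\\users\\")
SYSTEM_HIVES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}
SECURITY_NAME_RE = re.compile(r"anti.?spy|anti.?virus|anti.?malware|security|defender", re.I)


def image_path(cmd):
    """Pull the executable out of a Run value: the quoted part if quoted, else the first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit_hijackthis(text):
    """Return a list of findings, each {'tag', 'label', 'severity', 'reasons'}, in log order."""
    findings = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
            lower = image_path(cmd).lower()
            reasons = []
            if any(marker in lower for marker in USER_WRITABLE_MARKERS):
                reasons.append("autorun image lives in a user-writable data directory")
            if hive in SYSTEM_HIVES:
                reasons.append("registered in the SYSTEM / default-user hive")
            if SECURITY_NAME_RE.search(name) and "\\program files\\" not in lower:
                reasons.append("security-product name but not installed under Program Files")
            if reasons:
                findings.append({"tag": "O4", "label": name,
                                 "severity": "high" if len(reasons) >= 2 else "medium",
                                 "reasons": reasons})
            continue
        if line.startswith("O2 - ") and line.endswith("(no file)"):
            findings.append({"tag": "O2", "label": line.split(" - ")[1], "severity": "low",
                             "reasons": ["BHO registered but its file is missing (orphaned entry)"]})
        elif line.startswith("O23 - ") and " - Unknown owner - " in line:
            findings.append({"tag": "O23", "label": line.split(" - ")[1], "severity": "info",
                             "reasons": ["service binary carries no publisher information; verify the vendor"]})
    return findings


if __name__ == "__main__":
    for f in audit_hijackthis(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['tag']} {f['label']}: " + "; ".join(f["reasons"]))
```

Run against the posted log, the two "MS AntiSpyware 2009" entries trip all three autorun heuristics while the NVIDIA entries trip none, which is the same conclusion kasantitz reached by eye: the name looks like a security product, but nothing by that name was installed and the binary sits in All Users\Application Data rather than Program Files.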
kanadezzra
Member
Posts: 281
Joined: Fri Aug 01, 2008 1:19 pm
Location: Montreal, Quebec, Canada

Post by kanadezzra »

Ooh, I had that MS AntiSpyware virus... took a while, but it's how I discovered Malwarebytes... googled it when I had it, and it suggested that to remove it.

on a funny note

Once had a spyware that was advertising for a spyware program... it was a pain to remove. Googled the program, checked their website... BEHOLD! A 1-800 number! Called them up, got a salesperson, and asked why they are infecting my PC with their crap to try and sell me the program to fix a problem they created. Got the runaround for a bit, got a manager, gave him shit. They assured me it's not them, yadda yadda; a few threats later they offered me a free licence to their crapware... so I refused it, told 'em where to stick it, and removed the program after some effort. Never seen or heard of the program or company since!
Timothian
Member
Posts: 1646
Joined: Tue Jan 18, 2005 10:25 pm
Location: Orlando

Post by Timothian »

Thanks. Yes, that CrucialSoft "MS AntiSpyware" seems to be the problem, but the executable was hidden; it did not show up as running. I googled this and manually deleted the related files and registry keys. When I deleted the CrucialSoft stuff, System Mechanic was able to find a suspicious MS Config autoconfiguration file at startup (not sure if it was not present, or if hidden). Verified with Wireshark that the PC is not sending traffic to "feelyouinside.com". When I cut off the IP address, it still tried to contact the site, just that the volume was way diminished and there was no incoming traffic. Not sure why Ad-Aware or McAfee with the latest updates would not find it.

Computer still acting flaky in certain ways; assuming it is collateral damage from that software, but still checking stuff. Weird disk problem that can't be found: disk check will not even run, can't run MS Update (get errors), Windows Explorer won't open. Other than this, the computer is actually running OK and running everything else OK. Will work through this.

Thanks for help.
Aaeadiel
Alsmack
Officer
Posts: 4267
Joined: Sat Sep 20, 2008 8:18 pm
Location: Chicago, IL

Post by Alsmack »


O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL 
These two bother me. They look okay, but I don't remember Office putting extra buttons in IE.

The only one I know for sure is bad is the one Kasantitz pointed out.

Honestly, if that much weird stuff is happening... put all that music on an external hard drive and reinstall. It's not worth the headache, and you can be done in 2 hours. That's just my opinion, though.
Alsmack | Rezlar | Dpses | Lynis | Medissin | Arbutus
kasantitz
Posts: 133
Joined: Fri Feb 06, 2009 6:39 am
Location: KY

Post by kasantitz »

Office CAN actually add those buttons, but I am paranoid and don't trust Microsoft either so I always remove entries like that. Also, I agree with Alsmack, back it up and rebuild; it is the easiest way. Programs can always be downloaded and re-installed.
Timothian
Member
Posts: 1646
Joined: Tue Jan 18, 2005 10:25 pm
Location: Orlando

Post by Timothian »

Gonna think on this; rebuilding is looking better all the time. I can wait, it is my kid's computer.
Aaeadiel