  fartness Computersoc Dot Com Premium join:2003-03-25 Look Outside clubs:
File downloaded automatically?
I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.
I then got an install dialogue for some anti-virus (which was probably a virus)... I didn't even download anything... What happened? Ideas?
I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.
Thanks.
  fartness Computersoc Dot Com Premium join:2003-03-25 Look Outside clubs:
My desktop image also changed to this.
I'm going to run adaware now.
Any good online virus scans to use?
Seems my cookies keep getting deleted too.
  KiZiller
@rr.com
reply to fartness: Do a forum search on "WinAntivirus".
  KiZiller
@rr.com
reply to fartness: Sorry, make that "XP Antivirus". Here you go...
»/nsearch?board···virus%22
To make a long story short, and to stave off the customary nerdz endlessly posting a link to the clean-up forum: run the utilities MalwareBytes and SuperAntiSpyware to repair. Then follow up with Exaspery's tool and SpyBot. You will be good to go.
 mysec Premium join:2005-11-29
reply to fartness
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.
Do you still have the link where the download occurred?
  Nimbus
@verizon.net
reply to fartness
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet.
In XP, the Windows Firewall does not watch outbound traffic, so the svchost access warning had to come from something else. That can't be good.
  Anon Name
@teksavvy.com
reply to fartness: XP Antivirus needs a swift kick in the nuts.....
 redwolfe_98
join:2001-06-11
·RoadRunner Cable
edit: September 17th, @01:26AM
reply to fartness: You could do scans with "superantispyware" and/or "malwarebytes", and see if they find anything.. those two programs have good reputations for removing malware infections.. there are free versions of both of those programs..
Here is a link for "superantispyware":
»www.superantispyware.com/
Here is a link for downloading the free version of "malwarebytes":
»www.besttechie.net/mbam/mbam-setup.exe
  Trel Good Evening Premium join:2002-10-08 Hillsborough, NJ
·surpasshosting
reply to fartness
said by fartness: I'm using IE 6 and never had this happen. What settings should I change? It's always asked me in the past if I want to download files, etc.
Honestly, I think that's your problem. I may be wrong, but MS might not be giving security updates to IE6 anymore. I'm almost positive there's a multitude of ways that this can get in with an insecure IE. I'm not knowledgeable with securing IE, so I can't help you with that, but unless you're using Windows 2000, I'd recommend going to IE 7 at the very least (though switching browsers to Firefox or Seamonkey and using NoScript would be even better).
-- /chown -R us:us /yourbase
  fartness Computersoc Dot Com Premium join:2003-03-25 Look Outside clubs:
reply to fartness: I always keep IE 6 updated, and Java has been updated too. Not sure what caused this.
I ran those programs. They took out a bunch of stuff, but I ran it again and see I have a rootkit... Is there anything else I should do?
That Vundo removal tool didn't find anything... odd.
  Cudni La Merma - La Guerrilla Premium,MVM join:2003-12-20 Someshire
·BTOpenworld
said by fartness: I ran those programs. They took out a bunch of stuff but I ran it again and see I have a rootkit... is there anything else I should do?
Make sure that you followed the steps listed in »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and post in the SCU forum for further assistance.
Cudni
-- "what we know we know the same, what we don't know, we don't know it differently." Help yourself so God can help you. Microsoft MVP, 2006 - 2008
 redwolfe_98
join:2001-06-11
·RoadRunner Cable
edit: September 17th, @05:57AM
reply to fartness: You could try booting into "safe mode" and do scans with your antimalware programs while in safe mode.. try that..
To boot into "safe mode", restart the computer and then tap the "F8" key as the computer is booting up.. that should give you a DOS-looking screen with options for booting into safe mode.. follow the prompts to boot into safe mode..
In the DOS window, use the up and down arrow keys (on your keyboard) to navigate the screen..
Otherwise, you can get expert assistance with removing the malware in the "security cleanup" forum.. also, you could ask for help in the "superantispyware" forum, or get help from "superantispyware" by creating a "support ticket" with them..
Did you scan with the "malwarebytes" program? If not, you should try that.. as I said before, it could help to do the scanning while in "safe mode".. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware.. again, you still might wind up needing expert assistance in removing the malware, which you can get in the "security cleanup" forum.. here is a link for it:
»Security Cleanup
 SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI
·RoadRunner Cable
said by redwolfe_98: .. in safe mode, the rootkit will not load and so it will be easier for the antimalware programs to detect and remove the malware..
Bullshit, young man. This virus runs great in safe mode, fake desktop with panic pop-ups and all. Most anti-malware / anti-virus programs will not run, or run in limited command line mode only. You obviously have no first-hand experience with this vermin, but the rest of the advice you have read and repeated is pretty sound.
-- I spent most of my money on Women and Beer, and the rest I just wasted!
 redwolfe_98
join:2001-06-11
·RoadRunner Cable
reply to fartness: So, fartness, SAS (superantispyware) won't remove the "rootkit" that it is detecting? If that is the case, and if you have already tried running a scan while in safe mode, I think you should create a "support ticket" with "superantispyware" and try working with them to resolve the issue..
I would say to post about the issue in the SAS forum, but they always reply by saying "create a support ticket"..
I am not saying that you can't try other things, but I think it would be good to contact SAS by creating a support ticket with them since SAS is flagging something..
  Kayrac Premium join:2001-09-29 Lee, NH
edit: September 17th, @07:43AM
reply to fartness: Can't say I've seen many XP Antivirus variants running rootkit installs, usually just a few files and super easy cleanup.
That being said, what files is SuperAntiSpyware detecting exactly? The full path would help figure out exactly what's going on.
-Brian
Also, a HijackThis log would be of assistance.
And to answer your original post, IE 6 is an issue right there; at least upgrade to IE 7. Hell, there are IE 8 betas out, you're like 5 years behind.
That being said, you're also almost certainly running some out-of-date software, as these drive-by downloads ALWAYS use some exploit, be it an IE 6 exploit, RealPlayer, Adobe, or whatever.
Download and install this:
»secunia.com/vulnerability_scanning/personal/
It's quite possibly the coolest piece of software I've ever found. It scans your system for programs with vulnerabilities, lets you know about them, gives you the download link, etc. etc. I suggest leaving that program running to be up to date all the time.
I'll put money that the Secunia PSI finds a lot of stuff on your computer with security holes.
Another good piece of software:
»filehippo.com/updatechecker/
(Just disable showing beta updates after you install it.)
  Trel Good Evening Premium join:2002-10-08 Hillsborough, NJ
·surpasshosting
reply to fartness
said by fartness: I always keep IE 6 updated, and Java has been updated too. Not sure what caused this. I ran those programs. They took out a bunch of stuff but I ran it again and see I have a rootkit... is there anything else I should do? That Vundo removal tool didn't find anything... odd.
Based on that pic, you're using XP. I didn't say that IE6 wasn't updated. I said I think there may be vulnerabilities in 6 that Microsoft won't fix because of the update to IE7.
When you update Java, do you go to Add/Remove Programs and uninstall the old versions?
-- /chown -R us:us /yourbase
  fartness Computersoc Dot Com Premium join:2003-03-25 Look Outside clubs:
Yes to the Java question.
I don't like IE 7 though.
 OZO Premium join:2003-01-17
edit: September 18th, @12:04AM
Don't hope for a big difference between IE7 and IE6. From the security perspective they are almost the same. The rumors about the higher security of IE7 are just a result of marketing.
Try to catch why and how it happened. I, personally, have never seen that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to seeing proof of its possibility.
Good luck!
P.S. I run IE with JavaScript always 'on' and use the native MSJVM (v.5.0.3810.0), not Sun Java.
 mysec Premium join:2005-11-29
said by OZO: I, personally, have never seen that IE6 (or IE7) may download a file without my explicit consent. But, at the same time, I'm open to seeing proof of its possibility.
Actually, there are a number of remote code execution exploits still being targeted against IE6.
said by fartness: I was surfing the web and I got a Windows Firewall notice that svchost or something wanted to access the internet. I didn't allow it.
The use of the filename svchost is an obvious ploy.
Use of this trick in an IE6 exploit appeared most recently in mpack and gpack exploits.
Here is a typical one. A malicious file -- often a spoofed executable to get by anything filtering *.exe -- is downloaded by remote code execution (drive-by download), renamed to svchost.exe, copied to a system folder, executed, and attempts to connect out to download more junk.
»www.urs2.net/rsj/computing/tests···uth.html
There are variations on this, so in your particular case, without seeing the exploit run, it's hard to know exactly what happened.
Which is why I asked earlier in the thread if you had the URL.
The question of how Windows Firewall alerted (it has no outbound protection) was not answered. Do you have other security software which would alert to this?
Since this seems to be a drive-by download, it doesn't fit the recent WinAntiVirus / XP Antivirus exploits, since bcastner remarked in another thread that they are click-to-install exploits. I too have not seen any recent ones that are drive-by downloads.
said by fartness: I ran those programs. They took out a bunch of stuff
Unfortunately, without seeing that bunch of stuff, we can't analyze the exploit.
The fact that you didn't allow svchost.exe to connect out raises the question as to how other malicious files became installed.
So, it is possible that you encountered multiple exploits - several things going on at once.
Here is an old one that uses a WinAntiVirus screen, but it is simply to divert the user while a trojan downloader is installed in the background.
If the user declines to install the antivirus and simply closes the window, she/he may not realize that anything has happened until later.
»www.urs2.net/rsj/computing/tests/driveby
 MagnusM Premium join:2001-07-07
edit: September 18th, @05:54AM
reply to fartness: This is a new variant by the same people who brought you XP Antivirus. This one is called Antivirus XP (very creative of them). As you can see, you have a rootkit on there now (TDSServ.sys). This is used to hide the processes for Antivirus XP, but in the variants we've seen it actually fails to do this because it isn't properly interacting with the rootkit code.
You should boot into Safe Mode (or even better: Recovery Console) and remove the file C:\Windows\System32\drivers\TDSServ.sys. You can verify that the driver file has been removed by creating an empty text file in the C:\Windows\System32\drivers directory and renaming it TDSServ.sys. If that works and you don't get any error message about the file already existing, then you've successfully removed the driver file.
The rootkit also creates registry entries under HKLM\System\CurrentControlSet\Services\TDSServ, but you can worry about those later when rebooting in normal mode.
As for the Antivirus XP files, they will be in your C:\Program Files folder, under a random directory name. Kill the process and remove the folder and you should be all set.
I would also recommend that you download Process Explorer and look very carefully for instances of svchost.exe that are not running under the SYSTEM/LOCAL SERVICE/NETWORK SERVICE account (i.e. running under a user account). This would be the actual downloader, which you should also kill and delete to avoid any further malware being downloaded and installed.
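The two manual checks MagnusM describes above (svchost.exe instances that run under a user account rather than SYSTEM / LOCAL SERVICE / NETWORK SERVICE, and whether the TDSServ.sys driver file and its service key are still present), together with the renamed-svchost.exe ploy mysec describes earlier in the thread, can be scripted instead of eyeballed in Process Explorer. The script below is an added example for readers of this thread; it is not code from any poster or from any tool named here. It assumes Windows PowerShell on an elevated prompt (so process owners are readable), that a legitimate svchost.exe image lives in %SystemRoot%\System32 or, on 64-bit Windows, %SystemRoot%\SysWOW64 (the SysWOW64 location is my assumption, not something the thread states), and it uses exactly the TDSServ file and registry paths MagnusM gives.

```powershell
# Added example (not from the thread). Lists every svchost.exe with its owner
# and image path, flags the ones that do not look like the Windows service host,
# and reports whether the TDSServ driver file / service key still exist.
# Assumes Windows PowerShell (Get-WmiObject) run from an elevated prompt.

function Get-SvchostReport {
    # Paths a legitimate svchost.exe is expected to run from. The SysWOW64
    # entry is an assumption for 64-bit systems; the thread only mentions System32.
    $legitPaths = @(
        (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
    )
    # Accounts the real service host runs under, per MagnusM's post.
    $serviceAccounts = @(
        'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\LOCAL SERVICE',
        'NT AUTHORITY\NETWORK SERVICE'
    )

    foreach ($proc in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
        $reasons = @()

        # GetOwner() fails for some protected processes; an unreadable owner is
        # reported as unknown rather than treated as evidence either way.
        $owner = $null
        try { $owner = $proc.GetOwner() } catch { }
        if ($owner -and $owner.User) {
            $account = "$($owner.Domain)\$($owner.User)"
            if ($serviceAccounts -notcontains $account) {
                $reasons += 'runs under a user account'
            }
        } else {
            $account = '<unknown>'
        }

        # ExecutablePath is $null when access is denied, so only a readable path
        # that differs from the expected locations counts against the process.
        if ($proc.ExecutablePath -and ($legitPaths -notcontains $proc.ExecutablePath)) {
            $reasons += 'image path is not the Windows service host'
        }

        New-Object PSObject -Property @{
            PID        = $proc.ProcessId
            ParentPID  = $proc.ParentProcessId
            Path       = $proc.ExecutablePath
            Account    = $account
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

function Get-TDSServArtifacts {
    # Locations named in MagnusM's post; Test-Path -LiteralPath avoids wildcard
    # interpretation of anything in the path.
    $driver = Join-Path $env:SystemRoot 'System32\drivers\TDSServ.sys'
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\TDSServ'
    New-Object PSObject -Property @{
        DriverFile    = $driver
        DriverPresent = (Test-Path -LiteralPath $driver)
        ServiceKey    = $key
        KeyPresent    = (Test-Path -LiteralPath $key)
    }
}

# Suspicious instances sort to the top; a legitimate host normally has
# services.exe as its parent, so ParentPID is shown for follow-up.
Get-SvchostReport | Sort-Object Suspicious -Descending |
    Format-Table PID, ParentPID, Account, Path, Reason -AutoSize
Get-TDSServArtifacts | Format-List
```

A user-mode rootkit driver that is actually loaded may hide its own file and key from Test-Path, so a "not present" result from a normally booted system is only suggestive; the Safe Mode or Recovery Console check MagnusM recommends remains the authoritative one. The process listing is most useful before the host is cleaned, to capture the path of the downloader for analysis rather than only killing it.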