Audio Ads Playing In Background
Neweb
post Aug 5 2010, 10:00 AM
Post #1


Group: Regular Bitdefender Poster
Posts: 28
Joined: 31-October 07
Member No.: 6,090



Over the past couple of days I have noticed audio Ads playing in the background every now and then on my computer.

Yesterday I did a full scan on my system and it resolved 5 items and ignored 2.

The two were hidden items called iexplore.exe and it took no action.
Here is the log following the scan.

QUOTE
Product: BitDefender Total Security 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 04/08/2010 18:01:01
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1280941261_1_02.xml

Scan paths:
Path 0000: C:\
Path 0001: D:\
Path 0002: F:\
Path 0003: S:\
Path 0004: K:\

Scan Level:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes

Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured

Target Processing:
Default first action for infected objects: Disinfect
Default second action for infected objects: None
Default first action for suspect objects : None
Default second action for suspicious objects: None
Default action for hidden objects: None
Default first action for encrypted infected objects: Disinfect
Default second action for encrypted infected objects: None
Default first action for encrypted suspicious objects: None
Default second action for encrypted suspicious objects: None
Default action for password-protected objects: Log only

Scan Engines Summary
Virus signatures: 6199967
Archive plugins: 44
E-mail plugins: 6
Scan plugins: 14
System plugins: 5
Unpack plugins: 10

Basic
Scanned items: 1165708
Infected items: 5
Suspect items: 0 (no suspected items have been detected)
Hidden items: 2
Resolved items: 5
Unresolved items: 2

Advanced
Scan time: 03:45:52
Files per second: 86
Skipped items: 232160
Password-protected items: 0
Over-compressed items: 0
Individual viruses found: 4
Scanned folders: 40985
Scanned boot sectors: 5
Scanned archives: 21444
Input-output errors: 1
Scanned processes: 110
Infected processes: 0
Scanned registry keys: 1462
Infected registry keys: 0
Scanned cookies: 423
Infected cookies: 4

Remaining issues:
Object Path  Threat Name  Final Status
C:\Program Files\Internet Explorer\IEXPLORE.EXE Rootkit-Hidden items: Hidden (object was not found)
C:\Program Files\Internet Explorer\IEXPLORE.EXE Rootkit-Hidden items: Hidden (object was not found)


Resolved issues:
Object Path  Threat Name  Final Status
<System>=>C:\Documents and Settings\LocalService\Cookies\system@apmebf[2].txt Cookie.Apmebf Deleted
<System>=>C:\Documents and Settings\LocalService\Cookies\system@bs.serving-sys[1].txt Cookie.BS.Serving-Sys Deleted
<System>=>C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt Cookie.DoubleClick Deleted
<System>=>C:\Documents and Settings\LocalService\Cookies\system@doubleclick[2].txt Cookie.DoubleClick Deleted
D:\Shop Outlook\shopFiles.pst=>[Subject: Scan from a Xerox WorkCentre Pro N 0785688][From: Bridgett Acosta]=>Xerox WorkCentreReader.zip=>Xerox WorkCentreReader.exe Trojan.Downloader.Small.ABKN Deleted


How can I stop these ads from playing in the background?
I have tried everything to get rid of them with no success.
Cris
post Aug 5 2010, 11:01 AM
Post #2


BitDefender Evangelist
Group: Regular Bitdefender Poster
Posts: 3,360
Joined: 27-March 07
From: Galați/Iași, România
Member No.: 60



Hello Neweb,

Please follow the instructions presented here: http://kb.bitdefender.com/KB490
Upload the 2 logs on a file sharing server of your choice (such as sendspace.com) and send me a PM with the download link. Please paste in your PM the link to this post.

Cris.
Cris
post Aug 5 2010, 02:15 PM
Post #3



Please try to download and run this too: http://students.info.uaic.ro/~cristian.dra...er/m96i52vq.exe
It's the latest version of gmer. Leave it with this random name, because some malware might prevent running gmer based on its process name. Please post if you still have problems running it.

Cris.
Neweb
post Aug 5 2010, 04:00 PM
Post #4



Tried that and the same thing happens. It turns the computer off.

Can you get anything from the file I sent you (the first one)?
Cris
post Aug 5 2010, 07:00 PM
Post #5



Please try to download Rootkit Unhooker: students.info.uaic.ro/~cristian.dragusanu/other/bitdefender/RKUnhookerLE.EXE
Save it with a random name (doesn't matter what, as long as it has the extension .exe) and run it.

Before running it, open BitDefender, go to Antivirus -> Shield, click Advanced settings and disable Active Virus Control. Also go to Firewall -> Settings, click Advanced settings and uncheck Enable Intrusion Detection.

Afterwards, open RKU. If anything (maybe a malware) tries to inject into RKU, it will give you an alert and ask you if it should remove the injection. Allow it to clean itself. After it opens up, click on the Report tab and then click Scan.
When it reaches to the File scanning step, it will ask you what partitions to scan. At that step please select only your system partition (C:\).

At the end, click on File -> Save Report and save the report as a TXT file somewhere. Then attach that report here.


Hopefully, this will work. Please post back the result.

Cris.
Neweb
post Aug 6 2010, 09:55 AM
Post #6



I managed to download and run that RKUnhooker file.
It is currently "Getting List of files and directories"

It's been running for over half an hour now. Is this normal? Should I just wait for it to finish?

Do you want me to post the file in my next post or send it to you via PM as before?
Cris
post Aug 6 2010, 10:46 AM
Post #7



Yes, it's normal to take a longer time at that step. Exactly how long depends on the size of the selected partition and on the number of files on it. At that point, it's searching for hidden/rootkit items on your HDD and this operation is slow. Normally, I'd suggest that step to be skipped. But the log you already sent me shows 2 hidden processes, so there might also be hidden files. And that is why I asked for it.

Send it by PM.

Cris.
Neweb
post Aug 6 2010, 10:51 AM
Post #8



OK, I'll leave it running (it's been going 1 hour now).
If this is getting a real deep look at my system then it can't be a bad thing. Once it's finished I will PM the file to you.
I have left the system alone while this is being done, so all resources are being used to complete this task.
Neweb
post Aug 6 2010, 03:00 PM
Post #9



It has taken all day to complete the scan and when it did it just closed the window and I can't see a report anywhere.

I have taken all day to run this scan and now I have no report to send to you.
I have missed a day's work and can't afford to make the system inaccessible for a second time.

I will have to try to get it to scan overnight and try to get the report to you in the morning.
Neweb
post Aug 7 2010, 09:59 AM
Post #10



I have finally managed to get a full scan of the system.
I will email you the link to the file in a PM.
Cris
post Aug 8 2010, 01:12 PM
Post #11



Hello,

Sorry for the late response. The problem is that, apart from the 1 (or 2) iexplore.exe hidden processes, absolutely nothing else suspicious or weird appears in either of the submitted logs. I've checked and double checked them again and again.

iexplore.exe is Internet Explorer. It doesn't appear to be a changed file (its hash, which appears in one of the logs, is consistent with a valid iexplore.exe version). However, nothing in the logs indicates who hides those processes, or who started them. The only thing that was logged is that one of them is listening for UDP connections on port 2916.

Please try this:
  • open BitDefender Security Center (in Expert Mode)
  • Go to Firewall -> Settings and set the Protection Level to Report
  • then go to Firewall -> Rules
  • search for the rules for iexplore.exe, select each one of them and delete them
  • then restart your system
After the system restarts, make sure you don't open Internet Explorer (I noticed that you're using Google chrome as browser, so this shouldn't be a problem, but make sure that you don't open IE for some other reason).
Sometime, iexplore.exe should start (the hidden one) and attempt to connect to the network. At that point, BitDefender Firewall should show you a firewall alert. Please take a screenshot of that alert (also, click on the parent process, shown in that alert, and take a screenshot of the properties window which appears). Then deny that attempt (this will cause Internet Explorer to not be able to connect to the Internet anymore).

After that, make another scan with BDSI. Attach the 2 screenshots here and send me the BDSI report by PM (as you've done with the previous reports).

Cris.
Neweb
post Aug 8 2010, 05:43 PM
Post #12



OK,
I won't be back in work until Tuesday so I will try it then.

In the firewall rules I did disallow iexplorer from accessing the web. I will undo this, make the changes you want and report back.

On the up side, at least nothing too bad has got into my system.

Neweb
post Aug 10 2010, 12:43 PM
Post #13



I have now sent you that scan.

I did not get all the information with relation to parent because they closed down before I could complete my screen print of the programs.
I will try get them again. If I do I will PM them to you.
Cris
post Aug 10 2010, 01:01 PM
Post #14



I got the logs. I didn't take a look at them, but the screenshots probably offer a very good clue. Specifically, the AVC alert about svchost.exe.
Could you please tell me what action you took on that alert?

Also, please go to Antivirus -> Shield, click on Advanced and post here what applications are in the Active Virus Control whitelist (especially the ones from C:\Windows, System32, Temp folders, or any other suspicious location).

Cris.
Neweb
post Aug 10 2010, 01:50 PM
Post #15



For the svhost.exe alert I blocked it from accessing the web. You can see this in the exclusions box.
When I click on Antivirus>Shield>Advanced Settings, under exclusions is
C:/windows/system32/svhost.exe. This is the only listing in the "exclusions" box.

I have checked the whitelist and it is empty.
There is nothing listed in the "Websites" section at all.





Neweb
post Aug 10 2010, 01:58 PM
Post #16



I just had another BD pop up box from Internet Explorer.
The path listed the following location.

C:\program files\internet explorer
Destination: 127.0.0.1
Neweb
post Aug 11 2010, 09:34 AM
Post #17



Did you manage to find anything in the files I sent?
Cris
post Aug 11 2010, 10:35 AM
Post #18



Hi,

We have another very similar case to yours. One of the Support members got another case with exactly the same symptoms as yours. Last night we (me and him) made a very long remote assistance session on that system and, comparing your logs with the state of the other system, we managed to partially find the cause. However, we haven't been able to find the exact infection yet, but we will continue searching for it later today.

There are some steps that you could take in order to prevent the audio ads (and those 2 hidden iexplore.exe processes) from appearing. But these steps are a little complicated, and have to be taken at each system startup. If by later today we don't find the exact cause to fully stop this infection (and add detection for it, to prevent future infections), I will explain these steps to you, so you can apply them and at least have a workaround until we find the exact cause.

If you wish, I can give you the details now. But they are based on using Active Virus Control to block the infection, so I'm not really sure how much it will impact the system performance (or if BD2010's AVC is fully capable of it, because last night we tried it with a beta of BD2011).


I'm sorry this takes so long and we apologize for any inconveniences. I assure you that we are doing everything in our power to solve this as fast as possible. But even with remote access to an infected system and personally using multiple tools to find it, this infection managed to hide itself very well. It's using perfectly legitimate (and critical) system components, such as iexplore.exe, svchost.exe and services.exe (all untouched and unchanged files, digitally signed by Microsoft with valid signatures) to achieve its goal. As soon as we have a solution, we'll let you know.

Thank you for your patience.
Cris.
Neweb
post Aug 11 2010, 11:17 AM
Post #19



Thanks Cris,
I have blocked IE from all access to the internet so the ads are not playing anymore. This should tide me over till we find a solution or at least find out what is causing it.

Whatever it is, it's very good because my system is pretty much locked down.

Just let me know when you have a solution and we will work on it then.

This post has been edited by Cris: Aug 11 2010, 01:47 PM
Reason for edit: Removed quote
Cris
post Aug 11 2010, 08:38 PM
Post #20



Hello again,

It seems that the infection is started by a MBR (Master Boot Record) malware. This means that one (or more) drive(s) in your system is infected with a so-called bootkit. For us to be able to provide a safe cleaning method, we will need from you a MBR dump from all your drives. This procedure is fairly simple and I will describe it below.

  1. Download the tool into a new, empty folder (the download link will be provided to you by PM, shortly)
  2. Make sure you login on an account with Administrator (non-limited) rights
  3. go to Start -> Run and type cmd then press Enter
  4. When cmd starts, navigate with it to the folder where you saved the tool
  5. Then type the following command:
    CODE
    dd.exe if="\\.\PhysicalDriveX" of=dumpX bs=32k count=1
    • NOTE: in the above command replace X (in both PhysicalDriveX and dumpX) with a number, starting from 0, which represents the number of your drive
    • run the same command for each of your fixed local drives; don't run this command for removable, mapped or other types of drives (nothing wrong happens, but the command will fail)
    • the X number increases by 1
    • for instance, if you have 3 drives (C: D: and E:), then you will have to run these 3 commands (press Enter after each one):
      CODE
      dd.exe if="\\.\PhysicalDrive0" of=dump0 bs=32k count=1
      dd.exe if="\\.\PhysicalDrive1" of=dump1 bs=32k count=1
      dd.exe if="\\.\PhysicalDrive2" of=dump2 bs=32k count=1

  6. after each run, the files dumpX (X being the numbers you typed) will be created in the same folder where you saved the tool
  7. Please archive all dump files, upload them on a file sharing server and send me the download link by PM
  8. should any errors appear while running these commands, please take a screenshot and attach it here. The valid (successful) output should look something like this:
    CODE
    1+0 records in
    1+0 records out
After these dumps have been analyzed, I will come back with further instructions.

Cris.
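A quick sanity check of the dumpX files before they are uploaded, as an added example that is not part of the thread or of any BitDefender tool: it reads the first 512 bytes of a dump (the MBR: 446 bytes of boot code, a 64-byte partition table and the 0x55AA signature), hashes the boot code so it can be compared with a dump from a known-clean machine of the same Windows version, and flags a truncated dump, boot code that lacks the strings a standard Windows MBR carries, or an odd partition table. The partition layout and the sample MBR are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446
MBR_SIGNATURE = b"\x55\xaa"
# Strings found in the boot code of the standard Windows XP/Vista/7 MBR (heuristic only).
WINDOWS_MBR_STRINGS = (b"Invalid partition table", b"Missing operating system")


def parse_mbr(data: bytes) -> dict:
    """Parse the first sector of a dumpX file (only the first 512 bytes are used)."""
    if len(data) < SECTOR:
        raise ValueError(f"dump too short: {len(data)} bytes, need at least {SECTOR}")
    mbr = data[:SECTOR]
    partitions = []
    for i in range(4):
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, BOOTCODE_LEN + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": mbr[SECTOR - 2:] == MBR_SIGNATURE,
        # Compare this hash with a dump taken from a known-clean machine of the same Windows version.
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "windows_strings": all(s in mbr[:BOOTCODE_LEN] for s in WINDOWS_MBR_STRINGS),
        "partitions": partitions,
    }


def check_dump(data: bytes) -> list:
    """Return a list of findings worth a second look; an empty list means nothing odd."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: dump truncated or not an MBR")
    if not info["windows_strings"]:
        findings.append("standard Windows MBR strings absent: boot code may have been replaced")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions marked bootable, expected exactly 1")
    for p in info["partitions"]:
        if p["type"] != 0 and (p["lba"] == 0 or p["sectors"] == 0):
            findings.append(f"partition type 0x{p['type']:02x} has a zero start or size")
    return findings


def build_sample_mbr(windows_strings: bool = True, signature: bytes = MBR_SIGNATURE) -> bytes:
    """Constructed 512-byte sample standing in for a dumpX file; not a real disk image."""
    msgs = b"\x00".join(WINDOWS_MBR_STRINGS) if windows_strings else b"\x90" * 48
    code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + msgs).ljust(BOOTCODE_LEN, b"\x00")
    # One bootable NTFS-type (0x07) partition starting at LBA 63, 1,000,000 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1_000_000)
    return code + entry + b"\x00" * 48 + signature
```

To use it on a real dump, pass the bytes of dumpX (read in binary mode) to check_dump; the 32k dumps the procedure produces are fine, since only the first sector is examined.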