Malware trouble - Performed all steps, do things seem fine?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tech, Mar 22, 2006.

  1. tech

    tech Private E-2

    Hey, you guys are awesome. You're serious geeks -- I salute you!

    I just registered, but I've read your forum for a while. I even used data in "READ & RUN ME FIRST" to repair a malware problem a year ago -- thanks! But on this one, I think I need a little help.

    I'm fixing a malware problem on my aunt's computer. (Compaq Presario 6310us, XP SP1.) At first I worked on my own, then followed the steps in "READ & RUN ME FIRST Before Asking for Support". I need to run this by an expert, to see if things seem fine (this one thing keeps bugging me, more on that later).


    WHAT HAPPENED:

    She was web surfing Saturday night, and a ton of popups came out of nowhere. Norton Antivirus 2005 produced some virus alerts, said it was attempting repair/deleting files, etc. A download window popped out of nowhere which she couldn't cancel, and she frantically closed down the popups. Afterwards, she noticed NAV Auto-Protect was off. Whenever trying to turn it on, an error message appears. At some point during all this a ZoneAlarm alert appeared, which she hardly glanced at, and denied internet access to the program.


    WHAT I DID ON MY OWN:

    I emptied Temporary Internet Files (TIF).

    I downloaded all NAV updates and scanned, found nothing. I ran the NAV online scan from their website, found nothing. At some point, I got the attached ZA alert, and made sure this program was denied internet access.

    I tried to run the online Trend Micro scan twice, for some reason it wouldn't work. Ran McAfee's online scan, found what I believe was a "false positive":

    File Name: C:\hp\bin\Terminator.exe
    Threat Name: KillApp
    (A search on Google produced attached link1 and link2)

    The program which tried to access the internet earlier, I looked it up in ZA (attached screenshot). After looking around, I discover that neither the file nor the directory is present at that location. Where'd it go?

    I ran Symantec's Automated Support Assistant. ASA detected 3 problems: 1) Virus/threats were detected, 2) I needed to install the latest version of LiveUpdate, 3) NAV registry/keys were damaged and NAV needed reinstalling.

    None of the earlier Norton scans detected any virus/threats, but this one did? I believe it was checking the NAV scan logs and making sure the threats which were detected before the crash weren't present. (They were mainly located in TIF, which I already cleared.) I was instructed to clear out the NAV scan logs afterwards.

    I followed their instructions to handle these three issues, reinstalled NAV and fully updated. NAV was working fine.

    I wasn't going to take any chances, so next I went through "READ & RUN ME FIRST".


    PER YOUR INSTRUCTIONS:

    I did everything exactly, except where noted:

    "Uninstall Malware via Add/Remove Programs" - I uninstalled all of the Wild Tangent games.

    Skipped "Microsoft Windows Defender" because it requires SP2. Used CounterSpy.

    Booted into Safe Mode and ran CCleaner, then I scanned with NAV (found nothing), before continuing.

    Spybot and CounterSpy found some things alright. A number of virus/trojan files in C:/Windows and C:/Windows/system32/. I went to those actual directories and checked the files out. There were a number of 0 byte files created between 7:20-7:35pm Saturday night, mainly EXE's. I figured they must be mostly harmless, except just this one, which neither program spotted:

    C:\WINDOWS\system32\scmt16.exe (5.09 KB) 7:20:01pm

    Getting concerned, I renamed it "scmt16.txt" and moved it to the desktop. Later, BitDefender detected and deleted the "scmt16.txt" text file!

    I had trouble scanning with Panda ActiveScan. I was in safe mode, now with the internet connection active (comp is on a network, Linksys router and a DSL modem). Problem was, the connection would go dead on this comp after about 15 minutes. Only way to get it back was to restart! The Panda scan could complete no problem (took about 20 minutes each time), but to click the report button I need an active connection.

    I stopped the scan prematurely to see the report, and scanned again twice. I deleted any files detected, except the three "false-positives" (see the attached logs, link1 and link2).

    Once I rebooted into normal mode, I scanned a third time with Panda, and was able to view the report just fine (no connection difficulties). I assume my trouble earlier must've been caused by some sort of network incompatibility by being in safe mode.


    Questions:

    1) So how does the HJT log look? (I'm no good at reading HJT logs.)

    2) Do you think those three HP files from the Panda scan are just "false positives", or do you think they've become infected?

    3) And do you think there's anything suspicious about how I never found that program which tried to access the internet? Nothing I scanned with seemed to find it, or delete it. It just disappeared on its own...

    4) Also, why do you think all those files found were 0 bytes? Perhaps NAV prevented most of them from installing correctly?

    I would greatly appreciate any help you can give me.

    -- Tech
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    1) Your HJT log is clean.

    2) Yes they are false positives. HP just needs their heads examined for naming the processes like they did and because of where they put them.

    3) WSoopscan.exe is (as best as I can tell) World Series Of Online Poker related. Does this mean anything to anyone? Does someone play all those stupid casino/poker games online? Exactly where did you look for it? Did you look for it in the folder that ZoneAlarm named?

    4) Zero byte size files happen all the time in the malware world.

    Are you currently having any problems?
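    Added example, not code from the poster or from MajorGeeks: a Python helper that parses a `dir /T:C` (creation-time) listing of a folder such as system32 and lists the executables created inside a short window, split into zero-byte and non-zero-byte files, which is the check tech did by hand above. The listing, dates and sizes are constructed; only the name scmt16.exe comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed `dir /T:C` listing (not the poster's real system32 listing);
# the file names, sizes and timestamps below are made up for the example.
SAMPLE_DIR_LISTING = """\
 Directory of C:\\WINDOWS\\system32

03/18/2006  07:20 PM             5,213 scmt16.exe
03/18/2006  07:20 PM                 0 dropper1.exe
03/18/2006  07:31 PM                 0 dropper2.dll
03/18/2006  07:34 PM                 0 notes.txt
08/23/2001  05:00 AM         1,032,192 kernel32.dll
03/18/2006  09:10 PM                 0 later.exe
"""
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S.*)$")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")

def parse_dir_listing(text):
    """Yield (created, size_bytes, name) for every file row of a dir listing."""
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue  # header, <DIR> rows and the summary lines are skipped
        created = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%Y %I:%M %p")
        yield created, int(m.group(3).replace(",", "")), m.group(4)

def created_in_window(text, start, minutes):
    """Executables created from `start` ("MM/DD/YYYY HH:MM AM|PM") up to
    start+minutes, split into zero-byte and non-zero-byte name lists."""
    begin = datetime.strptime(start, "%m/%d/%Y %I:%M %p")
    end = begin + timedelta(minutes=minutes)
    zero, nonzero = [], []
    for created, size, name in parse_dir_listing(text):
        if not name.lower().endswith(EXEC_SUFFIXES):
            continue  # only executable-type files are of interest here
        if begin <= created <= end:
            (zero if size == 0 else nonzero).append(name)
    return {"zero_byte": zero, "non_zero": nonzero}
```

On a real box the listing comes from `dir /T:C C:\WINDOWS\system32 > listing.txt`; the zero-byte files are the ones the antivirus likely blocked mid-write, while the non-zero ones created in the same minutes deserve a closer look.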
     
  3. tech

    tech Private E-2

    1) Whew, good to know!

    2) No kidding!

    3) No one on that computer plays online poker games, nor did my aunt install that program, at least not intentionally (frantically closing down popups, you never know what someone might've clicked).

    As listed in ZoneAlarm:
    "C:\Documents and Settings\Wedemeyer\Application Data\WholeSecurity\CAT\WSOOPScan.exe"

    First I used the Start Menu/Run... command to try and open the directory WholeSecurity\CAT\, and then WholeSecurity. Not there.

    I manually went into My Computer and Application Data and it definitely wasn't there.

    Then I used the windows Search feature to search for:

    wsoopscan.exe
    *wsoop*.*
    ws00pscan.exe (in case what looked like the letter "O" was a zero)
    *ws00p*.*

    I searched in the same way you detail here:
    http://forums.majorgeeks.com/showthread.php?t=74219

    Nothing, naughta. The program appeared out of nowhere that night, tried to access the internet, and around an hour later when I checked it had just disappeared, if it was ever there. Can a program fool ZA into thinking it has another name/dir? Or did it just delete the file/dir afterwards?

    There were two times when ZA crashed, comp froze, and I had to restart. Keeps me worried.

    4) Ahh, I have much to learn.

    No problems, things seem fine now. Now that I know the HJT log is clean, I guess I'm just paranoid about that missing WSOOPscan. "Just because you're paranoid, doesn't mean they aren't out to get you."

    Thank you very much for your help. You're the man, chaslang!

    -- Tech
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Firewalls can get fooled when a DLL hooks (attaches) itself to another process and is run via that process. This happens very often when malware attaches itself to Internet Explorer and all the firewall sees is iexplore.exe which we all allow to have full access.
     
  5. tech

    tech Private E-2

    Ahh, tricky! In that case would ZoneAlarm tell me it was a "Changed Program", or might it not detect the hooked DLL?

    Can I ask you one more question, I just thought of this:

    There were no profiles set up on the computer. But when I log into Safe Mode, it shows an "Administrator" and "Owner" account. Should I perform the recommended malware scans from both these profiles?

    Thanks again chaslang! Dang, you help a lot of people on this forum. Hope you have a good weekend,

    -- Tech
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! That was my point. If a DLL is attached to a running process, all a firewall sees is the running process which in the case of iexplore.exe (Internet Explorer) has full access. That is why malware tries to use BHOs (Browser Helper Objects) which attach to IE.

    When you boot in safe mode, only accounts that have administrator privileges will be listed. The Administrator account is on your PC by default (make sure you have given it a password - the default is none and this is a security hole which is discussed in How to Protect yourself from malware!).

    Your Owner account is the one you created when you first powered up your PC and it is an admin account too since it shows in safe mode. To be really sure you are clean, all accounts should be cleaned. Each account has its own registry entries. I would not worry about running Panda & Bitdefender on them, but you should use all the other scans.

    Which account did you run the steps in before you posted message number 1? You had to choose one of these to run in safe mode.
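    Added example, not code from this thread or from MajorGeeks: a small Python triage script for the BHO mechanism chaslang describes. It reads a `reg export` of the Browser Helper Objects key together with the matching CLSID registrations and flags any BHO whose DLL lives outside Program Files or the Windows directory, or that has no InprocServer32 at all. The registry text, CLSIDs and paths below are constructed.

```python
import re

# Constructed reg-export text (not from the thread): three registered BHOs,
# two of which have an InprocServer32 registration. CLSIDs and paths are made up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-3333-3333-3333-333333333333}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\ExampleHelper.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Documents and Settings\\Owner\\Application Data\\Hidden\\wsxyz.dll"
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
BHO_KEY = "\\Explorer\\Browser Helper Objects\\{"
# Where a legitimately installed BHO normally lives on an XP box.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

def parse_reg_export(text):
    """Return (registered BHO CLSIDs, {CLSID: InprocServer32 DLL path})."""
    bhos, servers, key = [], {}, ""
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group(1)
            if BHO_KEY in key:
                bhos.append(key.rsplit("\\", 1)[1])
            continue
        m = DEFAULT_VALUE_RE.match(line.strip())
        if m and key.upper().endswith("\\INPROCSERVER32"):
            # reg export writes backslashes inside string values doubled
            servers[key.split("\\")[-2]] = m.group(1).replace("\\\\", "\\")
    return bhos, servers

def triage_bhos(text):
    """Tag each BHO as (CLSID, DLL path, verdict) by where its DLL is installed."""
    results = []
    bhos, servers = parse_reg_export(text)
    for clsid in bhos:
        path = servers.get(clsid, "")
        if not path:
            verdict = "no-server"  # stale or broken registration, still worth a look
        elif path.lower().startswith(TRUSTED_PREFIXES):
            verdict = "trusted-location"
        else:
            verdict = "suspicious-location"
        results.append((clsid, path, verdict))
    return results
```

Location alone does not prove a BHO is good or bad, so treat the verdicts as a starting point for checking the flagged DLL's vendor and signature, not as a final answer.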
     
  7. tech

    tech Private E-2

    Wow, I guess I always thought ZA afforded me a little more security concerning things that might already be on a system. Thanks for clueing me in!

    To answer your question, before I posted message number 1, I performed all scans in the "Owner" account. A number of items were found and cleaned. Then I posted, you looked at the HJT log, etc.

    After my last post, I went ahead and performed all scans in the "Administrator" account, just in case. Things were clean fortunately, nothing found.

    Question: Does that sound fine for all the malware scanning?

    Thanks for all the info on XP accounts! It cleared things up for me, I've had confusions on how they work. I'll be sure to give the "Administrator" account a password. I'll also be sure to follow the advice in "How to Protect yourself from malware!" next.

    Question: I used to think the only use for password-protecting user accounts was to prevent access when someone is physically sitting in front of the computer. But does this also give some additional security when it comes to malware and internet threats?

    One more question: Of course all accounts that appear in safe mode (which would have administrator privileges) should be scanned. Would it be a good idea to also run scans on any non-admin accounts that only appear in normal mode, if there ever were any?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All firewalls work the same way. Security starts with you and what you run on your PC. iexplore.exe is a valid process that a firewall cannot block. If it does, you will not have any access to the internet from your browser. If you install something that you allow to attach to IE, you are the one giving it permission to run not ZA.

    Yes that sounds good.

    Yes! That is why you need to protect your Administrator account (and also others). It is also why the Guest account on a PC is normally disabled for security reasons.

    Yes! All user accounts can get infected. It does not mean they are infected just because one or more other ones get infected. But it also does not mean they are clean. Malware can do all kinds of unexpected things.
     
  9. tech

    tech Private E-2

    Thank you for all the valuable information, and all your help. I greatly appreciate it! Consider this one well-resolved thread.

    The system's clean, security soon to be reinforced, and I'm good to go! :cool:

    -- Tech out
     
