Показано с 1 по 3 из 3.

AV warned I was infected by W32/Sality.aa + 4 Trojans, but under odd circumstances

  1. #1
    Junior Member Репутация
    Регистрация
    17.04.2010
    Сообщений
    2
    Вес репутации
    25

    AV warned I was infected by W32/Sality.aa + 4 Trojans, but under odd circumstances

    Greetings from Beverly Hills, California.
    I have followed your instructions carefully, (after a full 60 hours of many other attempts, so I'll be brief but there are factors you'll want to know), and have attached the three log files requested.

    Facts not included in the logs:
    • At 1 pm on Thurs 4/15, I was online using GoToMeeting (citrix.com) a reputable service for letting my writing client see my computer screen; I used the latest Firefox, had trusted site fluentself.com open and was typing the address to open my favorite ittybiz.com, when a different, unknown domain suddenly showed in the address field (scaner32.org) and two warning screens instantly popped up --
    • Because I'd just scanned with McAfee that morning, and had not typed in the domain, and 1 screen said I had a Virus and to download a software I'd never heard of, and the other looked like a fake MS Security warning about 4 trojans (listed below), I thought it was a phishing scam and took a screenshot of it, discussed it with my client who could see it via the GoToMeeting portal before I ended that session, and tried to close out of the browser.
    • My screen was frozen, none of the YES/NO buttons on the two warning pop-ups would work, I had to unplug my (secure) USB-wireless connection (to a router in the next room for a cable connection) and shut down the CPU.
    I mention all this because a week before, I'd installed SP3 and used 1-Click Fix It (before or after, can't recall, sorry), and my system started having two distinct problems:
    1) many browser failures with error 0xc0000005 -- the protected memory error (I read up on DEP) -- and:
    2) my right-click stopped working for 90% of my usual tasks, like emptying the trash, or opening a file, etc. It would give me the same error box for 0xc0000005 and close out whatever, including the desktop, often losing my desktop and requiring an "active desktop" series of confirming settings.

    So before 4/15 happened, I'd been trying to solve those issues:

    I got an account at openDNS.com;
    I changed the DEP settings to include an exception for explorer.exe;
    I changed the open port settings so only the http port 80 was open;
    I confirmed that no one was on my network -- I have always had remote access OFF and all the other vulnerabilities listed in #8 of the avz log are things I do not allow, like net meeting, IM, that junk, I had disabled that access all along.
    .

    A few others things like that -- anything I could find on the net about private memory and Data Execution Prevention and what might have gone wrong.

    I ran several free scanners, like malwareBytes, TuneUp Utilities 09, 4 others I can tell you... and my McAfee said all was fine...

    And this was BEFORE the Virus/Trojan attack/warnings on 4/15.

    I have the screenshot (jpg) of the warning screens, but I couldn't find any site called scaner32.org, so that worried me. That's the domain that popped a warning saying I had Virus.Win32.Sality.aa.

    The MS Security Center, which I confirmed later did look real, warned of these 4 problems:
    • Trojan.JS.Popupper.f -- in -- regedit.exe
    • Trojan.Win32.Agent.ae --in-- cryptsvc.dll
    • TrojanJS.Redirector --in-- dpnaddr.dll
    • Email-worm.Win.32.Merond.a --in-- idndl.dll
    (I'd had a few email worms back in '98, 2000, like Ethan, but they'd been archived years ago -- still, they got found in the big scan.)

    So Friday night I downloaded and ran the latest Kaspersky Virus Removal Tool autoscan -- but it ran (in safe mode) from 1 am until 9 am and was only 57% finished (and over 500,000 or 5,000,000 objects -- I only glanced) but I tried to minimize the screen and accidentally shut it down ~ ! OH NO! Still, I have that log file of the vulnerabilities (patched by MS today per securelist.com), and of the disinfected old emails, plus some that were untreated as "could not be written" (?), and so on.

    But in that long 8+ hour scan, Kaspersky did not find any of the Trojans or the Virus I was warned of.

    I DO have access to safe boot (but both McAfee and MS Security System says my firewall and scanning are off and can't be started due to "error" when in safe mode -- in regular mode they look fine, but that's a symptom of Sality.aa...

    I DID see the Registry keys for "security center" saying 'disabled" but I don't know what the ones and zeros stand for, which is yes, and which is no, so I didn't try to edit the Registry, although I can access it, and I could delete the leftovers of a program, Bonjour, that I don't remember and uninstalled just in case it was allowing access.

    But having the AV programs funky, and getting the Data Execution Prevention error 0xc0000005 almost every time I right-click, try to open, start, rename or delete a file/icon/anything, and those warning screens... I'm a mess!

    I did disable System Restore before any scans;
    I did re-enable the DEP for its default with no exceptions;
    I did remove my Outlook Express and a few other programs from Start-Up because I was worried about a virus getting into my email address book and haven't opened it; and,
    I have disabled access for anything I thought might auto-start and didn't want the bad guys to access -- I hate just being online right now (although most of my job needs to be connected and I'm losing work!) because I don't trust these AV/firewalls that say they're fine...

    OH MAN! Sorry I've gone into such detail! But these things are not in the log and ARE a big part of the context...

    So I followed the instructions on the Kaspersky Tool to do the Manual Removal because I thought it would just be a cut and paste! They are not clear that when I clicked their "submit file" link, I'd find you guys and needs to sign up, download scanners, upload logs, etc... So I still have their log too -- but I'll let you ask if you need it, per your instructions.

    Many thanks for your help -- I hope this is intriguing enough that you can help me soon... my business is just me and my computer and my screenwriting clients online... ("scripts" are screenplays in my world, not strings of java or whatever -- ha!)

    Let me know if you need anything else, like the quarantined file (it's 10 years old and hasn't been touch, and only suspicious...), and I'll be much, much shorter -- !

    Thanks -- from the middle of the night (yikes! I'm exhausted!) --

    Blair
    PS: sorry, one last thing: I saw a log that said things were done "by user" or something like that, and they didn't sound familiar, but because my I keep losing my net connection -- even though I have a strong and constant wireless connection per my status bar signal -- every time it shuts down when I'm in the middle of something, I worry what it's doing to it all.
    Thanks for listening... gotta go get some beauty sleep ~ with the stress of this last week with the computer, I need all the help I can get ~ ha!
    Вложения Вложения

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,108
    Вес репутации
    2997
    Hello,
    I found nothing suspicious in your logs.
    Remove Bonjour if you don't use it.

  3. #3
    Junior Member Репутация
    Регистрация
    17.04.2010
    Сообщений
    2
    Вес репутации
    25

    Interesting, but still a mysterious problem, right?

    Thanks so much, Rene-gad -- you (and the other scanning programs) didn't find the warnings (see attached jpg of the warning screen with the domain that I did not enter, hxxp://Scaner32.org) --

    I had already uninstalled Bonjour hours before the scan, thanks for the reminder to get rid of any last bits you may have seen.

    Bust since I still have the horrible issues that preceded the virus alert, do you think that the warnings were phishing, and that McAfee might have stopped anything from entering, even though it shows no events? (No other virus scanners or removal tools or MS security show anything about those Trojans & Sality.aa on my system...!)

    It's a terrible mystery -- got any ideas for where I can look to solve this, Detectives?

    Many thanks with big appreciation for your advice --

    ~Blair
    PS: I tried to upload the jpg of the warning screen, by again got the "can't find server" and 0xc0000005 errors and crash; now I've come back an rewritten this, and don't see the jpg attachment, but it says I've uploaded that about of kb, so maybe it's in here somewhere... these symptoms make everything nearly impossible...

Похожие темы

  1. Multiple Trojans, some unremovable
    От Mxbn0 в разделе Malware Removal Service
    Ответов: 2
    Последнее сообщение: 03.09.2010, 05:35
  2. Can't rid of of trojans.
    От jumbo255 в разделе Malware Removal Service
    Ответов: 9
    Последнее сообщение: 31.08.2009, 20:12
  3. Several Trojans
    От jgudiel99 в разделе Malware Removal Service
    Ответов: 15
    Последнее сообщение: 16.03.2009, 05:50
  4. rootkit and trojans
    От unseen666 в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 20.02.2009, 12:32
  5. Ответов: 5
    Последнее сообщение: 04.09.2008, 11:00

Метки для этой темы

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.01168 seconds with 20 queries