Infection by nasty malware 2


johncp

Technical User
Aug 28, 2005
47
GB
Folks

Over the past few weeks my PC has been repeatedly infected with a very nasty piece of malware, the purpose of which seems to be to redirect web searches to ad sites, particularly for Groupon. It creates hidden dirs in the root dir and reg keys to run exes located in user/../temp dirs. Reinfections occur by crashing my browser (Firefox 3.6.17). If I remove the malware/keys I get reinfected again within a day or two.

I suspect that Silverlight is involved. Here is a dir /s listing of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight
I know very little about Silverlight so would be grateful if someone more knowledgeable can comment on whether its contents are 'kosher'.

dir /s C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight
gives:-

31/05/2011 23:04 <DIR> is
11/07/2011 21:56 77 mssl.lck

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is
31/05/2011 23:04 <DIR> utb2fraa.jah

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah
31/05/2011 23:04 <DIR> zgznrtuj.qtb

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb
31/05/2011 23:04 <DIR> 1

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1
18/06/2011 12:03 <DIR> g
31/05/2011 23:04 <DIR> l
18/06/2011 12:03 <DIR> s

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g
31/05/2011 23:04 <DIR> gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011 12:03 <DIR> zyrvs3qsra0qmqdkjnogznvtdjoizt0kfep5hwwtoqo4itg5elaaaaba

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
31/05/2011 23:04 34 id.dat
31/05/2011 23:04 8 quota.dat
31/05/2011 23:04 8 used.dat

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\g\zyrvs3qsra0qmqdkjnogznvtdjoizt0kfep5hwwtoqo4itg5elaaaaba
18/06/2011 12:03 18 id.dat
18/06/2011 12:03 8 quota.dat
18/06/2011 12:03 8 used.dat

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\l
File not found

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s
31/05/2011 23:04 <DIR> gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
18/06/2011 12:03 <DIR> pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha
31/05/2011 23:04 <DIR> f
31/05/2011 23:04 56 group.dat
31/05/2011 23:04 34 id.dat

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s\gcdjzxxajx2n1cbv4jurqx3yfvqbgmuprn5pq5wiiwc0vhfzmyaaagha\f
31/05/2011 23:05 2,989 __LocalSettings

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s\pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca
18/06/2011 12:06 <DIR> f
21/06/2011 15:56 56 group.dat
18/06/2011 12:03 64 id.dat

Directory of C:\Users\johnp\AppData\LocalLow\Microsoft\Silverlight\is\utb2fraa.jah\zgznrtuj.qtb\1\s\pkbdxfnitekap1o0ei3wfxgq5twsk5xgoqkxhmx3bj4gdqbtpdaaacca\f
18/06/2011 15:48 154 __LocalSettings

Regards

John


 
Hmm, based on BadBigBen's post linked below, I think you may want to just use FileHippo.com or MajorGeeks.com at least for a while as opposed to download.com

thread760-1658790
 
Hi Mako

"You really need to start your own thread"
Definitely.

"I got it a month ago and didnt pay much attention to it, since MBAM didnt detect anything"
Antivirus s/w does not pick up everything and IMO should not be relied on.

kjv advises a reinstall. This is the hairy-chested solution . . . but it can be a real pita to restore your m/c afterwards, particularly if you have legacy stuff.
F'instance, are you sure you know which codecs to reinstall to allow Classic Media Player to run those old vids, or what you did to get those Office 97 .hlp files to work under Vista, or which driver version fixed that adapter problem?

You don't report any steps taken to look for the malware. Have you done really basic stuff like looking at your running tasks/services to see if there is stuff you don't recognise?

The cmd shell is always my first resort. It only takes a few minutes to search for stuff installed circa the date your problems commenced. The following paginates a list of all exes created in July 2011. Execute it from the root dir. [/a:s] and [/a:h] are exclusive options which list system/hidden exes.

>dir /s /t:c [/a:s] [/a:h] *.exe | find "07/2011" | more

In Vista the command to run windows defender for file scanning is

>MSASCui.exe

and the command (options) to check the integrity of/fix windows system files is

>sfc /?

What steps have you taken to find the malware?

John
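A triage script along the lines johncp describes above, added here as an example; it was not posted in the thread and is not anyone's tool. It assumes PowerShell 2.0 (what Vista can run) and an elevated prompt; the script name Find-RecentPersistence.ps1, the 1 July 2011 window start and the Temp/AppData path pattern are my own choices. It keeps the full path on every row, which the `dir /s ... | find "07/2011"` pipeline loses (the "Directory of" header lines never contain the date string, so find drops them), and it also walks the Run/RunOnce keys and the process list for anything living under Temp or AppData, the pattern the original post describes.

```powershell
# Find-RecentPersistence.ps1 (hypothetical name). Added example, not from the thread.
# Checks the places johncp describes: hidden root-level directories, executables
# created in a date window (dir /s /t:c equivalent), Run/RunOnce values and running
# processes that point into Temp or AppData. Written for PowerShell 2.0 so it runs
# on Vista; run from an elevated prompt so HKLM and every directory are readable.
param(
    [datetime]$Since = (Get-Date '2011-07-01'),   # assumption: "circa the date your problems commenced"
    [string]$Root = "$env:SystemDrive\"
)

# Assumed regex for "lives under a Temp or AppData directory" (Vista's Temp is under AppData\Local).
$suspectPath = '\\(Temp|AppData)\\'

# 1. Hidden directories directly under the root of the system drive (dir /a:h equivalent).
Write-Host "== Hidden directories in $Root =="
Get-ChildItem -Path $Root -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
    Select-Object FullName, CreationTime, Attributes

# 2. Executables created on or after $Since, hidden/system files included (-Force),
#    full path kept on every row.
Write-Host "== Executables created since $($Since.ToShortDateString()) =="
Get-ChildItem -Path $Root -Recurse -Force -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName

# 3. Run/RunOnce values whose command line lives under Temp or AppData.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Autorun values pointing into Temp/AppData =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSChildName/etc.
        if ("$($p.Value)" -match $suspectPath) {
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 4. Running processes whose image was loaded from Temp or AppData.
Write-Host "== Processes running from Temp/AppData =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -match $suspectPath) } |
    Select-Object Id, ProcessName, Path
```

Save it and run `powershell -ExecutionPolicy Bypass -File .\Find-RecentPersistence.ps1 -Since '2011-07-01'` from an elevated prompt. Creation timestamps are written by whoever creates the file and can be backdated, so an empty list from step 2 is weak evidence; the Run-key and process checks do not depend on timestamps at all.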
 
johncp said:
kjv advises a reinstall. This is the hairy chested solution . . . but it can be a real pita to restore your m/c afterwards, particularly if you have legacy stuff.
F'instance are you sure you know which codecs to reinstall to allow classis media player to run those old vids. or what you did to get those Office97 .hlp files to work under Vista, or which driver version fixed that adapter problem.

I'll go out on a limb... well, I don't think I have to go far to say... that for most people... most situations... most computers... it is WAY faster and easier to just go through a reinstall than it is to track down all possible malware. MOST people don't have problems with specific codecs, etc. True, you can run into them, but most of those issues can be avoided. I've probably just got a fried brain from work right now, but what does m/c stand for in your post?

Anyway, examples for issues:
1. MS Windows - If it's an OEM machine such as Dell or HP, and you have your original Windows install Disk, just use that... at least since Windows XP, you shouldn't usually (best I can remember) have to even worry about the Product ID for that.

2. MS Office - Just make sure you've got your disk and SN. If you paid the price for Office, then surely it was important enough to keep in a file drawer or something.

3. Codecs - MOST of these issues can be resolved by using a player that can handle most everything without having to install codec packages. For instance, vlcplayer and kmplayer. Others as well, I'm sure. But if you never installed a particular codec or package in the first place, then you won't have to worry about that now.

4. Really, this maybe should have been #1. Unless you made any complex tweaks/changes to your system since you bought it, if it has a system recovery partition or disk/set of disks, then you can also use that - that will cover all your drivers, etc... just leaving you with putting your backed up data back onto the machine, changing software and settings as you see fit, and making sure everything is up to date. Frankly, if you use Windows/Microsoft Update, then most updates will pretty much be taken care of.

5. Drivers - just make sure you've got the info for your network adapter driver available before the reinstall. Well... if you have an Acer, Emachine, or Gateway, you may have more issues with drivers than HP or Dell... at least that's what I've found... and even so, it's usually not horribly difficult. Windows Update will usually take care of most or all your drivers for you. Also, if you have an Intel system or any Intel component, they have a nifty driver checker on their site.

Well, I gotta go... I'll try to check back later..

 
let me add to KJV's excellent post, under #3:

Codecs are no problem at all, even for the OLD stuff, all one has to do is download the K-Lite Mega Codec Pack (clean and tested) from Free-Codec.com or Codec Guide...

but I agree also that installing a media player such as VLC takes care of most encoding/container formats that are out there...


and spending more than a week on trying to hunt down malware and cleaning their effects on the OS, is a waste of time and does not always resolve the issues at hand, thus if a system is infected the most prudent way to deal with it would be to nuke it and reinstall...



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"