From: beto on 30 May 2010 21:05

Hi all,

A few days ago on May 27th, I was online and Norton Anti-virus 2010 removed a few things it detected. It said "Download Insight detected launch of ynhupl.exe" and it was quarantined, medium level risk at 12:06 AM. Next, "Download Insight detected launch of fkvfto.exe", also quarantined, medium level risk at 12:07 AM. At 12:08 AM "Suspicious.MLApp detected by Auto-Protect" was quarantined, high level risk.

And now here is where things got more complicated. At 12:20 AM Norton anti-virus began to block intrusion attempts by an attacking computer(s). The first was "An intrusion attempt by 91.212.226.67 was blocked. The attacking computer is: 91.212.226.67, 443 and it said the attack was resulted from \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

At 12:30 and 12:40 AM there was an intrusion attempt by 91.212.226.59, 443 that were also blocked. At 12:50 and 1:00 AM an intrusion attempt by 202.157.171.207, 443 were also blocked. I received a total of 19 blocked intrusion attempts the last one at 3:54 AM. The next day on May 28 I went online again and the intrusion notifications began at 1:39 AM. There were 12 intrusion attempts blocked until 3:52 AM which was the last. Also on May 28, in between the intrusion attempts two viruses were quarantined at 2:47 AM, ynhupl.exe (Trojan.FakeAV) and fkvfto.exe (Backdoor.Tidserv) and were detected by Auto-Protect. When I shut down the PC around 4 AM on May 28, I noticed it took a while longer than usual for it to shut off. It stayed at the empty blue screen for about a minute and then finally turned off.

On May 29 the next day around 1:30 AM I turned on the PC to go online and it took a while longer for the PC to start and the original Windows XP theme was changed to Windows Classic. The theme I had, the original one with the blue task bar and the green start button was now in classic mode. I disconnected the router in case the intrusion attempts continued. Norton Anti-virus 2010 was still working, the icon for it was in the bottom right of the task bar and I could launch it, but there was also a red Windows Security Center shield that I could not get rid of. So I went to msconfig and restarted the PC in safe mode. I did a full system scan and 32 threats were detected. About 31 of them were tracking cookies which were removed and 1 virus needed to be manually removed which I did. I believe the file was tcpip6 and it was located in C:\Windows\System32\Drivers. After I removed it I restarted the PC in normal mode without doing a system restore. It started up taking a while longer to boot up as it did earlier and now Norton Anti-virus no longer worked. The red Windows Security Center shield was still there at bottom right of task bar. I ran Norton Anti-virus from bottom right task bar, which the icon now had a blinking red dot over it, and when it launched it said there were 2 things needing attention. They were both something to do with emailing out and in. I couldn't look at the recent history or do a full system scan.

So I did a system restore to May 12 but it was unsuccessful, it could not be restored. So I restarted in safe mode, and I was able to do a full system scan. Nothing was detected, so I did a system restore to May 12, but it still couldn't be restored. Today May 30 I turned on PC and Norton-Antivirus no longer appeared in the bottom right taskbar. It was still under Start and Programs but when I tried opening it nothing happens. Until about a minute later when this tiny 1 inch window appears with no title just the Norton anti-virus icon and a minimize _ and X. It's just like the top of a window, the bar, with the icon and the minimize and close options. I restarted in safe mode and tried a system restore to May 19, and it worked this time, but the PC loading took a while longer than usual again and nothing seemed to change. The red Windows Security Center shield is no longer on the bottom right taskbar, but Norton Anti-virus also doesn't load, doesn't appear on taskbar. The taskbar theme is still on Windows Classic, and when I right click on the desktop and go to display properties, I could not find the original theme. I did a search for themes and I found it but I couldn't set it until I started the Windows Theme service in Control Panel under Administrative Tools and Computer Management. So the PC still needs to be repaired, but I don't know what else to do other than a full re-install. Norton Anti-virus seems to still be installed, but doesn't work, I try running ipconfig in run mode to see my IPs and a window pops up for a second and disappears.

I am wondering if there is a way to run a full anti-virus scan with another program that would detect whatever is causing this, but if having Norton Anti-virus 2010 was compromised, who knows what could work. I have an HP Media Center PC m370n, Windows XP Service Pack 2, 2.8 GHz, 512 MB. Thanks for any help,

Beto

From: nass on 31 May 2010 05:04

Hi,

Download the Hijackthis and send the report to one of many forums for analysis and troubleshooting or you can send it to me on my email provided at the bottom:

When all else fails, HijackThis v2.0.2 (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at to_you_rossREMOVETHISCAPS(a)yahoo.co.uk , remove the obvious to email me.

HTH
nass
---
http://www.nasstec.co.uk

From: Ǝиçεl on 1 Jun 2010 01:01

Hello Beto,

Because you had one piece of malware, the chances are also high that you had others. It would be a good idea to scan.

I recommend downloading and installing MalwareBytes' Antimalware (MBAM) and SUPERAntiSpywaяe (SAS). Do a FULL scan with MalwaяeBytes' and SUPERAntiSpywaяe.

<http://www.malwarebytes.org/mbam.php>
Reboot
-=-
<http://www.superantispyware.com/>
Reboot

The programs are free. (There is a paid version but you don't need to buy it to remove malware.)
-=-
Windows Live OneCare Safety Scan
Windows XP
<http://onecare.live.com/site/en-us/default.htm>
expect your computer to be unavailable for some time.

Don't work on your computer whilst the scanners running though, it messes things up.

Please let us know if this helps

Ǝиçεl