Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infection

First a little background on my system. I have been using Symantec for 5 years since licenses are only $5 from my employer. Never really liked it, but it worked and I’ve never had any spy/malware or viruses (confirmed by multiple online scans). ~3 weeks ago I changed to Nod32, Comodo and Proxomitron - Seemed to work well. Then on recommendations (from other users of this forum) in a post I made Sunday, I also installed the trial of Ewido Anti-Spyware (Now AVG), SpywareBlaster and SafeXP on Monday evening.

Summary:
Nod32 AV– Blackspear’s setup, auto-update (I just bought a 2 year license)
Comodo Firewall – Auto-Update, very conservative custom ruleset.
Proxomitron – Set to block ads and most scripts.
AVG anti-spyware 7.5 – All shield elements on
SpywareBlaster – updated and set to the recommended
SafeXP – used the recommend setup
WinXP Pro SP2 – New install, all updated just installed the week prior.
All this behind NAT+SPI hardware firewall

Yesterday (Tuesday) afternoon I was browsing the internet when I got an e-mail from a friend. It had a link to one of those funny movie sites (user submitted videos-I can’t recall which one at the moment)… Anyways, Windows Media player 10 opens the WMV file and the whole computer slows down to a stop, SH*T! I pull up TCPMon and there must have been 30 active connections of mplayer and another 30 of proxomitron – all the connections for each program pointing to different outside IP’s. I quickly drop all of the connections and assess the damage.

Sure enough, XP event viewer lists:
-Max number of network connections reached.
-Some random service, edfghchpdq.exe, as starting, now running and stopping.
-Error: Application failed to impersonate /UserID (now on every boot since)

There was also a prefetch item for the edfghchpdq.exe file in the windows prefetch folder.
NONE of the security scanners did anything. No alarms and nothing in the logs. Firewall blocked a few of the connections from mplayer on weird ports. NAT blocked any incoming.

So I guess this looks like some Windows Media Player 10 vulnerability, the ability to download and execute a file from instructions within a WMV file, all from within the Media Player. I remember Microsoft patching a WMP 10 vulnerability like this last year.

Scanned with Nod32 and AVG Spy-ware: nothing found
Installed and scanned with A-Squared: nothing found
Installed, updated and scanned with Bitdefender 8, found nothing.
Hijackthis: everything is normal, nothing odd.
StartupList: everything is normal, nothing odd.

Did some online scans:
CA: found nothing
Symantec: found nothing
Kaspersky: Gets stuck in the /system volume information/ folder, (I left it for 6 hours, had not moved - not frozen, still scanning) – stopped it, found nothing
TrendMicro House Call: Scans in under 20min and lists 2 keyloggers and 2 trojans. (I’m currently at work, I can post the names later.) This scanner does not tell you what file is infected, where it is on the drive or any other information. I question how accurate this scanner actually is.

This leaves me with a compromised, un-trustable system that acts odd, has funny files on it and a whole bunch of security software bullshit that could not help me the first time I needed it. This might be the first and last strike for Nod32. I can re-format and restore the system, it will take an hour,not a big deal. This just proves that the best security tool is your backup.

BTW, I’ve never had this happen to me when using Linux.

-nate

 

Glad you posted. Not many here come across malware, and I think the reality of things can get by people at times. Rather than address your specific situation, I hope you don't mind if I just add my thoughts and observations to your message.

Fact is that the best of the best of all software can fail with an innovative new piece of malware, especially if you happen to do something to help it on. I can honestly say that I've helped folks with that were armed to the gills with rediculous amounts of software that still got infected, and at the same time I also know people that use literally nothing and never have a problem. For my part NOD32 has shown great results, but 100% security is simply not acheivable.

Personally I am now more in favor of alternative approaches that include getting more information before allowing anything on my computer. Getting informed and learning how to avoid bad situations will do more than any software you can install, although there are some great tools that you can install to help the process. Ultimately it's important to understand what each program can actually do for you, and how it does it. Obviously someone that installs something thinking it does something else will leave holes wide open. Ultimately security is about the choices you make and how aware and cautious you are of the threats that are out there; security cannot be downloaded and installed! IMO/IME, simply knowing the threats and how they work will do more for someone than any combination of software. There's an unlimited amount of ways that your system can be compromised, but how many know how relevant their software really is to what's actually out there?

Again, I'm not saying any of this applies to you, Cactus.Ed, just speaking generally. I think that ultimately your post accentuates the need to not rely entirely on software, that any amount of software can, and does, fail at some point. It takes more than just installing something to stay safe. I hope that doesn't sound like I'm saying that one needs to be a security expert to stay safe, as I don't belive it is or should be, but I do think that one does need to take security seriously, pay attention to the news and others' experience, learn to take reasonable measures, and explore your options, then hope they don't have to learn about things the hard way. Most people don't have the time to get into everything, but security deserves the kind of consideration that any important decisions require.

 

Sorry, this was more a venting of frustration. I understand that 100% security is not attainable. I was just disappointed that, 1. Nod32 did not prevent the install of the trojan/malware and 2. Nod32 still will not pickup any form of trojan/malware on my system. Everyday it seems as if there is more gray area in what is safe and what is not safe. Wow, next week it might not be safe to view text files online. I think Microsoft has really dropped the ball and needs to get their products secure BEFORE adding features. I can understand downloading a virus/malware that has been packaged with some shareware that you have to install, but to have a “wmv” video file open Windows Media Player, open connections through Media Player, download an executable file and run it with no user intervention is a different.
-nate

 

Hope my comments didn't seem directed at you, I was more trying to add to your message than speak to you personally. My take may have been coming from another direction, but I see what you are saying and what I'm saying as ultimately synergistic

I'm not so sure that it would be that easy for Microsoft. They can make it secure as possible, but there will always be vulnerabilities, and as long as the majority is using Windows there will be lots and lots of [financially motivated] bad guys to find and exploit them. What complicates things is MS's need to satisfy the needs of literally billions of different users, each with a unique system. Even Mac can be worm'ed (as has been shown), but there's just not good reason for the bad guys to do so extensively at this point, although I'm sure it will happen sooner or later.

 

Hi,folks: Hi nate, I fully understand what you have been thru. I was there, loaded w/ multi-layered defence system, and hoping this would give a peace of mind. Not so, just a slip of care, my plan bubblized, vaporized. I guess those malware script writers are often smarter than app analysts. Now I am taking a completely different approach; utilizing sandbox/virtul concept, and able to contain malwares in that virtul box. Upon reboot, it is gone w/o any trace. I only need few and fewer security apps and enjoy safe net surffing day after day. Try it.

 

Sorry what happened. You can post a HJT log here if I can help.

 

No, hijackthis is clean. I can't figure this one out. It works by injecting its process in to every other process that the logged in user has access to. It controls other processes by modifying them using svchost and explorer - bypassing most AV rules, since explorer and svchost are OK by most filters.

I can't find where the source is though, must have modified the actual system files. I restored the registry to a clean one, along with all the ini, sys, and other loader files - all clean.

I’ve restored the OS already on a different drive; I’m saving this one until I find out WTF it is.

I downloaded Kaspersky, it’s been the only AV that has been able to see the process in action. (Kaspersky calls it, “New Injector”, all other AVs say the system is clean) Kaspersky can not identify the virus/Trojan yet because the virus/Trojan blocks updates (only blocks Kaspersky updates, all other AV’s update fine) and KAV 6.0 Trials definitions are old (7/06). Any attempt to terminate the virus/Trojan and it shuts down the computer.

I’ll let you know what I find out,

-nate

 

RKUnhooker
Create a report from Normal Mode and save it.

eScan
Then, run this from Safe Mode and save the log after the scan.

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Hello,
Cactus have you considered the possibility that you are not infected?
Mrk

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

If you have KAV build the bart pe recovery disk this might be useful?


I'd be interested to see what Prevx makes of this - should at least be able to indent clean parts from DB.

 

Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infection

running email attachments=Infection

 

Not an attachment, it was a text link.

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Considered... but svchost and explorer act odd and open connections to IP's all over the world. Some unknown service was opened and run right after media player went crazy. Also, infected XP install just quit responding - will not open log in screen. Please note this was a new install less than three weeks old. It had not been completely built yet. It olny had the security above on it, firefox, thunderbird and office 2003.

Sounds infected to me....

-nate

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Yes, I use and like BartPE. It has help me a great deal.

nate

 

Have you been able to run RkU and generate a report?

 

No, I did not run that tool as I did not have time to troubleshoot this morning. I ran Sysinternals "Root Kit Revealer" and it came up a couple entries that just said "...". I'll let you know how it works out.

nate

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Hello,
Question 2: Did you boot off CD and did some frozen-state inspections?
Mrk

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

@Cactus.Ed
All that sounds ominous and a TOTAL PITA
You are obviously experienced user...I not expert..this may help..

**rku may not fully work on NTFS

Clean all the tempfiles:
CCleaner: http://www.ccleaner.com/download/builds.aspx The SLIM version
ATF: http://www.atribune.org/content/section/4/30/
--run the latest vundofix for fun

Get gmer: http://www.gmer.net/
DarkSpy: http://www.fyyre.net/~cardmagic/index_en.html
See if you can find hidden services.
Unfortunately these tools are regularly being bypassed with annoying ease

PrevX: http://www.prevx.com/default.asp free trial for detection and removal
--get the grom removal tool and run it

Maybe dl and install BOClean: http://www.nsclean.com/boclean.html
Can sometimes even pick up trojans after install when they try and run

Drop a thread here: http://forum.sysinternals.com/forum_topics.asp?FID=18

Go to the malware removal forums as noted and get help; please let us know what happens or where you have gone for help.

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Could also try

IceSword XFocus Win Free / 5 Star 1.20

or

http://antirootkit.com/software/index.htm

Archon Scanner X-Solve Win Trial / New 1.0b
AVG AntiRootkit Grisoft Win Beta 1.0.0.13
Avira Rootkit Detection Avira Win Beta 1.0.0.11
chkrootkit Murilo & Jessen Linux, BSD. Free 0.47
DarkSpy CardMagic & wowocock 2K / XP / 03 Free 1.05
F-Secure Blacklight Beta F-Secure Win Free 2.2.1046
Gmer Gmer NT/ 2K / XP Free / 5 Star 1.0.11
Helios MIEL e-Security Win Free / New 1.1a
HookExplorer iDefense Win Free 1.0
ootKit Hook Analyzer Resplendence Win Free 1.01
Rootkit Hunter Boelen Linux, BSD. Free 1.2.8
RootkitRevealer Sysinternals Win Free / 5 Star 1.7
RootKitShark Advances.com Win Trial
RootKit Uncover BitDefender Win Free / New 1.0b2
RootKit Unhooker UG North 2K / XP / 03 Free / New 3.01b
SEEM AI, nunki Win Free 4.0
Sophos Antirootkit Sophos Win Free 1.1
System Virginity Verifier Joanna Rutkowska Win Free 2.3

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Simple format/write image from last weeks backup sounds a whole lot easier than running all that stuff....and usually only takes half hour or so.

-nate

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

LOL
Yes it does.
Is your image secure?

I was just interested in having a stickybeak as to what there might be lurking.

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Of course the image is secure, what's the point of having an insecure image?
-nate

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

Indeed - I would revert to backups rather than try to fix ....


but always intereting to find out what happened!

 

Re: Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infec

LOL again

None whatsoever!
No insecurities here. All insecure images to be taken out the back, thrashed, and disposed of at once.
Wrong word choice: is image clean?

Yes