Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infection

Discussion in 'malware problems & news' started by Cactus.Ed, Oct 25, 2006.

Thread Status:
Not open for further replies.
  1. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    First a little background on my system. I have been using Symantec for 5 years since licenses are only $5 from my employer. Never really liked it, but it worked and I’ve never had any spy/malware or viruses (confirmed by multiple online scans). ~3 weeks ago I changed to Nod32, Comodo and Proxomitron - Seemed to work well. Then on recommendations (from other users of this forum) in a post I made Sunday, I also installed the trial of Ewido Anti-Spyware (Now AVG), SpywareBlaster and SafeXP on Monday evening.

    Summary:
    Nod32 AV – Blackspear’s setup, auto-update (I just bought a 2 year license)
    Comodo Firewall – Auto-Update, very conservative custom ruleset.
    Proxomitron – Set to block ads and most scripts.
    AVG anti-spyware 7.5 – All shield elements on
    SpywareBlaster – updated and set to the recommended
    SafeXP – used the recommend setup
    WinXP Pro SP2 – New install, all updated just installed the week prior.
    All this behind NAT+SPI hardware firewall

    Yesterday (Tuesday) afternoon I was browsing the internet when I got an e-mail from a friend. It had a link to one of those funny movie sites (user submitted videos-I can’t recall which one at the moment)… Anyways, Windows Media player 10 opens the WMV file and the whole computer slows down to a stop, SH*T! I pull up TCPMon and there must have been 30 active connections of mplayer and another 30 of proxomitron – all the connections for each program pointing to different outside IP’s. I quickly drop all of the connections and assess the damage.

    Sure enough, XP event viewer lists:
    -Max number of network connections reached.
    -Some random service, edfghchpdq.exe, as starting, now running and stopping.
    -Error: Application failed to impersonate /UserID (now on every boot since)

    There was also a prefetch item for the edfghchpdq.exe file in the windows prefetch folder.
    NONE of the security scanners did anything. No alarms and nothing in the logs. Firewall blocked a few of the connections from mplayer on weird ports. NAT blocked any incoming.

    So I guess this looks like some Windows Media Player 10 vulnerability, the ability to download and execute a file from instructions within a WMV file, all from within the Media Player. I remember Microsoft patching a WMP 10 vulnerability like this last year.

    Scanned with Nod32 and AVG Spy-ware: nothing found
    Installed and scanned with A-Squared: nothing found
    Installed, updated and scanned with Bitdefender 8, found nothing.
    Hijackthis: everything is normal, nothing odd.
    StartupList: everything is normal, nothing odd.

    Did some online scans:
    CA: found nothing
    Symantec: found nothing
    Kaspersky: Gets stuck in the /system volume information/ folder, (I left it for 6 hours, had not moved - not frozen, still scanning) – stopped it, found nothing
    TrendMicro House Call: Scans in under 20min and lists 2 keyloggers and 2 trojans. (I’m currently at work, I can post the names later.) This scanner does not tell you what file is infected, where it is on the drive or any other information. I question how accurate this scanner actually is.

    This leaves me with a compromised, untrustworthy system that acts odd, has funny files on it and a whole bunch of security software bullshit that could not help me the first time I needed it. This might be the first and last strike for Nod32. I can re-format and restore the system, it will take an hour, not a big deal. This just proves that the best security tool is your backup.

    BTW, I’ve never had this happen to me when using Linux.

    -nate
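    The two observations that gave the infection away in this post were ordinary ones: one process holding dozens of outbound connections to unrelated hosts, and a Prefetch entry for an executable with a random-looking name. The script below is an added triage example (not the poster's tooling and not part of the original thread) that checks for both patterns over constructed sample data: a TCPMon-style connection table and a few Prefetch file names. The process names "mplayer.exe" and "proxomitron.exe", the IP addresses (RFC 5737 documentation ranges) and the Prefetch hash suffixes are all made up for the example; only the name edfghchpdq.exe comes from the post. The fan-out threshold and the vowel-run heuristic for "generated-looking" names are tuning assumptions, not established indicators.

```python
"""Triage helper for two symptoms from the post above: processes fanning out to
an unusual number of remote hosts, and Prefetch entries for executables with
machine-generated-looking names. All input below is constructed sample data."""
import re
from collections import defaultdict

# Constructed connection table in the spirit of a TCPMon/netstat view:
# (process name, remote IP, remote port). Two noisy processes with 30 distinct
# remote hosts each, plus a few normal-looking entries. IPs are documentation
# ranges (RFC 5737), not real addresses.
SAMPLE_CONNECTIONS = (
    [("mplayer.exe", f"203.0.113.{i}", 80) for i in range(1, 31)]
    + [("proxomitron.exe", f"198.51.100.{i}", 8080) for i in range(1, 31)]
    + [
        ("firefox.exe", "192.0.2.10", 443),
        ("firefox.exe", "192.0.2.11", 443),
        ("thunderbird.exe", "192.0.2.20", 993),
    ]
)

# Constructed %WINDIR%\Prefetch listing. Real entries look like
# <EXE NAME>-<8 hex digits>.pf; the hex suffixes here are invented.
SAMPLE_PREFETCH = [
    "EDFGHCHPDQ.EXE-3B2A1C4D.pf",
    "NOTEPAD.EXE-1A2B3C4D.pf",
    "FIREFOX.EXE-7C9E0F11.pf",
    "WMPLAYER.EXE-5D6E7F80.pf",
]

PREFETCH_RE = re.compile(r"^(?P<exe>.+?)-[0-9A-F]{8}\.pf$", re.IGNORECASE)


def remote_ips_by_process(rows):
    """Group the distinct remote IPs under the process that owns each connection."""
    seen = defaultdict(set)
    for process, ip, _port in rows:
        seen[process.lower()].add(ip)
    return seen


def flag_fan_out(rows, threshold=10):
    """Return [(process, distinct_ip_count)] for processes talking to more than
    `threshold` distinct remote hosts, most talkative first. A media player or a
    local filtering proxy reaching dozens of hosts at once is the pattern the
    post describes; the threshold value is an assumption to tune per machine."""
    counts = {p: len(ips) for p, ips in remote_ips_by_process(rows).items()}
    flagged = [(p, n) for p, n in counts.items() if n > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def looks_generated(stem, min_len=8):
    """Crude heuristic for machine-generated executable names: at least
    `min_len` characters and either no vowels at all or a run of five or more
    consonants, which names chosen by humans rarely contain. Expect false
    positives; this is a prompt to look closer, not a verdict."""
    s = stem.lower()
    if len(s) < min_len:
        return False
    vowels = sum(ch in "aeiouy" for ch in s)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiouy]", s))
    return vowels == 0 or longest_consonant_run >= 5


def suspicious_prefetch(entries):
    """Return lower-cased executable names from Prefetch entries whose base
    name trips the looks_generated() heuristic. Entries that do not match the
    Prefetch naming pattern are ignored."""
    out = []
    for name in entries:
        m = PREFETCH_RE.match(name)
        if not m:
            continue
        exe = m.group("exe")
        stem = exe.rsplit(".", 1)[0]
        if looks_generated(stem):
            out.append(exe.lower())
    return out


if __name__ == "__main__":
    for process, n in flag_fan_out(SAMPLE_CONNECTIONS):
        print(f"{process}: {n} distinct remote hosts")
    for exe in suspicious_prefetch(SAMPLE_PREFETCH):
        print(f"Prefetch entry with generated-looking name: {exe}")
```

On the sample data the fan-out check reports mplayer.exe and proxomitron.exe at 30 hosts each and the Prefetch check reports edfghchpdq.exe; the genuine programs in the sample pass both checks. On a real machine the connection rows would come from netstat or TCPMon output and the Prefetch names from a directory listing, ideally taken from a clean boot environment, since the post itself notes that the running system's own tools could not be trusted.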
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Glad you posted. Not many here come across malware, and I think the reality of things can get by people at times. Rather than address your specific situation, I hope you don't mind if I just add my thoughts and observations to your message.

    Fact is that the best of the best of all software can fail with an innovative new piece of malware, especially if you happen to do something to help it on. I can honestly say that I've helped folks that were armed to the gills with ridiculous amounts of software that still got infected, and at the same time I also know people that use literally nothing and never have a problem. For my part NOD32 has shown great results, but 100% security is simply not achievable.

    Personally I am now more in favor of alternative approaches that include getting more information before allowing anything on my computer. Getting informed and learning how to avoid bad situations will do more than any software you can install, although there are some great tools that you can install to help the process. Ultimately it's important to understand what each program can actually do for you, and how it does it. Obviously someone that installs something thinking it does something else will leave holes wide open. Ultimately security is about the choices you make and how aware and cautious you are of the threats that are out there; security cannot be downloaded and installed! IMO/IME, simply knowing the threats and how they work will do more for someone than any combination of software. There's an unlimited amount of ways that your system can be compromised, but how many know how relevant their software really is to what's actually out there?

    Again, I'm not saying any of this applies to you, Cactus.Ed, just speaking generally. I think that ultimately your post accentuates the need to not rely entirely on software, that any amount of software can, and does, fail at some point. It takes more than just installing something to stay safe. I hope that doesn't sound like I'm saying that one needs to be a security expert to stay safe, as I don't believe it is or should be, but I do think that one does need to take security seriously, pay attention to the news and others' experience, learn to take reasonable measures, and explore your options, then hope they don't have to learn about things the hard way. Most people don't have the time to get into everything, but security deserves the kind of consideration that any important decisions require.
     
  3. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    Sorry, this was more a venting of frustration. I understand that 100% security is not attainable. I was just disappointed that, 1. Nod32 did not prevent the install of the trojan/malware and 2. Nod32 still will not pick up any form of trojan/malware on my system. Every day it seems as if there is more gray area in what is safe and what is not safe. Wow, next week it might not be safe to view text files online. I think Microsoft has really dropped the ball and needs to get their products secure BEFORE adding features. I can understand downloading a virus/malware that has been packaged with some shareware that you have to install, but to have a “wmv” video file open Windows Media Player, open connections through Media Player, download an executable file and run it with no user intervention is different.
    -nate
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hope my comments didn't seem directed at you, I was more trying to add to your message than speak to you personally. My take may have been coming from another direction, but I see what you are saying and what I'm saying as ultimately synergistic :)

    I'm not so sure that it would be that easy for Microsoft. They can make it as secure as possible, but there will always be vulnerabilities, and as long as the majority is using Windows there will be lots and lots of [financially motivated] bad guys to find and exploit them. What complicates things is MS's need to satisfy the needs of literally billions of different users, each with a unique system. Even Mac can be wormed (as has been shown), but there's just not a good reason for the bad guys to do so extensively at this point, although I'm sure it will happen sooner or later.
     
  5. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Hi nate, I fully understand what you have been thru. I was there, loaded w/ a multi-layered defence system, and hoping this would give a peace of mind. Not so, just a slip of care, my plan bubblized, vaporized. I guess those malware script writers are often smarter than app analysts. Now I am taking a completely different approach; utilizing the sandbox/virtual concept, and able to contain malware in that virtual box. Upon reboot, it is gone w/o any trace. I only need few and fewer security apps and enjoy safe net surfing day after day. Try it.:thumb:
     
  6. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Sorry what happened. You can post a HJT log here if I can help.
     
  7. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    No, hijackthis is clean. I can't figure this one out. It works by injecting its process into every other process that the logged in user has access to. It controls other processes by modifying them using svchost and explorer - bypassing most AV rules, since explorer and svchost are OK by most filters.

    I can't find where the source is though, must have modified the actual system files. I restored the registry to a clean one, along with all the ini, sys, and other loader files - all clean.

    I’ve restored the OS already on a different drive; I’m saving this one until I find out WTF it is.

    I downloaded Kaspersky, it’s been the only AV that has been able to see the process in action. (Kaspersky calls it “New Injector”, all other AVs say the system is clean.) Kaspersky cannot identify the virus/Trojan yet because the virus/Trojan blocks updates (only blocks Kaspersky updates, all other AVs update fine) and the KAV 6.0 Trial's definitions are old (7/06). Any attempt to terminate the virus/Trojan and it shuts down the computer.

    I’ll let you know what I find out,

    -nate
     
  8. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    RKUnhooker
    Create a report from Normal Mode and save it.

    eScan
    Then, run this from Safe Mode and save the log after the scan.
     
    Last edited: Oct 27, 2006
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    Cactus have you considered the possibility that you are not infected?
    Mrk
     
  10. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    If you have KAV build the bart pe recovery disk this might be useful?


    I'd be interested to see what Prevx makes of this - should at least be able to identify clean parts from the DB.
     
  11. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    Nod32+Comodo+Proxomitron+SpywareBlaster+AVG antispyware+SafeXP+Media Player=Infection

    running email attachments=Infection
     
  12. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    Not an attachment, it was a text link.
     
  13. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    Considered... but svchost and explorer act odd and open connections to IPs all over the world. Some unknown service was opened and run right after media player went crazy. Also, the infected XP install just quit responding - will not open the log in screen. Please note this was a new install less than three weeks old. It had not been completely built yet. It only had the security above on it, firefox, thunderbird and office 2003.

    Sounds infected to me....

    -nate
     
  14. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    Yes, I use and like BartPE. It has helped me a great deal.

    nate
     
  15. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Have you been able to run RkU and generate a report?
     
  16. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    No, I did not run that tool as I did not have time to troubleshoot this morning. I ran Sysinternals "Root Kit Revealer" and it came up with a couple of entries that just said "...". I'll let you know how it works out.

    nate
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    Question 2: Did you boot off a CD and do some frozen-state inspections?
    Mrk
     
  18. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    @Cactus.Ed
    All that sounds ominous and a TOTAL PITA :(
    You are obviously an experienced user... I'm not an expert... this may help...

    **rku may not fully work on NTFS

    Clean all the tempfiles:
    CCleaner: http://www.ccleaner.com/download/builds.aspx The SLIM version
    ATF: http://www.atribune.org/content/section/4/30/
    --run the latest vundofix for fun

    Get gmer: http://www.gmer.net/
    DarkSpy: http://www.fyyre.net/~cardmagic/index_en.html
    See if you can find hidden services.
    Unfortunately these tools are regularly being bypassed with annoying ease

    PrevX: http://www.prevx.com/default.asp free trial for detection and removal
    --get the grom removal tool and run it

    Maybe dl and install BOClean: http://www.nsclean.com/boclean.html
    Can sometimes even pick up trojans after install when they try and run

    Drop a thread here: http://forum.sysinternals.com/forum_topics.asp?FID=18

    Go to the malware removal forums as noted and get help; please let us know what happens or where you have gone for help.

    :blink:
     
    Last edited: Oct 28, 2006
  19. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Could also try

    IceSword XFocus Win Free / 5 Star 1.20

    or

    http://antirootkit.com/software/index.htm

    Archon Scanner X-Solve Win Trial / New 1.0b
    AVG AntiRootkit Grisoft Win Beta 1.0.0.13
    Avira Rootkit Detection Avira Win Beta 1.0.0.11
    chkrootkit Murilo & Jessen Linux, BSD. Free 0.47
    DarkSpy CardMagic & wowocock 2K / XP / 03 Free 1.05
    F-Secure Blacklight Beta F-Secure Win Free 2.2.1046
    Gmer Gmer NT/ 2K / XP Free / 5 Star 1.0.11
    Helios MIEL e-Security Win Free / New 1.1a
    HookExplorer iDefense Win Free 1.0
    RootKit Hook Analyzer Resplendence Win Free 1.01
    Rootkit Hunter Boelen Linux, BSD. Free 1.2.8
    RootkitRevealer Sysinternals Win Free / 5 Star 1.7
    RootKitShark Advances.com Win Trial
    RootKit Uncover BitDefender Win Free / New 1.0b2
    RootKit Unhooker UG North 2K / XP / 03 Free / New 3.01b
    SEEM AI, nunki Win Free 4.0
    Sophos Antirootkit Sophos Win Free 1.1
    System Virginity Verifier Joanna Rutkowska Win Free 2.3
     
  20. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    A simple format/write image from last week's backup sounds a whole lot easier than running all that stuff.... and usually only takes half an hour or so.

    -nate
     
  21. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    LOL
    Yes it does.
    Is your image secure?

    I was just interested in having a stickybeak as to what there might be lurking.
    ;)
     
  22. Cactus.Ed

    Cactus.Ed Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    14
    Of course the image is secure, what's the point of having an insecure image? :)
    -nate
     
  23. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Indeed - I would revert to backups rather than try to fix ....


    but always interesting to find out what happened!
     
  24. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    LOL again
    None whatsoever!
    No insecurities here. All insecure images to be taken out the back, thrashed, and disposed of at once.
    Wrong word choice: is image clean?

    Yes
     
    Last edited: Nov 1, 2006