while browsing the internet (firefox on slackware)


alphaomega

suspected virus activity? what?

 

while browsing the internet yesterday in firefox (on slackware current)...

my browser was routed to a page from my isp informing me about

suspected virus activity from a machine connected to the cable modem.

 

the specific virus: bancos (also known as PWS information stealer).

 

I could not browse to any other sites until I clicked on a button

confirming that I was aware of the problem and would correct it.

 

contacted my isp to see if they could give me additional details

on the problem (when did the incident happen? what happened exactly?

ex. was my computer spitting out spam in the middle of the night?)

 

the tech person had no more info on the incident than I got in the notice.

they did provide me with the number to their abuse department.

I am waiting on a return call from them.

 

I had been in windows xp about 5 minutes before I got the notice.

 

I did a complete scan of the computers (2 w/xp) with:

Superantispyware

McAfee anti virus

Microsoft's Malicious Software Removal Tool

Avg rescue cd

Kaspersky rescue cd

 

McAfee did detect Artemis!CA4D4F9DFA5B in the temporary internet files.

in the temporary internet files 03DLNQ00\testbundle23w_1254(1).exe

 

none of them indicated an infection with bancos.

 

anyone have any thoughts on the matter?

 

Thanks in advance.


Have you tried Malwarebytes Antimalware?

 

Will also call attention to this to Corrine.

 

This happened in Windows XP, and should be moved to Security and Networking where Corrine will find it.

 

No I have not tried malwarebytes in this particular case.

I did not want to mess with uninstalling the current virus program

in order to try another one which is why I tried the rescue cds first.

 

It took all night getting through the ones I did try.

 

I believe the incident occurred while I was in XP but I got the notice

while I was in Slackware and the tech support person said the

problem was with the machine I was on although I do not see

how he would know that information.

 

The notice indicated that it was a machine on my network so

I'm thinking it had to be one of the xp machines.

 

And without any info on what exactly happened and when

I can't say for sure that it was the one xp machine I was

on right before I got the notice while in slackware.

 

Over the weekend I installed mcafee (as my isp provider

switched from ca to mcafee) and updated flash and java

on both machines.

 

I rarely use XP and I do not use it to sign into anything online

so I am hopeful no passwords were stolen.

 

Cheers

 


Guest LilBambi

Good thoughts amenditman. :thumbsup:

 

Malwarebytes isn't another antivirus program. It's an antimalware program. Be sure to choose "skip trial" and use it only as a manual-update, manual-run item; if you start the trial, it will try to run on boot, which you will not want.


Guest LilBambi

Might I suggest waiting on Hitman Pro or other Rootkit finder programs until Corrine has had a chance to check in here?

 

It is possible that Rootkit finder programs can leave your Windows install unbootable depending on what's infected with the rootkit.



my bad for calling it an antivirus program I know the difference.

 

I just try to not have a bunch of programs installed on my machine

all actively trying to protect me while browsing.

 

I try to keep only one antivirus and one anti malware program installed

and actively running.

 

am going to try malwarebytes to see if it picks up anything.

 

cheers

 

 


will do...thanks for the feedback.

cheers

 

okay...this is odd...

how did my two separate replies become one?

 


To answer your last question first, the two replies became one due to a "feature" of the IPB software. If a second reply is made within a relatively short period of time by the same person, the two are merged. Rather silly but it is what it is.

 

As to whether you have a backdoor (bancos) on your computer, I'd really need to see a log. If you want to start with an MBAM scan, following are the instructions I recommend. The reason it indicates normal mode rather than safe mode is because MBAM works best that way.

 

Please download Malwarebytes' Anti-Malware to your desktop.

 

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

    MBAM_SR.png

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.

 

** Note **

 

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

In the event you would like logs reviewed, please do the following:

 

Please download DDS.scr by sUBs and save it to your desktop: Link

  • Double-Click dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear, DDS.txt and Attach.txt.
  • A window will open instructing you save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both DDS.txt and Attach.txt logs and post in your next reply.

Guest LilBambi

Thanks Corrine! To make it easier for you to help with this situation, I will, and hopefully others too will step back and let Corrine handle it from here as she is very adept at doing this. It becomes too difficult with several people suggesting fixes with these types of malware.


Mbam did not find anything.

 

Anybody know what "activity" indicates an infection with bancos?

So far nothing is finding this bancos infection.

 

Cheers

 

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

 

Database version: v2012.04.10.09

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Alpha :: EMACHINESW3503 [administrator]

 

4/10/2012 4:06:56 PM

mbam-log-2012-04-10 (16-06-56).txt

 

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 257688

Time elapsed: 52 minute(s), 56 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 2

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

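The log posted above is the kind of thing a helper has to read by eye: "Registry Data Items Detected: 2" looks alarming until you notice both names start with PUM. (a potentially unwanted *modification*, i.e. a changed setting, not a dropped file) and the action is "No action taken." The following is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log format that pulls out the header fields, the per-section declared counts and each detection line, then splits PUM/PUP entries from real malware hits and cross-checks that the declared counts match the lines actually present. The sample log is constructed: the header and the two registry lines mirror the log above, while the "Files Detected" entry (a made-up `dropper.exe` / `Trojan.Agent`) is added only so the triage shows a non-PUM result.

```python
import re
from dataclasses import dataclass

# Constructed sample: header and registry-data lines mirror the log posted
# above; the Files entry is invented to exercise the malware branch.
SAMPLE_LOG = """\
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.09

Windows XP Service Pack 3 x86 NTFS
Alpha :: EMACHINESW3503 [administrator]

4/10/2012 4:06:56 PM
mbam-log-2012-04-10 (16-06-56).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Objects scanned: 257688

Memory Processes Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\\SOFTWARE\\Microsoft\\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Detected: 1
C:\\Documents and Settings\\Alpha\\Local Settings\\Temp\\dropper.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<key>[^:]+): (?P<value>.+)$")
# target, then the detection name in the last parenthesised group of the
# part before " -> "; names never contain parentheses, targets may.
ENTRY_RE = re.compile(r"^(?P<target>.*) \((?P<name>[^()]+)\)$")


@dataclass
class Detection:
    section: str   # e.g. "Registry Data Items"
    target: str    # path or registry key|value
    name: str      # e.g. "PUM.Disabled.SecurityCenter"
    action: str    # last " -> " field, e.g. "No action taken."
    values: str    # middle fields, e.g. "Bad: (1) Good: (0)" (may be empty)

    @property
    def is_pum_or_pup(self):
        # PUM = changed setting, PUP = unwanted program; neither is a malware signature
        return self.name.startswith(("PUM.", "PUP."))


@dataclass
class MbamReport:
    header: dict
    counts: dict
    detections: list


def parse_mbam_log(text):
    header, counts, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            counts[section] = int(m.group("n"))
            continue
        if section is None:                      # still in the header block
            m = HEADER_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value")
            continue
        parts = line.split(" -> ")
        if len(parts) < 2:
            continue
        m = ENTRY_RE.match(parts[0])
        if m:
            detections.append(Detection(section, m.group("target"), m.group("name"),
                                        parts[-1], " ".join(parts[1:-1])))
    return MbamReport(header, counts, detections)


def triage(report):
    """Split settings changes from malware hits and verify the declared
    per-section counts against the entries actually parsed (a mismatch means
    a truncated or hand-edited log)."""
    pum_pup = [d for d in report.detections if d.is_pum_or_pup]
    malware = [d for d in report.detections if not d.is_pum_or_pup]
    mismatch = {s: n for s, n in report.counts.items()
                if n != sum(1 for d in report.detections if d.section == s)}
    return {"pum_pup": pum_pup, "malware": malware, "count_mismatch": mismatch}


if __name__ == "__main__":
    result = triage(parse_mbam_log(SAMPLE_LOG))
    for d in result["pum_pup"]:
        print("setting:", d.name, d.target, d.values)
    for d in result["malware"]:
        print("MALWARE:", d.name, d.target, d.action)
    print("count mismatches:", result["count_mismatch"])
```

Applied to the real log above, `triage` returns an empty `malware` list and two PUM entries, which is exactly the reading given in the next reply: nothing found, provided those two settings were changed deliberately.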

As long as the modifications MBAM detected were made by you, correct, it didn't find anything. What McAfee removed was in Temp Files and, although malicious, testbundle23w_1254(1).exe isn't one of the back-door banco trojans. (Virus Total results for testbundle)

 

Anybody know what "activity" indicates an infection with bancos?

So far nothing is finding this bancos infection.

 

Most commonly, the banco trojans target South American countries, although there are banco trojans that are generic password-stealing trojans.

 

Note: If there is a back-door on your computer, I strongly advise not doing any banking or making any internet purchases on the computer until we know what is going on. Change your critical passwords from a different computer.

 

I can see if I find something if you want to post the DDS logs referenced in my earlier reply.


Yes, the modifications were done by me.

 

And I rarely sign into anything anymore from Windows and I do all my online banking from within Linux

so hopefully no passwords have been stolen.

 

Totally forgot to run DDS although I did download it.

Will get to that right now.

 

dds

attach

 

Cheers


 

I also ran the free version of hitman with the following results.

(I have not performed a clean.)

 

5 files to be uploaded to the scan cloud:

 

master boot record

sas_528c3484.com (an old portable version of superantispyware)

SBFile (file details indicate it is part of CA Internet Security Suite)

videoinspector_nork.exe

mp3diagswindows-unstable.exe

 

4 files as suspicious (google search indicates it is part of super media file converter.)

 

flacdx.ax

mpcdx.ax

rlapedex.ax

rlmpcdex.ax

 

all the rest were tracking cookies.

 

And I finally heard back from my isp and they indicated that the incident

occurred easter sunday @ 1:21pm. They said that one of my machines had

connected to a bot net.

 

Using a live linux cd I did a search on both machines w/xp for all

files created/modified on that date to see if it would refreah

my memory as to what I was doing.

 

On machine A there were files in:

 

temporary internet files (search for flv player)

system volume information/_restore

 

between the hours of 2am-3am

search did not find any files created/modified around the time of the incident.

 

On machine B search did not find any files created/modified on that date.

 

Should I go ahead and perform the clean?

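The search described in the post above (boot a live Linux CD, mount the XP volumes, list everything created or modified on the incident date, then look at what sits near 1:21pm) is the first triage step worth scripting so it can be repeated per machine and per window. The block below is an added example, not the poster's or anyone's tool from the thread: it walks a mounted volume with `os.stat` (symlinks not followed), returns files whose mtime falls on a given day or within N minutes of the ISP's timestamp, and builds a constructed stand-in volume so it runs offline. The file names in `build_demo_tree` are invented; only the times (2-3am on the 8th, 13:21 incident, the notice the next afternoon) come from the thread, plus one made-up `AppEvent.Evt` placed at 13:22 so the incident window has a hit to show. On the live CD itself the equivalent is `find /mnt/xp -newermt 2012-04-08 ! -newermt 2012-04-09`.

```python
import os
import tempfile
from datetime import datetime, timedelta

INCIDENT = datetime(2012, 4, 8, 13, 21)   # time the ISP gave for the botnet connection


def files_touched_in_window(root, start, end):
    """Return (relative path, mtime) for every file under root whose
    modification time lies in [start, end], oldest first. Symlinks are not
    followed, so a link pointing outside root cannot drag in foreign files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue   # unreadable or vanished entry: skip it, keep sweeping
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime <= end:
                hits.append((os.path.relpath(path, root), mtime))
    return sorted(hits, key=lambda hit: hit[1])


def files_touched_on(root, day):
    """Everything modified on calendar day `day` (YYYY-MM-DD), i.e. the
    question `find ROOT -newermt DAY ! -newermt DAY+1` answers on a live CD."""
    start = datetime.strptime(day, "%Y-%m-%d")
    end = start + timedelta(days=1) - timedelta(microseconds=1)
    return files_touched_in_window(root, start, end)


def around_incident(root, incident=INCIDENT, minutes=30):
    """Narrow the day's hits to a window either side of the ISP's timestamp."""
    delta = timedelta(minutes=minutes)
    return files_touched_in_window(root, incident - delta, incident + delta)


def build_demo_tree():
    """Constructed stand-in for a mounted XP volume (file names invented;
    times taken from the thread, plus one file inside the incident window)."""
    root = tempfile.mkdtemp(prefix="xp_volume_")
    layout = {
        "Documents and Settings/Alpha/Local Settings/Temporary Internet Files/"
        "Content.IE5/03DLNQ00/flv_player_search.htm": datetime(2012, 4, 8, 2, 17),
        "System Volume Information/_restore{demo}/RP12/change.log": datetime(2012, 4, 8, 2, 40),
        "WINDOWS/system32/config/AppEvent.Evt": datetime(2012, 4, 8, 13, 22),
        "WINDOWS/Prefetch/NOTEPAD.EXE-demo.pf": datetime(2012, 4, 9, 16, 0),
    }
    for rel, when in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass
        stamp = when.timestamp()
        os.utime(path, (stamp, stamp))   # set atime and mtime to the chosen instant
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mtime in files_touched_on(demo, "2012-04-08"):
        print(mtime.strftime("%Y-%m-%d %H:%M"), rel)
    print("within 30 min of incident:", [rel for rel, _ in around_incident(demo)])
```

One caveat that applies to the real search as much as to this script: mtime is the only timestamp looked at here, and malware that touches nothing on disk after its initial drop (or that resets timestamps) leaves no trace in this view, so an empty window is evidence, not proof.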

Your logs are also not showing any files created/modified on that date. I suspect that McAfee's finding in the temporary internet files was what your ISP saw.

 

However, let's do a more thorough cleaning of temp files. As you will note in the additional information provided, TFC does a thorough job. I suggest, however, that you go the additional step and clear browser cache and cookies.

 

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

-- TFC only cleans temp folders.

-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

 

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

 

More info:

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

 

Having reviewed your logs, I am not seeing any signs of malware. If your ISP is still not satisfied that all is well, feel free to point them to this thread.


Okay, I ran TFC and it cleaned out about 1.9gb of stuff.

 

Also, during the first scan with Hitman, it did not send the 5 files to the scan cloud

(I had that option turned off as the LAN connection was disconnected).

After Hitman gave me a message about not being online...

I connected the cable but forgot to reset that option.

 

So I scanned again with Hitman and let it upload the files to the scan cloud.

End result 5 suspicious files:

 

sas_528c3484.com

flacdx.ax

mpcdx.ax

rlapedex.ax

rlmpcdex.ax

 

Hitman did not flag any of the other files it uploaded:

 

master boot record

SBFile.exe

videoinspector_nork.exe

mp3diagswindows-unstable.exe

 

here is what McAfee has to say about virus detections named 'Artemis':

http://service.mcafe...spx?id=TS100414

 

I took the file that McAfee detected and quarantined and uploaded it to virustotal.

 

and here is the results from virustotal:

https://www.virustot...2f630/analysis/

 

Still no indication of a bancos infection.

 

The lady I spoke with at my isp security and abuse department told me that

they get a report every couple of days and if my machine exhibits virus activity

again and shows up on their report that I would probably get another notice.

 

Is there anything else I should do?

 

Cheers and Thank You so much for your assistance in this matter.


I researched McAfee's finding of Artemis in the temporary internet files when you originally reported the issue. Since you've already cleaned temp files, scanned with

 

Superantispyware

McAfee anti virus

Microsoft's Malicious Software Removal Tool

Avg rescue cd

Kaspersky rescue cd

Malwarebytes

Hitman

 

have completed a thorough cleaning of temp files, and the Windows XP logs are clean, there isn't much more you can do with this machine.

 

That said, it wouldn't hurt to scan the Slackware install with an A/V, particularly if you have Adobe Flash Player installed on it.


V.T. Eric Layton

You MS Win security folks are the experts here. However, I would like to state that it is my understanding that the only malicious attacks possible on a Linux installation would be a rootkit-type attack. I do not believe that running an AV scan on a Linux installation would serve any purpose, as the scan would be searching for MS Windows-based malicious software. I would recommend running rkhunter or chkrootkit in Slackware, though. Can't hurt.


Guest LilBambi

Well, not all AVs are just for Windows computers anyway, but you are right about rkhunter and/or chkrootkit! Great ones for Linux and can be run right from the commandline too! :thumbsup:


V.T. Eric Layton

Not all AVs are for MS Windows, but they all search for MS Windows-based viruses. There are no Linux viruses in the wild, supposedly. According to data that I have read (referred to by Bruno, actually), the only viruses created for Linux were created in laboratory settings and require elevated (root) privileges to run on the Linux systems they were tested on. Because of Linux's inherent administrative permissions levels, the normal "click and infect" MS Windows-type viruses cannot function.

 

As I said, though, you guys, particularly Corrine know a lot more about this stuff than I do.


Guest LilBambi

Yes, better to call it Linux malware (Wikipedia) I think:

Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected, but not immune, from computer viruses.[1][2]

There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the small number of users running Linux as a desktop operating system[1], the malware's lack of root access and fast updates to most Linux vulnerabilities.[2]

The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.[3]

 

Most are in the lab, but not all. And any AV that runs on Linux will check for these as well.


I do have Adobe Flash Player installed in Slackware so I attempted

to scan the /home folder with Kaspersky Rescue CD.

 

That did not go over too well. I tried to only scan the /home folder

but it would still try to scan the whole partition where Slackware

is installed, folders such as /proc and /sys, along with

the drive where Windows is installed.

 

And after a couple of hours it gets stuck in a loop

with messages similar to the following repeating in the log:

 

/sys/devices/pci0000:00/0000:00:14:1/ide0/0.0/unload_heads

/sys/devices/pci0000:00/0000:00:14:1/ide1/1.0/unload_heads

 

So instead of just unchecking the drive in Kaspersky Rescue CD

I also added exclusions for folders such as /proc /sys /mnt

and attempted to scan just /home again and it would still

attempt to scan the whole partition and eventually got stuck

with the same messages in the log file.

 

At this point I have to stop the scan or it will just sit

there repeating the same messages in the log.

 

I'm not sure why I could not get it to scan just the /home folder.

 

It did however come across the following adware on a data partition on machine A

which contains an old backup copy of the /home folder from machine B.

 

/sda3/temphold/compaqlnx/home/alpha/Documents/Downloads/timesinkpatch.exe/TSUNINSTALLER.EXE

 

I also ran aswMBR.exe and submitted the MBR.dat file to virustotal:

MBR.dat scan results

 

And speaking of log files, I had not looked at Windows' event logs.

I only scanned the drive for files created/modified on the date of the incident.

 

So I went in and looked at the Windows' event logs and on machine A

there are only entries in there between the hours of 2-3am (no entries

around the time of the incident). Machine B had no entries for the

date in question.

 

I even browsed through the logs in Slackware and the last entry in messages

with that date has a timestamp of 12:23pm. The last entry in syslog with that

date has a timestamp of 10:45am. The incident took place at 1:21pm.

 

In Slackware I have two files created around the time of the incident.

One created at 12:42pm and another created at 1:24pm.

So at least three minutes after the incident I was in Slackware.

 

I just don't get it.

They claim one of my machines is infected with bancos and connected

to a bot net @ 1:21pm on Easter Sunday (04/08/12).

 

I was force routed to the notice page (while in Firefox on Slackware) around

4pm (04/09/12) the next day.

 

None of the tools I've tried has been able to pick up a bancos infection.

There are no files created/modified around the time of the incident in Windows.

There are no entries in Windows' log files around the time of the incident.

 

It would seem as if my machine was not even in Windows around the time of the incident.

And I know I was in Slackware a few minutes after the incident.

 

2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --

 

I would probably feel a little more comfortable had one of the tools actually detected bancos.

 

Anyway, thank you so much for your assistance in this matter.

If you have any other ideas on what else I could try please let me know.

 

Cheers and Thanks

 

P.S. will look into running rkhunter or chkrootkit on Slackware.

rkhunter log http://sprunge.us/SMAJ

chkrootkit log http://sprunge.us/KDMj

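The post above ends up doing timeline correlation by hand: the last syslog line on the 8th is the 12:23:44 MARK, two files in Slackware were created at 12:42 and 13:24, and the ISP puts the botnet connection at 13:21. The useful inference is about what is *missing*: sysklogd writes a "-- MARK --" line to a log file when nothing else has been logged to it for the mark interval (20 minutes by default with `-m`; taken here as an assumption), so a silence much longer than that in /var/log/messages means syslogd was not writing, which is exactly the situation in which the logs cannot say whether Slackware was up at 13:21. The block below is an added example, not code from the thread or from any of the tools named in it: it merges syslog lines and file timestamps into one timeline, flags gaps longer than 1.5x the MARK interval, and reports the nearest evidence on either side of the incident. The sample data is constructed: the 12:23:44 MARK is the line quoted above, the other syslog lines, file names and the next-day boot message are invented to match the times described.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: only the 12:23:44 MARK is from the thread; the
# surrounding lines are invented to match the described timeline.
SYSLOG_LINES = """\
2012-04-08 11:43:44 emachinesw3503 syslog -- MARK --
2012-04-08 12:03:44 emachinesw3503 syslog -- MARK --
2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --
2012-04-09 15:58:01 emachinesw3503 kernel: Linux version 3.2.13 (demo)
"""
# (path, mtime) pairs as a live-CD file search would report them; names invented
FILE_EVENTS = [
    ("/home/alpha/notes.txt", datetime(2012, 4, 8, 12, 42)),
    ("/home/alpha/Downloads/pkg.txz", datetime(2012, 4, 8, 13, 24)),
]
INCIDENT = datetime(2012, 4, 8, 13, 21)
MARK_INTERVAL = timedelta(minutes=20)   # assumption: sysklogd's default -m interval

SYSLOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_syslog(text):
    """(timestamp, 'syslog', message) for each ISO-dated line; others are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           "syslog", m.group(3)))
    return events


def build_timeline(syslog_text, file_events):
    """Merge log lines and file mtimes into one list ordered by time."""
    events = parse_syslog(syslog_text)
    events += [(when, "file", path) for path, when in file_events]
    return sorted(events, key=lambda e: e[0])


def syslog_gaps(events, interval=MARK_INTERVAL):
    """Pairs (last line, next line) where syslog was silent for more than
    1.5x the MARK interval: while syslogd runs it emits at least a MARK that
    often, so a longer silence means it was down, stopped or truncated."""
    stamps = [t for t, kind, _ in events if kind == "syslog"]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > interval * 1.5]


def assess(events, incident, window=timedelta(minutes=30)):
    """What the evidence says about the incident instant: events inside the
    window, the closest event on each side, and whether the incident falls
    in a syslog gap (in which case absence of log lines proves nothing)."""
    before = [e for e in events if e[0] <= incident]
    after = [e for e in events if e[0] > incident]
    return {
        "nearby": [e for e in events if abs(e[0] - incident) <= window],
        "last_before": before[-1] if before else None,
        "first_after": after[0] if after else None,
        "incident_in_syslog_gap": any(a < incident < b for a, b in syslog_gaps(events)),
    }


if __name__ == "__main__":
    timeline = build_timeline(SYSLOG_LINES, FILE_EVENTS)
    for when, kind, what in timeline:
        print(when.strftime("%m-%d %H:%M:%S"), kind, what)
    verdict = assess(timeline, INCIDENT)
    print("in syslog gap:", verdict["incident_in_syslog_gap"])
    print("last before:", verdict["last_before"], "\nfirst after:", verdict["first_after"])
```

On the constructed data the result is the same ambiguity the post describes: the 13:24 file is the only evidence within 30 minutes, and the incident sits inside a syslog gap that starts at 12:23:44, so the missing 12:43, 13:03 and 13:23 MARKs are themselves the finding, not the absence of a bancos alert.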
