22 replies to this topic

[alphaomega]

suspected virus activity? what?

while browsing the internet yesterday in firefox (on slackware current)...
my browser was routed to a page from my isp informing me about
suspected virus activity from a machine connected to the cable modem.

the specific virus: bancos (also know as PWS information stealer).

I could not browse to any other sites until I clicked on a button
confirming that I was aware of the problem and would correct it.

contacted my isp to see if they could give me additional details
on the problem (when did the incident happen? what happened exactly?
ex. was my computer spiting out spam in the middle of the night?)

the tech person had no more info on the incident than I got in the notice.
they did provide me with the number to their abuse department.
I am waiting on a return call from them.

I had been in windows xp about 5 minutes before I got the notice.

I did a complete scan of the computers (2 w/xp) with:
Superantispyware
McAfee anti virus
Microsoft's Malicious Software Removal Tool
Avg rescue cd
Kaspersky rescue cd

McAfee did detect Artemis!CA4D4F9DFA5B in the temporary internet files.
in the temporary internet files 03DLNQ00\testbundle23w_1254(1).exe

none of them indicated an infection with bancos.

anyone have any thoughts on the matter?

Thanks in advance.

Edited by alphaomega, 10 April 2012 - 03:07 PM.

[LilBambi]

Have you tried Malwarebytes Antimalware

Will also call attention to this to Corrine.

This happened in Windows XP, and should be moved to Security and Networking where Corrine will find it.

[alphaomega]

Have you tried Malwarebytes Antimalware

Will also call attention to this to Corrine.

This happened in Windows XP, and should be moved to Security and Networking where Corrine will find it.

No I have not tried malwarebytes in this particular case.
I did not want to mess with uninstalling the current virus program
in order to try another one which is why I tried the rescue cds first.

It took all night getting through the ones I did try.

I believe the incident occurred while I was in XP but I got the notice
while I was in Slackware and the tech support person said the
problem was with the machine I was on although I do not see
how he would know that information.

The notice indicated that it was a machine on my network so
I'm thinking it had to be one of the xp machines.

And without any info on what exactly happened and when
I can't say for sure that it was the one xp machine I was
on right before I got the notice while in slackware.

Over the weekend I installed mcafee (as my isp provider
switched from ca to mcafee) and updated flash and java
on both machines.

I rarely use XP and I do not use it to sign into anything online
so I am hopeful no passwords were stolen.

Cheers

[amenditman]

Boot XP in Safe Mode
Run Hitman Pro
Then run Malwarebytes Antimalware
Reboot

[LilBambi]

Good thoughts amenditman.

Malwarebytes isn't another antivirus program. It's an antimalware program and be sure to choose skip trial and use it only as a manual update and manual run item...if you start the trial, it will try to run on boot which you will not want.

[alphaomega]

Boot XP in Safe Mode
Run Hitman Pro
Then run Malwarebytes Antimalware
Reboot

hitman pro from surfright.nl?

[LilBambi]

Might I suggest waiting on Hitman Pro or other Rootkit finder programs until Corrine has had a chance to check in here?

It is possible that Rootkit finder programs can leave your Windows install unbootable depending on what's infected with the rootkit.

[alphaomega]

Good thoughts amenditman.

Malwarebytes isn't another antivirus program.

my bad for calling it an antivirus program I know the difference.

I just try to not have a bunch of programs installed on my machine
all actively trying to protect me while browsing.

I try to keep only one antivirus and one anti malware program installed
and actively running.

am going to try malwarebytes to see if it picks up anything.

cheers

Might I suggest waiting on Hitman Pro or other Rootkit finder programs until Corrine has had a chance to check in here?

It is possible that Rootkit finder programs can leave your Windows install unbootable depending on what's infected with the rootkit.

will do...thanks for the feedback.
cheers

okay...this is odd...
how did my two separate replies become one?

Edited by alphaomega, 10 April 2012 - 03:38 PM.

[Corrine]

To answer your last question first, the two replies became one due to a "feature" of the IPB software.  If a second reply is made within a relatively short period of time by the same person, the two are merged.  Rather silly but it is what it is.

As to whether you have a backdoor (bancos) on your computer, I'd really need to see a log.  If you want to start with an MBAM scan, following are the instructions I recommend.  The reason it indicates normal mode rather than safe mode is because MBAM works best that way.

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, be sure Quick scan is selected, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:  
  
• Click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In the event you would like logs reviewed, please do the following:

Please download DDS.scr by sUBs and save it to your desktop:  Link

• Double-Click dds.scr and a command window will appear. This is normal.
• Shortly after two logs will appear, DDS.txt and Attach.txt.
• A window will open instructing you save & post the logs.
• Save the logs to a convenient place such as your desktop.
• Copy the contents of both DDS.txt and Attach.txt logs and post in your next reply.

[LilBambi]

Thanks Corrine! To make it easier for you to help with this situation, I will, and hopefully others too will step back and let Corrine handle it from here as she is very adept at doing this. It becomes too difficult with several people suggesting fixes with these types of malware.

[alphaomega]

Mbam did not find anything.

Anybody know what "activity" indicates an infection with bancos?
So far nothing is finding this bancos infection.

Cheers

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Alpha :: EMACHINESW3503 [administrator]

4/10/2012 4:06:56 PM
mbam-log-2012-04-10 (16-06-56).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 257688
Time elapsed: 52 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[Corrine]

As long as the modifications MBAM detected were made by you, correct, it didn't find anything.  What McAfee removed was in Temp Files and, although malicious testbundle23w_1254(1).exe isn't one of the back-door banco trojans.  (Virus Total results for testbundle)

Anybody know what "activity" indicates an infection with bancos?
So far nothing is finding this bancos infection.

Most commonly, the banco trojans target South American countries although there are banco trojans that are generic password stealing trojans

Note:  If there is a back-door on your computer, I strongly advise not doing any banking or making any internet purchases on the computer until we know what is going on.  Change your critical passwords from a different computer.

I can see if I find something if you want to post the DDS logs referenced in my earlier reply.

[alphaomega]

As long as the modifications MBAM detected were made by you, correct, it didn't find anything.  What McAfee removed was in Temp Files and, although malicious testbundle23w_1254(1).exe isn't one of the back-door banco trojans.  (Virus Total results for testbundle)



Most commonly, the banco trojans target South American countries although there are banco trojans that are generic password stealing trojans

Note:  If there is a back-door on your computer, I strongly advise not doing any banking or making any internet purchases on the computer until we know what is going on.  Change your critical passwords from a different computer.

I can see if I find something if you want to post the DDS logs referenced in my earlier reply.

Yes, the modifications were done by me.

And I rarely sign into anything anymore from windows and I do all my online backing from within linux
so hopefully no passwords have been stolen.

Totally forgot to run DDS although I did download it.
Will get to that right now.

dds
attach

Cheers

Edited by alphaomega, 10 April 2012 - 08:38 PM.

[alphaomega]

alphaomega, on 10 April 2012 - 08:08 PM, said:

dds
attach

I also ran the free version of hitman with the following results.
(I have not performed a clean.)

5 files to be uploaded to the scan cloud:

master boot record
sas_528c3484.com (an old portable version of superantispyware)
SBFile (file details indicate it is part of CA Internt Security Suite)
videoinspector_nork.exe
mp3diagswindows-unstable.exe

4 files as suspicious (google search indicates it is part of super media file converter.)

flacdx.ax
mpcdx.ax
rlapedex.ax
rlmpcdex.ax

all the rest were tracking cookies.

And I finally heard back from my isp and they indicated that the incident
occurred easter sunday @ 1:21pm. They said that one of my machines had
connected to a bot net.

Using a live linux cd I did a search on both machines w/xp for all
files created/modified on that date to see if it would refreah
my memory as to what I was doing.

On machine A there were files in:

temporary internet files (search for flv player)
system volume information/_restore

between the hours of 2am-3am
search did not find any files created/modified around the time of the incident.

On machine B search did not find any files created/modified on that date.

Should I go ahead and perform the clean?

[Corrine]

Your logs are also not showing any files created/modified on that date.  I suspect that McAfee's finding in the temporary internet files was what your ISP saw.

However, let's do a more thorough cleaning of temp files.  As you will note in the additional information provided, TFC does a thorough job.  I suggest, however, that you go the additional step and clear browser cache and cookies.

Download TFC to your desktop

• Open the file and close any other windows.
  
• It will close all programs itself when run, make sure to let it run uninterrupted.
  
• Click the Start button to begin the process. The program should not take long to finish its job
  
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

More info:
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Having reviewed your logs, I am not seeing any signs of malware.  If your ISP is still not satisfied that all is well, feel free to point them to this thread.

[alphaomega]

Okay, I ran TFC and it cleaned out about 1.9gb of stuff.

Also, during the first scan with Hitman It did not send the 5 files to the scan cloud
(I had that option turned off as the lan connection was disconnected).
After Hitman gave me a message about not being online...
I connected the cable but forgot to reset that option.

So I scanned again with Hitman and let it upload the files to the scan cloud.
End result 5 suspicious files:

sas_528c3484.com
flacdx.ax
mpcdx.ax
rlapedex.ax
rlmpcdex.ax

Hitman did not flag any of the other files it uploaded:

master boot record
SBFile.exe
videoinspector_nork.exe
mp3diagswindows-unstable.exe

here is what McAfee has to say about virus detections named 'Artemis':
http://service.mcafe...spx?id=TS100414

I took the file that McAfee detected and quarantined and uploaded it to virustotal.

and here is the results from virustotal:
https://www.virustot...2f630/analysis/

Still no indication of a bancos infection.

The lady I spoke with at my isp security and abuse department told me that
they get a report every couple of days and if my machine exhibits virus activity
again and shows up on their report that I would probably get another notice.

Is there anything else I should do?

Cheers and Thank You so much for your assistance in this matter.

[Corrine]

I researched McAfee's finding of Artemis in the temporary internet files when you originally reported the issue.  Since you've already cleaned temp files, scanned with

Superantispyware
McAfee anti virus
Microsoft's Malicious Software Removal Tool
Avg rescue cd
Kaspersky rescue cd
Malwarebytes
Hitman

have completed a thorough cleaning of temp files, and the Windows XP logs are clean, there isn't much more you can do with this machine.

That said, it wouldn't hurt to scan the Slackware install with an A/V, particularly if you have Adobe Flash Player installed on it.

[V.T. Eric Layton]

You MS Win security folks are the experts here. However, I would like to state that it is my understanding that the only malicious attacks possible on a Linux installation would be a root kit type attack. I do not believe that running an AV scan on a Linux installation would serve any purpose, as the scan would be searching for MS Windows-based malicious software. I would recommend running rkhunter or chkrootkit in Slackware, though. Can't hurt.

[LilBambi]

Well, not all AVs are just for Windows computers anyway, but you are right about rkhunter and/or chkrootkit! Great ones for Linux and can be run right from the commandline too!

[V.T. Eric Layton]

Not all AVs are for MS Windows, but they all search for MS Windows-based viruses. There are no Linux viruses in the wild, supposedly. According to data that I have read (referred to by Bruno, actually), the only viruses created for Linux were created in laboratory settings and require elevated (root) privileges to run on the Linux systems they were tested on. Because of Linux's inherent administrative permissions levels, the normal "click and infect" MS Windows-type viruses cannot function.

As I said, though, you guys, particularly Corrine know a lot more about this stuff than I do.

[LilBambi]

Yes, better to call it Linux malware (Wikipedia) I think:

Quote

Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected, but not immune, from computer viruses.^[1][2]
There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the small number of users running Linux as a desktop operating system^[1], the malware's lack of root access and fast updates to most Linux vulnerabilities.^[2]
The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.^[3]

Most are in the lab, but not all. And any AV that runs on Linux will check for these as well.

[V.T. Eric Layton]

Quote

...the malware's lack of root access...

That's the key right there.

[alphaomega]

I do have Adobe Flash Player installed in Slackware so I attempted
to scan the /home folder with Kaspersky Rescue CD.

That did not go over too well. I tried to only scan the /home folder
but it would still try to scan the whole partition where Slackware
is installed, folders such as /proc and /sys, along with
the drive where Windows is installed.

And after a couple of hours it gets stuck in a loop
with messages similar to the following repeating in the log:

/sys/devices/pci0000:00/0000:00:14:1/ide0/0.0/unload_heads
/sys/devices/pci0000:00/0000:00:14:1/ide1/1.0/unload_heads

So instead of just unchecking the drive in Kaspersky Rescue CD
I also added exclusions for folders such as /proc /sys /mnt
and attempted to scan just /home again and it would still
attempt to scan the whole partition and eventually got stuck
with the same messages in the log file.

At this point I have to stop the scan or it will just sit
there repeating the same messages in the log.

I'm not sure why I could not get it to scan just the /home folder.

It did however come across the following adware on a data partition on machine A
which contains an old backup copy of the /home folder from machine B.

/sda3/temphold/compaqlnx/home/alpha/Documents/Downloads/timesinkpatch.exe/TSUNINSTALLER.EXE

I also ran aswMBR.exe and submitted the MBR.dat file to virustotal:
MBR.dat scan results

And speaking of log files, I had not looked at Windows' event logs.
I only scanned the drive for files created/modified on the date of the incident.

So I went in and looked at the Windows' event logs and on machine A
there are only entries in there between the hours of 2-3am (no entries
around the time of the incident). Machine B had no entries for the
date in question.

I even browsed through the logs in Slackware and the last entry in messages
with that date has a timestamp of 12:23pm. The last entry in syslog with that
date has a timestamp of 10:45am. The incident took place at 1:21pm.

In Slackware I have two files created around the time of the incident.
One created at 12:42pm and another created at 1:24pm.
So at least three minutes after the incident I was in Slackware.

I just don't get it.
They claim one of my machines is infected with bancos and connected
to a bot net @ 1:21pm on Easter Sunday (04/08/12).

I was force routed to the notice page (while in Firefox on Slackware) around
4pm (04/09/12) the next day.

None of the tools I've tried has been able to pick up a bancos infection.
There are no files created/modified around the time of the incident in Windows.
There are no entries in Windows' log files around the time of the incident.

It would seem as if my machine was not even in Windows around the time of the incident.
And I know I was in Slackware a few minutes after the incident.

2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --

I would probably feel a little more comfortable had one of the tools actually detected bancos.

Anyway, thank you so much for your assistance in this matter.
If you have any other ideas on what else I could try please let me know.

Cheers and Thanks

P.S. will look into running rkhunter or chkrootkit on Slackware.
rkhunter log http://sprunge.us/SMAJ
chkrootkit log http://sprunge.us/KDMj

Edited by alphaomega, 15 April 2012 - 03:02 PM.