alphaomega Posted April 10, 2012 (edited)

suspected virus activity? what?

While browsing the internet yesterday in Firefox (on Slackware current), my browser was routed to a page from my ISP informing me about suspected virus activity from a machine connected to the cable modem. The specific virus: bancos (also known as PWS information stealer). I could not browse to any other sites until I clicked on a button confirming that I was aware of the problem and would correct it.

Contacted my ISP to see if they could give me additional details on the problem (when did the incident happen? what happened exactly? e.g. was my computer spitting out spam in the middle of the night?). The tech person had no more info on the incident than I got in the notice. They did provide me with the number to their abuse department. I am waiting on a return call from them.

I had been in Windows XP about 5 minutes before I got the notice. I did a complete scan of the computers (2 w/XP) with:
Superantispyware
McAfee anti virus
Microsoft's Malicious Software Removal Tool
AVG rescue CD
Kaspersky rescue CD

McAfee did detect Artemis!CA4D4F9DFA5B in the temporary internet files: 03DLNQ00\testbundle23w_1254(1).exe

None of them indicated an infection with bancos. Anyone have any thoughts on the matter? Thanks in advance.

Edited April 10, 2012 by alphaomega
Guest LilBambi Posted April 10, 2012

Have you tried Malwarebytes Antimalware? Will also call attention to this to Corrine. This happened in Windows XP, and should be moved to Security and Networking where Corrine will find it.
alphaomega (Author) Posted April 10, 2012

> Have you tried Malwarebytes Antimalware? Will also call attention to this to Corrine. This happened in Windows XP, and should be moved to Security and Networking where Corrine will find it.

No, I have not tried Malwarebytes in this particular case. I did not want to mess with uninstalling the current virus program in order to try another one, which is why I tried the rescue CDs first. It took all night getting through the ones I did try.

I believe the incident occurred while I was in XP, but I got the notice while I was in Slackware, and the tech support person said the problem was with the machine I was on, although I do not see how he would know that information. The notice indicated that it was a machine on my network, so I'm thinking it had to be one of the XP machines. And without any info on what exactly happened and when, I can't say for sure that it was the one XP machine I was on right before I got the notice while in Slackware.

Over the weekend I installed McAfee (as my ISP provider switched from CA to McAfee) and updated Flash and Java on both machines. I rarely use XP and I do not use it to sign into anything online, so I am hopeful no passwords were stolen.

Cheers
amenditman Posted April 10, 2012

Boot XP in Safe Mode
Run Hitman Pro
Then run Malwarebytes Antimalware
Reboot
Guest LilBambi Posted April 10, 2012

Good thoughts amenditman. Malwarebytes isn't another antivirus program. It's an antimalware program, and be sure to choose skip trial and use it only as a manual update and manual run item... if you start the trial, it will try to run on boot, which you will not want.
alphaomega (Author) Posted April 10, 2012

> Boot XP in Safe Mode
> Run Hitman Pro
> Then run Malwarebytes Antimalware
> Reboot

hitman pro from surfright.nl?
Guest LilBambi Posted April 10, 2012

Might I suggest waiting on Hitman Pro or other Rootkit finder programs until Corrine has had a chance to check in here? It is possible that Rootkit finder programs can leave your Windows install unbootable depending on what's infected with the rootkit.
alphaomega (Author) Posted April 10, 2012 (edited)

> Good thoughts amenditman. Malwarebytes isn't another antivirus program.

My bad for calling it an antivirus program; I know the difference. I just try to not have a bunch of programs installed on my machine all actively trying to protect me while browsing. I try to keep only one antivirus and one anti-malware program installed and actively running. Am going to try Malwarebytes to see if it picks up anything. Cheers

> Might I suggest waiting on Hitman Pro or other Rootkit finder programs until Corrine has had a chance to check in here? It is possible that Rootkit finder programs can leave your Windows install unbootable depending on what's infected with the rootkit.

Will do... thanks for the feedback. Cheers

Okay... this is odd... how did my two separate replies become one?

Edited April 10, 2012 by alphaomega
Corrine Posted April 10, 2012

To answer your last question first, the two replies became one due to a "feature" of the IPB software. If a second reply is made within a relatively short period of time by the same person, the two are merged. Rather silly, but it is what it is.

As to whether you have a backdoor (bancos) on your computer, I'd really need to see a log. If you want to start with an MBAM scan, following are the instructions I recommend. The reason it indicates normal mode rather than safe mode is because MBAM works best that way.

Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, be sure Quick scan is selected, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
- Click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Please post contents of that file in your next reply.

** Note ** If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In the event you would like logs reviewed, please do the following:

Please download DDS.scr by sUBs and save it to your desktop: Link
- Double-Click dds.scr and a command window will appear. This is normal.
- Shortly after, two logs will appear, DDS.txt and Attach.txt.
- A window will open instructing you to save & post the logs.
- Save the logs to a convenient place such as your desktop.
- Copy the contents of both DDS.txt and Attach.txt logs and post in your next reply.
Guest LilBambi Posted April 10, 2012

Thanks Corrine! To make it easier for you to help with this situation, I will, and hopefully others too will, step back and let Corrine handle it from here as she is very adept at doing this. It becomes too difficult with several people suggesting fixes with these types of malware.
alphaomega (Author) Posted April 10, 2012

MBAM did not find anything. Anybody know what "activity" indicates an infection with bancos? So far nothing is finding this bancos infection.

Cheers

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.10.09

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Alpha :: EMACHINESW3503 [administrator]

4/10/2012 4:06:56 PM
mbam-log-2012-04-10 (16-06-56).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 257688
Time elapsed: 52 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Corrine Posted April 10, 2012

As long as the modifications MBAM detected were made by you, correct, it didn't find anything. What McAfee removed was in Temp Files and, although malicious, testbundle23w_1254(1).exe isn't one of the back-door banco trojans. (Virus Total results for testbundle)

> Anybody know what "activity" indicates an infection with bancos? So far nothing is finding this bancos infection.

Most commonly, the banco trojans target South American countries, although there are banco trojans that are generic password stealing trojans.

Note: If there is a back-door on your computer, I strongly advise not doing any banking or making any internet purchases on the computer until we know what is going on. Change your critical passwords from a different computer.

I can see if I find something if you want to post the DDS logs referenced in my earlier reply.
alphaomega (Author) Posted April 11, 2012 (edited)

> As long as the modifications MBAM detected were made by you, correct, it didn't find anything. What McAfee removed was in Temp Files and, although malicious, testbundle23w_1254(1).exe isn't one of the back-door banco trojans. (Virus Total results for testbundle) Most commonly, the banco trojans target South American countries, although there are banco trojans that are generic password stealing trojans. Note: If there is a back-door on your computer, I strongly advise not doing any banking or making any internet purchases on the computer until we know what is going on. Change your critical passwords from a different computer. I can see if I find something if you want to post the DDS logs referenced in my earlier reply.

Yes, the modifications were done by me. And I rarely sign into anything anymore from Windows, and I do all my online banking from within Linux, so hopefully no passwords have been stolen.

Totally forgot to run DDS although I did download it. Will get to that right now.

dds
attach

Cheers

Edited April 11, 2012 by alphaomega
alphaomega (Author) Posted April 14, 2012

dds
attach

I also ran the free version of Hitman with the following results. (I have not performed a clean.)

5 files to be uploaded to the scan cloud:
master boot record
sas_528c3484.com (an old portable version of SuperAntiSpyware)
SBFile (file details indicate it is part of CA Internet Security Suite)
videoinspector_nork.exe
mp3diagswindows-unstable.exe

4 files as suspicious (Google search indicates it is part of super media file converter):
flacdx.ax
mpcdx.ax
rlapedex.ax
rlmpcdex.ax

All the rest were tracking cookies.

And I finally heard back from my ISP and they indicated that the incident occurred Easter Sunday @ 1:21pm. They said that one of my machines had connected to a bot net. Using a live Linux CD I did a search on both machines w/XP for all files created/modified on that date to see if it would refresh my memory as to what I was doing.

On machine A there were files in:
temporary internet files (search for flv player)
system volume information/_restore
between the hours of 2am-3am. The search did not find any files created/modified around the time of the incident.

On machine B the search did not find any files created/modified on that date.

Should I go ahead and perform the clean?
Corrine Posted April 14, 2012

Your logs are also not showing any files created/modified on that date. I suspect that McAfee's finding in the temporary internet files was what your ISP saw. However, let's do a more thorough cleaning of temp files. As you will note in the additional information provided, TFC does a thorough job. I suggest, however, that you go the additional step and clear browser cache and cookies.

Download TFC to your desktop
- Open the file and close any other windows. It will close all programs itself when run; make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies.
Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

More info: TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Having reviewed your logs, I am not seeing any signs of malware. If your ISP is still not satisfied that all is well, feel free to point them to this thread.
alphaomega (Author) Posted April 14, 2012

Okay, I ran TFC and it cleaned out about 1.9gb of stuff.

Also, during the first scan with Hitman it did not send the 5 files to the scan cloud (I had that option turned off as the LAN connection was disconnected). After Hitman gave me a message about not being online... I connected the cable but forgot to reset that option. So I scanned again with Hitman and let it upload the files to the scan cloud.

End result, 5 suspicious files:
sas_528c3484.com
flacdx.ax
mpcdx.ax
rlapedex.ax
rlmpcdex.ax

Hitman did not flag any of the other files it uploaded:
master boot record
SBFile.exe
videoinspector_nork.exe
mp3diagswindows-unstable.exe

Here is what McAfee has to say about virus detections named 'Artemis': http://service.mcafe...spx?id=TS100414

I took the file that McAfee detected and quarantined and uploaded it to VirusTotal. Here are the results from VirusTotal: https://www.virustot...2f630/analysis/

Still no indication of a bancos infection. The lady I spoke with at my ISP security and abuse department told me that they get a report every couple of days, and if my machine exhibits virus activity again and shows up on their report I would probably get another notice.

Is there anything else I should do?

Cheers and Thank You so much for your assistance in this matter.
Corrine Posted April 15, 2012

I researched McAfee's finding of Artemis in the temporary internet files when you originally reported the issue. Since you've already cleaned temp files, scanned with
Superantispyware
McAfee anti virus
Microsoft's Malicious Software Removal Tool
AVG rescue CD
Kaspersky rescue CD
Malwarebytes
Hitman
have completed a thorough cleaning of temp files, and the Windows XP logs are clean, there isn't much more you can do with this machine. That said, it wouldn't hurt to scan the Slackware install with an A/V, particularly if you have Adobe Flash Player installed on it.
V.T. Eric Layton Posted April 15, 2012

You MS Win security folks are the experts here. However, I would like to state that it is my understanding that the only malicious attacks possible on a Linux installation would be a root kit type attack. I do not believe that running an AV scan on a Linux installation would serve any purpose, as the scan would be searching for MS Windows-based malicious software. I would recommend running rkhunter or chkrootkit in Slackware, though. Can't hurt.

Guest LilBambi Posted April 15, 2012

Well, not all AVs are just for Windows computers anyway, but you are right about rkhunter and/or chkrootkit! Great ones for Linux and can be run right from the commandline too!

V.T. Eric Layton Posted April 15, 2012

Not all AVs are for MS Windows, but they all search for MS Windows-based viruses. There are no Linux viruses in the wild, supposedly. According to data that I have read (referred to by Bruno, actually), the only viruses created for Linux were created in laboratory settings and require elevated (root) privileges to run on the Linux systems they were tested on. Because of Linux's inherent administrative permissions levels, the normal "click and infect" MS Windows-type viruses cannot function. As I said, though, you guys, particularly Corrine, know a lot more about this stuff than I do.

Guest LilBambi Posted April 15, 2012

Yes, better to call it Linux malware (Wikipedia) I think:

> Linux malware includes viruses, trojans, worms and other types of malware that affect the Linux operating system. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected, but not immune, from computer viruses.[1][2] There has not yet been a widespread Linux malware threat of the type that Microsoft Windows software faces; this is commonly attributed to the small number of users running Linux as a desktop operating system[1], the malware's lack of root access and fast updates to most Linux vulnerabilities.[2] The number of malicious programs — including viruses, Trojans, and other threats — specifically written for Linux has been on the increase in recent years and more than doubled during 2005 from 422 to 863.[3]

Most are in the lab, but not all. And any AV that runs on Linux will check for these as well.

V.T. Eric Layton Posted April 15, 2012

> ...the malware's lack of root access...

That's the key right there.
alphaomega (Author) Posted April 15, 2012 (edited)

I do have Adobe Flash Player installed in Slackware, so I attempted to scan the /home folder with Kaspersky Rescue CD. That did not go over too well. I tried to only scan the /home folder, but it would still try to scan the whole partition where Slackware is installed, folders such as /proc and /sys, along with the drive where Windows is installed. And after a couple of hours it gets stuck in a loop with messages similar to the following repeating in the log:

/sys/devices/pci0000:00/0000:00:14:1/ide0/0.0/unload_heads
/sys/devices/pci0000:00/0000:00:14:1/ide1/1.0/unload_heads

So instead of just unchecking the drive in Kaspersky Rescue CD, I also added exclusions for folders such as /proc, /sys and /mnt and attempted to scan just /home again, and it would still attempt to scan the whole partition and eventually got stuck with the same messages in the log file. At this point I have to stop the scan or it will just sit there repeating the same messages in the log. I'm not sure why I could not get it to scan just the /home folder.

It did however come across the following adware on a data partition on machine A, which contains an old backup copy of the /home folder from machine B:

/sda3/temphold/compaqlnx/home/alpha/Documents/Downloads/timesinkpatch.exe/TSUNINSTALLER.EXE

I also ran aswMBR.exe and submitted the MBR.dat file to VirusTotal: MBR.dat scan results

And speaking of log files, I had not looked at Windows' event logs. I only scanned the drive for files created/modified on the date of the incident. So I went in and looked at the Windows' event logs, and on machine A there are only entries in there between the hours of 2-3am (no entries around the time of the incident). Machine B had no entries for the date in question.

I even browsed through the logs in Slackware, and the last entry in messages with that date has a timestamp of 12:23pm. The last entry in syslog with that date has a timestamp of 10:45am. The incident took place at 1:21pm. In Slackware I have two files created around the time of the incident. One created at 12:42pm and another created at 1:24pm. So at least three minutes after the incident I was in Slackware.

I just don't get it. They claim one of my machines is infected with bancos and connected to a bot net @ 1:21pm on Easter Sunday (04/08/12). I was force routed to the notice page (while in Firefox on Slackware) around 4pm (04/09/12) the next day. None of the tools I've tried has been able to pick up a bancos infection. There are no files created/modified around the time of the incident in Windows. There are no entries in Windows' log files around the time of the incident. It would seem as if my machine was not even in Windows around the time of the incident. And I know I was in Slackware a few minutes after the incident.

2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --

I would probably feel a little more comfortable had one of the tools actually detected bancos. Anyway, thank you so much for your assistance in this matter. If you have any other ideas on what else I could try, please let me know.

Cheers and Thanks

P.S. will look into running rkhunter or chkrootkit on Slackware.
rkhunter log http://sprunge.us/SMAJ
chkrootkit log http://sprunge.us/KDMj

Edited April 15, 2012 by alphaomega
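The timeline check alphaomega did by hand (live-CD search for files touched on the incident date, then reading the Slackware logs around 1:21pm) as a small added script; this is example code, not from the thread or from any of the tools named in it. It walks a mounted partition for files modified within an hour of the ISP's timestamp, skipping the pseudo-filesystems that wedged the rescue-CD scan, and finds the syslog entries that bracket the incident. The 12:23:44 MARK line and the host name are quoted from the post; the other log lines and the sample files are constructed.

```python
import os
import re
import tempfile
import time
from datetime import datetime, timedelta

# Pseudo-filesystems that made the rescue-CD scan loop in the thread; skipped
# when they sit directly under the scan root (e.g. a mounted root partition).
SKIP_TOP_DIRS = {"proc", "sys", "dev", "run"}

# Syslog line format quoted in the post, e.g.
# "2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --"
SYSLOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

INCIDENT = datetime(2012, 4, 8, 13, 21)  # the ISP's reported time, from the thread

# Constructed sample log; only the 12:23:44 MARK line is quoted from the post.
SAMPLE_SYSLOG = [
    "2012-04-08 10:45:02 emachinesw3503 syslog -- MARK --",
    "2012-04-08 12:23:44 emachinesw3503 syslog -- MARK --",
    "2012-04-08 14:12:09 emachinesw3503 kernel: usb 1-2: new device",
    "garbage line that does not parse",
]

def files_touched_near(root, incident, window=timedelta(hours=1)):
    """[(path relative to root, mtime)] within +/- window of incident, sorted."""
    lo, hi = incident - window, incident + window
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                when = datetime.fromtimestamp(os.lstat(path).st_mtime)  # no symlink follow
            except OSError:
                continue  # vanished or unreadable: skip it, don't abort the sweep
            if lo <= when <= hi:
                hits.append((os.path.relpath(path, root), when))
    return sorted(hits, key=lambda h: h[1])

def bracket_syslog(lines, incident):
    """(last entry at/before incident, first after it) as (datetime, host, msg) or None."""
    before = after = None
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than stop the review
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entry = (when, m.group(2), m.group(3))
        if when <= incident and (before is None or when > before[0]):
            before = entry
        elif when > incident and (after is None or when < after[0]):
            after = entry
    return before, after

def build_sample_tree():
    """Constructed stand-in for a mounted partition; returns the temp root."""
    root = tempfile.mkdtemp(prefix="timeline_")
    for rel, when in (
        ("home/alpha/notes.txt", datetime(2012, 4, 8, 13, 24)),      # in window
        ("home/alpha/older.txt", datetime(2012, 4, 8, 2, 30)),       # outside it
        ("sys/devices/unload_heads", datetime(2012, 4, 8, 13, 21)),  # must be skipped
    ):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        stamp = time.mktime(when.timetuple())
        os.utime(path, (stamp, stamp))
    return root
```

Point `files_touched_near` at a read-only mount of the partition under review and `bracket_syslog` at the real /var/log/syslog lines; a gap in the log across the incident time is itself evidence about whether the box was up.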