undetected infection - 0.19833966783643586.exe


Googling I went to a page with an auto-redirect to the following page:

http://deansurvey.vv.cc/showthread.php?t=60050011 (DO NOT GO TO OBVIOUSLY)

This caused the following exes to start:

0.19833966783643586.exe

0.3486769720286922.exe

I could not stop or delete them.

Looking in my temp folder I also found the following file created with it:

~DF1CF1.tmp (Viewing in Notepad, started with Root Entry and then gobbledygook code.)

I couldn't find anything on those exes, but looked up the page and found this:

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fdeansurvey.vv.cc%2Fshowthread.php%3Ft%3D60050011

http://safeweb.norton.com/report/show?url=http%3A%2F%2Fkagamand.cx.cc%2Fbujuin.jar

http://www.siteadvisor.com/sites/http%3A//deansurvey.vv.cc/showthread.php%3Ft%3D60050011

I could not run Malwarebytes, because I was having trouble with the 1.51 update. I ran RootkitBuster.exe and it said it found 17 hidden ports opened.

[HIDDEN_PORT]:

Address Family : IPv4

Type : TCP (TIME-WAIT)

LocalAddress : MyIP:4627

Remote Address : 96.17.151.88:80

Process : (0)

Image Path :

The 16 other ports were: 4628, 4629, 4630, 4631, 4632, 4635, 4636, 4637, 4638, 4639, 4640, 4641, 4642, 4643, 4644, 4651.

Rootkit wanted to reboot to close those ports. When rebooting it took a LONG time to close and restart and I'm afraid the trojan/virus was rooting/installing/whatever.

I could not get 1.51 to work, so I uninstalled it and reloaded my previous version 1.46, but then downloaded the most recent DB version 6790 and ran scan.

So here is my problem, running Malwarebytes and McAfee, they can't detect anything, but I'm fairly certain I must be infected with hidden malware/virus/trojan listed on those pages above.

Why doesn't Malwarebytes detect anything? Suggestions?

Malwarebytes' Anti-Malware 1.46

Database version: 6790

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/6/2011 8:59:18 PM

Scan type: Full scan (C:\|)

Objects scanned: 289640

Time elapsed: 2 hour(s), 7 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

I'm not sure whether this subforum or Security Alerts is the right forum to ask this in, because I'm not just inquiring about the possibility of my specific infection, but undetected infections in general. (I'll keep writing in this forum though.)

Specifically - I KNOW that SoftForYou Keylogger is installed on my computer by someone. I know because they never changed the password, so the default password opens the interface. And yet, this has never been detected or removed by any of the following programs:

Microsoft essentials

McAfee suite

Malwarebytes

GMER Rootkit Scanner

DDS.scr

OTL.exe

RootkitBuster

HijackThis

I've run all of the above again and they don't seem to show any infection. And yet I just accessed SoftForYou Keylogger and it's still there and even logged running and keys in GMER and OTL!

I actually don't care about SoftForYou Keylogger, in a way I'm actually using it myself now and it doesn't send the files anywhere and I'm the only user of this machine now, so it's not a threat. But the fact that nothing detects or removes it concerns me greatly. What else is running on my machine that is not detected? Perhaps there is a keylogger or some trojan I don't know about that's uploading its logs off the machine.

For instance, it would seem I should be infected from the attack from visiting the site in my initial post. RootkitBuster detected it opening all those ports. Yet everything I've run says there is no further infection. That just seems unlikely. So my question isn't only whether I'm really infected from this one instance, it's how reliable is any of this detection/protection software? Again because I KNOW it's not detecting SoftForYou Keylogger, so how do I trust there's not other stuff it's not detecting?

Btw, does anyone know what the last two entries on the GMER screenshot below are?

[Attachment: post-83719-0-42663000-1307464224.jpg (GMER screenshot)]
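The RootkitBuster `[HIDDEN_PORT]` records quoted above are easier to judge once they are read state by state: a TCP socket in TIME-WAIT with `Process : (0)` is a connection that has already been closed (the kernel keeps the entry briefly and then discards it), while a LISTENING or ESTABLISHED socket with no owning process is the kind of entry that merits follow-up. The script below is an added example, not code from this thread or from RootkitBuster: it parses records in the layout shown in the post, separates transient teardown states from sockets that are genuinely open, and collapses repeated entries per remote endpoint so seventeen near-identical lines become one row. The sample report is constructed: two records reuse the post's own values (remote 96.17.151.88:80, TIME-WAIT, no process), and the third (a listener on 0.0.0.0:8443 owned by a hypothetical `example_listener.exe`) is invented here to show how a truly open port is reported.

```python
"""Triage helper for RootkitBuster-style [HIDDEN_PORT] records.
Added example; not part of the forum thread or of RootkitBuster."""
import re
from collections import Counter

# Constructed sample modelled on the record layout quoted in the post.  The
# first two records reuse the page's values; the third (LISTENING socket with
# an owning process) is hypothetical, added to exercise the classifier.
SAMPLE_REPORT = """[HIDDEN_PORT]:
Address Family : IPv4
Type : TCP (TIME-WAIT)
LocalAddress : 192.0.2.10:4627
Remote Address : 96.17.151.88:80
Process : (0)
Image Path :

[HIDDEN_PORT]:
Address Family : IPv4
Type : TCP (TIME-WAIT)
LocalAddress : 192.0.2.10:4628
Remote Address : 96.17.151.88:80
Process : (0)
Image Path :

[HIDDEN_PORT]:
Address Family : IPv4
Type : TCP (LISTENING)
LocalAddress : 0.0.0.0:8443
Remote Address : 0.0.0.0:0
Process : example_listener.exe (1234)
Image Path : C:\\example\\example_listener.exe
"""

# TCP states in which the connection is already being torn down.  No process
# owns such a socket any more (hence "Process : (0)") and it expires on its own.
TRANSIENT_STATES = {"TIME-WAIT", "CLOSE-WAIT", "FIN-WAIT-1", "FIN-WAIT-2",
                    "CLOSING", "LAST-ACK"}

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
TYPE_RE = re.compile(r"^(\w+)\s*\(([^)]+)\)")


def parse_hidden_ports(text):
    """Split a report into one dict per [HIDDEN_PORT] block, keyed by the
    lower-cased field name, plus derived 'proto', 'state', 'local', 'remote'."""
    records = []
    current = None
    for line in text.splitlines():
        if line.strip() == "[HIDDEN_PORT]:":
            current = {}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    for rec in records:
        t = TYPE_RE.match(rec.get("type", ""))
        rec["proto"] = t.group(1) if t else rec.get("type", "")
        rec["state"] = t.group(2) if t else ""
        rec["local"] = rec.get("localaddress", "")
        rec["remote"] = rec.get("remote address", "")
    return records


def triage(records):
    """Label each record: 'transient' (closed-connection residue),
    'listening' (accepting inbound connections) or 'active' (anything else),
    and note whether RootkitBuster reported an owning process."""
    findings = []
    for rec in records:
        state = rec["state"]
        if state in TRANSIENT_STATES:
            verdict = "transient"
        elif state == "LISTENING":
            verdict = "listening"
        else:
            verdict = "active"
        owner_known = rec.get("process", "") not in ("", "(0)")
        findings.append({"local": rec["local"], "remote": rec["remote"],
                         "state": state, "verdict": verdict,
                         "owner_known": owner_known})
    return findings


def summarize(findings):
    """Aggregate by (remote endpoint, verdict) and list the entries that are
    not mere teardown residue, so a long report reduces to a few rows."""
    by_remote = Counter((f["remote"], f["verdict"]) for f in findings)
    needs_attention = [f for f in findings if f["verdict"] != "transient"]
    return {"by_remote": dict(by_remote), "needs_attention": needs_attention}


if __name__ == "__main__":
    report = summarize(triage(parse_hidden_ports(SAMPLE_REPORT)))
    for (remote, verdict), count in report["by_remote"].items():
        print(f"{count:3d} x {verdict:<10} remote={remote}")
    for f in report["needs_attention"]:
        print("follow up:", f)
```

On the constructed sample the two TIME-WAIT entries collapse into a single row for 96.17.151.88:80 and only the listener is left in `needs_attention`; against a real report the `needs_attention` list is the short set of sockets to cross-check with `netstat -ano` and a process listing, while the `by_remote` counts show at a glance whether many "hidden ports" are just the tail of one closed HTTP session.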


Welcome!

Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With admin rights (right click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


Larry, thank you for your response. I have been out of town on business the second half of this week and away from this computer, so I am just getting to following up now. I want to run a backup of the C drive before running TDSSKiller. I will do that first and then follow your instructions and post back this afternoon.


Hi Larry,

Thank you for keeping me in mind. I do still need to diagnose and resolve this, but I can't on this computer right now. I will do so as soon as I can. I have bookmarked this topic and will check it. Is it OK to leave it open and let it slide down the list, and I'll post and message you when I can run these? If not, should I start a new post and message you then?


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
