Unofficial empeg BBS


#356449 - 22/11/2012 17:40 Malware attack
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
As mentioned in a previous post, I have been attacked by malware.

Originally Posted By: tanstaafl.
Edit4 -- More likely, it is my computer that is hacked, and not the bbs

I cleared my cache and deleted all my cookies, and I thought it might have fixed things, but it didn't.

I ran a full virus scan, AVG says my computer is clean. I have now seen the problem on other websites (Amazon, eBay).

To be more specific about the problem: web pages will have random words highlighted in yellow and underscored, and if my mouse cursor touches the highlight, I get what you see in the attached screenshot. In this case, it is the word "Total" (after File Manager) that triggered the popup. Sometimes the trigger is a word that I have typed, other times (as in the attached example) it is in the "boilerplate" of the page.

I really, really, don't want to nuke and repave to get rid of this thing. What should I do?

tanstaafl.


Attachments: Popup.jpg
Edited by tanstaafl. (22/11/2012 17:45)
_________________________
"There Ain't No Such Thing As A Free Lunch"

#356451 - 22/11/2012 17:51 Re: Malware attack [Re: tanstaafl.]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
What browser are you using ?

Have you tried installing and running Malwarebytes?

http://www.malwarebytes.org/
_________________________
Remind me to change my signature to something more interesting someday

#356452 - 22/11/2012 17:59 Re: Malware attack [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5916
Loc: Wivenhoe, Essex, UK
I see from your other post that you have a selection of browsers installed.

Does the same problem occur in all browsers or just in one of them ?
_________________________
Remind me to change my signature to something more interesting someday

#356453 - 22/11/2012 18:57 Re: Malware attack [Re: tanstaafl.]
Roger
carpal tunnel

Registered: 18/01/2000
Posts: 5683
Loc: London, UK
In Chrome, check that you don't have any extensions you don't expect (menu -> Tools -> Extensions).

In IE, check that you don't have any plugins that you don't expect (Cog -> Manage Add-ons).

I don't have Firefox installed on this PC.

Also, use SysInternals Autoruns, which will display a list of stuff loaded at startup. In particular, since this is affecting your browser (if it's IE), look in the Internet Explorer tab.

Note that most of this stuff is benign, so don't go disabling or uninstalling it without checking first.
_________________________
-- roger

#356456 - 22/11/2012 21:33 Re: Malware attack [Re: Roger]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Remember when Ad-Aware wasn't a huge bloated mess? Might still be worth a try (free edition) if nothing else turns up the solution.

Hopefully it's just a browser-level plugin. If it affects all browsers it could be something installed as a proxy and might even show up in Windows Internet prefs.

Doug, are you still running Windows XP? Windows 7 should in theory spot stuff like this with its malware "stuff" - I can't remember if it's Defender or the other thing I can't remember the name of right now. ;-)

You should try Ubuntu.
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#356458 - 22/11/2012 21:45 Re: Malware attack [Re: hybrid8]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
+1 for Malwarebytes

Or get a log from HijackThis and post it here. I'm sure we can pick out the dodgy one.

Microsoft Security Essentials is what used to be Defender (although it's coming back in Windows 8 I think).
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#356469 - 23/11/2012 03:38 Re: Malware attack [Re: Shonky]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
+1 for Malwarebytes. It's always the first thing I run on any of my clients' machines.

+1 for MSE, which I've recommended several times but AVG keeps winning for Doug ;-) **

I'd boot into safe mode and run Malwarebytes. That takes care of most of these things. Also try running TDSSKiller to look for rootkits, and look at HijackThis as recommended above for any odd items (but don't remove things indiscriminately, it's a tough program to read).

If all else fails, then I have one more suggestion. I hesitate to suggest it because it's a much bigger hammer and some bad things could happen if used improperly. But if we're talking about really hitting a virus hard, Combofix is the tool. Again, this one can eff your system up as easily as fixing it. Please try all the other solutions here before using it.


**Doug, I'm just giving you a hard time about your love of AVG (which, admittedly, I used to love before it started looking like Norton). The fact is, a perfect antivirus does not exist in any way, shape or form, aside from pulling out the network jack and never plugging any hardware or media into your computer. User behavior is still the best protection.
_________________________
Matt

#356470 - 23/11/2012 03:49 Re: Malware attack [Re: Shonky]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Originally Posted By: hybrid8
Remember when Ad-Aware wasn't a huge bloated mess? Might still be worth a try (free edition) if nothing else turns up the solution.

Yep. I also remember when using a separate application for "adware" was actually necessary, and even the people writing viruses and adware/spyware still made a distinction between the two. Now most stuff finds both because the lines have been erased.

Quote:
Hopefully it's just a browser-level plugin. If it affects all browsers it could be something installed as a proxy and might even show up in Windows Internet prefs.

Could be. Also, the hosts file could have been changed. Some antivirus tools will check for that (like HijackThis if it has administrative permissions), or you could go edit it manually to make sure it hasn't been changed. Here are the locations.

Quote:
Doug, are you still running Windows XP? Windows 7 should in theory spot stuff like this with its malware "stuff" - I can't remember if it's Defender or the other thing I can't remember the name of right now. ;-)

Windows 7 started installing Microsoft Security Essentials with Windows Update a good long while after the OS was first released. At least, that's what I've seen anecdotally. But I'm pretty sure it'll only install if you don't already have an antivirus installed. It certainly won't enable it as a second antivirus, which would be bad.

Originally Posted By: Shonky
Microsoft Security Essentials is what used to be Defender (although it's coming back in Windows 8 I think).

It's a little more amorphous. Defender has been built into Windows since XP, and is a separate program from MSE. When you install MSE, Defender is disabled. It is in fact an antivirus program, though, so I'm a little unclear what the differences between it and MSE are, aside from the addition of scheduled virus scans...

Also, in my research to confirm the above info, I was surprised to see I was wrong about something I keep telling my clients. I thought MSE was the former Giant Antispyware. Turns out that Defender is. I have no idea where MSE came from. Maybe they built it in-house? Maybe with the Giant team?
_________________________
Matt

#356490 - 24/11/2012 12:45 Re: Malware attack [Re: andy]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Originally Posted By: andy
What browser are you using ?
My primary browser is Firefox. I also have Chrome and Internet Explorer available. Firefox and Chrome both show the unwanted popups; Internet Explorer [apparently] does not.

Originally Posted By: andy
Have you tried installing and running Malwarebytes?
On your recommendation I have now done so.

Now if my computer catches on fire and burns down my house, it'll be all your fault! :-)

Attached is a screenshot of the Malwarebytes log taken (I think) before I clicked the Remove Malware button. After I did that, I re-ran the program and got the message that there was no malware found.

Incidentally, I found out why you recommend running Malwarebytes in safe mode... I ran it in "normal" mode the second time (when it found no malware) and on my next reboot Malwarebytes had enabled every single item in my Startup menu. I went through it and disabled all the things I want to keep but not have loaded on boot. Attached is a screenshot of my startup menu.

If anybody wants to look through those two screen shots (right-click and choose "View Image" to make them readable) and advise me of anything that doesn't look right, I'd appreciate it.

At this point I don't know if my unwanted popups are gone, but hope springs eternal. Meanwhile, what am I going to do with all those free iPads I have won?

tanstaafl.


Attachments: Malware Log.jpg, Startup Screen-W1200.jpg
_________________________
"There Ain't No Such Thing As A Free Lunch"

#356501 - 24/11/2012 21:52 Re: Malware attack [Re: tanstaafl.]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
The TSearch thing is probably your problem.

Have a look in Add/Remove programs - it may be a simple case to remove it just there. Sometimes these uninstall nicely.

Also there's a number of Browser helper objects that look a bit dodgy.

Looks like about 3 or 4 different bits of malware (or just unwanted items) there. It's been a while since I've had to remove this sort of stuff, but AdAware was the tool I last used I think to automatically remove. I'm not sure what the best is these days. Just deleting the files and registry keys will probably be OK.

Letting Malwarebytes do a clean-up would be my recommendation. I'd remove basically most of the stuff. All of the registry keys I don't like. All but the first file look dodgy. The first looks like you're not running a genuine Windows? That's a key server to bypass the Windows authentication.

The "startup" screenshot looks OK.

PS: next time just copy/paste the log into the forum :-)
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

#356504 - 24/11/2012 23:38 Re: Malware attack [Re: Shonky]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Originally Posted By: Shonky
Letting Malwarebytes do a clean-up would be my recommendation.
That's what I did, then I ran it again and it reported no malware found.

Since that time I haven't seen the unwanted popup, but the night is young, so to speak. If I go a couple of days without it, I'll believe that it is gone.

Originally Posted By: Shonky
PS: next time just copy/paste the log into the forum
Oh, sure, but where's the fun in that? :-) The log was in plain text using a non-proportionally spaced font (Courier New?) and was really ugly. I didn't want to subject you people to that!

BTW, be impressed with the startup screenshot. You can't actually make Windows display it like that... :-)

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

#356505 - 25/11/2012 01:42 Re: Malware attack [Re: tanstaafl.]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
FWIW, I don't recall ever seeing Malwarebytes find a false-positive. I wouldn't worry about telling it to remove whatever it found.

Originally Posted By: tanstaafl.
The log was in plain text using a non-proportional spaced font (Courier New?) and was really ugly. I didn't want to subject you people to that!

I'm pretty sure Malwarebytes just launches Notepad to display its log. Don't worry, that won't retain any formatting if you copy/paste it here.

Quote:
BTW, be impressed with the startup screenshot. You can't actually make Windows display it like that... :-)

Yeah, msconfig is obnoxious that way. I have no idea why that window isn't resizable. I like using CCleaner to look at startup items because it lets me delete (instead of just disable), but I can also maximize the window and see everything at once :-) Anyway, sorry you had to go to all that trouble with the photoshopping :-)
_________________________
Matt

#356510 - 25/11/2012 11:17 Re: Malware attack [Re: Dignan]
tanstaafl.
carpal tunnel

Registered: 08/07/1999
Posts: 5549
Loc: Ajijic, Mexico
Originally Posted By: Dignan
Anyway, sorry you had to go to all that trouble with the photoshopping :-)
You gotta be kidding me! That's the sort of thing I live for! :-)

tanstaafl.
_________________________
"There Ain't No Such Thing As A Free Lunch"

#356511 - 25/11/2012 11:51 Re: Malware attack [Re: tanstaafl.]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
I tried to get it made a rule at Rio that if there was a scrollbar anywhere inside a window, then the top-level window must be made resizeable so that people with big screens can eliminate the scrollbar. Roger groused about it, 'cos MFC dialogs don't work like that out of the box, but eventually implemented it. Later someone who didn't want the hassle of maintaining it quietly removed it :-(

Peter

#356518 - 25/11/2012 19:27 Re: Malware attack [Re: peter]
Dignan
carpal tunnel

Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
Originally Posted By: peter
I tried to get it made a rule at Rio that if there was a scrollbar anywhere inside a window, then the top-level window must be made resizeable so that people with big screens can eliminate the scrollbar. Roger groused about it, 'cos MFC dialogs don't work like that out of the box, but eventually implemented it. Later someone who didn't want the hassle of maintaining it quietly removed it :-(

The problem with the msconfig window is due to the resizable columns, one of which (in Windows 7, at least) contains the registry key for each item. If you fully expand each column to fit the widest entry, usually you end up having to scroll at least three times the width of the window. It's just dumb.
_________________________
Matt

#356519 - 25/11/2012 19:51 Re: Malware attack [Re: Dignan]
Taym
carpal tunnel

Registered: 18/06/2001
Posts: 2504
Loc: Roma, Italy
Non-resizable windows, in general, should be punished by law. :-)
_________________________
= Taym =
MK2a #040103216 * 100Gb *All/Colors* Radio * 3.0a11 * Hijack = taympeg

#356530 - 26/11/2012 15:46 Re: Malware attack [Re: peter]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Originally Posted By: peter
I tried to get it made a rule at Rio that if there was a scrollbar anywhere inside a window, then the top-level window must be made resizeable so that people with big screens can eliminate the scrollbar.
Agreed completely: A pet peeve of mine is any non-resizable window that requires scrolling to read its contents.
_________________________
Tony Fabris
