Help--computer hacked by antivirus scanning software through popup on website

@ floplot

that was my opinion ...as I posted earlier > My inclination would be to try to clean the malware.....but, what I know about malware would easily fit on the head of a pin ...Sys Restore IDK..just never saw it as a fix for malware....Hope I'm wrong!


That's why I was offering scan options to try and identify the nasty & try to remediate the nasty. That's why I also posted the info about SysRestore limitations.  Pcmom4 did react quickly to the event...credit to Pcmom4...hope we hear back so we can offer Pcmom4 2010 Upgrade (reports running NIS09 Vista & XP)

Cheers

bjm_

Good morning,

Well, with a bit of sleep and a cup of coffee I'm ready to take on the malware.  Based on bjm's and others' advice, I'll try scanning with SUPERAntiSpyware after getting the computer into safe mode.  I have it copied to CD--if that doesn't work I'll try a usb drive.  I'll let you know what happens next--

Wish me luck,

pcmom4

Morning Pcmom4

If you get to Safe Mode..Try Norton Full Scan from Safe Mode (screen will look different)

Since NIS would not scan in Normal Mode ...need to see it scan in Safe Mode.

We're all wishing you luck..  I'm reciting Norton Secret Mantra as I post this ... the SAS defs are only as current as the last download....The scanner contains the latest definitions (at the time you downloaded) so you DO NOT need Internet Access on the infected system to scan.  How to use SAS Portable Scanner > http://www.howtogeek.com/howto/9283/superantispyware-portable-is-the-must-have-spyware-removal-tool-you-need/

Keep us posted

bjm_

Hey--I got in to safe mode!  AND, I got SuperAntiSpyware running!

Right now I am doing a complete system scan in SAS in the one account that has administrator's rights.  Hasn't found anything yet--just 5 tracking cookies.  (It's still early.)  I was not in this account when the attack occurred, however--I was in a limited account that we use for online-email stuff (thought the limited account would be safer, actually, and prevent these types of things from happening... oh well.)

Should I also run the scan from the limited account where the attack occurred?  (Now it looks like it is scanning that account anyhow--perhaps the admin account allows for scans of all user accounts?)

So far so good--I'll try scanning with Norton after this SAS scan from within safe mode.  Do I need to have the DSL plugged in to run the Norton IS scan?  (It is unplugged right now as you noted it should be.)

Feeling hopeful,

pcmom4

Hey Hopeful
Safe Mode will not connect to Internet ...so, for NIS scan from Safe Mode...unplugged.  Safe Mode has an option Safe Mode with Networking...TMI

Did you see option to select Drives....C / D.  SAS as you realized is scanning your Drive..user accounts not an issue.  You opted for Complete Scan?

bjm_

Yes, I saw the drives and I opted for complete scan--it scanned all of c: drive (the only fixed drive) as well as memory and boot up.  It found 74 adware tracking cookies, but nothing more harmful.  It is now asking to reboot to "complete the removal of the harmful software detected" and finish the removal of the cookies--should I reboot now or run the Norton IS scan first?

I could reboot and then get back into Safe Mode and try to run Norton IS--

Wondering why it didn't find anything--maybe I shut it down in time?  Or maybe we haven't found the malware yet?

Hmmmmm.....

pcmom4

Hi Pcmom4

let it do its thing...Reboot

74 adware tracking cookies may not be so benign

What browser do you run IE8?

Just noticed you were in FF 3.5 ....FF current secure version 3.6.3   Why still 3.5?

Now I'm wondering if you received Microsoft Updates on the 13th before this adverse event.

so far so good

bjm_

Hi,

Yup, I should have updated FF--did see that there was initially no support for it with Norton so I let it go and forgot about it...  Guess that's how these things happen--some of us need to learn the hard way...

Here's where I'm at--rebooted and got back into safe mode.  Currently running NIS 09 full system scan--it has only found a few tracking cookies.  If it doesn't find more, should I scan with Malwarebytes from safe mode, or should I go into the regular Windows Vista and run it from there?

And, any ideas what happened?  I'm not sure what you meant about the Windows update on the 13th.  If this isn't being found, is it because it isn't there, or is it hiding and we can't get at it?

pcmom4

Hi again,

Well, I think we got it--I should say them.  Norton has found 3 Trojans that it says have been "fully resolved."  It says under Risk Details:

[hieeyfc.class] inside of [c:\users\online and email\appdata\locallow\sun\java\deployment\cache\6.0\6\7943cc6-1a6e0e56

[hirwfee.class] inside of [c:\users\online and email\appdata\locallow\sun\java\deployment\cache\6.0\6\7943cc6-1a6e0e56

[hiydcxed.class] inside of [c:\users\online and email\appdata\locallow\sun\java\deployment\cache\6.0\6\7943cc6-1a6e0e56

This is likely it--online and email is the account I was on when it happened.  The Norton scan has finished--I'm assuming the trojans are in quarantine, and I have to tell it to delete the tracking cookies. Seems that these trojans are high risk, but Norton says they have been resolved--what does that mean?

Glad Norton found it.  So, now what should I do?

pcmom4

Pcmom4

Sorry for the delay...my dog took me for a walk

OK...you are still disconnected

Boot to Normal Mode

I need some info

NIS09 version#

FF version # Help > About

Windows Update History > last date > see multiple updates on 13th

Open FF (disconnected) blank page will open > need ver for Java and Shockwave Flash > Tools > Addons

Untick Accept third party cookies

Tick Block popups

more to follow

bjm_

OK, here's what I have so far:

NIS09 version#:  16.8.0.41

FF version # Help > About:  ver. 3.5.5

Windows Update History > last date > see multiple updates on 13th:  none on 13th--last one on 4/1/2010--Cumulative Security Update for Internet Explorer 7 for Windows Vista (KB980182)

Open FF (disconnected) blank page will open > need ver for Java and Shockwave Flash > Tools > Addons:

Java Platform SE 6 U13 6.0.130.3--Java Platform SE binary

Java Platform SE 6 U13  6.0.130.3--Java Plug In 1.6.0_13 for Netscape Navigator (DLL Helper)

Shockwave Flash 10.0.45.2

Untick Accept third party cookies:**Can't find this option in FF**

Tick Block popups:  I have checked "Block pop-up windows" in Options (it was checked when I opened it)

Anything else?

pcmom4

What email account uses java 

What email account was in use ...

Not sure--we have 3 accounts--don't know if I should post it here because I would like to keep them private.  Can I send them to you privately?

And how would I find out which one uses java?

pcmom4

Pcmom4

NIS current ver for 09 at some point u may want to Upgrade for free to 2010 ...your option

FF 3.5.5 has known patched security vulnerabilities fixed in current FF 3.6.3 ...your option

April 13th was Microsoft Download Tuesday...second Tues every month....when you are connected ..Please run Windows Update...multiple Vista Updates should be available

Shockwave Flash is current

Java is outdated version with known security issue...the current ver 6.0.190.4 also has a known security issue...for now disable Java...so few apps use it....I run with it disabled all the time

Cookies > Tools Options > Privacy > untick Accept third party cookies

Review Norton Security History > Resolved Risks / Unresolved / Quarantine ~ review all History ~ anything not look OK

Norton Icon has green check?

Are you ready to test drive this pc

Not your email address...Your email server ie Yahoo  Hotmail  AOL ...do you use Windows Mail or web based mail

For now disable Java...it's not safe...just noticed Netscape...I thought Netscape discontinued Support in 2008.

You have an AOL or AIM email account...correct?

Do you have Netscape Navigator browser installed and do you use it?

Just noticed IE7 ...also your option to Upgrade to IE8

Bottom line IMO you have apps that should be patched / updated.

Your NIS09 can't stop some nasties with holes in your apps. 

Lets see if we can get you functional and just hope ....Disable Java

If you're ready to connect and see what smokes...let me know

If no smoke then run NIS Live Update and run Full Scan

then I can offer link for MBAM for yet another Full Scan if you want...

Sorry I may be overly cautious but, I have your best interest in mind.

bjm_ 

bjm_

I advised the OP to run MBAM and provided a link in message 16 of this thread.

 

Hi bjm,

Well, here goes--I'll try to answer what I can.

NIS current ver for 09 at some point u may want to Upgrade for free to 2010 ...I do have it and will do so when computer is running OK...


FF 3.5.5 has known patched security vulnerabilities fixed in current FF 3.6.3 ...Ditto--will update after test run.


April 13th was Microsoft Download Tuesday...second Tues every month....when you are connected ..Please run Windows Update...multiple Vista Updates should be available: .Ditto--will update after test run.


Shockwave Flash is current

Java is outdated version with known security issue...the current ver 6.0.190.4 also has a known security issue...for now disable Java...so few apps use it....I run with it disabled all the time:  How do I do this?


Cookies > Tools Options > Privacy > untick Accept third party cookies:  Is this supposed to be in FF?  Under Tools, Options, Privacy there is only "Remember History/Never/Use Custom settings button, links to "clear your recent history" or "remove individual cookies" and a Location Bar setting.  Perhaps this is because I am working offline?

Review Norton Security History > Resolved Risks / Unresolved / Quarantine ~ review all History ~ anything not look OK

Norton Icon has green check?  Norton has the green tick--I looked in the history and around the time I got the trojans it didn't detect anything--I can't really tell what does or doesn't look OK, but around that time it says,

IP address has disappeared from adapter NVIDIA nForce 10/100 Mbps Ethernet #2 and is no longer being protected (IP address: fe80;;1163;ec6d:4429:4320

about 27 mins later it says

IP address has disappeared from adapter NVIDIA nForce 10/100 Mbps Ethernet #2 and is no longer being protected (IP address: 192.168.0.7)

About an hour and a half later it says it is protecting the connection to a newly detected network at the same addresses.  Then, "an instance of "C:\Program Files\Java\jre6\bin\java.exe is preparing to access the internet" is detected.

Then, 2 entries with low severity: "pdfupd.exe made 3 modifications to your System Configuration" is detected, followed by "xjrfledtssd.exe accessed your network resources" is detected.

Then, "An instance of c:\Users\Online and Email\AppData\Local\ulsvrewgv\xjrfledtssd.exe is preparing to access the Internet" is detected.

Then, Norton Community Watch Feedback is processing.

Then, "Firewall rules were automatically created for xjrfledtssd" twice.

Then, under Medium Severity, "Unauthorized access logged" (Access Process Data) is Logged.  (The actor is c:\users\online and email\appdata\local\ulsvrewgvlxjrfledtssd.exe)

This looks odd to me--there are also a few entries that were detected as firewall activities: "Rule Default Block Microsoft Windows 2000 SMB" blocked communication, but then only pretty regular entries until another Medium Severity, "Unauthorized access logged" (Access Process Data) is Logged.  (The actor is c:\users\online and email\appdata\local\ulsvrewgvlxjrfledtssd.exe)

Then, the 3 trojans are noted as detected by the virus scanner and quarantined.  The tracking cookies are detected and quarantined as well.  All entries after that seem fine (relate to programs already on system.)

I can export this and send it to someone at Norton if needed, once I am connected again.

Are you ready to test drive this pc--I don't know--do you think I am?  I never ran malwarebytes--should I do that first or do you think I don't need to?

Not your email address...Your email server ie Yahoo  Hotmail  AOL ...do you use Windows Mail or web based mail

Our 2 email accounts are through tds.net -- but we have one gmail account for web based mail.  I can send the account names privately to you if you need them.  My email client is Windows Live Mail.

For now disable Java...it's not safe...just noticed Netscape...I thought Netscape discontinued Support in 2008.  No problem--just tell me how to do it--

I don't have Netscape Navigator on the machine.  I do have a Windows Live Messenger account that I never use and would be happy to get rid of.

Thanks for all your help--let me know what to do next,


pcmom4
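As an added example (not Norton's code and not something any poster in this thread supplied), the Python script below walks a Security History listing of the kind pcmom4 transcribed and pulls out the entries a defender would want to look at first: an executable running from a user's AppData folder (the thread's xjrfledtssd.exe), a firewall rule auto-created for such a binary, Java plug-in network activity just before it, and .class files sitting in the Java deployment cache (the three detections from the earlier post). The event list is reconstructed from the transcription above; the timestamps and the exact message wording are constructed, since the post gives only relative times and paraphrases the entries, and the regex names and reason labels are this example's own.

```python
"""Triage a Norton-style Security History listing.

Added example for this thread; not Norton code and not from any poster.
The event list is reconstructed from pcmom4's transcription; the timestamps
are constructed because the post only gives relative times.
"""
import re
from collections import Counter
from dataclasses import dataclass

# A Windows path: drive letter, then anything (spaces allowed) up to .exe,
# .class, a closing bracket/quote, or end of text.
PATH_RE = re.compile(r'[a-z]:\\.+?(?:\.exe|\.class|(?=[\]"]|$))', re.IGNORECASE)
# Per-user writable folders: installed software does not normally run from here.
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local(?:low)?\\", re.IGNORECASE)
# Java plug-in deployment cache, where the thread's three .class detections lived.
JAVA_CACHE_RE = re.compile(r"\\sun\\java\\deployment\\cache\\", re.IGNORECASE)
# An .exe named without a path (no preceding backslash): its location is unknown.
BARE_EXE_RE = re.compile(r"(?<![\\\w])([\w-]+\.exe)\b", re.IGNORECASE)
FIREWALL_RULE_RE = re.compile(r"firewall rules were automatically created for (\S+)", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    reason: str
    subject: str


def extract_paths(message):
    return PATH_RE.findall(message)


def triage(events):
    """events: iterable of (time, severity, message) tuples, oldest first.
    Returns Finding records in event order, regardless of Norton's severity."""
    findings = []
    seen_in_profile = set()  # basenames of .exe files seen running from AppData
    for time, severity, msg in events:
        for path in extract_paths(msg):
            if JAVA_CACHE_RE.search(path):
                findings.append(Finding(time, "java-cache-artifact", path))
            elif USER_PROFILE_RE.search(path) and path.lower().endswith(".exe"):
                seen_in_profile.add(path.rsplit("\\", 1)[-1].lower())
                findings.append(Finding(time, "exe-in-user-profile", path))
            elif path.lower().endswith("\\java.exe") and "access the internet" in msg.lower():
                findings.append(Finding(time, "java-network-access", path))
        for name in BARE_EXE_RE.findall(msg):
            findings.append(Finding(time, "name-only-exe", name))
        rule = FIREWALL_RULE_RE.search(msg)
        if rule and any(n.startswith(rule.group(1).lower()) for n in seen_in_profile):
            findings.append(Finding(time, "auto-firewall-rule-for-suspicious-exe", rule.group(1)))
    return findings


def summarize(findings):
    """Count findings by reason."""
    return dict(Counter(f.reason for f in findings))


def suspicious_paths(findings):
    """Unique, case-folded paths of executables running from a user profile."""
    return sorted({f.subject.lower() for f in findings if f.reason == "exe-in-user-profile"})


# Constructed sample, reconstructed from the thread's transcription (times are invented).
SAMPLE_EVENTS = [
    ("19:02", "Info", "IP address has disappeared from adapter NVIDIA nForce 10/100 Mbps Ethernet #2 and is no longer being protected (IP address: 192.168.0.7)"),
    ("20:31", "Info", r'An instance of "C:\Program Files\Java\jre6\bin\java.exe" is preparing to access the Internet'),
    ("20:32", "Low", "pdfupd.exe made 3 modifications to your System Configuration"),
    ("20:32", "Low", "xjrfledtssd.exe accessed your network resources"),
    ("20:33", "Info", r"An instance of c:\Users\Online and Email\AppData\Local\ulsvrewgv\xjrfledtssd.exe is preparing to access the Internet"),
    ("20:33", "Info", "Firewall rules were automatically created for xjrfledtssd"),
    ("20:34", "Medium", r"Unauthorized access logged (Access Process Data). Actor: c:\users\online and email\appdata\local\ulsvrewgv\xjrfledtssd.exe"),
    ("09:15", "High", r"[hieeyfc.class] inside of [c:\users\online and email\appdata\locallow\sun\java\deployment\cache\6.0\6\7943cc6-1a6e0e56] - Fully Resolved"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time}  {f.reason:40s} {f.subject}")
    print(summarize(found))
    print(suspicious_paths(found))
```

Run as a script it prints the flagged timeline. The point it makes is that the entries Norton labelled Low or Info (an unknown .exe changing system configuration, a binary under AppData getting network access and its own firewall rule) are the ones the replies in this thread call suspicious, while the High-severity .class detections are the Java cache leftovers the full scan caught later; sorting the history by severity alone would have put the interesting lines at the bottom.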

Hello

Then, 2 entries with low severity: "pdfupd.exe made 3 modifications to your System Configuration" is detected, followed by "xjrfledtssd.exe accessed your network resources" is detected.

Then, "An instance of c:\Users\Online and Email\AppData\Local\ulsvrewgv\xjrfledtssd.exe is preparing to access the Internet" is detected.

Then, Norton Community Watch Feedback is processing.

Then, "Firewall rules were automatically created for xjrfledtssd" twice.

Then, under Medium Severity, "Unauthorized access logged" (Access Process Data) is Logged.  (The actor is c:\users\online and email\appdata\local\ulsvrewgvlxjrfledtssd.exe)

I'm not an expert, but this looks suspicious to me..... It may be nothing on the other hand.....

I see you guys are having fun without logs

"Antivirus Soft" Family of Rogue

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite

Quads