Repeated Intrusion attempt

Hello,

Hoping someone out here could help! Over the last week or so Norton has been repeatedly blocking intrusion attempts - I've pasted a copy of my History below.

An intrusion attempt by m01n83kjf7.com was blocked. Application path \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE.

Any idea how to get rid of this virus / trojan / malware? Any help will be much appreciated.

Thank you.

Hi! London2010,

Welcome to the Norton Community! :)

I have done some research and I must recommend that you sit tight, do nothing with the system and wait for Quads to provide you with some assistance. :)

Hi, I am having the same problem. This problem started after Norton blocked a trojan called rurj.exe. Since that time I get blocked attacks from different websites including this one. The website seems to change daily and the attack comes through both explorer and firefox. Sometimes it also shows up as a Tidserv request to SVCHOST.EXE.

Hopefully I'm not hijacking this thread, but I thought the similarities of the attacks and the extra info might help resolve it for both of us.

Yep, I get it in Firefox too. Have you noticed that it's pretty much every time you're on Google as well? I get it less frequently when on other websites.

Admins / Mods - Help!!

Mine just hits randomly, sometimes when I'm not even actively surfing, although I do see it quite a bit when on Google.
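As an added example, not part of any post in this thread: a small Python script that parses Norton History entries of the form quoted above, groups the blocks by the program that made the connection, and flags the two symptoms the posters describe (domains that change daily, and blocks attributed to SVCHOST.EXE rather than a browser). Only m01n83kjf7.com and the Internet Explorer path come from the thread; the other domains, the Firefox and SVCHOST paths and the threshold are constructed sample values.

```python
import re
from collections import defaultdict

# Entry format copied from the History line quoted in the thread. Every host except
# m01n83kjf7.com, and the FIREFOX/SVCHOST paths, are constructed sample data.
ENTRY_RE = re.compile(
    r"An intrusion attempt by (?P<host>\S+) was blocked\. "
    r"Application path (?P<path>.+?)\.?$"
)
BROWSERS = {"IEXPLORE.EXE", "FIREFOX.EXE"}
IE = r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE"
FF = r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE"   # constructed
SVC = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SVCHOST.EXE"                # constructed

SAMPLE_HISTORY = [  # constructed, modelled on the quoted entry
    f"An intrusion attempt by m01n83kjf7.com was blocked. Application path {IE}.",
    f"An intrusion attempt by q7z2kd0p1x.example was blocked. Application path {IE}.",
    f"An intrusion attempt by q7z2kd0p1x.example was blocked. Application path {FF}.",
    f"An intrusion attempt by v4n9s1lt8c.example was blocked. Application path {SVC}.",
    "Some unrelated History line that should be ignored",
]

def parse_entry(line):
    """Return (host, exe_name) for a blocked-intrusion entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    exe = m.group("path").rsplit("\\", 1)[-1].upper()
    return m.group("host").lower(), exe

def summarize(lines):
    """Map each originating executable to the set of blocked hosts and a block count."""
    summary = defaultdict(lambda: {"hosts": set(), "blocks": 0})
    for line in lines:
        parsed = parse_entry(line)
        if parsed:
            host, exe = parsed
            summary[exe]["hosts"].add(host)
            summary[exe]["blocks"] += 1
    return dict(summary)

def assess(summary, rotate_threshold=2):
    """Flag the thread's symptoms: many different hosts, and a non-browser process
    (SVCHOST.EXE) behind the blocked connections. Together they point to malware
    already resident on the PC beaconing out, not to attacks arriving from outside."""
    findings = []
    all_hosts = set().union(*(v["hosts"] for v in summary.values())) if summary else set()
    if len(all_hosts) >= rotate_threshold:
        findings.append(f"rotating hosts: {len(all_hosts)} distinct domains blocked")
    for exe, v in summary.items():
        if exe not in BROWSERS:
            findings.append(f"non-browser process {exe} made {v['blocks']} blocked connection(s)")
    if findings:
        findings.append("pattern consistent with a resident infection; clean the host, not the domains")
    return findings
```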

Hi! All,

Please provide your installed OS and installed Service Pack Level (i.e., Windows XP SP3, Vista SP2, Windows 7 no SP).

Also provide your installed Norton product and its version (i.e., NIS 17.6.0.32). You can find this information by opening your Norton product and selecting Help & Support>About (In some Norton products it is Help then About).

This information will be useful in assisting you with your issue.

Tech83 :)

Windows XP SP3 here

Hi! Luu777,

Please download and install MalwareBytes Anti-Malware (if you do not already have it installed) from here. Your browser may present a message stating that "To protect your security your browser has blocked the download" (wording will vary); click this message and select to download the file. Once the file is downloaded, select to open the file. This will start the installation process; during this process you are presented with the option to update the program and open it; select the options to do so. Select the option to Perform Full Scan and click on Scan twice (by default your OS drive is selected, usually Drive C). Wait for the scan to complete and select the option to fix any problems found by the program; MBAM should automatically open a log file. Save this file to an easy-to-access location and post it here using the Add Attachment link at the bottom left of the Attachments box.

It will be reviewed by all who see your post and assistance will be provided.

Tech83 :)

Hi! All,

I sent the information to a PC Specialist who identified the problem as Rootkit.Win32.TDSS.d and was told that this malware item is a fairly recent modification. The specialist was unsure about how recent and is doing further research.

Tech83 :)

Thanks.  I'm running the scan right now and will post when I have the log.

Hi! Luu777,

Excellent. I will be sure to have the specialist I am consulting with view the log.

Tech83 :)

Tech83 wrote:

Hi! All,

I sent the information to a PC Specialist who identified the problem as Rootkit.Win32.TDSS.d and was told that this malware item is a fairly recent modification. The specialist was unsure about how recent and is doing further research.

Tech83 :)

Tech83

I just googled the problem presented by the OP in this thread, the second result returned was a thread at bleeping computer in which the OP appears to have the same problem as the OP in this thread. The BC thread had a happy outcome since the OP stated in the last post that Kaspersky had identified and removed a nasty rootkit. The odd thing is that the name of the rootkit is identical to the one supplied by your PC Specialist, right down to the small d after TDSS, interesting. Just something I thought you would want to know about. Here is a link to the thread.  BleepingPC

Malwarebytes will not detect or remove TDL3 / TDL4; it's not meant to detect them.

Quads

Hi! Turbo,

Thanks for the information. I visited with a Kaspersky support technician and was told that they are still working on a similar case with the same malware item identified, but thus far they have not been able to get the Kaspersky OP's computer cleaned. They believe it to be a new variant using the same name as a previous generation of the rootkit.

It was so late last night, I did not get the chance to respond in a timely manner; sorry about that. :(

Tech83

Hi! All,

I have just received an article from Microsoft which can be read here. I have also received information about a removal procedure which can be found here.

The information contained on the second site has had the highest rate of success so far and is to be run after a full scan from MBAM to disable/remove any additional malware that may have successfully loaded onto the infected PC.

The resident malware Guru Quads is correct: MBAM is not able to handle TDL3 or 4 malware. A scan with MBAM is only the first step. The second and third steps are to follow the instructions provided in the second link I included in this post.

The fourth step will be provided after the OP has completed the first three steps.

*Quads; if you have a better method please let us know. :)

Tech83 :)

Thanks for the info.
At first I thought my KIS 2009 had bugs, because after neutralizing this spyware my PC restarts over and over again.

____________________________________________________________________________________

This may be a problem to consider. The above was taken from feedback on the site provided by Tech83. The program has removed the infected files, but as in the case of TDL3/TDL4 it has deleted the infected files rather than swapping them for uninfected files. Since these rootkits use crucial Windows system files, it has caused a boot-reboot loop.

I recommend that you attend www.bleepingcomputer.com where they can identify the infected files and swap them instead of trying to do it yourself.

I ran the scan twice as advised. The first time it caught a trojan, the second time came back clean, but I am still getting the intrusion attempt. Please see the attached logs.

Luu777:

Please read the prior two or three posts. That will be the best course for you to take. MBAM will not solve this.

Bleeping Computer will help you; sometimes they are busy, so it could take a little while.

They will use programs, like I can use, in a safer environment, either swapping the file(s) over by script or using something like Combofix. If it is TDL4, I happened to find a small problem that happens with the program and TDL4; I am not sure of the percentage that it occurs with the corruption.

But they will guide you through; just follow them and their Malware Response Team.

Quads

Hi, sorry I didn't read the rest of the thread until after I had posted my logs. I tried running xdel but it keeps hanging up during the online analysis. It doesn't stop responding and task manager still shows it as working, it just doesn't do anything and the progress bar stops moving after about 30 seconds. Even though the link said to wait for less than 5 minutes, I let it go for 15 with no further movement. I had Norton, spybot, and adaware all turned off and had all of my browser windows closed.

The intrusion attempt is still here.