Possible Infection?

[GuyWithAProblem]

Hi,

I believe that my computer may be infected with a virus of some sort as it has been acting strange. A virus scan with McAfee showed no results but I think it may be missing something.

I was infected a few weeks ago by a file called MSUDF.exe. Which was a trojan downloader. McAfee did not identify it but alerted me it was attempting to access the internet. So after googling it and finding that it was a trojan, it was deleted.

But ever since I deleted that file my computer occasionally runs CHKDSK after restarting. Which removes a few...strangely named files. I remember one file being called "PICKLE~1.py." and another called "5, 7 BURST.ogg".

I also noticed that explorer.exe randomly jumps up to 99% of CPU usage. During that time the process iexplore.exe opens up under SYSTEM. No window comes up but the process stays there. It uses about 25,000kb of memory.

What do you guys think?

 

[guest_9323wk]

Hi,


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Let us know how it goes.

Thanks,

Wiz

 

[Madxgraphics]

As Wiz says run Kaspersky online scanner..Also download and install Superantivirus and Spybot search and destroy...If you can, get rid of McAfee and use Kaspesrsky rather...It is a million times better...

 

[GuyWithAProblem]

Ok, it seems I was right. I am infected.

This is the scanner report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 23:02:10
Records in database: 1076457
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 122593
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:37:46


File name / Threat name / Threats count
C:\Documents and Settings\D Alexander\Application Data\Mozilla\Profiles\default\v91vqb8z.slt\Mail\mail.urisp-1.net\Inbox Infected: Trojan-Spy.HTML.Usbankfraud.p 1

C:\Documents and Settings\D Alexander\Application Data\Thunderbird\Profiles\18rngsht.default\Mail\mail.urisp-1.net\Inbox Infected: Trojan-Spy.HTML.Usbankfraud.p 1

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0051967.exe Infected: Trojan-Downloader.Win32.Delf.lhu 1 <-----This was the one I was infected with before.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0052006.exe Infected: Trojan-Downloader.Win32.Delf.lhu 1

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\msdcb[1].jpg Infected: Trojan.Win32.Slefdel.avg 1

I have removed the downloader and the Slefdel trojan...but I'm not sure what to do with the spy trojan. Judging from the location of the infected file it looks like I would be deleting my inbox. Am I right? And other virus scanners do not recognize the file as a trojan. Only Kaspersky.

EDIT: As I said in my first post, iexplore.exe sometimes runs under the username SYSTEM. However, I never use Internet Explorer and no window appears. After about a minute it disappears. If I open Internet Explorer during that time, I have TWO instances of iexplore.exe running.

I CAN terminate the process without it returning immediately afterwards but it DOES return randomly. Once it returned after 5 minutes and another time it took 30 mintues.

This worries me...I think the scanners missed something.

 

[guest_9323wk]

Hi,



Did the Kaspersky Online Scanner remove these? If not then go here and download the free trail of the AV and run it. (Make sure you remove any other AV programs before installing this one) When asked during the install click on activate trail version. After the scan has ended and you have rmeoved everything it finds. Run Super Anti Spyware and also remove anything it finds.



Hope this helps.


Let us know how it goes.



Regards,


Wiz

 

[GuyWithAProblem]

No, I removed them manually. After scanning again only the bankfraud trojan was found. So I am convinced they are removed.

I'm not going to uninstall McAfee to run Kaspersky. I had too much trouble the first time I installed it. But I will scan with Spybot and Super Anti Spyware.

 

[guest_9323wk]

Hi,

Also downlaod Trojan Hunter here. Just to make sure and after this do the other scans and your pc should be nice and clean again.


Regards,

Wiz

 

[GuyWithAProblem]

Okay, Spybot discovered the remnants of several nasties lurking on my system, SuperAntiSpyware detected about 30 tracking cookies, and Trojan Hunter discovered that the Slefdel trojan had recreated itself.

Everything was successfully removed. Now I'm waiting to see if iexplore.exe opens under SYSTEM again.

 

[guest_9323wk]

Okay, Spybot discovered the remnants of several nasties lurking on my system, SuperAntiSpyware detected about 30 tracking cookies, and Trojan Hunter discovered that the Slefdel trojan had recreated itself.

Everything was successfully removed. Now I'm waiting to see if iexplore.exe opens under SYSTEM again.

Cool, let me know if iexplore.exe opens ok.

Regards,

Wiz

 

[GuyWithAProblem]

Yup, there it is.

Took a screenshot of it...Dunno why. I guess I wanted some proof.

 

[guest_9323wk]

Cool so everything is fine now then.

Regards,

Wiz

 

[GuyWithAProblem]

iexplore.exe suddenly opening without a window and without permission is fine then?

 

[guest_9323wk]

iexplore.exe suddenly opening without a window and without permission is fine then?

ok this is not normal. Please try reinstalling Internet explore and see if that corrects it. Also I would boot into safe mode and just double check that all the viruses have now gone by running all scans again just to make sure. I am sure they have but you never know.



Let me know how it goes.



Regards,

Wiz

 

[GuyWithAProblem]

Done. It hasn't come up yet. If it does I'll repost.

 

[guest_9323wk]

Done. It hasn't come up yet. If it does I'll repost.

Hopefully that has sorted it. If not then let me know.

Regards,

Wiz

 

[GuyWithAProblem]

It just reappeared...

 

[guest_9323wk]

It just reappeared...

Did run the scans in safe mode? go to run and type in msconfig and if Internet explore is in the start up list then remove it.


Thanks,

Wiz

 

[GuyWithAProblem]

Nope, Internet Explorer isn't in there.

I did not scan in safe mode yet. I'll do that now.

 

[GuyWithAProblem]

Okay in safe mode I scanned with: McAfee STINGER, McAfee Internet Security Suite, SUPERAntiSpyware, Spybot S&D, and Trojan Hunter. All suggest that my PC is clean.

The next time iexplore.exe appears I'll use Trojan Hunter's process viewer to see exactly which one it is, if that'll help.

Or maybe I'm being paranoid...

 

[GuyWithAProblem]

*UPDATE*
​

I'm almost positive iexplore.exe has been hijacked...lots of suspicious activity found. I did a little experiment to find out where iexplore was running from. Using Trojan Hunter's process viewer, I found that the process was running from C:\Program Files\Internet Explorer. Sounded pretty normal to me...until I deleted the iexplore.exe in that folder. Within 5 seconds it came back! Same result if I rename it! Now tell me is THAT normal?!

I have forbid McAfee from allowing iexplore to access the internet. While doing that, I found a log showing recent inbound events. One of the IP Addresses stuck out. By event information it had ICMP Ping beside it. In details, McAfee said "A computer at 222.100.243.74 has sent an invalid packet to your computer." I have no clue what that is...but McAfee traced the IP to Seoul, Korea. So I banned it...now I'm waiting to see if iexplore comes back yet again...