Possible malware imbedded here?

I think you should delete everything, not just cache. Try to delete your browsing history and cookies.
 
If the original problem screwed up your browser and acrobat then that might remain even after clearing the cache and the virus itself. Try uninstalling/re-installing both Firefox and Acrobat to see if that helps.
Another option is to look at your start-up items and delete anything you know shouldn't be there.
 
I don't have acrobat and my startup menu is fine. I checked that yesterday and again just now. The skin just changed again right after Drakon's last post. I may end up reinstalling Firefox but that would be a pain.
 
It's definitely not a problem on my end, I'm guessing the perpetrators heard how the forums were switched to the uninfected Classic skin and decided to hack that one now. Since I switched back to forum default that you guys fixed I haven't had any problems.
 
I have run rootkitrevealer and found the following entries. I cannot interpret them so I am posting them here. The bottom eight entries I have never seen before when I have run this program.


HKLM\SECURITY\Policy\Secrets\SAC* 3/31/2007 6:46 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/31/2007 6:46 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Chuck\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\parent.lock 12/18/2008 10:07 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Chuck\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\sessionstore.js 12/18/2008 10:12 PM 4.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\5DED211Ad01 12/18/2008 10:12 PM 73.06 KB Hidden from Windows API.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\7B409E0Ed01 12/18/2008 10:12 PM 30.80 KB Hidden from Windows API.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\8B1B81E7d01 12/18/2008 10:12 PM 20.77 KB Hidden from Windows API.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\8DD99651d01 12/18/2008 10:12 PM 33.01 KB Hidden from Windows API.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\E61CC877d01 12/18/2008 10:12 PM 19.41 KB Hidden from Windows API.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\FB9C0D4Dd01 12/18/2008 10:12 PM 25.62 KB Hidden from Windows API.
 
Try deleting all those hidden entries with the 12/18/2008 dates.

If that still doesn't work then I'd re-install Firefox if I were you.
 
They do delete when I empty the cache but they come back every time I come here. I came here with the Safari browser and ran the scan and got 34 suspicious hits. The first two on the list are ok. I don't recall what they are but I have checked them out in the past.
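A triage sketch for RootkitRevealer output like the lines posted above, added here as an example and not part of any post in the thread. It parses each line and separates discrepancies on Firefox profile and cache files written around scan time (files created or deleted while the scan runs are a documented source of discrepancies) from entries that need a closer look. The 10-minute window, the use of the newest timestamp as a stand-in for the scan time, the label names and the last sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# One RootkitRevealer result per line: path, timestamp, size, description.
LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)
# Assumption: files a running Firefox rewrites constantly.
VOLATILE = re.compile(
    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:Cache\\|parent\.lock$|sessionstore\.js$)",
    re.I,
)

# First three lines are copied from the post; the last line is constructed.
SAMPLE = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 3/31/2007 6:46 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Chuck\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\parent.lock 12/18/2008 10:07 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Chuck\Local Settings\Application Data\Mozilla\Firefox\Profiles\er5eartr.default\Cache\5DED211Ad01 12/18/2008 10:12 PM 73.06 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 11/02/2008 3:15 AM 41.00 KB Hidden from Windows API.
"""

def parse(report):
    """Return one dict per recognised line, with 'ts' as a datetime."""
    rows = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["ts"] = datetime.strptime(row["ts"], "%m/%d/%Y %I:%M %p")
            rows.append(row)
    return rows

def triage(rows, window=timedelta(minutes=10)):
    """Group paths by label: registry-null-name, churn, or review."""
    scan_time = max(r["ts"] for r in rows)  # assumption: newest entry ~ scan time
    groups = {}
    for r in rows:
        if "embedded nulls" in r["desc"]:
            label = "registry-null-name"   # compare against known keys by hand
        elif VOLATILE.search(r["path"]) and scan_time - r["ts"] <= window:
            label = "churn"                # browser file changed during the scan
        else:
            label = "review"               # hidden and not explained by churn
        groups.setdefault(label, []).append(r["path"])
    return groups

if __name__ == "__main__":
    for label, paths in triage(parse(SAMPLE)).items():
        print(label, len(paths), *paths, sep="\n  ")
```

Closing the browser before scanning removes most of the "churn" group, which makes anything left in "review" easier to see.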
 
Have you un/reinstalled your browser since this happened?
 
I've cleaned the cache, ran crapcleaner and reinstalled Firefox and I still keep getting this page popping up.

 
Have you tried Spybot Search and Destroy? That can run a scan on bootup before anything loads.

A big problem with nasty pieces of malware like this is, even though you clean the files, it hides in another active file that can't be cleaned because your operating system is still using it. So once you're done cleaning, the hidden file just reinfects the system. The trick is to kill the infected files before they load.
 
I have the program but how do I set it to do the sweep on startup?
 
Click on the Settings tab (left hand column), Scheduler, Edit, Schedule tab, New, highlight 'At System Startup' under Schedule Task.
 
Click mode from the menu bar, then advanced mode. Settings will be one of the options on the side. Scheduler in that.
 
I see what it is. You need to switch from Default Mode to Advanced Mode. That heading should be next to the File menu near the top of the screen.
 
Another thing to try for anyone having trouble removing the problem is to boot into 'safe mode', then run your cleaning software (to get into safe mode press F8 just after your first boot screen, then select that option from the menu that comes up).

You can also try 'system restore' from safe mode and go back to a time before the problem occurred.
 
Ok, every time I boot up my anti virus program finds a trojan and removes it, but my mouse pointer permanently has the hourglass next to it as if something is loading, how do I fix that?
 
Any help ? :(
 
From the sounds of it your system has something nasty locked into the windows start-up routine that your AV software cannot shift (it's kicking in before the AV software is, and though you should be able to 'deny access', the program will always stay there)

Have you tried booting into safe mode and running your AV software then, or going for a system restore from safe mode (choose a date before the problem occurred)?

*Doing a system restore in safe mode should work better than from normal windows as some programs can prevent a restore from completing.

If not then that is usually the best way to sort out a problem like this. If you have done this and the problem is still there then you might be looking at having to do a full re-install. That being said I've never known the safe mode fix to not work in getting rid of persistent crap that AV software might struggle to remove.
 
I'm not actually sure how to initiate my AV software from safe mode, I've never done it before.
 
Well some AV software won't run in safe mode, so it can depend on what kind you have. Whatever the case there you can find out by going to the AV control center from the 'start menu>programs' in safe mode. If it can run then do a full scan on your primary (OS) hard drive (and scan within archives* if you can), and if it can't run then you should go for the 'system restore'.

*I mention this as it looks like the file creating the problem at start up is not the virus itself, but something that creates/unpacks the trojan every time you reboot: this is why it keeps coming back after deletion when you start up again.

Also look at your start up items and delete anything that looks suspicious (you can download a trial version of "Tune Up Utilities" that has a decent and easy to use start menu editor)
 
