Mal Ware that Defender can't remove???

Guest

Hi All, first time on. A couple of days ago, I believe I got infected with
malicious ware. My first reaction was to run my Norton 2006, and Registry
Mechanic. THEN, I started up Ad-Aware. Bang it ran 4 seconds and started
finding items. Then, my taskbar turns white, the tray icons jumble, and my
computer reboots. I managed to "beat" the shutdown twice. Ad-Aware says it
found MalWare and describes it as geebb.dll. Not knowing much, I thought it
was a fake dll and tried to delete it, no dice. Upon the advice of a friend,
I loaded Defender. It found two items. One it could remove "Power Reg
Scheduler", and one, "TightVNC" it states it cannot remove, or an error
occurred when trying to remove. Norton doesn't pick up anything, and Ad-Aware
start scan triggers a shutdown. help? How can I get rid of whatever is on
this box? Funny enough, it started with a "Your Computer May Be Infected"
false prompt which of course I closed. Seemed to infect me anyhow. thanks
for reading and any responses.

jim
 
You've got more going on than is being detected, so far. You might try
Ewido, as well, and see the URL I'm posting at the end of this message.

I am wondering about how you got infected--what browser? Are you current on
critical patches from Windows Update? Can you tell us the URL you got this
from? What about your Java version?

Aside from all that, I suspect we can help you get rid of TightVNC pretty
easily. Detected items--with complete paths and filenames, are written as
log records to the System Event log--with source Windefend. Go through the
system event log records back to the time of the original detection, and
look for yellow triangle records for the detections.

I suspect you will find that the source is an archive file of some kind --
zip, arj, cab, exe (zip, or some other kind)

Microsoft is avoiding blowing these away because they don't know whether
this is the sole backup of Aunt Mary's old machine which may have the only
PDF copy of her last will and testament in it--or at any rate--they can't be
sure they won't ditch user data along with malware. You can grab the file
and decide what to do about it. Was this a quickscan or a fullscan?
TightVNC is a remote admin tool which is a perfectly valid and useful
tool--in fact, if this is an IBM laptop--it may be part of IBM's support
stuff. Feel free to ditch it though--if you don't use it, better to not
have it. It can be replaced.

That's pretty superficial, though--I suspect you've got more going on which
is being missed, so going through the routines here:

http://www.bleepingcomputer.com/forums/topic36868.html

may help--see whether you find stuff that matches what they say needs taking
care of.



--
 
Thanks for the tips... so far, I've run Ewido and have been through the
first 3 self help steps from the bleepingcomputer site.

When things started going awry, I clicked on an AP news story, I visit that
site every day... anyhow, this time a prompt came up "your computer may be
infected"... Figured this was bogus as usual, I attempted to close the box
and before I could do anything, it seemed to launch itself for lack of a
better term. Since that time I've twice seen that same prompt when i launch
my SBC / IE browser...appears in a flash and it's gone... That's when
AdAware started not to work as I described below... I also got a prompt that
looked valid which said windows detected the blackwork virus. Figured that
was fake also. Ran a detection app for that with no results.

Anyhow, couple of questions... not sure of where to find the System Event
Log, and, where to find what Java version I'm running... Thanks again for
the help.

Jim
 
If you are up to date on critical patches for Windows, you'll have the
latest Microsoft Java VM. However, you may well be running Sun's Java. If
that's the case, it will be listed in add or remove programs, and should
have a control panel Icon. You may need to click on "other control panel
option" in the lower left pane, to see that icon, however.

At a command prompt:

java -version
(and hit enter) will show the current Sun Java version--here's my result:

java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)

The System Event log can be seen by right-clicking My Computer, and choosing
Manage, or by doing Start, run, eventvwr.msc <enter>

highlight the System log in the left column, then go to View, hit the Source
drop-down control, and set that to Windefend.

That will show you just events related to Windows Defender in the right
pane. Go back to the time of the scan and look for yellow-triangles that
will highlight the detection events. then double click those events in the
right pane to see the details of exactly what was detected and where. This
exercise is definitely not user friendly--these messages, and the way this
kind of object is handled, will change before Windows Defender is released.

It sounds to me as though you were infected through no specific action of
your own, except going to a possibly hacked/infected site. So--it'd be good
to try to pin down the vulnerability that got you--Java seems fairly likely
to me, if you are fully patched.

The other question I have is about antivirus protection. Typically, a
spyware infection such as you are seeing involves several pieces, at least
one of which is usually identified as a Trojan Downloader by an antivirus.
So--I'm curious about why that didn't get detected by your antivirus. You
might consider a comprehensive online scan--either at safety.live.com
(Microsoft) or perhaps antivirus.trendmicro.com (Trend Micro)--both of these
scans I believe target both viruses and spyware. The Microsoft one cleans
better, in some cases, if you restart Windows in Safe mode with networking.
You can choose the comprehensive scan from the first page, and then choose
the quick scan later--that will just scan for malware, and ignore issues
like defragging, etc, that the full scan also does.



--
 
I do in fact have Sun Java Runtime Environment Standard Edition 1.4.2
Default Virtual Machine Version 1.4.2-b28
Java Plug-In 1.4.2

Went to the site as Add/Remove program support info had the link.. should I
install something different? Don't see a specific update for this? I'll be
checking on the Defender issue next.
 
This may well be the vulnerability that led to the drive-by download.

Go here:

http://java.com/en/

and hit the big orange button, or the red download now link, and get the
latest version.

Once that is installed, go back to add or remove programs and remove any
older versions you see--the naming structure has changed a few times, so dig
through the list--they're named clearly, but they aren't all together in
alphabetic order.

The newer versions should autoupdate--with Sun's version of auto-update down
in the system tray. However, they still don't remove the previous
versions--so after each update, you need to go in and manually remove the
older version, which represents a small vulnerability if still left in
place.

--
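An added check, not from this thread: a Python snippet that parses the `java -version` output format Bill quotes above and flags a runtime older than a chosen baseline, so you can see at a glance whether an install like Jim's 1.4.2 is out of date. The baseline (1.5.0_06) and the `check_installed` helper are assumptions for illustration.

```python
import re
import subprocess

# First line of `java -version` output as quoted in the thread,
# e.g. java version "1.5.0_06". The update suffix (_06) is optional:
# Jim's 1.4.2 install reports no update number.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, patch, update) from `java -version` output,
    or None if no version line is present."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_older_than(output, minimum):
    """True when the runtime in `output` is older than the `minimum` tuple."""
    found = parse_java_version(output)
    if found is None:
        raise ValueError("no 'java version' line found")
    return found < minimum


def check_installed(minimum):
    """Run `java -version` on this machine (assumed helper). Note that the
    JVM prints its version banner to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_older_than(proc.stderr + proc.stdout, minimum)


# Constructed samples: Bill's output from the thread, and Jim's older install.
BILL_OUTPUT = '''java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode)
'''
JIM_OUTPUT = 'java version "1.4.2"\n'

# Assumed baseline for this check: the 1.5.0_06 release Bill is running.
MINIMUM = (1, 5, 0, 6)

if __name__ == "__main__":
    for label, out in (("Bill", BILL_OUTPUT), ("Jim", JIM_OUTPUT)):
        print(label, parse_java_version(out), "outdated:", is_older_than(out, MINIMUM))
```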
 
Well, after posting on the OneCare forum I was told to post here.

I'm having a similar problem and Defender is not catching any of it. It
looks like a VX2 trojan...

I used HijackThis in safe mode and removed a few files with killbot and
suffocated their reg keys...

About:Blank inserts itself about 5 minutes after rebooting in normal
mode and then I start getting arbitrary IE pop-ups of AntiVirus
removers...etc.

DEFENDER isn't even seeing the changes made to my system... WTF? I was a
happy user of Microsoft Antispyware (beta 1) for nearly 2 years and NEVER
lost control of my system... even on "seedy" sites where MS (beta 1) was
ballooning messages that it was blocking this threat and that...!

If DEFENDER really is Antispyware (beta 1) then why can it not catch these
pop-ups, browser hacks and false security threats...?

Sad thing is.. I have 4 porn ads up on my screen right now and when I run a
25 minute full scan under Defender it cannot find ANYTHING, yet AdAware SE
finds them in about 2 minutes.

Have the latest Defender definitions been compromised...??


I can give you my HijackThis log files..etc
 
just to summarize what I had to do, I went to bleeping computer upon Bill's
advice and started their self help steps.... AdAware still went crazy 3
seconds after startup.... then, I downloaded Ewido and it found two
instances of the Virtumundo malware... after that, I went back and could run
both Spybot and AdAware as the bleepingcomputer site suggested. My Java
version was also old and I loaded a new one from Java's site... seems all is
well at this point... thanks for the help, Bill... and good luck with the
trouble, Holgar..

Jim
 