Discussion:
Stealth virus??
beto
2010-05-31 01:05:01 UTC
Hi all,

A few days ago on May 27th, I was online and Norton Anti-virus 2010 removed
a few things it detected. It said "Download Insight detected launch of
ynhupl.exe" and it was quarantined, medium level risk at 12:06 AM. Next,
"Download Insight detected launch of fkvfto.exe", also quarantined, medium
level risk at 12:07 AM. At 12:08 AM "Suspicious.MLApp detected by
Auto-Protect" was quarantined, high level risk.

And now here is where things got more complicated. At 12:20 AM Norton
anti-virus began to block intrusion attempts by an attacking computer(s). The
first was "An intrusion attempt by 91.212.226.67 was blocked. The attacking
computer is: 91.212.226.67, 443 and it said the attack resulted from
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

At 12:30 and 12:40 AM there were intrusion attempts by 91.212.226.59, 443
that were also blocked. At 12:50 and 1:00 AM intrusion attempts by
202.157.171.207, 443 were also blocked. I received a total of 19 blocked
intrusion attempts the last one at 3:54 AM. The next day on May 28 I went
online again and the intrusion notifications began at 1:39 AM. There were 12
intrusion attempts blocked until 3:52 AM which was the last. Also on May 28,
in between the intrusion attempts two viruses were quarantined at 2:47 AM,
ynhupl.exe (Trojan.FakeAV) and fkvfto.exe (Backdoor.Tidserv) and were
detected by Auto-Protect. When I shut down the PC around 4 AM on May 28, I
noticed it took a while longer than usual for it to shut off. It stayed at
the empty blue screen for about a minute and then finally turned off.

On May 29 the next day around 1:30 AM I turned on the PC to go online and it
took a while longer for the PC to start and the original Windows XP theme was
changed to Windows Classic. The theme I had, the original one with the blue
task bar and the green start button was now in classic mode. I disconnected
the router in case the intrusion attempts continued. Norton Anti-virus 2010
was still working, the icon for it was in the bottom right of the task bar
and I could launch it, but there was also a red Windows Security Center
shield that I could not get rid of. So I went to msconfig and restarted the
PC in safe mode. I did a full system scan and 32 threats were detected. About
31 of them were tracking cookies which were removed and 1 virus needed to be
manually removed which I did. I believe the file was tcpip6 and it was
located in C:\Windows\System32\Drivers. After I removed it I restarted the PC
in normal mode without doing a system restore. It started up taking a while
longer to boot up as it did earlier and now Norton Anti-virus no longer
worked. The red Windows Security Center shield was still there at bottom
right of task bar. I ran Norton Anti-virus from bottom right task bar, which
the icon now had a blinking red dot over it, and when it launched it said
there were 2 things needing attention. They were both something to do with
emailing out and in. I couldn't look at the recent history or do a full
system scan.

So I did a system restore to May 12 but it was unsuccessful, it could not be
restored. So I restarted in safe mode, and I was able to do a full system
scan. Nothing was detected, so I did a system restore to May 12, but it still
couldn't be restored. Today May 30 I turned on PC and Norton-Antivirus no
longer appeared in the bottom right taskbar. It was still under Start and
Programs but when I tried opening it nothing happens. Until about a minute
later when this tiny 1 inch window appears with no title just the Norton
anti-virus icon and a minimize _ and X. It's just like the top of a window,
the bar, with the icon and the minimize and close options. I restarted in
safe mode and tried a system restore to May 19, and it worked this time, but
the PC loading took a while longer than usual again and nothing seemed to
change. The red Windows Security Center shield is no longer on the bottom
right taskbar, but Norton Anti-virus also doesn't load, doesn't appear on
taskbar. The taskbar theme is still on Windows Classic, and when I right
click on the desktop and go to display properties, I could not find the
original theme. I did a search for themes and I found it but I couldn't set
it until I started the Windows Theme service in Control Panel under
Administrative Tools and Computer Management. So the PC still needs to be
repaired, but I don't know what else to do other than a full re-install.
Norton Anti-virus seems to still be installed, but doesn't work, I try
running ipconfig in run mode to see my IPs and a window pops up for a second
and disappears.

I am wondering if there is a way to run a full anti-virus scan with another
program that would detect whatever is causing this, but if having Norton
Anti-virus 2010 was compromised, who knows what could work. I have an HP
Media Center PC m370n, Windows XP Service Pack 2, 2.8 GHz, 512 MB. Thanks for
any help,


Beto
nass
2010-05-31 09:04:06 UTC
Hi,
Download HijackThis and send the report to one of the many forums for
analysis and troubleshooting, or you can send it to me at my email
provided at the bottom:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)

Can you please send me a copy at ***@yahoo.co.uk ,
remove the obvious to email me.

HTH
nass
---
http://www.nasstec.co.uk
Ǝиçεl
2010-06-01 05:01:01 UTC
Hello Beto,

Because you had one piece of malware, the chances are also high that you had
others.
It would be a good idea to scan.

I recommend downloading and installing Malwarebytes' Anti-Malware (MBAM) and
SUPERAntiSpyware (SAS).

Do a FULL scan with Malwarebytes' and SUPERAntiSpyware.

<http://www.malwarebytes.org/mbam.php>
Reboot
-=-
<http://www.superantispyware.com/>
Reboot

The programs are free. (There is a paid version but you don't need to buy it
to remove malware.)
-=-

Windows Live OneCare Safety Scan Windows XP
<http://onecare.live.com/site/en-us/default.htm>

Expect your computer to be unavailable for some time. Don't work on your
computer whilst the scanners are running though, it messes things up.


Please let us know if this helps

Ǝиçεl