A Windows XP help forum. PCbanter


Stealth virus??



 
 
#1
May 31st 10, 02:05 AM, posted to microsoft.public.windowsxp.perform_maintain
beto (external usenet poster), Posts: 16

Hi all,

A few days ago on May 27th, I was online and Norton Anti-virus 2010 removed
a few things it detected. It said "Download Insight detected launch of
ynhupl.exe" and it was quarantined, medium level risk at 12:06 AM. Next,
"Download Insight detected launch of fkvfto.exe", also quarantined, medium
level risk at 12:07 AM. At 12:08 AM "Suspicious.MLApp detected by
Auto-Protect" was quarantined, high level risk.

And now here is where things got more complicated. At 12:20 AM Norton
anti-virus began to block intrusion attempts by an attacking computer(s). The
first was "An intrusion attempt by 91.212.226.67 was blocked. The attacking
computer is: 91.212.226.67, 443 and it said the attack was resulted from
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE

At 12:30 and 12:40 AM there was an intrusion attempt by 91.212.226.59, 443
that were also blocked. At 12:50 and 1:00 AM an intrusion attempt by
202.157.171.207, 443 were also blocked. I received a total of 19 blocked
intrusion attempts the last one at 3:54 AM. The next day on May 28 I went
online again and the intrusion notifications began at 1:39 AM. There were 12
intrusion attempts blocked until 3:52 AM which was the last. Also on May 28,
in between the intrusion attempts two viruses were quarantined at 2:47 AM,
ynhupl.exe (Trojan.FakeAV) and fkvfto.exe (Backdoor.Tidserv) and were
detected by Auto-Protect. When I shut down the PC around 4 AM on May 28, I
noticed it took a while longer than usual for it to shut off. It stayed at
the empty blue screen for about a minute and then finally turned off.

On May 29 the next day around 1:30 AM I turned on the PC to go online and it
took a while longer for the PC to start and the original Windows XP theme was
changed to Windows Classic. The theme I had, the original one with the blue
task bar and the green start button was now in classic mode. I disconnected
the router in case the intrusion attempts continued. Norton Anti-virus 2010
was still working, the icon for it was in the bottom right of the task bar
and I could launch it, but there was also a red Windows Security Center
shield that I could not get rid of. So I went to msconfig and restarted the
PC in safe mode. I did a full system scan and 32 threats were detected. About
31 of them were tracking cookies which were removed and 1 virus needed to be
manually removed which I did. I believe the file was tcpip6 and it was
located in C:\Windows\System32\Drivers. After I removed it I restarted the PC
in normal mode without doing a system restore. It started up taking a while
longer to boot up as it did earlier and now Norton Anti-virus no longer
worked. The red Windows Security Center shield was still there at bottom
right of task bar. I ran Norton Anti-virus from bottom right task bar, which
the icon now had a blinking red dot over it, and when it launched it said
there were 2 things needing attention. They were both something to do with
emailing out and in. I couldn't look at the recent history or do a full
system scan.

So I did a system restore to May 12 but it was unsuccessful, it could not be
restored. So I restarted in safe mode, and I was able to do a full system
scan. Nothing was detected, so I did a system restore to May 12, but it still
couldn't be restored. Today May 30 I turned on PC and Norton-Antivirus no
longer appeared in the bottom right taskbar. It was still under Start and
Programs but when I tried opening it nothing happens. Until about a minute
later when this tiny 1 inch window appears with no title just the Norton
anti-virus icon and a minimize _ and X. It's just like the top of a window,
the bar, with the icon and the minimize and close options. I restarted in
safe mode and tried a system restore to May 19, and it worked this time, but
the PC loading took a while longer than usual again and nothing seemed to
change. The red Windows Security Center shield is no longer on the bottom
right taskbar, but Norton Anti-virus also doesn't load, doesn't appear on
taskbar. The taskbar theme is still on Windows Classic, and when I right
click on the desktop and go to display properties, I could not find the
original theme. I did a search for themes and I found it but I couldn't set
it until I started the Windows Theme service in Control Panel under
Administrative Tools and Computer Management. So the PC still needs to be
repaired, but I don't know what else to do other than a full re-install.
Norton Anti-virus seems to still be installed, but doesn't work, I try
running ipconfig in run mode to see my IPs and a window pops up for a second
and disappears.

I am wondering if there is a way to run a full anti-virus scan with another
program that would detect whatever is causing this, but if having Norton
Anti-virus 2010 was compromised, who knows what could work. I have an HP
Media Center PC m370n, Windows XP Service Pack 2, 2.8 GHz, 512 MB. Thanks for
any help,


Beto
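
The post above reports blocked connections ten minutes apart (12:20, 12:30, 12:40, 12:50, 1:00), all attributed to svchost.exe on port 443 while the remote address changes. As an added example that is not part of the original post, this sketch groups such events by local process and flags near-constant intervals; the log line layout, the iexplore.exe rows and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log: the times, remote addresses and svchost path are the ones
# quoted in the post; the line layout and the iexplore.exe rows are made up.
SAMPLE_LOG = r"""
2010-05-27 00:20 remote=91.212.226.67:443 proc=\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
2010-05-27 00:22 remote=192.0.2.10:443 proc=C:\Program Files\Internet Explorer\iexplore.exe
2010-05-27 00:25 remote=192.0.2.10:443 proc=C:\Program Files\Internet Explorer\iexplore.exe
2010-05-27 00:30 remote=91.212.226.59:443 proc=\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
2010-05-27 00:40 remote=91.212.226.59:443 proc=\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
2010-05-27 00:50 remote=202.157.171.207:443 proc=\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
2010-05-27 00:51 remote=192.0.2.10:443 proc=C:\Program Files\Internet Explorer\iexplore.exe
2010-05-27 01:00 remote=202.157.171.207:443 proc=\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE
2010-05-27 01:03 remote=192.0.2.10:443 proc=C:\Program Files\Internet Explorer\iexplore.exe
"""

LINE = re.compile(r"^(\S+ \S+) remote=([\d.]+):(\d+) proc=(.+)$")


def parse(log):
    """Yield (timestamp, remote_ip, process_name) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            yield ts, m.group(2), m.group(4).rsplit("\\", 1)[-1].lower()


def find_periodic(events, min_events=4, tolerance=0.15):
    """Group by local process, not remote address, so a rotating destination
    does not hide the pattern; flag processes whose gaps are near-constant."""
    by_proc = defaultdict(list)
    for ts, ip, proc in events:
        by_proc[proc].append((ts, ip))
    findings = {}
    for proc, rows in by_proc.items():
        rows.sort()
        if len(rows) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mid = median(gaps)
        # Every gap must sit within tolerance of the median interval.
        if mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps):
            findings[proc] = {"interval_s": mid, "events": len(rows),
                              "remotes": sorted({ip for _, ip in rows})}
    return findings


if __name__ == "__main__":
    for proc, info in find_periodic(parse(SAMPLE_LOG)).items():
        print(proc, info)
```

Traffic on a fixed timer from a system process to several unrelated addresses is worth correlating with the antivirus detections logged in the same window.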




#2
May 31st 10, 10:04 AM, posted to microsoft.public.windowsxp.perform_maintain
nass (external usenet poster), Posts: 7,474

Hi,
Download the Hijackthis and send the report to one of many forums for
analysis and troubleshooting or you can send it to me on my email
provided at the bottom:
When all else fails, HijackThis v2.0.2
(http://www.trendsecure.com/portal/en...hijackthis.php)

Can you please send me a copy at ,
remove the obvious to email me.

HTH
nass
---
http://www.nasstec.co.uk



#3
June 1st 10, 06:01 AM, posted to microsoft.public.windowsxp.perform_maintain
Ǝиçεl (external usenet poster), Posts: 151

Hello Beto,

Because you had one piece of malware, the chances are also high that you had
others.
It would be a good idea to scan.

I recommend downloading and installing MalwareBytes' Antimalware (MBAM) and
SUPERAntiSpyware (SAS).

Do a FULL scan with MalwareBytes' and SUPERAntiSpyware.

http://www.malwarebytes.org/mbam.php
Reboot
-=-
http://www.superantispyware.com/
Reboot

The programs are free. (There is a paid version but you don't need to buy it
to remove malware.)
-=-

Windows Live OneCare Safety Scan Windows XP
http://onecare.live.com/site/en-us/default.htm

Expect your computer to be unavailable for some time. Don't work on your
computer whilst the scanner's running though, it messes things up.


Please let us know if this helps

Ǝиçεl




 



