PDA

View Full Version : Suspected Malware, please advise



NoobNeedsHelp
2014-01-05, 04:13
Hello. As the name shows I am a noob, so please bear with me.

After being offline for years I was given a PC, a laptop with windows 8. This PC came from a much noober noob than myself, which is extremely noob. This person had downloaded ads and everything and didn't know that not everything on the internet is safe to click on. Originally the computer kept crashing or hanging. I downloaded some free programs to fix any malware etc on it and the crashes and hangings stopped. Apparently their Windows had never been updated either so I updated that, almost a GB of updates, in a computer that was only a few months old at that point. This person was taken advantage of by the seller of the PC, as they traded in a far superior laptop for this one to get part of the price dropped and still paid almost twice what this PC is worth.

I soon found that it had remote access enabled, and was being accessed regularly by a company in California. Can't recall the name offhand, "Star" something or another, but I think I still have their IP somewhere, as I used an IP locating site to identify them. I only found out about them because after installing avast and Spybot and MAMB I found suddenly blocked access messages to a few IPs the computer kept trying to reach as soon as internet was available, on startup, and about every few minutes thereafter when it was blocked repeatedly by one of these free programs I mentioned, not sure which. MAMB I think it was. Anyway, their site claimed to be specializing in remote access options for people, those who pay anyway, but they did not respond to my queries and it's a very tight site, not open to the common public... Helpful, I know. Since then I have not seen a blocked notification regarding any IPs so I think that's all done and dusted.

Anyway, I had Babylon Toolbar and Ask Toolbar and a few others on this PC which I removed (to the best of my knowledge). Sometimes a little icon thing pops up in the top left hand corner of my desktop showing two arrows in a rectangle, one up and one down, but they don't do anything when clicked except vanish. Some sort of glitch? I suspect something more sinister, but perhaps not?

I cannot update Windows, which is what really concerns me. It says updates were never checked for and never installed (which is not true, I have done both since I got this PC) and at other times it shows the last update check and the installed updates. The updated is on automatic download and install but doesn't appear to be doing that. For months the same 80-odd important updates have been waiting. I have tried multiple times and it says it's downloading them, and says it's installing them, but it's not. Nothing is being downloaded or installed. The same updates remain waiting. I've checked with my Toolbox for my ISP to see if it's actually downloading and it's definitely not.

It did once try to tell me the Windows on this PC was installed in the 1970's, which is obviously untrue. It's a legit copy of windows as far as I know, this was bought from a shop with all these programs paid for. I am regularly being told I don't have admin rights to do a lot on this PC, I can't even look at many folder's contents, but in Control Panel I have enabled my admin rights so far as I know. I keep having to take extra steps to receive admin rights to view files and stuff.

I have had a couple of random pop up ads recently, despite having disallowed popups a long time ago. I will add that recently I received a mix of programs from someone I thought was technologically wiser than me, and among these programs (none of which I have opened/installed/ or anything) are cracked versions of software like Photoshop. I was thinking to delete these cracked things but have been reading your FAQ and it says to not make major changes or something before instructed to? I'm concerned about the possibilities of malware having come in with that collection or from somewhere else. In any case I would prefer to legitimately obtain such programs as I intend to use them for commercial purposes. I just scanned them with avast and there were about 20 files it could not scan. The person I got this from, a family friend, has the reputation for being a nerd but just left a trail of devastation with viral infection etc on a family member's computer, so I guess perhaps it's an undeserved reputation.

I installed Keyscrambler last night, as I am pretty concerned about Keylogging (I know it won't protect me from all keyloggers, but I do banking etc on this PC so wanted at least a little more protection) and I uninstalled and downloaded avast and MAMB because in one case I accidentally uninstalled one, and in the other case the trial version had expired. I also have an iTunes program which I don't know the use of... Do they work with Windows? I've also had a lot of Java updates, for a bit there it was almost spam, lol. But after googling that I see other users have had the same experience and apparently it's normal. (?)

I recently received a lot of error messages (from Spybot I assume, some didn't tell me the source) saying there was an access violation at Teatimer.exe. I contacted support from both avast and Spybot but only avast got back to me, telling me to disable Teatimer, so I did, and I see this is also something you guys on this forum have advised people to do in cases of malware infection. So hopefully that was the right thing to do. Here's the support info I sent to you guys, which I haven't yet received a reply for, regarding that incident:

"A day or two ago the avast shortcut reappeared on my desktop. I Recycle binned it. I also received a few messages from Spybot saying an important register entry had been changed or something like that. I tried to 'disallow' it but it just kept coming back until I allowed it; there have been many such notifications from Spybot that just keep repeating instantly if I disallow until I allow them. Tonight the avast shortcut reappeared, along with an error message from Spybot that appeared to concern Spybot's TeaTimer.exe.

Avast, when I opened it, said all was okay, but told me it needs to reboot my computer, and when I clicked on the reboot button, a screen came up (the restart screen) with a message that "this app is stopping your computer from restarting" and it showed two icons, one of which did not have a name, but the other was avast's. So, I clicked 'Cancel'. Then the rapid spam of about 8 error messages occurred, in about three variations on the same theme about an access violation at a few addresses.

Two of the messages had numbers and the words saying there was an access violation, but no other specifics. In one message there was a long string of alphanumerical symbols. This might have been the registry entry message, sorry, I'm quite noob. One error message said there was an access violation at address 00000000, read of address 00000000.

It said in another error message: "Access Violation at address 004709DD in module 'TeaTimer.exe'. Read of address 00000010." As soon as I clicked 'OK' more of the same messages reappeared."

By the way, this bit of info should be in bold and maybe even colored large letters for noobs such as me:


Note: During the running of a Spybot scan ("Check for problems") the status bar in the lower left hand corner of the screen displays the products Spybot - Search & Destroy is currently searching for. It does not mean that these items are on your PC...

How I wish I'd known that! lol. I only found it by accident, all tucked away in technotalk. Could have been noob friendlier IMO. For a bit there I was convinced I had every Trojan available.

Hopefully you guys can advise me on whether or not I should do something different. I'd bet I have some malware by the odd happenings but don't know where to go from here. Sorry for the scramble of info in this post. There's been other odd things happening but I haven't kept track of it like I think I should have.

tashi
2014-01-05, 18:59
Hello NoobNeedsHelp,

In case you missed it please see the FAQ which also includes guidelines for this forum and instructions in post #2 on how to provide the preliminary DDS and aswMBR logs used for analysis.
http://forums.spybot.info/showthread.php?t=288

Then start a new topic providing the DDS and aswMBR logs as shown in that sticky with a link back to this thread. :)

Best regards.