Spyware, Viruses, & Security forum

Question

"Web attack: Blackhole toolkit detected" -- Now what?

by BobMac51 / April 29, 2011 12:58 PM PDT

Symantec Endpoint Protection (SEP) popped up the above message on my XP Pro machine the other day. I quickly closed the browser, and shutdown the machine. After rebooting, I checked the SEP risk & threat logs, which showed nothing, then did full scans using SEP, then Malware Bytes, and as luck would have it, the MS malicious software removal tool for April. None of the scans turned up anything. But ever since then, the machine has been acting a little flaky. There's a weird 'screen flash' during the boot process before Windows loads, and certain webpages now seem to take forever to load. How can I detect if a Blackhole toolkit has been loaded on my PC? And how can I get rid of it if it has? Thanks.


All Answers

Answer
A 'weird' screen flash? 'Certain' webpages? Not all?
by Carol~ Forum moderator / April 29, 2011 5:34 PM PDT

BobMac..

It would help to know more about the "weird screen flash". (Does it look similar to this?) You say "certain webpages" take forever to load. Perhaps you might share some details with us, about the types of sites/pages they are? Any other "flaky" symptoms?

With that said (or asked), have a look at what was posted at Symantec's Connect Forum. It references a SEP user, who received a BlackHole Exploit alert. However, there was no indication of it in their incident or risk logs. Sound familiar?

Technical support offered the following:

'Check the Security log on the SEP client.

The IPS should've blocked this. What the user probably saw was the notification from the SEP client that traffic from x.x.x.x was blocked (or something similar).

If that is the case and the traffic was inbound, then the IPS was doing its job and no further action should be needed (you can do some forensics to see what sites were visited and which one may have caused the alert). As a precaution, run a full scan in safe mode.'

When you ran the scan with SEP afterwards, did you run it in safe mode?

See this thread, regarding "BlackHole Activity" at Norton's community forum. It may (or may not) give you the information you're looking for.

If it's any consolation, when posting news at this forum, I've found Symantec has written "more than most" about it. One example being, "The BlackHole Theory".

Try scanning with ESET's Online Scanner (http://www.eset.com/us/online-scanner). Their FAQ and Help sections should answer any questions you might have. In order to avoid a conflict, temporarily disable SEP just prior to running the scan.

It's the best I can tell you, at this point. Short of giving you a list of additional tools to scan with.

Carol

The weird screen flash occurs during bootup before Windows..
by BobMac51 / April 29, 2011 11:23 PM PDT

...loads and is visible for only a fraction of a second. From the glimpses I've caught, it looks like a DOS screen and includes random characters in different colors. I haven't ever noticed it before, and it is not the malware message screen shot you offered.

I haven't kept track of the webpages that are so excruciatingly slow to load, but it definitely isn't all webpages. These aren't just momentary response lags, but delays of 5 seconds or more before anything happens. This is on a wired network, not wireless. I haven't noticed an obvious pattern to them, but will try to track them the next day or so and report back if you think that info might be helpful.

Thanks for the Symantec links. I'll try running an SEP scan in Safe Mode as well as using ESET, and see what is reported. I searched Symantec's site and, in addition to the Blackhole Theory article you noted, found only the following 'helpful' guidance (http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24092):

Severity: High. This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description: This signature detects attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
Additional Information: This signature detects attempts to download exploits from a malicious toolkit which may compromise a computer through various vendor vulnerabilities.
Affected: Various.
Response: NA.

Thanks, Carol.

Just a couple of thoughts..
by Carol~ Forum moderator / May 2, 2011 8:50 AM PDT

BobMac..

The message in the shot I included regarding Rkill, had no significance. I was only asking if the screen looked similar. Your description of the DOS screen, which contains random characters in different colors, has me wondering if it's related to "malware". Are you SURE it wasn't there before the intrusion attempt? I'm asking on the outside chance, SEP did block it.

You say some of the pages will load normally. Which browser are you using? And have you tried using another browser? Does it make a difference?

As previously suggested, scan with SEP in safe mode. And also see if ESET finds anything. Let us know how things go.

Carol

A little more info...
by BobMac51 / May 2, 2011 11:27 PM PDT

Apparently the screen flash problem during bootup was the graphics card itself b/c it failed. Started getting a "No DVI-D signal" message at bootup. Replaced the card and that particular problem went away. Hope you're not going to tell me that this -- causing a graphics adapter to fail -- could be an outcome of a Blackhole toolkit intrusion?

We have IE8 installed on this particular PC. Haven't tried any other browsers. I've noticed that the sluggishness is particularly severe on MSNBC's news site.

Last night, I booted into safe mode to run a full SEP scan. When I opened SEP, there was a message that "File system auto-protect is malfunctioning. File system auto-protect is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt." This message was NOT there before or after booting into safe mode. The safe mode full scan by SEP found no risks. I also performed a full Malware Bytes scan in safe mode and found no risks.

Do I run the ESET scan in safe mode? Thanks.

'File System Auto-Protect is malfunctioning'
by Carol~ Forum moderator / May 3, 2011 5:05 AM PDT
In reply to: A little more info...

BobMac..

In regard to the "File System Auto-Protect is not functioning correctly. Your protection definitions may be damaged or your product installation may be corrupt" warning, read the document below.

"File System Auto-Protect is malfunctioning"
http://www.symantec.com/business/support/index?page=content&id=TECH102962

Also read this thread titled, "File System Auto-Protect is malfunctioning", where the "Symantec Trusted Advisor" suggested to "Update virus definition files using the Intelligent Updater".

You wrote, "Hope you're not going to tell me that this -- causing a graphics adapter to fail -- could be an outcome of a Blackhole toolkit intrusion?"

No. I'm not going to tell you, your graphics adapter failed because of the intrusion. In fact, I'm still questioning whether your problems are related to a BlackHole intrusion. The intrusion SEP supposedly blocked. More so now, that you mention IE8 is particularly sluggish, when visiting MSNBC.

You mentioned you haven't tried using a different browser. Is it because you don't have another one installed? I'm going to presume that's the case. It might help to install Firefox to see if the problem persists.

There's no point in my "questioning and guessing". It's not going to help you. If you want to completely rule out the BlackHole exploit, or any other "unwanted visitors", I would suggest posting at a HijackThis forum. They utilize specialized diagnostic and removal tools, which we don't use here. It will allow them to better see, what's going on with your system.

If you decide to go that route, you can find a list of the forums, at the left-hand side of this page. It may take a few days for them to get back to you, but they will. It's worth the wait. And it's worth your peace of mind. (Or at least in my opinion it is)

Carol

site warning
by ovdtr / June 8, 2011 12:07 AM PDT

bobmac... how can you remove it from a website? My forum members are still seeing a warning with Firefox and not IE. I think I have the script contained, but I still see a funny looking addy in the data transfer bar in the lower left. That could have always been there and I just noticed it. It flashes by so quick I can't copy it. Any help would be great. kiLLer-

No idea how to remove a black hole toolkit from a website
by BobMac51 / June 8, 2011 11:29 AM PDT
In reply to: site warning

I took Carol's good advice and went to Hijack This (http://hjt-data.trendmicro.com/hjt/analyzethis/index.php), picked one of the forums (DSL Reports, which I had some experience with), and posted a description of what happened. They directed me to some diagnostic tools, several runnings of which turned up no evidence of a rootkit or other infection. I haven't experienced any more warnings since. Give Hijack This a try. Good luck.
