88.80.7.66 Invading, Unsure Which Trojan/variant



#1 Geblah187


Posted 07 February 2008 - 11:54 PM

Long time reader, first time poster here. I have NVIDIA ActiveArmor (a hardware-level firewall), and various different programs (first Java, then MS Antispyware, now my Logitech keyboard software) have all been attempting access to 88.80.7.66 on port 80.

I've done some snooping around the internet, and there are many different names for whatever backdoor/trojan this is ... and nothing I've done has fixed it. I've been blocking it from accessing that IP each time it comes up, but it is interfering with the normal operation of several different programs. Here's my pertinent info:

OS: Microsoft Windows XP Pro with Service Pack 2

Hard Drives:
C: - System
D: - Media (Music, video, text, etc)
E: - Games and Programs
One physical drive, D and E are partitions (logical drives)

FindAWF Scan result:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Thu 02/07/2008
The current time is: 23:47:49.28


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 03:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

01/10/2008 03:27 PM 385,024 qttask.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

11/03/2006 06:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

02/28/2006 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

01/19/2007 12:49 PM 4,670,968 YahooMessenger.exe
1 File(s) 4,670,968 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\G-SERI~1\BAK

11/09/2006 01:10 PM 1,126,400 LGDCore.exe
1 File(s) 1,126,400 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of E:\STEAM\BAK

02/05/2008 10:23 PM 1,266,936 Steam.exe
1 File(s) 1,266,936 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 6 2008 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
14860 Feb 6 2008 "C:\Program Files\QuickTime\qttask.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
14860 Feb 6 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\ctfmon.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\bak\ctfmon.exe"
4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
14860 Feb 6 2008 "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe"
1126400 Nov 9 2006 "C:\Program Files\Common Files\Logitech\G-series Software\bak\LGDCore.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
14860 Feb 6 2008 "E:\Steam\Steam.exe"
1266936 Feb 5 2008 "E:\Steam\bak\Steam.exe"


end of report


Any help is greatly appreciated! Thanks a million!


#2 Geblah187


Posted 08 February 2008 - 11:58 AM

One bit I had forgotten to mention: nothing I've run so far has been able to confirm the name of the malware infecting my system. I've run so far:

McAfee (in normal mode)
McAfee (from DOS in Safe Mode - Command prompt)
SUPERAntiSpyware (in both normal and Safe mode)
Trend Micro's HouseCall (in normal mode)
Trend Micro's Sysclean (in safe mode)

#3 Orange Blossom


Posted 08 February 2008 - 12:27 PM

Hello Geblah187 and welcome to BC :flowers:

Can you post the SUPERAntiSpyware log for us please?

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Geblah187


Posted 08 February 2008 - 02:07 PM

I sure can, once I get back home (at work at the moment) but it didn't turn up a result at all ... I didn't modify any options, just did a full system scan under default options.

Any preferences as to how/where it should be run? Safe mode/regular, different options, etc?

None of the programs I've run so far have detected the virus, but as the FindAWF log shows: there's definitely something there :thumbsup:

Thanks for your help, Orange!

Edited by Geblah187, 08 February 2008 - 02:09 PM.


#5 Orange Blossom


Posted 08 February 2008 - 02:15 PM

Just post the 2 SUPERAntiSpyware logs you already have for now. :thumbsup:

Orange Blossom :flowers:

#6 Geblah187


Posted 08 February 2008 - 07:10 PM

Both SUPERAntiSpyware scans (normal and safe mode) come up with nothing detected ... I'd be glad to post this ... where does it save the log? :thumbsup:

Strangely enough, my firewall hasn't detected any more outgoing attempts to that IP address, and all my programs that were being affected before are now working properly!

So it looks like all is clear at this point (although how that happened, I'm not entirely sure) ... but from what I've read this particular baddie (doginhispen I guess?) comes back after you think it's gone.

Is there anything I can do to double check for traces of it that might be remaining? I've purged all my cookies/temporary internet files/user temp and windows temp files.

Thanks if you did some kind of magic for me, Orange Blossom! :flowers:

#7 Orange Blossom


Posted 08 February 2008 - 10:11 PM

No, no magic Geblah187, I haven't actually had you do anything other than request a couple of logs. (It is possible that the baddies switched to a different IP address.) I was referring to the scans you mentioned in the second post. Here is how you can retrieve the logs:

To retrieve the logs for me please do the following:
o Double-click the SUPERAntiSpyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click on the logs with the appropriate dates.
o They will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
o Click close and close again to exit the program.

Indicate which one is from Safe Mode and which from Normal Mode.

Also, a malware expert should look at your AWF log and coach you from there. Please be patient for one to get to you.

Orange Blossom :thumbsup:

#8 boopme


Posted 08 February 2008 - 10:14 PM

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the steps below:

Double-click the FindAWF icon once again.
If a "Security Alert" shows, allow the program to run.
A command prompt will open and ask you to "Press any key to continue...".
You will be presented with a Menu.
Press 2 then 'Enter' to restore files from bak folders
A text file named files.txt will then open.
Click below the line and copy/paste the following list of files in the quote box into the text file:

"C:\Program Files\AIM\aim.exe"
"C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\Windows Defender\MSASCui.exe"
"C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe"
"E:\Steam\Steam.exe"
"C:\WINDOWS\system32\ctfmon.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"


Close the text file and click Yes to save the changes. Once files.txt is saved, FindAWF does the following:
It attempts to terminate the process represented by each filename on the list (if running).
Deletes the rogue file from the parent folder (if present).
Copies the original file to the parent folder.
When done, it automatically runs a new scan and opens a new log.
Please copy/paste the contents of the new awf.txt log in your reply.

Edited by boopme, 08 February 2008 - 10:16 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
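The pattern boopme describes (the legitimate file moved into a "bak" folder and a dropped binary left in its place) can be checked mechanically from the FindAWF log itself. The following is an added example, not part of the thread and not FindAWF's own code: it parses the "Duplicate files of bak directory contents" section (sample lines constructed from the log posted in #1), flags each live file whose size or date differs from its bak copy as the suspect replacement, separates pairs that are identical, lists bak copies with no live counterpart, and reports the size the replacements share, since every dropped copy is the same binary.

```python
import re
from collections import Counter

# Constructed sample: lines from the "Duplicate files of bak directory contents"
# section of the FindAWF log posted in this thread (the Yahoo entry has no live file).
SAMPLE_LOG = r"""
14860 Feb 6 2008 "C:\Program Files\AIM\aim.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
14860 Feb 6 2008 "C:\Program Files\QuickTime\qttask.exe"
385024 Jan 10 2008 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\ctfmon.exe"
15360 Feb 28 2006 "C:\WINDOWS\system32\bak\ctfmon.exe"
4670968 Jan 19 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
14860 Feb 6 2008 "E:\Steam\Steam.exe"
1266936 Feb 5 2008 "E:\Steam\bak\Steam.exe"
"""

# FindAWF line layout as posted: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+(\w{3} \d{1,2} \d{4})\s+"(.+)"\s*$')

def parse_entries(log):
    """Yield (size, date, path, is_bak) for each duplicate-file line in the log."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size, date, path = int(m.group(1)), m.group(2), m.group(3)
        parts = path.split("\\")
        is_bak = len(parts) >= 2 and parts[-2].lower() == "bak"
        yield size, date, path, is_bak

def triage(log):
    """Pair every live file with its bak copy and classify each pair."""
    pairs = {}  # lowercase live path -> {"path": live path, "live": (size, date), "bak": (size, date)}
    for size, date, path, is_bak in parse_entries(log):
        parts = path.split("\\")
        live_path = "\\".join(parts[:-2] + parts[-1:]) if is_bak else path
        slot = pairs.setdefault(live_path.lower(), {"path": live_path})
        slot["bak" if is_bak else "live"] = (size, date)
    replaced, identical, orphaned = [], [], []
    for slot in pairs.values():
        live, bak = slot.get("live"), slot.get("bak")
        if live and bak:
            # The original was moved to bak and a dropped binary put in its place,
            # so a live file that differs from its bak copy is the suspect.
            (replaced if live != bak else identical).append(slot["path"])
        elif bak:
            orphaned.append(slot["path"])  # original moved, replacement no longer present
    sizes = Counter(pairs[p.lower()]["live"][0] for p in replaced)
    return {"replaced": sorted(replaced), "identical": sorted(identical),
            "orphaned_bak": sorted(orphaned),
            "dropper_size": sizes.most_common(1)[0][0] if sizes else None}
```

On the posted log this reports aim.exe, qttask.exe and Steam.exe as replaced (all 14860 bytes, dated Feb 6 2008), ctfmon.exe as an identical pair, and YahooMessenger.exe as a bak copy whose live file is missing.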

#9 Geblah187


Posted 08 February 2008 - 11:45 PM

Boop, done that, and also step 3 (removing the bak folders) and then also step 4. That could have been what cleaned it out? I also made sure to clean out the C:\windows\temp and the %temp% folders for each login on the infected computer, scanned several times with SUPERAntiSpyware, and Spybot S&D.

Running Find AWF now shows no bak directories:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 02/08/2008
The current time is: 23:41:20.36


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Should I be concerned that it's anywhere else?

Thanks for your help!

EDIT: looking back through my firewall log, no attempts were made to that IP address at all from any program. I can post that too as well, if it will help, but it's rather long.

Edited by Geblah187, 08 February 2008 - 11:59 PM.


#10 boopme


Posted 11 February 2008 - 08:55 PM

Sorry for taking so long, had a few issues to deal with.
How is it working now?