
Frethog


6 replies to this topic

#1 frethog

frethog

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 06 April 2008 - 11:51 AM

A week ago I noticed something "fishy". I just couldn't make the system folders visible in Windows Explorer. Everything works fine at this moment in time. I have a ZoneAlarm firewall with antivirus set to run automatically, so I ran a scan, but this time watching what was happening. It found a trojan, FretHog, and seemed always to find just two files, c:\autorun.inf and c:\cl.bat, which it quarantined because it could not fix them. Since I could not see these two files in Explorer, I saw them with my Win Commander FTP.

After a reboot they reappeared. I tried to edit the autorun.inf but could not, since I could not change its "read-only" attribute even in Safe Mode.

Yesterday, the cl.com mutated into an n9f.com, while the autorun.inf is still there.

Today I added a new rule to ZoneAlarm: KILL c:\autorun.inf! In the autorun.inf I found that the cf.bat changed to c9f.com, so the way I think is, if I kill the process it won't be able to generate a new mutated file.

Now the problem is that I need to reset ZoneAlarm not to do an automated virus scan and repair, so it doesn't erase the rule to kill the process c:\autorun.inf.

This is just a partial solution, so I really need help.
I'm running a WinXP SP2 Corporate version and can't afford to reinstall all the programs I have, since it would take days to install everything, plus I don't know where some of the CDs are anymore.
----------------------------------------------------------------------
Experience: What you get when you don't get what you want.
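The poster above worked out which dropper the worm was using by reading autorun.inf by hand (cl.bat, later c9f.com). The following is an added example, not part of the original post and not code from any tool mentioned in this thread: a small Python parser that pulls every launch target out of an autorun.inf, which is what an AutoRun-enabled Windows XP SP2 machine like the OP's would execute when the drive is opened. The sample autorun.inf is constructed for illustration; n9f.com is the filename the OP mentions, but the rest of the file's contents are assumed.

```python
"""Extract the executables an autorun.inf would launch, as a triage aid.

Added example. The sample below is constructed; it follows the common
USB-worm layout (an [autorun] block pointing at a hidden .com/.bat in the
drive root) and is not a copy of the OP's actual file.
"""
import re
from typing import Dict, List

SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample, not from the infected machine
open=n9f.com
shell\\open=Open
shell\\open\\Command=n9f.com
shell\\explore=Explorer
shell\\explore\\command=n9f.com
shellexecute=n9f.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys whose value is run directly when AutoRun fires.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command= entries run when the user picks that verb (or double-clicks).
SHELL_COMMAND_RE = re.compile(r"shell\\[^\\]+\\command")
# Extensions Windows executes directly; a root-level autorun.inf pointing at one
# of these is the classic worm pattern described in the thread.
EXECUTABLE_EXTS = (".com", ".bat", ".exe", ".cmd", ".pif", ".scr", ".vbs")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {lowercased key: value} for the [autorun] section only.

    Tolerates blank lines, ';' comments and case variation in the section and key
    names. A later duplicate key overwrites an earlier one.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Every distinct file the section hands to the shell, in file order."""
    targets: List[str] = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.fullmatch(key):
            # First token is the program; drop surrounding quotes and any arguments.
            exe = value.split()[0].strip('"') if value else ""
            if exe and exe not in targets:
                targets.append(exe)
    return targets


def suspicious_targets(entries: Dict[str, str]) -> List[str]:
    """Launch targets with a directly executable extension."""
    return [t for t in launch_targets(entries) if t.lower().endswith(EXECUTABLE_EXTS)]


if __name__ == "__main__":
    found = parse_autorun(SAMPLE_AUTORUN_INF)
    print("launch targets:", launch_targets(found))
    print("suspicious:", suspicious_targets(found))
```

Point the parser at the real file (read with the hidden/system attributes ignored, as the OP did with a file manager) and the output is the list of files to pull for analysis before anything is deleted; deleting only autorun.inf, as the OP found, leaves the dropper free to write a fresh one.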


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 06 April 2008 - 04:11 PM

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and on every USB drive that is plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
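The note in the post above explains the idea behind Flash_Disinfector's protective folder: a directory named autorun.inf already occupies that name in each drive root, so a worm that tries to write its autorun.inf file there fails. The Python below is an added illustration of that one idea, not Flash_Disinfector's code and not from the original post; it runs the scenario in a scratch directory and shows the result before and after protection. It does not reproduce whatever else the tool does to the folder. The caveat a practitioner would add: malware running with administrative rights can simply remove the directory, so this is a speed bump, not a substitute for disabling AutoRun and cleaning the host.

```python
"""Name-squatting autorun.inf: occupy the filename with a directory.

Added example. The worm stand-in and the payload text are constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Tuple


def protect_root(root: str) -> Path:
    """Create a directory called autorun.inf in `root` so no file of that name can be made.

    Idempotent if the directory already exists. If a *file* autorun.inf is present,
    raise instead of replacing it: that file is the artefact to examine first.
    """
    target = Path(root) / "autorun.inf"
    if target.is_file():
        raise FileExistsError(f"{target} is a file; inspect and remove it before protecting")
    target.mkdir(exist_ok=True)
    return target


def drop_autorun(root: str, payload: str = "[autorun]\nopen=cl.bat\n") -> bool:
    """Stand-in for the worm: try to create autorun.inf as a plain file.

    Returns True if the write succeeded, False if the name was already taken.
    """
    path = Path(root) / "autorun.inf"
    try:
        with open(path, "x", encoding="ascii") as fh:  # "x": fail if the name exists
            fh.write(payload)
        return True
    except (FileExistsError, IsADirectoryError, PermissionError):
        return False


def demo() -> Tuple[bool, bool]:
    """Return (write succeeded while unprotected, write succeeded after protection)."""
    with tempfile.TemporaryDirectory() as scratch:
        before = drop_autorun(scratch)              # nothing stops the first write
        os.remove(Path(scratch) / "autorun.inf")    # clean-up step, as a tool would do
        protect_root(scratch)
        after = drop_autorun(scratch)               # the directory now owns the name
        return before, after


def protect_refuses_existing_file() -> bool:
    """Confirm protect_root does not silently replace a real autorun.inf file."""
    with tempfile.TemporaryDirectory() as scratch:
        drop_autorun(scratch)
        try:
            protect_root(scratch)
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    print("unprotected write ok, protected write ok:", demo())
    print("refuses to clobber an existing file:", protect_refuses_existing_file())
```

demo() returns (True, False): the unprotected write succeeds and the protected one is refused. On an actual drive root you would also set the hidden and system attributes on the directory, as the tool does, so casual cleanup does not remove it.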

#3 frethog

frethog
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 07 April 2008 - 12:15 AM

Mission accomplished!!!

Definitely no traces left... ZoneAlarm, though, found it in the backup file SDFix made (C:\SDFix\backups\backups.zip). Can I delete parts of this file or just leave it sitting there?
I need the "C:\Program Files\J. A. Associates\Virtual Drive Creator\himem32.dll" for creating a virtual drive.

Here is the LOG file SDFix made:

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\ADDPA32.DLL - Deleted
C:\autorun.inf - Deleted
Removing Temp Files

ADS Check :
Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 05:52:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Lsa]
"LsaPid"=dword:0000030c
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Session Manager\Memory Management\PrefetchParameters]
"VideoInitTime"=dword:0000059d
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Watchdog\Display]
"ShutdownCount"=dword:00000178
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Eventlog\Application\ESENT]
"EventMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
"CategoryMessageFile"=str(2):"c:\windows\system32\ESENT.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MDM]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Epoch]
"Epoch"=dword:000f8acc
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{054B1710-4798-42AE-9031-0782C478A972}]
"LeaseObtainedTime"=dword:47f8ea8e
"T1"=dword:47f93eee
"T2"=dword:47f97e36
"LeaseTerminatesTime"=dword:47f9934e
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\{054B1710-4798-42AE-9031-0782C478A972}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47f8ea8e
"T1"=dword:47f93eee
"T2"=dword:47f97e36
"LeaseTerminatesTime"=dword:47f9934e

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000002

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\ICQLite\\ICQLite.exe"="C:\\Program Files\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 6 Apr 2008 103,463 ..SHR --- "C:\m9j.com"
Sat 18 Aug 2007 56 ..SHR --- "C:\WINDOWS\system32\91DACBCD01.sys"
Sun 6 Apr 2008 70,656 ..SH. --- "C:\WINDOWS\system32\amvo0.dll"
Wed 19 Mar 2008 72,192 ..SH. --- "C:\WINDOWS\system32\amvo1.dll"
Thu 3 Apr 2008 4,234 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 12 Aug 2002 2,620 ...H. --- "C:\Program Files\J. A. Associates\Virtual Drive Creator\himem32.dll"
Thu 21 Oct 2004 4,348 A.SH. --- "C:\zbad file\All Users\DRM\DRMv1.bak"
Tue 16 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 13 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"

Finished!


Files indicated in RED color are those that I was sure were malicious. Also amvo.exe I deleted just before I started reading your proposal for cleaning up and prior to SDFix run.

Thank you for helping me solve this nasty trojan.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:26 AM

Posted 07 April 2008 - 08:35 AM

> WinXP SP2 Corporate version

Make sure that your computer has all the latest updates.
Chewy

No. Try not. Do... or do not. There is no try.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 07 April 2008 - 08:37 AM

Good job.

If there are no more problems or signs of infection, download OTMoveIt2 by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTMoveIt2.exe to launch the program
  • Click on the green CleanUp! button.
  • When you do this a text file named cleanup.txt will be downloaded from the Internet.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet you should allow it to do so.
  • After the text file has been downloaded, you will be asked if you want to Begin cleanup process?
  • Select Yes.
  • Doing this will remove the specialized tools I had you download/run.
Then you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:26 AM

Posted 07 April 2008 - 08:54 AM

Forgot to mention that this Trojan was designed to steal passwords and send the information to a remote computer.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?".

#7 frethog

frethog
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:26 AM

Posted 07 April 2008 - 08:31 PM

> Forgot to mention that this Trojan was designed to steal passwords and send the information to a remote computer.
>
> Although the infection was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?".


Yes, the computer is used for e-banking transactions for the company I work for and for video editing.

I have been granted use of this excellent PC for video editing purposes and I suspect that it was compromised by a USB flash drive from a client while downloading files from it. This could only be the way that it got infected, since it is used only for e-banking and for sending/receiving video files, and I am the only one that can use it (it's kept under lock). I use a different PC for the web.

I'm grateful for your precise explanations and the time you put into my problem. I hope you will also answer my previous question about the file I need that is now inside the zipped SDFix file, "C:\Program Files\J. A. Associates\Virtual Drive Creator\himem32.dll".

Thank you.