Infected With Downloader.agent.iug + Backdoor.ircbot + More Please Help !


  • Please log in to reply
22 replies to this topic

#1 Demi666
Posted 13 April 2008 - 06:28 AM

Ok, hi, I'm new here (:

Anyways, yesterday when I was playing DotA people complained about my LC host; they said they had spikes (which people get if you're downloading while hosting),
and I usually get perfect hosting, so I didn't know what to do except close all other programs. The spikes were still there.

So I knew something bad was up, so I closed the host and went to do a virus scan.

Found this:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:02:00 2008-04-12

+ Scan result:



C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP11\A0005372.dll -> Adware.Minibug : Cleaned.
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP44\A0020045.exe -> Backdoor.IRCBot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP44\A0020046.exe -> Backdoor.IRCBot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP3\A0002586.exe -> Downloader.Agent.a : Cleaned with backup (quarantined).
C:\WINDOWS\17PHolmes572.exe -> Downloader.Agent.iug : Cleaned with backup (quarantined).
C:\WINDOWS\mrofinu1000106.exe -> Downloader.Agent.iug : Cleaned with backup (quarantined).
C:\Program\Internet Explorer\gaqyv89104.dll -> Not-A-Virus.Adware.TTC : Cleaned.
C:\Documents and Settings\HP_Ägaren\Cookies\hp_ägaren@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\HP_Ägaren\Cookies\hp_ägaren@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\HP_Ägaren\Cookies\hp_ägaren@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP3\A0002582.exe -> Trojan.Lmir.ayr : Cleaned with backup (quarantined).


::Report end

I just finished my third virus scan now.
And it found Not-A-Virus.Adware.TTC and Downloader.Agent.iug again.
I looked Not-A-Virus.Adware.TTC up and it said that it could be related to something called Virtumonde?
I also looked Backdoor.IRCBot up and by the descriptions I read it seems to be a pretty dangerous virus;
I think it got 8/10 on some scale.


At the moment I have this in my quarantine, all from yesterday's scan, and some from today's.
Posted Image

It seems to be urgent, but I haven't noticed anything from this, not any weird runs & pop-ups or anything.
Just that people complained about spikes.

And as I told you, I did the virus scan then.

My first idea was of course to remove them; my second thought was that I'm not experienced enough to know if the files that are infected are vital for the computer or not. Since they are in System Volume they seem to be vital.

Could anyone please assist me on this? I would appreciate it greatly!


#2 quietman7

Posted 13 April 2008 - 07:34 AM

The infected RP***\A00*****.exe file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, they may detect and place these files in quarantine.

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it.

IMPORTANT NOTE: One or more of the identified infections was a backdoor Trojan which previously was installed on your machine. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, please continue as follows.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Demi666

Posted 14 April 2008 - 01:34 PM

Well, you were right, it found LOTS of stuff, check this out.

Posted Image

I removed them, here is the log.

BTW I quarantined it, does it fix the problem?


Malwarebytes' Anti-Malware 1.11
Databasversion: 625

Skanningstyp: Fullständig skanning (C:\|D:\|F:\|G:\|H:\|I:\|)
Antal skannade objekt: 216001
Förfluten tid: 1 hour(s), 1 minute(s), 40 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 5
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 3
Infekterade filer: 6

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekted Register keys
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infected Registerdata:
(Inga illasinnade poster hittades)

Infected Folders:
C:\Program\Network Monitor (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Infected files:
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP8\A0003851.dll (Worm.Voterai) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DED0C2EA-BE56-4F04-A722-6330635A4634}\RP8\A0003854.dll (Worm.Voterai) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.

Edited by Demi666, 14 April 2008 - 01:35 PM.


#4 quietman7

Posted 14 April 2008 - 02:28 PM

As I previously said, when an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it.

How is your computer running now? Any more reports/signs of infection?

#5 Demi666

Posted 14 April 2008 - 04:55 PM



I don't think so, but I gotta go to bed. I'll make another scan tomorrow and get back to you! (:<3

#6 Demi666

Posted 15 April 2008 - 04:42 AM

My comp is running good now, Mozilla works, and my perfect host is back. But IE is still randomly dying sometimes :S!
And then I sent the error report to Microsoft, and clicked details. This showed what COULD be the "error":

http://wer.microsoft.com/Responses/Respons...75-e4a8f7cc56e3
I also read this:
http://www.windowsecurity.com/articles/Hid...nvironment.html

Anyways, I just wanna tell you how grateful I am that you helped me fix this, and it's so good that people like you help out voluntarily (might have misspelled that).

Nothing found. I know you said just because I fixed this doesn't mean I can trust the computer again, but I don't use this computer for anything that's of "value" except Photoshop work etc.

But also many people told me to flush my "restore points". Could you please tell me how I do that, just so I can be on the safe side?

OFFTOPIC:
I just read this tutorial: http://www.bleepingcomputer.com/tutorials/tracing-a-hacker/
Pretty dumb question, but I'm a bit jumpy after this.

If I write netstat -a and -b and -c in MS-DOS when I'm NOT being hacked, it doesn't do anything bad, does it :P?
Because the black window just opened then closed in like 1 sec :S


EDIT2:
> How can I tell if I have been hacked?
>
> Almost every remote hack involves leaving a program behind that will allow them to get back into your computer regardless of whether or not you fix the security problem that let them into your computer in the first place. The only time a hacker does not leave something behind is if they are hacking your computer for specific information or an item. Almost 99% of the time this is not the case.
>
> The programs that they leave behind are IRC clients that they can control from a channel on an IRC Server or a Backdoor/Trojan.
>
> Since these clients or Trojans must listen and wait for connections from the hacker, they must listen on a TCP or UDP port. With that in mind, the tools that I list above come into play. Using Fport or TCPView will allow you to see what TCP/UDP ports are open and listening on your computer and what program is using those ports.
>
> To see what programs are running and are listening on TCP/UDP ports you would use Fport or TCPView.
>
> For example, let's say a hacker uses the RPC/DCOM exploit that came out recently to get a command shell to your computer. They download and install SubSeven on your computer. As many installations of SubSeven use the default TCP Port 27374 it makes it very easy to spot this Trojan running on your computer.
>
> By running Fport you would see the following (Formatting is a little messed up here):

I had an IRC bot, and I fixed it, and it says the hacker can come into my comp whether I fix it or not :S?
Could you explain that a bit more?

Malwarebytes' Anti-Malware 1.11
Databasversion: 625

Skanningstyp: Fullständig skanning (C:\|D:\|F:\|G:\|H:\|I:\|)
Antal skannade objekt: 217002
Förfluten tid: 59 minute(s), 6 second(s)

Infekterade minnesprocesser: 0
Infekterade minnesmoduler: 0
Infekterade registernycklar: 0
Infekterade registervärden: 0
Infekterade registerdataposter: 0
Infekterade mappar: 0
Infekterade filer: 0

Infekterade minnesprocesser:
(Inga illasinnade poster hittades)

Infekterade minnesmoduler:
(Inga illasinnade poster hittades)

Infekterade registernycklar:
(Inga illasinnade poster hittades)

Infekterade registervärden:
(Inga illasinnade poster hittades)

Infekterade registerdataposter:
(Inga illasinnade poster hittades)

Infekterade mappar:
(Inga illasinnade poster hittades)

Infekterade filer:
(Inga illasinnade poster hittades)

Edited by Demi666, 15 April 2008 - 05:32 AM.
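The tutorial quoted in the post above says the way to spot a leftover backdoor or IRC bot is to check which process owns each listening TCP/UDP port. The script below is an added example (not code from the thread, and not Fport or TCPView) that does that check over the text of `netstat -ano` and `tasklist`, flagging listeners owned by processes outside an assumed allowlist and established connections to the default IRC ports. The netstat and tasklist lines are constructed samples: the process name is borrowed from the poster's AVG report and port 27374 from the quoted tutorial.

```python
# Added example (not code from the thread or from Fport/TCPView): parse
# `netstat -ano` and `tasklist` text, then flag listeners owned by processes
# outside an assumed allowlist and established connections to IRC ports.
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto local_addr local_port remote_addr remote_port state pid")

# Constructed sample of `netstat -ano` output (Windows XP column layout).
# The process name is taken from the poster's AVG report; 27374 is the
# SubSeven default port from the tutorial quoted above. Not real data.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.5:1042       203.0.113.9:6667       ESTABLISHED     1788
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1038           *:*                                    1788
"""

# Constructed sample of `tasklist` output, used to map PID -> image name.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         236 K
svchost.exe                  964 Console                 0       5,012 K
mrofinu1000106.exe          1788 Console                 0       2,144 K
"""

# Assumed allowlist: processes that normally own listening sockets on XP.
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "alg.exe"}
# Default IRC ports; an ESTABLISHED connection to one from a process that
# is not a chat client is the classic sign of an IRC bot phoning home.
IRC_PORTS = {6667, 6668, 6669, 6697}

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one Socket per data line; the header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rport = None if rport == "*" else int(rport)   # UDP shows *:* as peer
        sockets.append(Socket(proto, laddr, int(lport), raddr, rport, state or "", int(pid)))
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def suspicious_listeners(netstat_text, tasklist_text):
    """Listening TCP and bound UDP sockets owned by a process not on the allowlist."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for s in parse_netstat(netstat_text):
        is_listener = s.proto == "UDP" or (s.proto == "TCP" and s.state == "LISTENING")
        image = images.get(s.pid, "<pid not in tasklist>")
        if is_listener and image not in EXPECTED_LISTENERS:
            findings.append((s.proto, s.local_port, s.pid, image))
    return findings


def irc_connections(netstat_text, tasklist_text):
    """Established TCP connections whose remote port is a default IRC port."""
    images = parse_tasklist(tasklist_text)
    return [(s.remote_addr, s.remote_port, s.pid, images.get(s.pid, "<pid not in tasklist>"))
            for s in parse_netstat(netstat_text)
            if s.proto == "TCP" and s.state == "ESTABLISHED" and s.remote_port in IRC_PORTS]
```

On a real machine, feed the script the saved output of `netstat -ano` and `tasklist` instead of the samples; any listener outside the allowlist still needs a look at the file on disk before it is judged malicious.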


#7 quietman7

Posted 15 April 2008 - 08:12 AM

Almost every remote hack involves leaving a program behind that will allow them to get back into your computer regardless of whether or not you fix the security problem that let them into your computer in the first place.

That is correct. However, you're confusing the "program" (malicious files) which allows the hacker to open a backdoor with the "security problem" (vulnerability) that permitted the download of the malicious program used by the hacker.

Trojans FAQs
Trojan Programs
What is a backdoor trojan?

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#8 Demi666

Posted 15 April 2008 - 08:59 AM



The Disk Clean, will it remove everything or..? Could you tell me how it works?
I created a new restore point also now, but IDK how to remove all the old ones.

And do I need to shut down games like Warcraft 3 TFT etc. when doing Disk Clean?

Because what I understood now, which is almost 100% wrong I guess,

is that

I remove all old restore points
Create a new one
Disk Clean (remove everything?)
Go back to restore point
Write Cleanmgr

?

#9 quietman7

Posted 15 April 2008 - 09:06 AM

"Disk Cleanup Explained: What it Does"

Just follow the instructions in the order I gave you above.

#10 Demi666

Posted 15 April 2008 - 09:12 AM




I'm going to now, but English isn't my first language so...

Also my IE shuts down randomly still :S
But Disk Cleanup is loading now, but how do I remove all restore points before this one? Or was I supposed to do that?


Also, should I clean EVERYTHING available?

Edited by Demi666, 15 April 2008 - 09:13 AM.


#11 quietman7

Posted 15 April 2008 - 09:21 AM

> How do I remove all restore points before this one?

Just follow the instructions in this link.
http://bertk.mvps.org/html/diskclean.html

#12 Demi666

Posted 15 April 2008 - 09:33 AM




Ok, done it (: what now <3?

#13 quietman7

Posted 15 April 2008 - 09:39 AM

> Anyways, I just wanna tell you how grateful I am that you helped me fix this

I thought you were good to go. What other issues are you having? Please be specific.

#14 Demi666

Posted 15 April 2008 - 03:49 PM




IE randomly dying.
Can't install Flash Player on Mozilla :S
Hosting sucks now again, everyone lags.

Internet for me isn't slower, but it just dies sometimes randomly.
All complain about lag now :S

Can you give me any tips on how to fix this?

I think it kinda got worse since I removed the virus; I THINK that's when IE started randomly dying & all complain about lag.

#15 ruby1

Posted 15 April 2008 - 04:35 PM

Of interest, do you use this computer for any emailing or for any work that requires you to 'communicate' (exchange information) with another computer? MSN or anything else?

One wonders if you really appreciate what quietman7 has told you about the seriousness of the infection and that it may never ever be considered as 'clean' and safe again.
