
Is This A Trojan?


  • Please log in to reply
13 replies to this topic

#1 iceash
  • Members
  • 32 posts

Posted 19 April 2008 - 06:36 PM

My local LAN cable provider has installed this tool on my system (created by them). They say it's to protect their own server, and at the same time I can't uninstall it, because if I do so the Internet will stop working. I am just kind of doubtful. Can anyone check and confirm if it contains any malicious code? I uploaded the file at Jotti; most of the scanners clear it (AVG, Avast), only a few detect a keylogger. Here is the link to download the setup. http://www.zshare.net/download/10816298427a4f8e/

HELP IS HIGHLY APPRECIATED! :thumbsup:

#2 Queen-Evie
    Official Bleepin' G.R.I.T.S. (and proud of it)
  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 19 April 2008 - 06:59 PM

Post deleted.

Edited by Queen-Evie, 20 April 2008 - 06:48 PM.


#3 iceash
  • Topic Starter
  • Members
  • 32 posts

Posted 20 April 2008 - 02:24 PM

Eh? zshare is just a hosting site. I uploaded the file there so people can download and check it. I am talking about the program, not the site. And yes, the net does stop working after uninstalling. It's created by them; the program title is AntiPoisoner and it has their credits. :/

#4 skyfuser
  • Members
  • 470 posts
  • Location:California

Posted 20 April 2008 - 02:56 PM

PrevX database has this:
What we know about ANTIPOISONER.EXE:
The filename ANTIPOISONER.EXE was first seen on Apr 7 2008 in PAKISTAN.
The filename ANTIPOISONER.EXE refers to many versions of an executable program.
The most common file size is 202,678 bytes. But the following file sizes have also been seen:

* 210,437 bytes
* 204,707 bytes

The unsafe files using this name are associated with the malware group TROJAN.AGENT.GEN.
These files have no vendor, product or version information specified in the file header.
ANTIPOISONER.EXE has been seen to perform the following behavior(s):

* The Process is packed and/or encrypted using a software packing process
* Executes a Process
* Registers a Dynamic Link Library File

ANTIPOISONER.EXE has been the subject of the following behavior(s):

* Created as a process on disk
* Executed as a Process

Full page here.

There's something about Pakistani origins. Where the heck do you live? :thumbsup:
And according to the Pakistani forum here, something about denial of service and a virus hitting their DNS clients. Something to think about... :flowers:
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." - Bertrand Russell
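As an added example (not code from the thread, from PrevX or from the AntiPoisoner program), here is a small stdlib-only Python triage script that checks an unknown executable against the traits PrevX reported above: whether its size matches one of the listed sizes, whether any section looks packed or encrypted (high byte entropy), and whether it even has a resource section, which is where a PE's vendor/product/version information would live. The 7.0 bits-per-byte packing threshold is a rule-of-thumb assumption, and `build_sample_pe` constructs a toy PE image purely so the checks can be run offline; it is not the real file.

```python
import math
import struct

REPORTED_SIZES = {202_678, 210_437, 204_707}  # sizes PrevX listed for ANTIPOISONER.EXE
PACKED_THRESHOLD = 7.0  # bits per byte; a rule-of-thumb assumption, not a PrevX figure

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data approaches 8.0, plain code sits lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob: bytes):
    """Minimal PE section-table walk yielding (name, raw_bytes) for each section."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[:2] != b"MZ" or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", blob, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]   # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    for i in range(nsec):
        hdr = blob[table + i * 40: table + (i + 1) * 40]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]

def triage(blob: bytes) -> dict:
    """Static checks mirroring the PrevX traits: known size, packing, missing version resource."""
    secs = list(pe_sections(blob))
    return {
        "size_matches_report": len(blob) in REPORTED_SIZES,
        "high_entropy_sections": [n for n, d in secs if shannon_entropy(d) > PACKED_THRESHOLD],
        "has_resource_section": any(n == ".rsrc" for n, _ in secs),  # VERSIONINFO lives in .rsrc
    }

def build_sample_pe(sections) -> bytes:
    """Constructed toy PE image for testing (not the real file); sections = [(name, bytes)]."""
    n = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew points at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)  # no optional header
    hdrs, body, ptr = b"", b"", 64 + len(coff) + 40 * n
    for name, data in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0)
        body += data
        ptr += len(data)
    return dos + coff + hdrs + body
```

Running `triage(open("sample.exe", "rb").read())` on a real binary gives the same three indicators; a packed section or a missing `.rsrc` is not proof of malice, only a reason to look closer, as the thread's sandbox run did.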

#5 iceash
  • Topic Starter
  • Members
  • 32 posts

Posted 20 April 2008 - 03:24 PM

Wow, thanks for the valuable information. I live in Pakistan too.

I checked AntiPoisoner.exe, but mine is only 198 KB. If I remove that program the Internet doesn't work properly, meaning it's either slow or won't work at all. Could any of you check the resources, like what it contains? :flowers: I have uploaded the file. That will really relax me! :thumbsup:

#6 skyfuser
  • Members
  • 470 posts
  • Location:California

Posted 20 April 2008 - 03:29 PM

Ah good, I was thinking "OMG WTF" if you had this Pakistan file and you were on the other side of the world ;D
I'll have a look at the thing in a sandbox and Returnil.
You might also consider contacting your cable provider and asking why they gave it to you. From that Pakistan forum it sounds like something to prevent denial of service, but then again it might really be dangerous.
I'll let you know the results later :thumbsup:

Edited by skyfuser, 20 April 2008 - 03:29 PM.


#7 garmanma
    Computer Masochist
  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 20 April 2008 - 04:51 PM

I'm going to go ahead and move this to Am I Infected?
Mark

#8 Queen-Evie
    Official Bleepin' G.R.I.T.S. (and proud of it)
  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 20 April 2008 - 06:48 PM

I based my reply on what information you provided and what the program is according to the link.
Since you have included additional info, I will delete my reply to avoid confusion.

#9 iceash
  • Topic Starter
  • Members
  • 32 posts

Posted 21 April 2008 - 05:44 AM

skyfuser, they say it's to protect their server :/ Waiting for your response, thanks! :thumbsup:

#10 iceash
  • Topic Starter
  • Members
  • 32 posts

Posted 22 April 2008 - 07:03 PM

Awaiting your response, skyfuser! :]

#11 skyfuser
  • Members
  • 470 posts
  • Location:California

Posted 22 April 2008 - 10:33 PM

Sorry for being a bit slow, I had to finish homework ;D
Well, I just finished it in Returnil and Sandboxie. Although the whole install program seemed really suspicious, I couldn't see anything wrong with it.
So unless your ISP suddenly turns rogue, the little program won't be doing anything bad to your computer anytime soon :thumbsup:

#12 iceash
  • Topic Starter
  • Members
  • 32 posts

Posted 23 April 2008 - 05:36 AM

What are Returnil and Sandboxie? Do they check the file? Did you check antipoisoner.exe after installing? If it's not a trojan, what does it actually do? It's so small in size; it can't be that it protects from viruses.

#13 skyfuser
  • Members
  • 470 posts
  • Location:California

Posted 23 April 2008 - 05:35 PM

No, they don't check the file. They're a virtual drive for virtual reality XD In other words, it's an isolated environment where you can do anything and not have it affect the rest of the computer, even if something goes wrong. That makes available a huge variety of interesting uses, most of which I immediately realized the possibilities of and strongly disapprove of. I'd give you the links, but I need to rush through my essay; I'll post them later :thumbsup:
There's nothing wrong with antipoisoner.exe itself; it's just an installation file. And don't think that small files are insignificant: most of the most critical system files (regedit, cmd.exe, etc.) are actually pretty small. I don't know exactly how the whole thing screws up your Internet if it's installed, so you'll have to delve into that on your own, sorry :\
Hw O.O Will edit later.

#14 Titus Pullo
  • Members
  • 1 posts

Posted 05 May 2008 - 03:25 PM

iceash.....are you located in Karachi? If yes, which part? Check your C Drive and see if there is a folder named CAP.

Laterz.
