Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Win32/iroffer Trojan


  • Please log in to reply
9 replies to this topic

#1 Jack Frost

Jack Frost

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 24 April 2008 - 02:07 PM

So I'm really not sure how this occurred, but I have these two trojans that ESET doesn't seem inclined to delete or quarantine:

Win32/iroffer trojan
FakeAlert.BP trojan

Apparently, according to Time-Warner (my ISP) I am sending out 'porn spam', but I can't seem to get them to tell me anything more (they are extremely unhelpful). They keep quarantining my modem and have told me that I will have to reformat my computer if the problem persists. The best fun was when I've tried to fix it, the morning guy will un-quarantine my modem, and then when the afternoon guy comes in he locks it back up again before I get home so I have had little chance to actually take care of the problem.

I am currently quarantined (and I don't know if TW will release it again), so I'll have to be able to download any applications suggested on another computer and then move them onto mine.

I can't give any actual info about what's going on with either of these trojans as ESET is the only thing that even sees them, but as I said, it won't do anything about them.

Can anyone help me, please?

Thanks in advance...

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:53 AM

Posted 24 April 2008 - 02:48 PM

What OS (Win 2K, XPsp1, XPsp2, Vista) are you using? Have you tried doing your scans in "Safe Mode"?

If not, try that first. Then if you're using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Jack Frost

Jack Frost
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 24 April 2008 - 06:10 PM

Whoops!

Yeah, I guess I should've mentioned I wa using XP instead of taking that for granted.. sorry 'bout that.

thanks for the info, I will definitely follow the guide and let you know what happened...

Cheers!

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:53 AM

Posted 25 April 2008 - 06:30 AM

Ok. Don't forget to include the Report.txt results.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 Jack Frost

Jack Frost
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 26 April 2008 - 01:25 AM

Okay, so I ran ESET in safe mode, but I still wasn't satisfied with the results, so I ran SDFix as well.

SDFix apparently found a numer of things - hopefully, the trojan that keeps making TW quarantine me has been removed, but I'm not sure...

As requested, here is the SDFix report file:


SDFix: Version 1.174
Run by Jack on Fri 04/25/2008 at 10:27 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
Microsoft Loading Service
msupdate

Path :
"C:\WINDOWS\msdates.exe"
c:\windows\system32\msvcrtd.exe

Microsoft Loading Service - Deleted
msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected - Deleted
C:\Documents and Settings\Jefe\Start Menu\Programs\Startup\.protected - Deleted
C:\WINDOWS\.protected - Deleted
C:\WINDOWS\system32\drivers\etc\.protected - Deleted
C:\Program Files\CPV\CPV7.dll - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\nvcoi\nvcoi.exe.lzma - Deleted
C:\Program Files\.autoreg - Deleted
C:\Documents and Settings\Jefe\Application Data\addon.dat - Deleted
C:\WINDOWS\764.exe - Deleted
C:\WINDOWS\absolute key logger.lnk - Deleted
C:\WINDOWS\aconti.exe - Deleted
C:\WINDOWS\aconti.ini - Deleted
C:\WINDOWS\aconti.log - Deleted
C:\WINDOWS\aconti.sdb - Deleted
C:\WINDOWS\acontidialer.txt - Deleted
C:\WINDOWS\adbar.dll - Deleted
C:\WINDOWS\cbinst$.exe - Deleted
C:\WINDOWS\daxtime.dll - Deleted
C:\WINDOWS\dp0.dll - Deleted
C:\WINDOWS\eventlowg.dll - Deleted
C:\WINDOWS\flt.dll - Deleted
C:\WINDOWS\hotporn.exe - Deleted
C:\WINDOWS\ie_32.exe - Deleted
C:\WINDOWS\iexplorr23.dll - Deleted
C:\WINDOWS\jd2002.dll - Deleted
C:\WINDOWS\kkcomp$.exe - Deleted
C:\WINDOWS\kvnab$.exe - Deleted
C:\WINDOWS\liqad$.exe - Deleted
C:\WINDOWS\ngd.dll - Deleted
C:\WINDOWS\pbar.dll - Deleted
C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system32\comsa32.sys - Deleted
C:\WINDOWS\vxddsk.exe - Deleted
C:\WINDOWS\wbeInst$.exe - Deleted
C:\WINDOWS\wml.exe - Deleted
C:\WINDOWS\xxxvideo.exe - Deleted



Folder C:\Program Files\3721 - Removed
Folder C:\Program Files\Accoona - Removed
Folder C:\Program Files\akl - Removed
Folder C:\Program Files\amsys - Removed
Folder C:\Program Files\CPV - Removed
Folder C:\Program Files\e-zshopper - Removed
Folder C:\Program Files\nvcoi - Removed
Folder C:\Program Files\p2pnetworks - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\WINDOWS\system32\acespy - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,

http://www.gmer.net
Rootkit scan 2008-04-25 22:46:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000155

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallp

olicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.

dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program

Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program

Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallp

olicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.

dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 29 Feb 2008 1,111,368 ...H. --- "C:\Program Files\Ancient Wonderland\Ancient

Wonderland.exe"
Fri 14 Mar 2008 3,237,192 ...H. --- "C:\Program Files\DragonStone\DragonStone.exe"
Fri 28 Mar 2008 30,504 ..SH. --- "C:\WINDOWS\system32\ljtdhmda.dllbox"
Mon 11 Feb 2008 1,220,942 ..SH. --- "C:\WINDOWS\system32\ubbhgbun.tmp"
Sat 17 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All

Users\DRM\Cache\Indiv01.tmp"
Mon 3 Oct 2005 2,668 A..H. --- "C:\Program Files\Adobe\Adobe Photoshop

CS2\Plug-Ins\KPT Gel\MetaImage.dll"
Mon 3 Oct 2005 2,668 A..H. --- "C:\Program Files\Adobe\Adobe Photoshop

CS2\Plug-Ins\KPT6\MetaImage.dll"

Finished!

Again, thanks in advance for all of your help. :thumbsup:

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:53 AM

Posted 26 April 2008 - 07:04 AM

Please download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug you Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection. (Re-enable when done)
  • After starting the scan, DO NOT not use the computer until the scan has completed.
When done also let me know how your computer is running and if there are any more reports/signs of infection?

IMPORTANT NOTE: One or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?"
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 Jack Frost

Jack Frost
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 27 April 2008 - 01:27 PM

Well, I anti the anti-rootkit software and it didn't find anything, so that's good. The computer seems fine so far, and hopefully I eliminated whatever was making TW quarantine my modem.

Thanks for the advice about reformatting, which I will probably have to do. :flowers:

And again, thanks for your help. :thumbsup:

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:53 AM

Posted 27 April 2008 - 04:35 PM

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Jack Frost

Jack Frost
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 28 April 2008 - 03:11 AM

Already ahead of you on the restore points... :thumbsup:

Thanks for the additional info, too.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,613 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:53 AM

Posted 28 April 2008 - 06:36 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users