Infostealer.lineage


3 replies to this topic

#1 calibas

  • Members
  • 6 posts

Posted 14 June 2008 - 12:39 AM

Hi, I'm new to this forum.
Anyways, I get a trojan called infostealer.lineage that keeps coming back after I reboot my comp.
When the trojan is found, it's called back.exe. Can someone please help me stop this thing from coming back?

I have done full system scans with Norton and Adaware but found nothing.


#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,140 posts
  • Location:Virginia, USA

Posted 14 June 2008 - 09:09 AM

Where is it located (full file path) on your system?

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 calibas (Topic Starter)

  • Members
  • 6 posts

Posted 14 June 2008 - 12:28 PM

Well, the trojan was found in C:\Documents and Settings\All Users\Application Data.
back.exe was deleted by Norton, but I had another suspicious file called setup.exe in the same location.
I used VirusTotal on setup.exe and had these results:

Antivirus          Version         Last Update  Result
AhnLab-V3          2008.6.13.1     2008.06.13   -
AntiVir            7.8.0.55        2008.06.14   TR/ATRAPS.Gen
Authentium         5.1.0.4         2008.06.14   -
Avast              4.8.1195.0      2008.06.14   Win32:OnLineGames-BTI
AVG                7.5.0.516       2008.06.13   Generic10.AIME
BitDefender        7.2             2008.06.14   -
CAT-QuickHeal      9.50            2008.06.14   (Suspicious) - DNAScan
ClamAV             0.92.1          2008.06.14   -
DrWeb              4.44.0.09170    2008.06.14   -
eSafe              7.0.15.0        2008.06.12   Suspicious File
eTrust-Vet         31.6.5873       2008.06.14   -
Ewido              4.0             2008.06.14   -
F-Prot             4.4.4.56        2008.06.12   -
F-Secure           6.70.13260.0    2008.06.13   Suspicious:W32/Malware!Gemini
Fortinet           3.14.0.0        2008.06.14   -
GData              2.0.7306.1023   2008.06.14   Win32:OnLineGames-BTI
Ikarus             T3.1.1.26.0     2008.06.14   Trojan-Downloader.Win32.Delf.zd
Kaspersky          7.0.0.125       2008.06.14   Trojan-PSW.Win32.OnLineGames.amqa
McAfee             5317            2008.06.13   PWS-Lineage.dll
Microsoft          1.3604          2008.06.14   PWS:Win32/Kotwir.A.dll
NOD32v2            3186            2008.06.13   a variant of Win32/PSW.OnLineGames.NWL
Norman             5.80.02         2008.06.13   -
Panda              9.0.0.4         2008.06.14   Suspicious file
Prevx1             V2              2008.06.14   Fraudulent Security Program
Rising             20.48.52.00     2008.06.14   -
Sophos             4.30.0          2008.06.14   Mal/GamePSW-C
Sunbelt            3.0.1145.1      2008.06.05   -
Symantec           10              2008.06.14   -
TheHacker          6.2.92.350      2008.06.14   -
VBA32              3.12.6.7        2008.06.14   suspected of Embedded.Trojan-PSW.Win32.OnLineGames.amqa
VirusBuster        4.3.26:9        2008.06.12   -
Webwasher-Gateway  6.6.2           2008.06.14   Trojan.ATRAPS.Gen

Additional information
File size: 33280 bytes
MD5...: 350da0b6a77efba16bc5c458d6a1c372
SHA1..: a31e39c1c615e6bd3ac2b5d5f80b11f582efaa57
SHA256: f7f5097b3ce3bd001afa0d938eb011a8e0d555adf62d890464437616448d0c55
SHA512: dd639248fa1ddcf00a7d0e19a367713cf920dabfaf4aa1df348620b1c5ec25f358da303689337002eecdf7f79e2bfd0fae6ed0defa552bf1ee3cfdd2b947a103
PEiD..: PECompact 2.xx --> BitSum Technologies
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404090
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 2 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
CODE   0x1000   0x17000  0x6e00   7.99   d5c6e9869ee2ee03fc92d48a427d37d2
.rsrc  0x18000  0x1000   0x1000   7.03   62f820c3818942ac2a2a2a28118881d1

( 1 imports )
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp...E6684008F09012B
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact
packers (Avast): PECompact

Edited by calibas, 14 June 2008 - 12:29 PM.
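Editor's note, not part of the thread: reply #2 asks for the multi-engine scan output and reply #3 pastes it, so here is an added Python example (written for this page, not code from BleepingComputer, VirusTotal or any of the posters) that reads a pasted report of that shape and pulls out the three things worth acting on: the detection ratio, which engines agree on a family (here the OnLineGames/Lineage/GamePSW password-stealer labels, plus the generic PSW/PWS prefixes), and the static signs that the file is packed so that scanners see the PECompact stub rather than the real payload. The sample input is the report from reply #3 copied verbatim; the entropy and size thresholds, the keyword list and the "loader-only import table" rule are this example's own heuristics, not VirusTotal's. One more fact worth knowing when reading that report: the 1992 link timestamp 0x2a425e19 is the fixed value Delphi's linker writes, which fits the Ikarus "Delf" label.

```python
import re
from dataclasses import dataclass, field

# Sample input (copied from reply #3 above): the 32 scanner rows plus the PEiD, section and import lines.
REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.14 TR/ATRAPS.Gen
Authentium 5.1.0.4 2008.06.14 -
Avast 4.8.1195.0 2008.06.14 Win32:OnLineGames-BTI
AVG 7.5.0.516 2008.06.13 Generic10.AIME
BitDefender 7.2 2008.06.14 -
CAT-QuickHeal 9.50 2008.06.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.14 -
DrWeb 4.44.0.09170 2008.06.14 -
eSafe 7.0.15.0 2008.06.12 Suspicious File
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.14 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.13 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.06.14 -
GData 2.0.7306.1023 2008.06.14 Win32:OnLineGames-BTI
Ikarus T3.1.1.26.0 2008.06.14 Trojan-Downloader.Win32.Delf.zd
Kaspersky 7.0.0.125 2008.06.14 Trojan-PSW.Win32.OnLineGames.amqa
McAfee 5317 2008.06.13 PWS-Lineage.dll
Microsoft 1.3604 2008.06.14 PWS:Win32/Kotwir.A.dll
NOD32v2 3186 2008.06.13 a variant of Win32/PSW.OnLineGames.NWL
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.14 Suspicious file
Prevx1 V2 2008.06.14 Fraudulent Security Program
Rising 20.48.52.00 2008.06.14 -
Sophos 4.30.0 2008.06.14 Mal/GamePSW-C
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.14 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 suspected of Embedded.Trojan-PSW.Win32.OnLineGames.amqa
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.14 Trojan.ATRAPS.Gen
PEiD..: PECompact 2.xx --> BitSum Technologies
CODE 0x1000 0x17000 0x6e00 7.99 d5c6e9869ee2ee03fc92d48a427d37d2
.rsrc 0x18000 0x1000 0x1000 7.03 62f820c3818942ac2a2a2a28118881d1
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
"""

ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")
SECTION_RE = re.compile(r"^(?P<name>\S+)\s+0x[0-9a-f]+\s+0x(?P<vsize>[0-9a-f]+)\s+0x(?P<rawsize>[0-9a-f]+)\s+(?P<entropy>\d+\.\d+)\s+[0-9a-f]{32}$")
IMPORT_RE = re.compile(r"^>\s*(?P<dll>\S+):\s*(?P<funcs>.+)$")

# Vendor label fragments that, in this report, all point at a game-account password stealer (editor's list).
FAMILY_HINTS = ("onlinegames", "lineage", "gamepsw", "psw", "pws")
# A packer stub typically imports only what it needs to rebuild the real import table at run time.
LOADER_API = {"loadlibrarya", "getprocaddress", "virtualalloc", "virtualfree"}

@dataclass
class Report:
    detections: dict = field(default_factory=dict)   # engine -> result ("-" means clean)
    sections: list = field(default_factory=list)     # (name, virtual_size, raw_size, entropy)
    imports: dict = field(default_factory=dict)      # dll -> [function, ...]
    packer: str = ""                                 # PEiD signature, if any

def parse_report(text: str) -> Report:
    r = Report()
    for line in text.splitlines():
        line = line.strip()
        if m := ROW_RE.match(line):
            r.detections[m["engine"]] = m["result"].strip()
        elif m := SECTION_RE.match(line):
            r.sections.append((m["name"], int(m["vsize"], 16), int(m["rawsize"], 16), float(m["entropy"])))
        elif m := IMPORT_RE.match(line):
            r.imports[m["dll"].lower()] = [f.strip() for f in m["funcs"].split(",")]
        elif line.startswith("PEiD"):
            r.packer = line.split(":", 1)[1].strip()
    return r

def detection_summary(r: Report) -> dict:
    """Detection ratio plus the engines whose label names a game-credential stealer."""
    hits = {e: v for e, v in r.detections.items() if v != "-"}
    family = sorted(e for e, v in hits.items() if any(h in v.lower() for h in FAMILY_HINTS))
    return {"engines": len(r.detections), "hits": len(hits), "game_psw_engines": family}

def packer_indicators(r: Report) -> list:
    """Static signs that the file is packed and the scanned bytes are not the real payload."""
    flags = []
    if r.packer:
        flags.append(f"PEiD signature: {r.packer}")
    for name, vsize, rawsize, entropy in r.sections:
        if entropy >= 7.0:                   # ~8.0 means compressed/encrypted bytes, not plain x86 code
            flags.append(f"{name}: entropy {entropy}")
        if rawsize and vsize > 2 * rawsize:  # far more memory reserved than bytes on disk: unpacks in place
            flags.append(f"{name}: virtual 0x{vsize:x} vs raw 0x{rawsize:x}")
    funcs = {f.lower() for fs in r.imports.values() for f in fs}
    if funcs and funcs <= LOADER_API:
        flags.append("loader-only import table: real imports are resolved at run time")
    return flags

if __name__ == "__main__":
    rep = parse_report(REPORT)
    print(detection_summary(rep))
    print("\n".join(packer_indicators(rep)))
```

On the posted report this gives 17 of 32 engines detecting, eight of them agreeing on a password-stealer family, and five packing indicators. The practical reading is the one the moderator's next reply implies: a "-" from Norton or any single engine on a packed sample says little, the family consensus is what to trust, and the dropped file is only the stub, so removing it without finding what re-creates it at boot will not end the reinfection.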


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,140 posts
  • Location:Virginia, USA

Posted 14 June 2008 - 03:00 PM

If you're using Windows 2000/XP, please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
