
Trojan trying to dl new IE from fileave.com


9 replies to this topic

#1 christr

Posted 24 May 2009 - 11:48 AM

Hi all.

I've got the same darned problem as this thread: http://www.bleepingcomputer.com/forums/t/227790/trojan-horse-agent-rnj/
It's driving me nuts. AVG detects that an SVCHOST.EXE process is trying to contact: binuser.fileave.com/IC/zhvntnlgecngmdn.exe and it's blocking it from downloading the file. The problem is trying to find out what is actually causing the d/l. AVG does nothing to let you know how to fix the actual cause of the problem, but does prevent my machine from becoming further infected.

I took the drive out and scanned on another box with Malwarebytes, CureIT, SuperAntiSpyware and AVG (my normal running antivirus) and they find nothing.

When the drive is running on its own however every few minutes AVG pops up because one of the svchost.exe processes is trying to download that same link listed in the first message which is an IE replacement. AVG picks out the proper process ID and I can kill it but it still re-appears.

The process will always run, but one way to prevent it from actually being able to download is to turn off BITS (background Intelligent Transfer Service) which is normally used by Windows Update. But, that only stops the malware from downloading the crap IE... it still is running. If you kill it using task manager, it'll pop back in a few minutes later.

What's driving me absolutely bonkers is trying to find out what's loading it. Something in startup or in the registry has to be calling this thing, and it doesn't look like malware since none of the regular malware detection products seem to find it.

Any ideas where I can look? I've gone thru the startup folders, used msconfig to look thru any registry based startup items, but can't find it. I'd hate to have to rebuild the OS for something like this... but it's hidden pretty well.

Thanks,
--Chris

Edited by christr, 24 May 2009 - 11:50 AM.



#2 xblindx

Posted 24 May 2009 - 12:15 PM

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.


#3 christr (Topic Starter)

Posted 24 May 2009 - 12:20 PM

Running bitdefender now.

Some more info I've been able to dig up on this thing. When I kill off the process that AVG complains about, I lose my audio mixer control. (ie, volume control doesn't work). Event viewer also states that the WMI service, Themes and Time service were restarted at the time I killed off the offending PID. The Windows audio service also seems to crash and not come back. If I manually restart that I can get the volume control back.

So whatever svchost command is firing off to run all that stuff is the same one that's infested.... the trick of course is finding the damned thing. :thumbsup:

--Chris

#4 christr (Topic Starter)

Posted 24 May 2009 - 02:48 PM

And Bitdefender finds nothing. *sigh*.

I think I'll rebuild the machine at this point... then I'll build a VM and try to re-infect the VM and see what gets changed. At least that way I should be able to find out wtf it is and submit a report to the various malware folks...

--chris

#5 xblindx

Posted 24 May 2009 - 02:50 PM

If you need help reformatting, some helpful info is here
These links include step-by-step instructions with screenshots:

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or .html files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.
Also see How to keep your Windows XP activation after clean install.

Note: If your using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum. If you don't get a reply, please send me a PM and I will get someone to take a look.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

If using Windows Vista, please refer to:

#6 tilleydog

Posted 26 May 2009 - 11:22 PM

I had the same thing happen to me. Couldn't figure out how the popup kept coming up. Turns out it created a couple of Background Intelligent Transfer (BITS) jobs. I noticed in the event logs that it kept trying to use BITS for a job called jman. To get rid of it you need to run from a command window started as administrator:

bitsadmin /list /allusers /verbose

This will list all the jobs in verbose mode and you will see the one that is attempting to go to binuser.fileave.com/IC etc.

To delete you type in:

bitsadmin /cancel {A3A123B0-3859-4C74-90C5-B74DAD820BC5}

(whatever is in the brackets before jman. Using jman is supposed to work but did not for me)

It will then say job cancelled.

Haven't had an issue since.

Hope more people find this before they reformat their hard drive
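The BITS job clean-up tilleydog describes above, as an added example that is not from this thread: a Python script that parses the output of bitsadmin /list /allusers /verbose, flags any job whose remote URL is not on a trusted-host list, and prints the matching bitsadmin /cancel {GUID} command for you to review rather than cancelling anything itself. The sample listing embedded in it is constructed (it is not a real capture), the line layout it assumes (one "GUID: {...} DISPLAY: name" line per job, followed by "source -> destination" entries under JOB FILES, and a closing "Listed N job(s)." line) is my recollection of the bitsadmin verbose format rather than something the thread shows, so compare it against a real listing before relying on the parser, and the trusted-host list is only an illustration. An empty listing ("Listed 0 job(s).") simply yields no jobs.

```python
"""Triage BITS jobs from `bitsadmin /list /allusers /verbose` output (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample output, not a real capture. Layout assumed: each job
# begins with "GUID: {...} DISPLAY: <name>", its transfers follow a
# "JOB FILES:" line as "<remote URL> -> <local path>", and the listing ends
# with "Listed N job(s).".
SAMPLE_OUTPUT = """\
BITSADMIN version 2.0 [ 6.6.2600.2180 ]
BITS administration utility.
(C) Copyright 2000-2004 Microsoft Corp.

GUID: {A3A123B0-3859-4C74-90C5-B74DAD820BC5} DISPLAY: jman
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 0 / 1 BYTES: 0 / UNKNOWN
JOB FILES:
        0 / UNKNOWN WORKING http://binuser.fileave.com/IC/zhvntnlgecngmdn.exe -> C:\\WINDOWS\\Temp\\ie.exe
NOTIFICATION COMMAND LINE: none

GUID: {5F0E1C9A-0000-4111-8222-333344445555} DISPLAY: Windows Update
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: LOW FILES: 1 / 1 BYTES: 1024 / 1024
JOB FILES:
        1024 / 1024 WORKING http://download.windowsupdate.com/x/y.cab -> C:\\WINDOWS\\SoftwareDistribution\\Download\\y.cab
NOTIFICATION COMMAND LINE: none

Listed 2 job(s).
"""

# Illustrative allowlist (assumption): hosts a BITS job is expected to pull from.
TRUSTED_HOSTS = ("windowsupdate.com", "microsoft.com")

GUID_RE = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*(.*)$")
FILE_RE = re.compile(r"\s(\S+://\S+)\s+->\s+(\S.*)$")


def parse_bitsadmin_list(text):
    """Return a list of {'guid', 'name', 'files': [(remote_url, local_path), ...]}."""
    jobs = []
    current = None
    for line in text.splitlines():
        m = GUID_RE.match(line)
        if m:  # a new job record starts here
            current = {"guid": m.group(1), "name": m.group(2).strip(), "files": []}
            jobs.append(current)
            continue
        if current is None:  # header lines before the first job
            continue
        m = FILE_RE.search(line)
        if m:
            pair = (m.group(1), m.group(2).strip())
            if pair not in current["files"]:  # "ERROR FILE:" may repeat an entry
                current["files"].append(pair)
    return jobs


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted_hosts=TRUSTED_HOSTS):
    return any(host == h or host.endswith("." + h) for h in trusted_hosts)


def suspicious_jobs(jobs, trusted_hosts=TRUSTED_HOSTS):
    """Jobs with at least one remote file whose host is outside the allowlist."""
    flagged = []
    for job in jobs:
        hosts = {host_of(url) for url, _ in job["files"]}
        untrusted = sorted(h for h in hosts if not is_trusted(h, trusted_hosts))
        if untrusted:
            flagged.append((job["guid"], job["name"], untrusted))
    return flagged


def cancel_commands(flagged):
    """The command to cancel each flagged job by GUID, as tilleydog did by hand."""
    return ["bitsadmin /cancel %s" % guid for guid, _, _ in flagged]


if __name__ == "__main__":
    import subprocess
    import sys

    if "--live" in sys.argv:
        # Real run: needs an elevated prompt and bitsadmin.exe on PATH.
        text = subprocess.run(["bitsadmin", "/list", "/allusers", "/verbose"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE_OUTPUT
    jobs = parse_bitsadmin_list(text)
    if not jobs:
        print("No BITS jobs found in the listing.")
    flagged = suspicious_jobs(jobs)
    for guid, name, hosts in flagged:
        print("SUSPICIOUS job %r %s pulls from: %s" % (name, guid, ", ".join(hosts)))
    for cmd in cancel_commands(flagged):
        print("  review, then run: " + cmd)
```

Run it with no arguments to see it work on the constructed sample; with --live it runs bitsadmin on the current machine instead. Keeping the cancel step as a printed command rather than executing it means a legitimate job (say, a pending Windows Update download) is never removed without someone looking at the remote URL first.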

#7 raptor_uk1

Posted 27 May 2009 - 05:48 PM

> I had the same thing happen to me. Couldn't figure out how the popup kept coming up. Turns out it created a couple of Background Intelligent Transfer (BITS) jobs. I noticed in the event logs that it kept trying to use BITS for a job called jman. To get rid of it you need to run from a command window started as administrator bitsadmin /list /allusers /verbose
>
> This will list all the jobs in verbose mode and you will see the one that is attempting to go to binuser.fileave.com/IC etc
>
> to delete you type in bitsadmin /cancel {A3A123B0-3859-4C74-90C5-B74DAD820BC5} (whatever is in the brackets before jman. Using jman is supposed to work but did not for me)
>
> It will then say job cancelled.
>
> Haven't had an issue since.
>
> Hope more people find this before they reformat their hard drive




fantastic post m8
just a pity I can't get it to work
excuse my pc ignorance but do I need to log in to an admin account even though I am admin and the only user? on my xp machine
as this popup is doing my head in
any help would be appreciated

#8 tilleydog

Posted 27 May 2009 - 10:30 PM

When you say it doesn't work, is it because you can't find bitsadmin when you run in cmd window?
I checked my other XP machines and it appears that the BITS service is running on my boxes but the bitsadmin executable isn't available unless you install it yourself or download it from Microsoft. There is a link in here that lets you download it. http://msdn.microsoft.com/en-us/library/aa362813(VS.85).aspx

#9 raptor_uk1

Posted 29 May 2009 - 06:00 AM

> When you say it doesn't work, is it because you can't find bitsadmin when you run in cmd window?
> I checked my other XP machines and it appears that the BITS service runs is running on my boxes but the bitsadmin executable isn't available unless you install it yourself or download it from microsoft. There is a link in here that lets you download it. http://msdn.microsoft.com/en-us/library/aa362813(VS.85).aspx




cool many thanks for your assistance tilleydog
I've now installed this and ran the command bitsadmin /list /allusers /verbose

mine now shows up as No Jobs??



Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ricky>bitsadmin /list /allusers /verbose

BITSADMIN version 2.0 [ 6.6.2600.2180 ]
BITS administration utility.
© Copyright 2000-2004 Microsoft Corp.

Listed 0 job(s).

C:\Documents and Settings\ricky>


I'm presuming this issue had now been resolved by using some other removal tools that I used

ie: SD fix and combofix
i have not had the pop up box since
but i have also changed my antivirus etc to nod32
after dumping AVG

so I hope that problem is no longer :thumbsup:

many thanks

#10 Lost1

Posted 31 July 2009 - 12:26 AM

tilleydog,

Thank you so much for posting.
This trojan downloader has been driving me nuts for days.
There is no way I wanted to format this hard drive.
I followed your advice and found 3 jman jobs that were trying to get to one of those fileave.com sites.
I canceled each of the GUIDs and haven't seen this jman thing try to get through my firewall since.
I still wish I knew where this trouble came from but at least it now seems to be fixed.

Thank you.



