trojan infection



#1 luckysh0t

Posted 19 December 2009 - 06:37 AM

A couple of days back Google Chrome - my default web browser - inexplicably stopped requesting webpages. No traffic coming from the app at all, which was working fine up to this point. I removed it and installed again but no difference.

Ran AVG free 8.5 which picked up a trojan virus in System Volume Information. Couldn't remove it.

Tried System Restore back to a point prior to when the Chrome browser stopped working. System Restore doesn't work.

After this failed restore I ran AVG again and this time it didn't pick up any trojans or any virus at all.

Sygate Personal Firewall now picks up IExplorer trying to connect to 'gusmon.net' -> IP address 222.170.127.100, which is a Chinese address. IE was apparently requested to do this by wmiprvse.exe, so I'd say the Trojan has infected my system files.

Yesterday it was trying to connect to 'tolule.net'.

Spybot S&D doesn't detect anything either.

Any clues for resolution?

#2 luckysh0t

Posted 19 December 2009 - 11:03 AM

Blocked traffic with Chinese IP addresses & now discovered the Trojan seems to be disguising its traffic as arbitrary applications, e.g. HijackThis, Firefox, Java, etc.

Also using the URL somemon.net.

#3 MATTSPCHELP

Posted 19 December 2009 - 11:32 AM

First things first: turn off System Restore.
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
   "You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer. Do you want to turn off System Restore?"
6. After a few moments, the System Properties dialog box closes.

Perform a full scan with AVG and also perform a malware scan with Malwarebytes (you will need to install this application).
Microsoft Certified Desktop Support Technician

#4 luckysh0t

Posted 20 December 2009 - 08:43 AM

Thanks Matt - AVG still didn't report anything but MBAM did.

BTW, MBAM couldn't update its virus DB: when I tried to connect, the trojan hijacked it and Sygate reported that MBAM was trying to connect to tolule.net again. I can't tell whether this is the trojan actually hijacking the connection and attempting to connect to that malicious URL, or whether it's just trying to fool the firewall into thinking MBAM is trying to connect to a banned URL, to stop it from getting the latest updates. Anyway, here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/12/2009 13:35:03
mbam-log-2009-12-20 (13-34-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182046
Time elapsed: 58 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\generic host process for winxp services (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\generic host process for winxp services (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\sysproc64 (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\a.exe (Trojan.Agent) -> No action taken.
C:\WinRAR\winrar.v3.80.final-patch.exe (Malware.Packer) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\NetworkService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> No action taken.
C:\Documents and Settings\LUCKY\Application Data\Macromedia\Common\cc9fe0241.dll (Hijack.Sound) -> No action taken.
C:\WINDOWS\system32\descript.lnk (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\sqla.dll (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\LUCKY\Application Data\Macromedia\Common\cc9fe02419.exe (Trojan.Dropper) -> No action taken.
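Added example, not part of any post in this thread: a small Python triage script that parses the Malwarebytes log above and groups the detections by persistence mechanism. It assumes only the line format MBAM 1.42 uses in this log (`item (Category) -> No action taken.` and, for data items, `-> Bad: (...) Good: (...) ->`). The sample input is constructed by copying lines verbatim from the log; the function and field names are the example's own. What it makes visible that the flat log does not: the Winlogon Userinit value has a second executable appended after the legitimate userinit.exe (so it runs at every logon), and all eight Drivers32 audio aliases have been pointed at one DLL under the user's profile instead of the system driver.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input, constructed for this example by copying lines verbatim from the
# Malwarebytes 1.42 log posted in this thread.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\generic host process for winxp services (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\generic host process for winxp services (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\LUCKY~1\APPLIC~1\MACROM~1\Common\cc9fe0241.dll) Good: (wdmaud.drv) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,) Good: (Userinit.exe) -> No action taken.
"""

# Section headers look like "Registry Values Infected:" (no trailing count).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# Detection lines; the Bad:/Good: pair is present only for registry data items.
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<category>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> )?"
    r"No action taken\.$"
)

@dataclass
class Finding:
    section: str
    item: str                   # registry path, folder or file
    category: str               # MBAM detection name, e.g. Hijack.Userinit
    bad: Optional[str] = None   # current (tampered) value, data items only
    good: Optional[str] = None  # value MBAM would restore

def parse_mbam_log(text: str) -> List[Finding]:
    """Turn the 'Xxx Infected:' sections of an MBAM log into Finding records."""
    findings, section = [], "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("item"), m.group("category"),
                                    m.group("bad"), m.group("good")))
    return findings

def userinit_extra_entries(value: str) -> List[str]:
    """Executables appended to the Winlogon Userinit value. The legitimate value is
    a single 'userinit.exe,' entry; anything else runs at every interactive logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

def in_user_profile(path: str) -> bool:
    """True if a module path points into a user profile rather than a system directory."""
    p = path.lower()
    return any(s in p for s in ("\\docume~1\\", "\\documents and settings\\", "\\users\\"))

def triage(findings: List[Finding]) -> Dict[str, object]:
    """Group findings by persistence mechanism so a responder sees the shape of the
    infection rather than a flat list of detections."""
    autoruns, winlogon_extras, drivers32 = [], [], {}
    for f in findings:
        low = f.item.lower()
        if "\\currentversion\\run" in low:          # Run and RunServices values
            autoruns.append(f.item.rsplit("\\", 1)[-1])
        elif low.endswith("\\winlogon\\userinit") and f.bad:
            winlogon_extras += userinit_extra_entries(f.bad)
        elif "\\drivers32\\" in low and f.bad and f.good and f.bad.lower() != f.good.lower():
            drivers32[f.item.rsplit("\\", 1)[-1]] = f.bad   # alias -> module it now loads
    return {
        "autoruns": autoruns,
        "winlogon_extras": winlogon_extras,
        "drivers32": drivers32,
        "user_profile_modules": sorted({p for p in drivers32.values() if in_user_profile(p)}),
    }

if __name__ == "__main__":
    for key, val in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {val}")
```

Run as-is it prints four groups; the two worth a responder's attention are `winlogon_extras` (the oembios.exe entry the log shows appended to Userinit) and `user_profile_modules` (the single DLL under the user's profile that all eight Drivers32 aliases resolve to). Feeding it a different MBAM log of the same vintage just needs `SAMPLE_LOG` swapped for the file contents.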



#5 MATTSPCHELP

Posted 20 December 2009 - 11:52 AM

Have you managed to remove the quoted infections? Also, I suggest you download and install Avast. During the install you'll be asked if you wish to do an on-boot scan; allow it to do this and restart. Avast will then scan your machine before Windows starts up properly. Let me know if it manages to find anything and remove it.
Microsoft Certified Desktop Support Technician

#6 luckysh0t

Posted 20 December 2009 - 09:01 PM

update:

A combination of manual deletion and MBAM did the trick, cheers. Even Chrome is working again now.

Wrote a wee report about it. Installing itself in the System Restore area and disabling the default browser is quite a trick to pull...

#7 MATTSPCHELP

Posted 20 December 2009 - 09:05 PM

Thanks for the mention :D
Microsoft Certified Desktop Support Technician



