
troj agent gen-cryptor [egun] found on networked computer


  • This topic is locked
13 replies to this topic

#1 rachit30

rachit30

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 18 June 2011 - 07:34 PM

I have network lag in the CAD program, and the same PC won't authenticate its Adobe software installation. I tested the Adobe serial numbers on other PCs and know for a fact they are good. I ran a SuperAntiSpyware scan that found troj agent gen-cryptor [egun] on this networked computer. I am not convinced it was removed and fear the trojan may have moved out on the network. I have had another PC getting the Google block page as if it was spamming, although it hasn't been blocked recently. Searches regarding the trojan led me to this site. I had tried to get help here before but never got any response to a different query I posted; I may have sent my request incorrectly. I hope to fare better this time. I followed the instructions on your prep page: enabled the firewall, disabled CD emulation. I have attached the GMER log, but dds.scr would not work correctly for me. The problem PC is a recently upgraded Windows 7 Professional PC on a small 20-node network: Server 2003 PDC and Server 2008 Std file server, Panda Antivirus for Exchange and Small Business. Any help would be greatly appreciated, as I am near wits' end trying to get this thing licked. Thank you

Attached File: dll scan 6-18-11.log (79.78KB)


#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 28 June 2011 - 10:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Best Regards,
oneof4.


#3 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 28 June 2011 - 04:41 PM

Thanks for your reply. dds.scr would not work as expected on the PC the first time, but I will try again with a new download.

Yes, I am still dealing with this incident. We have had other malware show up on a few other computers, and the traffic on my network is affecting server-based software. Logs on our firewall show some other PCs with no detections thus far are broadcasting. I have started working in the firewall, closing inbound and outbound traffic to international IP addresses. Wireshark showed Pakistan, Russia, Germany, Korea, Netherlands, UK, Australia, Bahamas, Brazil and Japan IP addresses. Apparently we are a regular lighthouse right now. I've run SuperAntiSpyware, Spybot S&D and Malwarebytes on the workstations along with regular Panda Antivirus scans. I ran Malwarebytes on the servers but am looking for something else to use for SBS 2003 and Server Std 2008, since Malwarebytes returned nothing on either. I know for a fact we've got bad traffic coming and going across UDP, TCP, SMTP and HTTP.

Please let me know if I should simply investigate the original infected PC and send reports on that one, or please suggest another approach.

To recap: I have found troj agent gen-cryptor [egun] on two PCs and also found win32.agent.aw3 on one of the same two. Several others on the network are broadcasting based on my firewall records, and the server has bad IP traffic over most protocols. I am dealing with this remotely and will continue to battle to keep things fairly under control until a submittal goes out this Friday, so I can (hopefully) get a hands-on team in the following weekend. Leaning towards a cloud-based tool at this time. Any direction or comments are greatly appreciated.

#4 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 29 June 2011 - 08:38 AM

"Please let me know if i should simply investigate the original infected pc and send reports on that one or please suggest another approach."


Let's stick with the "original infected pc" for now. Try the DDS & GMER scans, and let me know how it goes. :thumbup2:

Best Regards,
oneof4.


#5 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 30 June 2011 - 09:16 AM

Started late. Completed DDS, but GMER took all night and the user came in and had to work. I will run both again right after 5pm EST today and post tonight. Thanks so much.

#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 30 June 2011 - 09:34 AM

:thumbup2:

Best Regards,
oneof4.


#7 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 30 June 2011 - 11:56 AM

Also, forgot to ask... as I stated before, I support this network remotely, and I noticed the DDS instructions stated to disconnect from the internet. Is this absolute? If so I will find someone onsite to help with this part. Please just let me know. Thx! :thumbsup:

#8 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 30 June 2011 - 01:26 PM

How many PCs are on this network?

Best Regards,
oneof4.


#9 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 30 June 2011 - 01:54 PM

Probably about 26 nodes, including servers and occasional laptops.

#10 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:09:09 AM

Posted 30 June 2011 - 03:07 PM

Hi rachit30 :)

Is this a business/institution computer?
If it is, are you the domain administrator? If you are not, have you informed your domain administrator, (business manager, Systems Analyst, or Information Technology (IT) Specialist)?

I ask because I do NOT help remove malware from any of the Windows Server editions, like Windows 2003. I do not help in cleaning business or corporate or institution related computers for several reasons:
  • There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware.
  • Any infection could jump terminals in a computer network.
  • There may also be legal issues regarding any loss of business data that I do not wish to deal with.
  • Some people who come here use their computers for work, and the computers may contain the patient records of a physician or the financial records of an accountant's clients or credit card and bank account information of their employer's customers.
  • There may be tremendous risks and legal liability for such users for not fully securing the computer. We will not know this unless we ask. We do not want to be accidentally putting those we help in vulnerable positions for law suits.
  • Business factors outweigh technical factors in making the reformat and reinstall decision. Sometimes friends give missing CDs or lack of expertise as a reason for not doing a reformat and reinstall.
  • The cost of replacing missing Windows XP and MS Office CDs and getting a Microsoft Certified Systems Engineer to come in for 3 hours to do the reinstall and apply all the critical updates is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
  • In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor trojan which puts them in a particularly vulnerable situation and sending them to seek local professional help from a Microsoft Certified Systems Engineer or Certified Information Systems Security Professional or Global Information Assurance Certification Certified Security Expert or Certified Computing Professional or Internet Service Provider than we would be trying to fully resolve their problems long distance.

Best Regards,
oneof4.


#11 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 30 June 2011 - 04:32 PM

Wow, OK. I mentioned the systems and servers in my first post. This is for a small business that I am the IT manager for. So I assume you no longer want me to attach the logs? I am the only IT support/budget there is, really. I am trying to understand the magnitude of this infection and plan an approach. Would an unplugged node-by-node scan truly be effective? The traffic on the network is mad. I am concerned my backups etc. could all be infected now too. I just upgraded 90% of the PCs to W7, so if I had to go back and do it all again that would really stink. No one has been able to give me good advice on cleaning the servers. I apologize if I have wasted your time, but I am trying to get all the help I can. I guess you can remove my posts if you think I have endangered our network further by discussing info here.

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:09 PM

Posted 01 July 2011 - 01:48 AM

Hello rachit30,

Cleaning a network like this is very difficult, if not impossible, using a forum. Basically, what you would need to do is isolate all computers, clean them (but much more effective is to reformat/reinstall or reimage), make sure all removable devices used on any of these computers have been cleaned as well (one infected flash drive is enough to reinfect everything), clean the server computer, and only if you are sure all computers, shared storage and removable storage devices are clean can you reconnect everything.

I realize this is not what you hoped to hear, but unfortunately there is little else you can do. Network malware is very hard to clean otherwise (clean one computer, and another computer on the network will reinfect it as soon as it is connected).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#13 rachit30

rachit30
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 01 July 2011 - 02:43 AM

Yeah, been down this road before. I usually don't have a problem reimaging; it just stings because I have 3 out of 24 PCs left to complete the W7 upgrade I've been working on for the last month. And like I said before, I am remote right now, so a turn 'n' burn on all the systems would be an utter miracle. The part on a computer that fails most often is the user :wink: Thanks for your time.

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:09 PM

Posted 01 July 2011 - 04:56 AM

I'm sorry we haven't been able to be of more help. I hope you will find a solution and have everything up and running fine again soon. :)

This topic will now be closed.

regards, Elise
