Topic: Can't get rid of Trojan horse(s) - any suggestions?
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 23 Apr 2007 3:31 am
Okay, so a few days ago my PC got a Trojan horse infection (please don't ask....) and "stuff" keeps popping up, not very often, but often enough to present a real annoyance.
The Trojans in question are named Generic3.UUB and Collected.11.B, plus an Adware Generic2.DO. The dll names of these files change every time AVG finds them.
I have searched all over the Internet and run every program I've come across (including VundoFix, which was supposed to remove this specific threat), tried to track them down and remove them manually, and my last attempt was to follow the instructions in this post at the AVG forum:
* turned off system restore
* ran a disk cleanup
* installed, updated and ran CW Shredder
* installed, updated and ran SpyBot - Search And Destroy
* installed, updated and ran Ad-Aware
* updated and ran AVG 7.5 Internet Security (my default firewall and virus program)
Hoping this had taken care of the problem I rebooted the PC and reactivated system restore.
5 minutes later - kaboooom!! - annoying ads pop up (they pop up in IE7 even though I have Firefox set as my default browser), and AVG catches the Trojan files and places them in the virus vault for the umpteenth time...
What to do now? Is reformatting the only way to get rid of this %&&%%"¤"?
Steinar
_________________
"Play to express, not to impress"
Website - YouTube
Wiz Feinberg
From: Mid-Michigan, USA
Posted 23 Apr 2007 8:58 am
Download and install/update AVG Anti-Rootkit and AVG Anti-Spyware, formerly Ewido. Both are available for free at http://free.grisoft.com. Run these programs after disabling System Restore, then reboot into Safe Mode and run them again, along with AVG Anti-Virus.
Be sure that AVG anti-virus is fully updated.
Empty all temporary files, everywhere on the hard drive, including the Recycle Bin. A lot of threats hide in those various temp locations.
Run SFC /SCANNOW after all the above are completed. You must have your Windows XP CD in the CD tray when you run this utility. Allow it to replace changed files. Afterward go to Windows Update and download all available updates, in case SFC replaced an updated file.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 23 Apr 2007 10:04 am
Thanks Wiz, I'll go through the procedures later tonight. Just one question: what's SFC /SCANNOW?
Steinar
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 23 Apr 2007 10:18 am
Subject: UnhackMe
Click on the link below.
UnHackMe
Their complete security suite is pretty good.
The demo is fully functional.
Not free but worth the investment in my opinion.
Worked for me.
_________________
Joe in LA
"How far you go in life depends on your being tender with the young, compassionate with the aged, sympathetic with the striving, and tolerant of the weak & the strong; because, someday in life you will have been all of these".
Wiz Feinberg
From: Mid-Michigan, USA
Posted 23 Apr 2007 12:50 pm
Steinar Gregertsen wrote:
    Thanks Wiz, I'll go through the procedures later tonight. Just one question: what's SFC /SCANNOW?
    Steinar
Steinar;
SFC is an abbreviation for System File Checker. This command line utility from Microsoft verifies that critical operating system files have not been tampered with or corrupted, and replaces them with known good backups if they are. However, in the process of replacing files it is possible that the replacement will be older than the current version, if the current version is a patch file or hotfix. That's why I recommended running Windows Updates after SFC has completed.
If all the previously mentioned tools fail to remove your adware problems you may have to go to a HijackThis forum for help from a trained professional. This is usually the last resort before Format C, because the process gets very involved and is time consuming. Often, if a person doesn't have a lot of data files that aren't already backed up externally, the fastest repair is a format, reinstall, re-update. Of course, if you have image backups that are made daily, or weekly, you can be back up and running within a half hour, with a minimum of updating to get back to current status.
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 23 Apr 2007 4:25 pm
I've gone through the full procedure now and it seems to have killed the horses. Anti-Rootkit didn't find anything and all Anti-Spyware found was 20 tracking cookies. The only problem I ran into was that Anti-Rootkit wouldn't run in Safe Mode after the first run and reboot.
It's been about half an hour without any pop-ups yet, so everything seems fine (I usually got a rush of pop-ups when logging on after a reboot), but I don't feel entirely safe yet; they'll probably start popping up again as soon as I hit the "submit" button....
Thanks a lot for your assistance, much appreciated!
Steinar
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 3:26 am
They're back...........
I knew it was too good to be true when Anti-Rootkit failed to find anything and all Anti-Spyware found was a bunch of "medium risk" tracking cookies...
I will download the UnHackMe software that Joe suggested, and if that doesn't help either I guess there is only one option left...
Steinar
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 4:26 am
UnHackMe didn't find anything, but I'll go through the procedures mentioned in the post at AVG's forum one more time (see my first post). I realized that I forgot to reboot into Safe Mode and rerun the programs. That should take at least 7-8 hours all in all; it'll be a long night...
I don't have a recent image of this PC, but I'll just burn the most important personal stuff from "My Documents" plus my email address list, bookmarks and calendar to CDs, and reinstall all programs if I have to reformat. Hopefully none of my personal stuff is infected...
Steinar
Last edited by Steinar Gregertsen on 24 Apr 2007 4:30 am; edited 1 time in total
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 4:51 am
Subject: Messaging
Do the messages start with your email on or off?
It's kind of an old exploit and probably not your problem. But make sure Messaging is turned off.
It is a Service.
Control Panel > Admin Tools > Component Services > Services > Messenger
Double click and disable if not already.
Are you running any Instant Messaging programs?
Steinar, download the whole suite from the UnHackMe site and run the security tools. They will fully function in the demo version.
It's worth a try before you reformat/reinstall.
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 5:34 am
Thanks Joe - I don't run any messaging programs; I don't want them, so I deactivated them long ago. The pop-ups usually start when I open Firefox, but they open in IE. It doesn't seem to have anything to do with my email program (Thunderbird).
I'll give the full UnHackMe suite a run if the advice from the AVG forum doesn't help. That'll probably keep me busy until 3-4 this morning, since I can't start until I'm finished teaching for the evening. If it gets me nowhere I'll run the UnHackMe suite tomorrow.
This stuff was hidden in a .rar file that included a key generator for a CD burning program. I stopped running cracked programs several years ago, but for some reason I went and got the keygen when this demo expired.
So I brought this on myself and guess I got what I deserved for being cheap - point taken and lesson learned...
Steinar
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 6:06 am
Subject: Messaging
I hope that I didn't confuse you concerning the Windows Messenger Service and instant messaging programs.
Not the same. So if the malicious code is exploiting the Messenger Service, turning off the IM programs will not help.
Also, I missed some critical info you supplied in your original post that reminded me of something that I need to check. What you have described, I believe, is some sort of polymorphic device that was embedded in the .rar file, which is used to fly under normal AV scans of compressed files. They are usually well crafted, which makes them so nasty. Not your normal kiddie scriptors, probably.
But like Dracula, you must invite him in.
Confession is good for the soul.
Your penance: Treat us with one of your outstanding performances!
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 6:18 am
One of several things that happened when I opened the rar file was that the black DOS (?) window opened for a few seconds and some stuff was written at a frenetic tempo, as if it went straight for the heart of my system. Does that give you any clue?
Quote:
    Your penance: Treat us with one of your outstanding performances!
I've never written an angry punk tune before, but this may be the excuse I need to do one.....
Steinar
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 6:44 am
Subject: DOS box and .rar decompressing
It was probably just a call to the DOS box to echo the decompression of the files. Was there an installation wizard launched after the decompression?
I guess you could say that would be a constructive, creative use of computer-generated frustration. I personally prefer something a little more soul soothing, a la Jimmy Day.
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 6:50 am
Subject: Re: DOS box and .rar decompressing
Joe Harwell wrote:
    Was there an installation wizard launched after the decompression?
I don't remember; there was so much happening. But I did my best to shut down everything that popped up as fast as I could. You could say I was struck by more than a touch of panic.....
It's been 'quiet' here for several hours now; the pop-ups and warnings I've seen today all came when I turned on my PC and launched Firefox.
Steinar
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 8:22 am
While you're cleaning house, I'd run a SmitFraud fix, too. Link below.
SmitfraudFix
Wiz Feinberg
From: Mid-Michigan, USA
Posted 24 Apr 2007 8:30 am
Steinar;
Are you protected by a hardware router/firewall? If not, what software firewall is protecting your computer from unsolicited incoming transmissions?
If you need a software firewall, ZoneAlarm from Checkpoint is excellent and comes in either free or paid versions.
The reason I mentioned this has to do with what Joe told you, concerning the "Messenger Service." This is not the same thing as Windows (Live) Messenger, or MSN Messenger, or any IM program. This is a popup notice service that is capable of reacting to remote input on UDP ports 1026 through 1031. Originally created to allow SysAdmins to send notices about server reboots to company employees at workstations, the Messenger Service is now mostly used by spammers to send Messenger Blasts to millions of un-firewalled computers at the same time.
To disable this totally useless service go to Start > Run and type or copy/paste this into the input field:
Services.msc
When the Services Management Console opens look through the list for "Messenger" and double click on it. If you opened the correct service you will see this in the description field:
Quote:
    Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
Click the STOP button, then change the "Startup Type" to Disabled, then click Apply, then OK to close the management console.
You will no longer receive any popup alerts from spammers using the Messenger Service.
Any firewall should block incoming traffic on the ports used to blast Messenger spam.
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 8:33 am
Thanks for the instructions, I'll deal with that asap.
The firewall/AV I use is AVG 7.5 Internet Security (full version, not the free).
Steinar
PS - checked the Messenger Service, it was already disabled.
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 8:46 am
Subject: Re: Can't get rid of Trojan horse(s) - any suggestions?
Steinar Gregertsen wrote:
    The Trojans in question are named Generic3.UUB and Collected.11.B, plus an Adware Generic2.DO. The dll names of these files change every time AVG finds them.
    Steinar
Another question:
Is the .dll actually being renamed, or is AVG just finding more .dlls associated with the trojans?
Steinar Gregertsen
From: Arendal, Norway, R.I.P.
Posted 24 Apr 2007 9:00 am
Wiz - thanks again! I'll read them as soon as I get the chance.
Joe - here are some examples, this is what I currently have in AVG's Virus Vault:
1 - Virus name: Trojan horse Generic3.UUB
    File name: brjcwoyk.dll
2 - Virus name: Trojan horse Generic3.UUB
    File name: ixpbmbkc.dll
3 - Virus name: Trojan horse Collected.11.B
    File name: bkvmcriv.dll
4 - Virus name: Adware Generic2.DO
    File name: dwbkjump.dll
The names registered under "Virus name" remain the same every time they're caught by AVG; the .dll file names change every time.
The paths to all these are also the same -
Documents And Settings\Steinar\Local Settings\Temp
Don't know if this helps or not, but that's all I know so far...
Steinar
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 9:12 am
Subject: excellent
To Steinar: that helps a lot. It appears it is just finding multiple .dlls associated with the trojan.
Wherever the executable on this thing is, it generates a random filename each time and places it in that temp directory.
Even though you delete the temp, you haven't deleted the source. So...you have an infinite loop.
That's good, because things should be able to be fixed.
Wiz is bringing it up to the next level with the port monitoring and your firewall, which I had some questions about myself, but this has been a pretty heavy exchange of info.
To Wiz: Correct. The fix will look at some other issues besides the SmitFraud, if I understand it correctly, that could be rootkit oriented. In particular, the DOS scan on reboot looks especially good.
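An added example (mine, not from the thread or from AVG) that applies Joe's reading to the Virus Vault listing Steinar posted above: it groups the entries by detection name and checks whether every hit is a fresh, random-looking file name in the same Temp folder, which is the pattern of a persistent component re-dropping its payloads rather than one file being renamed. The pipe-separated record layout and the C: drive letter are assumptions; the detection names, file names and Temp path are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample records in the form "detection|full path". The detection
# names, file names and Temp folder are those quoted in the thread; the C:
# drive letter and this record layout are my assumptions, not AVG's format.
VAULT_ENTRIES = """\
Trojan horse Generic3.UUB|C:\\Documents And Settings\\Steinar\\Local Settings\\Temp\\brjcwoyk.dll
Trojan horse Generic3.UUB|C:\\Documents And Settings\\Steinar\\Local Settings\\Temp\\ixpbmbkc.dll
Trojan horse Collected.11.B|C:\\Documents And Settings\\Steinar\\Local Settings\\Temp\\bkvmcriv.dll
Adware Generic2.DO|C:\\Documents And Settings\\Steinar\\Local Settings\\Temp\\dwbkjump.dll
"""

# Heuristic for machine-generated names: exactly eight lowercase letters plus .dll.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")


def parse_vault(text):
    """Turn the records into (detection, directory, filename) tuples, lowercased."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        detection, path = line.split("|", 1)
        p = PureWindowsPath(path.strip())
        entries.append((detection.strip(), str(p.parent).lower(), p.name.lower()))
    return entries


def looks_random(filename):
    """True for names like brjcwoyk.dll, False for ordinary names like kernel32.dll."""
    return RANDOM_DLL.match(filename) is not None


def summarize(entries):
    """Per detection name: hit count, whether all hits share one folder, and whether
    every file name looks generated rather than chosen by a human."""
    grouped = defaultdict(list)
    for detection, directory, name in entries:
        grouped[detection].append((directory, name))
    return {
        detection: {
            "count": len(items),
            "single_directory": len({d for d, _ in items}) == 1,
            "random_names": all(looks_random(n) for _, n in items),
        }
        for detection, items in grouped.items()
    }


def indicates_dropper(entries):
    """Joe's reading of the evidence: stable detection names, one Temp folder and a
    fresh random file name on every hit means something persistent keeps writing
    the payloads, so emptying Temp removes symptoms, not the source."""
    directories = {directory for _, directory, _ in entries}
    in_temp = len(directories) == 1 and next(iter(directories)).endswith("\\temp")
    return in_temp and all(r["random_names"] for r in summarize(entries).values())
```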
Joe Harwell
From: "I've never been bad." ........ Many, LA
Posted 24 Apr 2007 11:02 am
Subject: HiJackThis log to Spybot forum
I think you are close to cleaning this up, Steinar.
If the SmitFraud fix does not work, go here:
http://forums.spybot.info/
Read the FAQ and start a thread with your issues.
Someone will reply and give you some instructions.
Follow the instructions.
I think posting a HiJackThis log to the Spybot forum will be the quickest way to locate the malicious executable/s and to clean up your registry.
They've got the tools to analyze the log.
Basically, what Wiz said at the beginning is what they'll have you do again.