PDA

View Full Version : Win32.Agent.pz and others -- trojans, loggers, downloaders



remedy
2007-04-05, 01:15
I came back from a long weekend to find NOD32 and AVG all blown up on my screen with warnings. It was all fine when I left (no accidental clicks or anything that I can recall anytime recently). I immediately ran NOD32, AVG, and Spybot repeatedly (including safe mode), but threats kept reappearing. Logs from Panda and HJT are below... Win32.Agent.pz is the only one still appearing in Spybot scans -- Spybot says it can only fix 1 of 4 related issues, even on reboot scan.

Background: I recently switched to NOD32 (from NIS, about 3 weeks ago). I have a legally licensed version of NOD32 -- the "crack" files in the logs are from when I downloaded it in order to evaluate an unrestricted version before I purchased it. I suppose that is a pretty good guess for the source of these issues...

When I came back from my long weekend, NOD32 was intercepting what looked like trojan downloads from some sketchy URL. AVG was detecting and removing loggers. Of course, I instructed to terminate/clean all of them.

Thanks in advance for your time and assistance.

Panda ActiveScan Log:

Incident Status Location

Virus:trj/torpig.a Disinfected Operating system
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.azjmp.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.belnk.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.dist.belnk.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.go.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jacob Wills\Application Data\Mozilla\Firefox\Profiles\112e7579.default\cookies.txt[.xiti.com/]
Virus:Trj/Agent.EHT Disinfected C:\Documents and Settings\Jacob Wills\Local Settings\Temporary Internet Files\Content.IE5\WO94M9YL\czpgdnjtdq[1].htm
Potentially unwanted tool:Application/CloseApp Not disinfected C:\WINDOWS\system32\closeapp.exe
Virus:Bck/Agent.ENA Disinfected C:\WINDOWS\system32\utorrent.exe
Virus:Bck/Agent.ENA Disinfected F:\Downloads\NOD32 2.70.32 + Crack\Crack.exe
Virus:Bck/Agent.ENA Not disinfected F:\Downloads\NOD32 2.70.32 + Crack.rar[NOD32 2.70.32 + Crack\Crack.exe]
Dialer:Dialer.Gen Not disinfected Archive Folders\Deleted Items\Have Fun.... You will enjoy...\serials.zip[serials/s2k.serials2k7.1.zip][s2k.hacking.exe]
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Deleted Items\ Re: FW: Tips forTelemarketers & Junk Mail
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\RE: Bounce Emails update\Japanese girl VS playboy
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\FW: GE Capital spokeswoman said the company closed
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\bounce\Undeliverable: Mail Delivery (failure kp@realty.sdcoxmail.com)\Mail Delivery (failure kp@realty.sdcoxmail.com)
Virus:W32/Netsky.P.worm Disinfected Archive Folders\Sent Items\bounce\Undeliverable: Mail Delivery (failure kp@realty.sdcoxmail.com)\Mail Delivery (failure kp@realty.sdcoxmail.com)\message.scr
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Deleted Items\Message
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Inbox\Jun 21 2001 18
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Sent Items\FW: Please try again
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Newport Wireless\FW: Please allow approximately 10 days for
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Newport Wireless\RE: Please allow approximately 10 days for
Hacktool:Exploit/iFrame Not disinfected Archive Folders\Sent Items\FW: Please try again
Virus:Trj/Agent.DIL Disinfected Archive Folders\Personal\hmm\salary_survey_2.exe
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Deleted Items\Re: Merry Chirstmas
Virus:W32/Badtrans.B Disinfected Personal Folders\Deleted Items\Re: Merry Chirstmas\NEWS_DOC.DOC.scr
Dialer:Dialer.Gen Not disinfected Personal Folders\technologist.com\Have Fun.... You will enjoy...\serials.zip[serials/s2k.serials2k7.1.zip][s2k.hacking.exe]
Hacktool:Exploit/iFrame Not disinfected Personal Folders\technologist.com\ Re: FW: Tips forTelemarketers & Junk Mail
Virus:Trj/Shutdown.Z Disinfected G:\Software\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected G:\Software\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z Disinfected G:\Software\SmitfraudFix.zip[SmitfraudFix/restart.exe]

-------------------------------------
HJT Log in following post...

remedy
2007-04-05, 01:16
Logfile of HijackThis v1.99.1
Scan saved at 2:53:38 PM, on 4/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Dcom Helper] utorrent.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D94D151A-2B8F-469B-867E-DFEB0FA5C6BA} (EphoxEditLive3.EditLive) - http://bosdemo2.fnistools.com/Include/EditLive3/editlive3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A55D8C69-6FA0-46E3-9609-9DA3564A78D4}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\dtsslsrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\PerfectSuite\DTSRVC.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe

Angelfire777
2007-04-05, 03:44
Hi, welcome to Safer Networking forums!

I'm afraid I have bad news...

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

remedy
2007-04-05, 04:24
I already changed all my passwords and took the machine offline immediately after posting the logs. i will def be rebuilding the machine, but a couple questions.

1. I have Norton Ghost, and have several images of my entire C drive ranging from 30 days to a year old. Is there a way I could restore one of my more recent images and have some reasonable assurance that my machine is clean?

2. I have 2 data volumes (raid5 and raid0) in addition to my C drive... can the data on those volumes be trusted if I reformat C and reinstall OS, etc?

3. Is there any way to detect how the backdoor trojan got in? I know I use my machine in risky ways (p2p, experimental apps, etc), but I also pay close attention and take a lot of steps to counter those risks. Regardless of how I rebuild my machine, I'd like to know where I messed up to let it in so I don't do it again.

Thanks for the quick reply.

remedy
2007-04-05, 04:57
After a bit more thought, I have a couple more questions...

4. I am running scans on the other machines on my network now... how concerned should I be about those machines?

5. This is a home network, but I have 3-5 machines up at any given time, as well as several "network appliances" (networked tivo, etc). It is running on a Linksys WRT54G upgraded with DD-WRT firmware, so there is a hardware firewall. Does that change the risk, either for my primary (compromised) machine or the rest of the network?

6. I also have a work laptop on my network, but it is always connected to the corporate network via VPN. It is locked down all kinds of ways by corp IT, of course. Is this machine at risk? I told my network admin about the personal machine infection on my network, as an fyi... he did not seem concerned. This work laptop does not have personal or sensitive biz data on it, but since it is connected to the corp network, I am concerned. Any thoughts?

Thanks again.

Angelfire777
2007-04-05, 05:08
1. I have Norton Ghost, and have several images of my entire C drive ranging from 30 days to a year old. Is there a way I could restore one of my more recent images and have some reasonable assurance that my machine is clean?

I'm very sorry but I have very limited knowledge when it comes to those things. You could register here and ask: www.pcpitstop.com


2. I have 2 data volumes (raid5 and raid0) in addition to my C drive... can the data on those volumes be trusted if I reformat C and reinstall OS, etc?

Yes, If you reformat those will be clean again.


3. Is there any way to detect how the backdoor trojan got in? I know I use my machine in risky ways (p2p, experimental apps, etc), but I also pay close attention and take a lot of steps to counter those risks. Regardless of how I rebuild my machine, I'd like to know where I messed up to let it in so I don't do it again.

You answered your own question already :) There's no real way to track down how malware gets in but usually it is when users use p2p programs and other "risky" programs and if they are in a bad surfing habit (visiting questionable sites etc..)


4. I am running scans on the other machines on my network now... how concerned should I be about those machines?

Not very much but there are chances that they may be infected.


5. This is a home network, but I have 3-5 machines up at any given time, as well as several "network appliances" (networked tivo, etc). It is running on a Linksys WRT54G upgraded with DD-WRT firmware, so there is a hardware firewall. Does that change the risk, either for my primary (compromised) machine or the rest of the network?

From the best of my knowledge, it won't affect the risk as all of them are protected equally by a hardware firewall it all depends on which machine was infected in the first place. It's all on the user of that certain machine.


6. I also have a work laptop on my network, but it is always connected to the corporate network via VPN. It is locked down all kinds of ways by corp IT, of course. Is this machine at risk? I told my network admin about the personal machine infection on my network, as an fyi... he did not seem concerned. This work laptop does not have personal or sensitive biz data on it, but since it is connected to the corp network, I am concerned. Any thoughts?

I cannot guarantee you if it is clean but the chances that it is infected is very low.

Hope that answers your questions :)

So, what is your decision? Will we clean your machine?

remedy
2007-04-05, 05:32
Thank you again for the quick attention.

I will either be rebuilding the machine or restoring from an image... but will not be cleaning it. Still debating my non-cleaning options and will ask the question about Ghost images at the site you suggested. One last question for you...

In general, do backdoor trojans like this begin their effects immediately upon infection, or do they stay dormant for a while after the initial infection before taking action on the machine? I realize I am asking for a huge generalization and there are no guarantees, but in your experience/knowledge, how quickly do they usually begin showing their effects?

Angelfire777
2007-04-05, 05:36
Hi,


In general, do backdoor trojans like this begin their effects immediately upon infection, or do they stay dormant for a while after the initial infection before taking action on the machine? I realize I am asking for a huge generalization and there are no guarantees, but in your experience/knowledge, how quickly do they usually begin showing their effects?

Although I haven't been infected by backdoors before, I've tested some already and depending on the nature of the backdoor, some could immediately have a nasty effect on your machine. In general, having a backdoor in your system even for a while could compromise your machine immediately and it is at risk. So whether short term or long term, if you have a backdoor in your system, the best way to clean it is to reformat.

remedy
2007-04-05, 05:55
That last question was not really about whether I should rebuild the machine or not... I was more trying to determine the risk in restoring the machine using a disk image from 30 or 60 or more days ago.

On the surface, it seems that an image from 30 days ago (well before I saw any effects of the infection) would be from before the infection occurred, so the image is most likely clean. However, if it is common for a backdoor to sit on a machine unnoticed for weeks or months, then that idea may not be viable.

If that explanation changes anything, let me know. Otherwise, thank you for your efforts. Good karma.

Angelfire777
2007-04-05, 06:34
Hi,

as I've said in my previous post, it all depends in the nature of the backdoor but most of them will have an effect immediately in your system. About restoring the image, you need to ask the experts of the forum I pointed you to. :)

remedy
2007-04-05, 06:59
sorry, i misinterpreted your first reply. understood now... thanks.

Angelfire777
2007-04-05, 07:24
Here are some free programs I recommend that could help you improve your pc's security.

AntiVirus - Having one AntiVirus is a MUST in your system. If you do not have one, it is very important to get one right now. Here are some free but good AntiVirus:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/freeweb.php/doc/2/)
» AntiVir (http://www.free-av.com/)

Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://http//www.sunbelt-software.com/Kerio-Download.cfm)

Adaware
~You can download it from here (http://www.lavasoft.de)
~There is a tutorial on how to use Adaware properly here (http://forums.spywareinfo.com/index.php?showtopic=11150)

Spybot Search and Destroy
~You can download it from here (http://security.kolla.de/index.php?lang=en&page=download) . Just choose a mirror and off you go.
~There is also a tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install Spyware Guard
~You can download it from here (http://www.javacoolsoftware.com/spywareguard.html)
~You can read the tutorial on how to use Spyware Guard here (http://www.bleepingcomputer.com/tutorials/tutorial50.html)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Angelfire777
2007-04-08, 06:48
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.