
Thread: New Thread: What's yrndlcit.exe?

  1. #31 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by tashi:
    Sorry to slip in here.


    itsleo, please respond to those questions and also my PM, thank you.
    Please note that I was responding to a FOLLOWING post, and that I did respond to your PM. My assumption is that if the questions were vitally important she would not have proceeded - was there a complaint?

  2. #32 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by tashi:
    Sorry to slip in here.


    itsleo, please respond to those questions and also my PM, thank you.
    In any event, the answers, in order, are: Yes; Yes, I've already said so; and I don't know, but why wouldn't it?

  3. #33 CalamityJane (In Memoriam - Always in our heart; Join Date Oct 2005; Location Central Florida, USA; Posts 651)

    No, we still need answers. Is this machine being used at an office, and also does the data on it belong to a former employee, because it may be necessary to have someone do forensics on it. Maybe I'll just ask Tashi to do that with you via PM (questions, that is, not forensics). I can't really proceed until we have answers to those because of the security implications of a compromised machine.
    Last edited by CalamityJane; 2008-01-19 at 00:10. Reason: Edit to clarify
    Microsoft MVP 2003-2009
    Windows-Security

  4. #34 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by CalamityJane:
    No, we still need answers. Is this machine being used at an office
    It is not used for office work. It is a NOTEBOOK computer, and it goes with me most of the time - or it did before it cratered. It goes home, it goes upstairs, downstairs, it goes to other people's houses, coffee shops, et cetera. The reason I got it in the first place was so I had a portable that I could run a USB 11g wireless antenna on it - my other notebook is Linux and it doesn't play well with the wireless.

    Quote Originally Posted by CalamityJane:
    and also is the data on it belong to a former employee
    To the best of my knowledge, there is no data on it that belongs to a former employee. I may have moved data to a backup directory in case it was needed by anyone, but if so, it can go away... this is why - as I believe I have stated several times now - I have no problem burning it down.

    Quote Originally Posted by CalamityJane:
    because it may be needed to have someone do forensics on it.
    I have absolutely no idea what you are talking about here - what forensics, on what data, to what end?

    Quote Originally Posted by CalamityJane:
    Maybe I'll just ask Tashi to do that with you via PM.
    Do that? What that?

    Look - I already said, if you don't think it's worth while, just say so... I can try to reinstall XP on it, and if that doesn't work, I'll put a Linux on it.

  5. #35 CalamityJane (In Memoriam - Always in our heart; Join Date Oct 2005; Location Central Florida, USA; Posts 651)

    Hello Leo,

    Let me explain why the questions.

    The KAV scan has revealed a very serious trojan on the machine

    You stated early on:
    the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP)
    It is not just the machine's name. You are running using her ADMIN account which may contain all of her data:

    C:\Documents and Settings\SHIRLEY WILLIAMS\
    C:\Program Files\LogMeIn
    ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
    Microsoft Windows XP Home Edition

    I know you don't care about the technical details but it is important to understand (my bolded lines in the text below) what this trojan does.
    It was this one that is the Bzub:

    C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic
    ............................................
    Pay close attention: This is what that trojan does, and it may mean that any data on the machine may have been stolen, but I cannot tell you exact dates. It may be that it was stolen before you owned the machine, but if Shirley Williams, a JP, had any data on there, you would need to have it investigated in case someone else's info contained therein has been compromised. Do you see what I am talking about?

    Name: Win32.BZub.ic
    Threat Level: (not given)
    Alias: Win32.BZub.ic
    Date: 25 February, 2007
    Type: Win32, Trojan
    Damage: Theft of information, Other
    Platform: Win 95, Win 98, Win ME, Win NT, Win 2K, Win XP
    Analysis: Win32.BZub.ic installs a .dll in the Windows System folder, and registers this .dll as a COM object and a BHO (Browser Helper Object) for Microsoft Internet Explorer. It also lowers Windows Firewall security settings, and steals data from the infected computer.

    Malicious activity

    Here are some of the actions performed by this Trojan on execution:

    In order to lower Windows Firewall security settings, it adds the following registry entry:

    [SPACE]"ProgramFiles\Internet Explorer\EXPLORE.EXE" = "ProgramFiles\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

    to the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
    \StandardProfile\AuthorizedApplications\List\

    The Trojan registers the said .dll as a Browser Helper Object by creating the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4DDF-B91A-67EFF8373045}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{78364D99-A240-4dff-B11A-67E448373045}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}

    It adds the following registry entries:

    "(default)" = "C:\WINDOWS\system32\ipv6mons.dll"
    "Enable Browser Extensions" = "yes"
    "ThreadingModel" = "apartment"

    to the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InProcServer32

    in order to register the DLL as a Browser Helper Object.

    It adds the following registry entry:

    "Enable Browser Extensions" = "yes"

    to the following registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    in order to register the DLL as a Browser Helper Object.

    It creates the following files to store stolen information from the infected computer:

    System\form.txt
    System\info.txt
    System\shot.html


    It may steal the following information:

    Host name and IP Address
    Outlook Express Accounts
    SMTP and POP3 Server
    Password for Internet Explorer AutoComplete
    MSN Explorer Signup account
    Windows Cached Passwords
    URLs visited
    HTTP POST request
    Content of HTTP FORM
    TAN and PIN numbers of bank accounts


    It searches for .pfx files on the infected computer.

    It attempts to export and steal the crypto keys and certificates stored within the above files.
    Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If you wipe all that info now they won't know. It should have been wiped before it was put up for auction. Does nobody realize this?
    Last edited by CalamityJane; 2008-01-19 at 01:30.
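The post above lists the two registry changes that matter for triage: a Windows Firewall exception whose value name (EXPLORE.EXE) does not match the program it actually allows (IEXPLORE.EXE), and a BHO CLSID whose InProcServer32 points at the dropped DLL. The following is an added example, not code from the thread or from any poster: it parses a `.reg` export (as produced by `reg export` on Windows) and reports both kinds of artefact, so an investigator can check an exported hive offline before deciding whether to wipe. The sample export is constructed from the entries quoted above with drive letters and one benign Firefox exception added.

```python
# Added triage helper (example code, not from the thread): parse a .reg export made
# with "reg export" and report firewall exceptions whose value name and allowed
# path disagree, plus every registered BHO and the DLL it loads.
FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")

# Constructed sample built from the entries quoted above (drive letters and a benign
# Firefox exception added); it is not an export from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\EXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}]

[HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InProcServer32]
@="C:\\WINDOWS\\system32\\ipv6mons.dll"
"ThreadingModel"="apartment"
"""

def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; non-string values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes as \\ inside quoted names and data
                keys[current][name.replace("\\\\", "\\")] = data[1:-1].replace("\\\\", "\\")
    return keys

def suspicious_firewall_exceptions(keys):
    """Enabled exceptions whose value name and allowed path disagree, e.g. the
    EXPLORE.EXE -> IEXPLORE.EXE entry quoted above. Returns [(name, path)]."""
    findings = []
    for name, data in keys.get(FIREWALL_LIST, {}).items():
        # data layout: <path>:<scope>:<Enabled|Disabled>:<display name>; the path
        # itself contains a drive-letter colon, so split from the right.
        parts = data.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, state = parts[0], parts[2]
        if state.lower() == "enabled" and name.lower() != path.lower():
            findings.append((name, path))
    return findings

def bho_dlls(keys):
    """Map each registered BHO CLSID to the DLL its InProcServer32 key loads (or None)."""
    by_lower = {k.lower(): v for k, v in keys.items()}
    result = {}
    for key in keys:
        if key.lower().startswith(BHO_ROOT.lower() + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            server = by_lower.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
            result[clsid] = server.get("(default)")
    return result

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(suspicious_firewall_exceptions(parsed), bho_dlls(parsed))
```

A name/path mismatch in the exceptions list is a strong indicator of tampering because the GUI never creates one; an unfamiliar DLL under system32 loaded by a BHO is the other thing to pull for analysis before the disk is wiped.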

  6. #36 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by CalamityJane:
    Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If wipe all that info now they won't know. It should have been wiped before it was put up for auction. Doesn't nobody realize this?
    I understand about removing the data prior to ditching the computer. It didn't happen. Whether you, I, we, or they understand this or not is essentially a moot point.... barn doors, spilt milk, dead-mule flogging, and all that sort of thing.

    The former owner was a County JP, and from what I can see she used the computer mostly for personal things. There was an old DOS-based program and its xBase data files on the computer, which I personally moved into a "backup" directory and archived onto CDs. I probably should have erased it, but I didn't...

    I seriously doubt that any of this particular data was stolen, but if it was, it was almost certainly useless to the thieves.

    I don't know what your background in government and law enforcement is, but I do have some experience, and I can assure you that - at least on a state and local level - there is no money and no interest in investigating maybe's, particularly given the - in my view - absolute fact that live computers on the desks of government employees all over the country are far more likely to be regurgitating data to whatever cybercriminals may be lurking.

    So... I do truly appreciate everything you've done so far...
    shall we continue cleaning, or should I just burn it down? As I stated, I'd like to keep the XP - and I think I mentioned because of the wireless playing better - but some of the newer Linuxes apparently now have improved the wireless NIC code - one of my clients said he put Ubuntu (I think it was Ubuntu) on his notebook and the wireless jumped right up, although he did have to manually download an inf from MS... so maybe that's not as much of a chore as it was a year ago!

  7. #37 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by CalamityJane:
    It creates the following files to store stolen information from the infected computer:

    System\form.txt
    System\info.txt
    System\shot.html

    It searches for .pfx files on the infected computer.

    It attempts to export and steal the crypto keys and certificates stored within the above files.
    Hi, Jane. I checked for those files. Now, I don't know if the indicated files above (form.txt, etc) have already been eliminated, or simply didn't exist, but there are no such files on the system at this time.

    Furthermore - again - I DO NOT USE MS programs unless absolutely necessary (in fact, running the KAV online was, I believe, the first time I have used IE at all on the infected computer; on my XP Pro system at home I use IE only for my day-trading access, since the authors were stupid enough to use MS's java extensions and it doesn't work with FF or Opera). I have stated more than once that I don't use IE, nor do I use MS Office; I stated that I use Thunderbird, from which one should infer that I do not use Outlook, but let me state that unequivocally, anyway: I do not use any version of Outlook. I assume (always dangerous) that the trojan steals data from the directories known to be inhabited by IE, Office, Outlook, etc. The old data may have been there, I don't know, but if it was, it was almost certainly no longer valid.

    I will inform the former JP that she had managed to collect a fairly horrendous set of viruses and that she should change her passwords as a matter of security.

  8. #38 CalamityJane (In Memoriam - Always in our heart; Join Date Oct 2005; Location Central Florida, USA; Posts 651)

    Quote Originally Posted by itsleo:
    I will inform the former JP that she had managed to collect a fairly horrendous set of viruses and that she should change her passwords as a matter of security.
    That would be good. Also I'm concerned that if the county is selling their computers without wiping them, other people's info on them could be compromised without their knowledge (the JP's cases, whatever). That JP may know best what info may have been on the computer that others could now have access to.

    This computer has a lot of problems at the moment. If you decide to flatten it, check with Dell on the advisability of that in case they have any special instructions and whether or not the version of Windows XP you have as an install CD will work on that (you would almost certainly need a new version and not one borrowed off another machine).

    If you decide to clean it, let me know - I'll try.

  9. #39 Member (Join Date Jan 2008, Posts 36)

    Quote Originally Posted by CalamityJane:
    That would be good. Also I'm concerned that if the county is selling their computers without wiping them, other people's info on them could be compromised without their knowledge (the JP's cases, whatever). That JP may know best what info may have been on the computer that others could now have access to.
    If you decide to clean it, let me know - I'll try.
    I don't know what happens with other County computers - I'll see what I can find out.

    Most people don't have a good understanding of government functioning at ANY level... here's a quick lesson: elected officials work for the voters / taxpayers, and not for some other official. For example, your County Clerk does not work for your County Judge and is under no obligation to take orders from the Judge (or the state, or anyone else)... likewise, the County Attorney doesn't work for the District Attorney or your state Attorney General or anyone else. Your state may or may not have laws specifying what can, should, or must be done with any forms of records (read, "data"), other than retention, availability or non-availability to the public, and so on. No official is liable for the acts of criminals, even in such a case as failure to lock doors or filing cabinets...

    I'm not saying your points aren't good IDEAS, but - as far as I am aware, and speaking generally - they aren't LAWS, other than "best efforts" sort of things, and defining best efforts and culpability for failure to make such efforts are incredibly hard to prosecute, even if such prosecution were desirable, which it - again, generally - almost never seems to be, at least not from the standpoint of one elected official (or staff) taking after another elected official (or staff).

    It looks to me like your heart and your interest aren't really in this, so unless you really, actually WANT to keep banging on this thing, I think I'm going to see if I can just format and (re-)install a generic XP Home on the thing. Besides, we've both already spent far more time and energy than the damned thing is worth - I'd bet there are identical ones on eBay going for less than the value of your time... in case you can't tell, I'm feeling pretty damn apologetic for even starting this in the first place... but I'm one of those people who hate like hell to junk something that can be fixed... it's sorta like spending three or four hours trying to fix a steam iron instead of throwing the (*&#@$ thing away and buying a new one for $12.95....

    I'm sure there will be fun and games involved in finding the secret mystery Dell drivers, but I have (re-)installed plain vanilla Windowses on other Dells (and Compaqs and Gateways - albeit no notebooks, and only a couple of XP versions - I borrowed a CD from the local store and used the original product key from the computer's sticker, no big deal, although I did have to talk to someone at MS about one of them and cross my heart that this was the same computer but with a new hard disk after the old one crashed), without huge problems ensuing. Maybe I'll get with Dell and see if they can provide the CDs... The computer has a gen-you-wine Dell / Windows sticker on it, product key and all. And if that doesn't work, I'm 100% certain I can install any of a large number of Linuxes on it, and I'm guessing that the wireless is going to be much less of an issue now... and, of course, the virus issue - for all practical purposes - simply doesn't exist.

    Anyway, if you are interested, fine, I'm game to see what can be done - as I have repeatedly stated, I have absolutely no problem with simply erasing / replacing any or all of the apps or OS, by which I mean that if it's easier to erase and replace than to sanitize, that's what we do!

    What do YOU suggest? Remember, I understand completely and have no hard feelings or disrespect if you just want to file this under Nightmare and walk away!

    Jane, again, I thank you for your time and your patience in dealing with this. I hope you understand that I do really and truly appreciate it!

  10. #40 CalamityJane (In Memoriam - Always in our heart; Join Date Oct 2005; Location Central Florida, USA; Posts 651)

    Quote Originally Posted by itsleo:
    What do YOU suggest? Remember, I understand completely and have no hard feelings or disrespect if you just want to file this under Nightmare and walk away!

    Jane, again, I thank you for your time and your patience in dealing with this. I hope you understand that I do really and truly appreciate it!
    If this were my computer, I would wipe it first and reinstall because of the type of malware that has been running on it. Some of the installed software programs are now infected and may need to be uninstalled/reinstalled. The security settings have been lowered by this trojan:
    Trojan Zonebac (aka Trojan Agent AWF)
    http://www.symantec.com/security_res...091612-5500-99

    Trojan Bzub we have already covered - it does other system damage as well. There are a number of trojan downloader agents (these trojans download additional malware to the machine). It is all in the Kaspersky scan report.

    I don't mind helping you try to clean it but I cannot guarantee we can find what settings/exploits have already been made to ensure an intruder can get back in.

    If you choose to reinstall Windows, please be sure that you can get Service Pack 2. Right now the machine is on SP1 and is no longer receiving critical security updates to Windows, and it is at the moment quite far behind, so it is exploitable and vulnerable to attack. We could try to clean it up as best as possible, and hopefully an install of SP2 would reset a lot of the security settings that have been compromised - but I can't guarantee it. The system logs indicate a problem trying to validate and get updates, but of course you should not do that upgrade to SP2 before getting the malware off of there first.

    I just need to know which way you want to go with this. I have gone over the logs and enumerated what infections are present and steps to begin to remove them but holding off until you tell me in which direction you would like to proceed.

    And yes, it is easier to do this:
    Quote Originally Posted by itsleo:
    If it's easier to erase and replace than to sanitize....
    Last edited by CalamityJane; 2008-01-19 at 15:27.