PC compromised by Trojan?

[zimmerframe]

I think my PC has been compromised by a Trojan, possibly WIN32InjectXP[Trj]

Wednesday evening I was browsing LP record revue sites after running a Google search for a particular LP.  One site I visited caused my Windows firewall to switch off.  This immediately caused me concern.  I was able to switch it back on again.  I restarted my PC and windows hung without loading my desktop.  I did another restart and my desktop loaded but windows firewall switched itself off again.  I tried logging into a secure website, (Barclays Stockbrokers) and noticed that my normally saved password information had been cleared.

I ran Spybot Search & Destroy and Adaware.  Neither found anything.  I looked in Administrator Tool/ Security logs and my Antivirus, (Avast) had logged a suspect Trojan, listed above.  I ran a full scan and it found the above Trojan and gave me the option to clean it which I selected.  I allowed the scan to continue overnight but the scan froze at 65%.

This morning I again tried to start my PC and Windows hangs before the desktop is loaded.  I can access Task Manager with Ctr/Alt/Del and can see running processes. Finally before leaving for work this morning, I tried starting in Safe Mode, which I was successfully able to do.

My PC is running WinXP SP3 fully patched up.

Any suggestions?  I could try running a scan in Safe mode maybe?  Are there any on-line scan tools I could try, assuming I can access them from safe mode?

[Rik]

It would be worth getting hold of a copy of Super Anti-Spyware and Malware bytes, Zim, see if they can do the deed for you.

[zimmerframe]

This?

http://www.superantispyware.com/index.html

And this?

http://www.malwarebytes.org/mbam.php

[Simon]

I would also recommend the above.  AdAware and Spybot are quite outdated now.

[Rik]

Yes, those, Zim.

[zimmerframe]

My worry is that if this is a W32 inject, it has most likely compromised the registry too.  Are these removal tools able to cope?

I also suspect that doing a roll back will be of no use if Windows files have been changed.  It will just re-load itself

[Simon]

I think they should remove it fully, Zap.  You could also try the free version of PrevX.

[zimmerframe]

Cheers folks, will try tonight

[Glenn]

They may take an hour or so to run, so be patient.

[Rik]

Read a good book, Zim.

[zimmerframe]

Success; finally. 

After 5 hours of scanning, rescanning etc etc.  I have finally rid my machine of what turned out to be several malware bots that had installed themselves on my PC.

Even after running scans using the two tools above, as soon as I restarted my PC, they reinstalled themselves.  I resorted to not restarting after I had run a scan and then rolling back a week.  I then rescan and finally they were gone.

For reference this was what was logged.

Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

19/03/2010 20:43:16
mbam-log-2010-03-19 (20-43-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239630
Time elapsed: 26 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

I am amazed and appalled at how easily they installed themselves on my PC.  I wasn't visiting some lurid dodgy site, (well it seems it was dodgy) but was viewing what I thought was an Innocent record review site.  It just shouldn't be that easy to spread this stuff

[Tacitus]

Before the usual crowd get round to this and we start the, 'Mac security is an oxymoron' posts, I thought I'd post it  first:  Researcher Set to Announce 20 Zero-Day Holes in Mac OS X

Just out of interest how many Mac users have actually seen stuff in the wild?  In 18 years of Mac use I've only seen the Autostart worm back in System 7 days.

I imagine the crowd over on Engadget are having a field day with this.

[Gary]

Before the usual crowd get round to this and we start the, 'Mac security is an oxymoron' posts, I thought I'd post it  first:  Researcher Set to Announce 20 Zero-Day Holes in Mac OS X

Just out of interest how many Mac users have actually seen stuff in the wild?  In 18 years of Mac use I've only seen the Autostart worm back in System 7 days.

I imagine the crowd over on Engadget are having a field day with this.

Mozillas old security chief now works for Apple, Windows Syder got things moving at Mozilla so hopefully things will move faster there, and 20 holes,  as to which platform...hell I like Apple for more that the security aspect, I'm not deaf dumb and blind to such things as some Apple fans are,but as Tacitus said OSX so far seems to have a good track record, and I'm sure Apple will have some fixes in OSX 10.6.3 and some patches out for older OS's and weaks for the new one as well, just like Microsoft etc

[DorsetBoy]

Success; finally. 


I am amazed and appalled at how easily they installed themselves on my PC.  I wasn't visiting some lurid dodgy site, (well it seems it was dodgy) but was viewing what I thought was an Innocent record review site.  It just shouldn't be that easy to spread this stuff

Zimmer, this is why I NEVER trust my machines to Windows Firewall , it has no defence. Avast though quite good has let me down in the past, I went back to ESET products which are excellent at preventing drive by installs like this. My lads machine was always getting infected with the free AV's on board. Eset Smart Security keeps it clean and he is for ever visiting the free download/screensaver/image sites where the garbage resides.

[Gary]

Zimmer, this is why I NEVER trust my machines to Windows Firewall , it has no defence. Avast though quite good has let me down in the past, I went back to ESET products which are excellent at preventing drive by installs like this. My lads machine was always getting infected with the free AV's on board. Eset Smart Security keeps it clean and he is for ever visiting the free download/screensaver/image sites where the garbage resides.

XP's Firewall was never good Though was it? Vista and Windows 7 had a more robust one in place, which I think are yet to be breached in this way, though I could be wrong, using the full version of Prevx and just Nod32 and windows defender I was fine on Vista, I found the Eset firewall to be somewhat lacking, and buggy when it came to UPNP which some people do use, not everyone can port forward. People generally like to set and forget and Esets automatic mode is not the best. Software firewalls are a pain tbh and cause more issues than they are sometimes worth, also WIN32InjectXP is dedicated to Windows NT,2000, XP and these OS's are very long in the tooth now.

I think using a newer OS helps, and between windows firewall and a hardware firewall you should be ok, also what proactive defence you have counts, that should really nab something like this trojan before it does any damage in the first place.

[zimmerframe]

I shall certainly be reviewing my security.  My PC sits behind a Netgear router which has hardware firewall capability.  That and Windows firewall are obviously not enough.

I've just noticed that Barclays are offering Kaspersky 2010 free to their on-line bank users.  Its something I heard of in a good light, is it a good product?

like I said, what amazes me is the ease at which I was infected.  I was savvy enough to realise straight away that something wrong had happened.  How many thousands, (millions?) dont and are infected? 

[Rik]

Gary used to use Kaspersky, Zim, he should be able to give you a full rundown on it's capabilities.

The big problem for all of us is the great uneducated mass of people who 'drive' infected computers around the 'net, not realising the harm they are doing.

[Gary]

I shall certainly be reviewing my security.  My PC sits behind a Netgear router which has hardware firewall capability.  That and Windows firewall are obviously not enough.

I've just noticed that Barclays are offering Kaspersky 2010 free to their on-line bank users.  Its something I heard of in a good light, is it a good product?

like I said, what amazes me is the ease at which I was infected.  I was savvy enough to realise straight away that something wrong had happened.  How many thousands, (millions?) dont and are infected? 

I used to use it but it had issues, it can slow browsing down very badly, also you need to remove every source of your old antivirus out of your machine, uninstall Malwarebytes, Superantispyware etc before installing it as it does not like those programs, tbh I found it very buggy and problematic even though its detection ratings are great, Norton 2010 has just as high a detection rating, is more user friendly and does not slow your browsing down and scans faster, I know this sounds odd but I would go for Norton rather that Kaspersky, its simpler to use just as robust, and is not like the Norton of old days. Both programs got a 99% score in AV Comparatives, and I would not put the Kaspersky suite on a windows box of mine again, it alters the file structure permanently by messing with the NTFS stream, I would go for Norton, fast light and very reliable in these times, don't be put off by Norton from years back, they are not the same beast.

[Rik]

Thanks, Gary.

[Tacitus]

Mozillas old security chief now works for Apple, Windows Syder got things moving at Mozilla so hopefully things will move faster there, and 20 holes,  .......

I saw that about Mozillas security chief moving to Apple.  Maybe they are starting to revamp their security procedures.  Although they are moving in the right direction with address randomisation and so on, they still have a long way to go. 

It's interesting that although Miller keeps finding security holes he has been quoted (can't find the link) as saying OSX is 'safer', possibly due to the security/obscurity myth.  Security has gone from the realms of the schoolboy hacker to organised crime and it can only get worse.

[Den]

I had Kasperski on both my desktop and my laptop using Windows 7, it caused so many problems on the desktop I uninstalled it and tried a trial of Norton 2010 for 3 months, The difference was outstanding and I can not imagine moving back so I have now bought the paid for version of Norton Security for both machines.   

[zimmerframe]

Unfortunatly, my problems have compounded.  The payload must have had a virus along for the ride too.  WIN32:Malware-Gen.  It has now locked my PC down totally.  I cant log on, even in safe mode. My PC immediatley logs me off again.

Any fix is further compounded by the fact that my drives are RAID'ed.  RAID 0.  So I cant remove the drive to put in another PC to work on.

I tried using system restore.  Big mistake,  That had also been infected.  I did a virus scan using AVAST that found the above virus but could not remove it.  Since trying that, my PC has locked down.

What next, re-format?  If so, maybe time to move to Windows 7

[Glenn]

Will it start in safe mode at all?

[zimmerframe]

Starts in safe mode but cant log on.  It auto logs off again, even Admin role is affected. 

Sunday night I passed my machine onto a freind who works in IT.  Its beyond my capabilities now.  I think he will attempt either setting up a second RAID drive or pu it on a temporary network in order to access my machines registry which has been changed by removing the virus.

Research since on some forums shows that I am far from being alone in having this problem.  Solutions do exist to fix so I'm still hopeful that the machine is still recoverable and will not require a format.

[Rik]

 

[Ray]

Seconded, 

[Gary]

System restore needed to be turned off as it keeps the nasty within it sadly, I think a format with boot and nuke, (takes hours but is worth it) and an update to windows seven is the safer route now I would say.

[Simon]

Good luck, Zim! 

[zimmerframe]

My PC was finally fixed by booting from the WIN XP CD then editing the registry.

I've bought and installed Norton 2010.  There have been horror stories in the past regarding Norton.  I can only say how impressed I am with it.  Its footprint is fairly low, it updates its virus defs every 5 mins.  It has network protection that looks at other devices on my home network.  There is  feedback from its community that check exes on your machine with known safe and unsafe ones.  Its Spam filtering is good and this I really like.  When you do a Google search, each hit is marked with a tick, a question mark or a cross, warning about payloads etc that the website has.

[Ray]

Good to hear, Zim, I would agree with you about Norton 2010, I'm currently running a 180 day trial that came with a magazine cd on one of my machines and it pains me to say it but I'm very impressed with it so far.

It's a vast improvement on previous versions and very light on system resources.

[Rik]

Norton getting back to what Norton used to be?

[Inkblot]

Norton getting back to what Norton used to be?

A motorbike?

[Ray]

Norton getting back to what Norton used to be?

Seems to be with this latest version, Rik, I've been using this trial for just over 2 weeks and no problems so far, the install is much quicker, only a couple of minutes with no reboot either. 

[Rik]

What sort of memory footprint does it have, Ray?

[Rik]

A motorbike?

Preferred Triumph myself.

[Ray]

What sort of memory footprint does it have, Ray?

The highest memory usage I've seen in task manager is around 10,900k most of the time it seem to run around 4,5000k

The 30 minute plot below gives a better idea, the yellow trace is Norton usage and the blue total memory used by all running processes.

[attachment deleted by admin]

[Rik]

That does look good, Ray. 

[Ray]

It does, Rik, it's vastly different to the last time that used Norton.

[Rik]

Shame I've just bought a four-seat, three-year, licence for NOD.

[Ray]

I think I might be tempted to change to it if the trial goes all the way with no problems, the last time I looked Amazon were doing the 3 pc version for just under £25.

Edit it's £22.97 now.

[Rik]

Wait a week, Ray, it should be £20. 

[Ray]

Most likely, Rik, 

[Glenn]

The day you buy it, it will be reduced the following day

[Rik]

Murphy's second law.

[Ray]

It never fails, Rik, 

[Rik]

Except when overtaken by Murphy's third law.