Sweet… Trojan!

So, somehow, my system finally got infected. I’ve done very little on my box at home recently, which narrows it down to a few very limited possible causes.

First symptoms:

  1. Couldn’t access my own blog from my home machine, nor google;
  2. Pop-up windows warning me my computer wasn’t secure (“Win Antivirus Pro” infection);
  3. Opening/Closing control panel very slow and produces pop-ups (“Trojan/IHook” infection);
  4. Trying to run the Microsoft Malicious Software Removal Tool … fails (something actually kills the app);
  5. Unable to install or run Windows Live One Care (task manager shows “winlogon.exe” taking up 12% CPU; when I finally kill winlogon.exe Windows Live One Care seems to advance but still fails);
  6. Lots of rundll32.exe’s that weren’t there before, one of which continually restarts when killed;
  7. Several new svchost.exe’s;
  8. “GoogleUpdate” which won’t uninstall from control panel or otherwise go away aside from removing the folder;
  9. Nod32 quarantined a whole bunch of trojan files but seemed to miss the main infections;

I still have a Norton license, so I installed and scanned with that … Didn’t even discover the files Nod had quarantined. I tried the AVG free trial, it discovered one of the quarantined files.

Ok – so Windows Live One Care? Oh, the infection doesn’t like that, it won’t even download.

I managed to get the Microsoft malware removal app downloaded but it didn’t seem to do anything. When I tried it again while my system was busy I saw a little “Extracting Window” appear. When I tried without anything else happening, the window didn’t open. When I tried again and the system was really busy (virus scan AND disk defrag) it actually managed to display a “Welcome” window (you know, the first screen of an application which tells you what the application is etc) which then disappeared. The infection is killing the malware removal tool.

I rebooted the box and went into Safe Mode with Command Prompt, went to where I had saved the malware tool and ran it by hand. Voila! 6 infected files found, “Trojan/IHook”.

Rebooted, launched control panel and it still felt sluggish. Closed control panel and … pop-up window. Repeated the trip to Safe Mode, 6 infected files again. Rebooted to Safe Mode again, re-tested, no files.

Apparently, my Control Panel is infected. So, back into Windows, kill all the services and exes I think I can get away with, and download Live One Care. Reboot, launch Live One Care … Fail. As soon as it starts up, “winlogon.exe” starts using 12% CPU. I kill that and I get a new window from Live One Care but it still fails :(

Then I remembered I have a Vista partition which I booted into. Ahh, yes, Vista is pretty, but it’s like walking around a submarine, I seem to keep banging my head on bulkhead doors, and I have to absolutely wrestle with Live One Care before I finally figure out it’s failing because I was on a 90 day trial that just expired.

I’ve been updating Live One Care for 2 hours now… It’s installed a bunch of updates one-at-a-time most of which require a reboot before it can proceed. Ugh.

It did, at one point, go long enough between updates to allow me to do a scan – it found an infection but before I could “OK” it to remove it, there was another update and it restarted itself, taking the window with it.

Also, in its scan report, it found one file with an infection. It tells me “user action required”. I clicked on the link, hoping to find out what user action was required, and it tells me:

“User Action Required.

“Infected files were discovered. User action is required”

Remarkable.

17 Comments

I had an infection 2 weeks ago, Win Antivirus Pro XP 2008. It was a nightmare to get rid of. I had Norton running at the time and it didn’t notice it, and Ad-Aware didn’t spot it either. There were like 12 svchost.exe in taskmgr. It would pop up saying Win Antivirus and to download something to fix the infection, when it was actually downloading ridiculous amounts of stuff through Internet Explorer although IE wasn’t actually running. It took lots of registry editing and deleting of files before I finally got rid of it. In the end I spotted that it had created a folder called microsoft (small m) and the only file in there was svchost.exe; deleting this folder finally rid me of the infection.

You’ve been visiting cakefarts.com again, haven’t you?

Seriously though, I don’t want what you got.. I use Live One Care, but I do have another antivirus that my work provides to us for free so we don’t infect their computers, Computer Associates.

http://shop.ca.com/virus/antivirus.aspx

Not this newer version, but it’s pretty faithful in keeping updated. Let me know if you want to try it out.

Well, knocks on wood, so far I’ve not caught anything on this comp. I’ve used Avast AV on it. The prior comps I had I always used Norton, and I did get crap that I had to kill out.

But of course on dialup maybe they just don’t bother anymore… Sad when it takes so long to d/l stuff that the viruses even give up, I guess.

Right now I wouldn’t trust any website, you may not be going where you think you are.

http://arstechnica.com/news.ars/post/20080726-new-dns-exploit-now-in-the-wild-and-having-a-blast.html

Ok – found a “microsoft” folder and deleted it (I had “IdentityCRL” inside it). In hindsight, I should have submitted the files inside for analysis to my AVs. Bah.

Breed. You expect me to click on a link at a time like this?!? :)

I’m not clicking links, hell – I’m not even opening my web browser, until I’m back in XP.

Wait… DOH!

It’s about the DNS exploit going around, since only half of the DNS servers are patched to prevent it from happening.

I read it through my news reader.

Ok, so Live One Care under Vista kept finding the infections but apparently got itself infected. It did, however, manage to slow them up long enough for me to download PC Doctor, which scanned and found and then wanted me to pay… Grrr. Hard not to be suspicious. Especially since I had to uninstall my AV software to get PC Doctor to work…

Search through your registry and delete anything with “winantivir” in it. Also check to see if there are any other .exe’s running in taskmgr; I had ones like rhjv4cd0gr.exe or something similar, and deleted those entries in taskmgr, as well as uninstalling WinAntivirus XP 2008 through Add/Remove Programs.

Check your temp folder for IE, mine was LOADED with stuff, and I had to delete it every time until I got rid of that microsoft folder.

Ah betcha your Mac is sitting pretty.

Yep. I gave it a big hug when I walked into the office this morning. Then I had to plug all the flippin’ cables back in and reboot it.

Several of the large antivirus program sellers have free virus check programs on the internet that I use. All the companies update the scans daily with the latest information. You can check it out on another computer to assure the safety.

Panda Activescan is good but takes a long time as it checks every partition of my hard drive when most virus reside on the C: drive.
http://www.pandasecurity.com/activescan/index/

Other free scans are at Computer Associates: http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx

and Trend Micro: http://housecall.trendmicro.com/

you have to go into ‘safe mode’ to remove this one. I’ve removed it twice over the last few weeks. Here is some more detailed info on how to remove it:

http://www.xp-vista.com/spyware-removal/av2009-av2009exe-removal-instructions

There are a few varieties of it, but those instructions are close enough for all of them. Good luck!

This is why I have a storage box that holds all my important stuff and no one logs in but me. My laptop is for online banking and other stuff. There are 3 gaming computers here: 1 for me, 1 for my little girl with no internet, and the last for my son, who got the same Trojan. Avast and Norton both didn’t find it. Did the only safe thing and FORMATTED THE HARD DRIVE. When it’s only a gaming box, 4 hours and done.

Take off and nuke the entire site from orbit. It’s the only way to be sure.

Try to use Panda. I do not use it normally, because it is very resource hungry (I normally use AVG Free), but for this kind of thing it is welcome.

Recommend Kaspersky AV. Won’t have another virus / trojan problem ever again.

I bet this was your PC itself. It probably heard that you got a Mac and got jealous :)
I personally recommend AntiVir:
http://www.free-av.de/en/index.html

Never had a problem since I’ve had this one. Once I also hadn’t installed it and got a virus. There was no problem installing it afterwards and removing the virus.

Drave
