Hi,
2 days ago I scanned my system with AVG Anti-Spyware and found a memory-resident trojan named
“downloader.agent.uj”
I took a look at the processes and found that there was no active process running…
After self-analysing the HijackThis log I found something really weird…
All I could make out of it was that it was a DLL infection…
It was rpcc.dll in the system32 folder.
I decided to ignore the DLL infection and take help from you guys after my exams…
since it was not affecting my bandwidth anyway.
But now I got another infection… I clicked on a 2.56 MB .exe file after scanning it with AVG and Avast, which detected nothing.
Then I saw that my Mozilla Firefox was running as a process; I knew I was infected right away…
but
then I could terminate the process and it would come right back in 30 seconds.
I managed to rename firefox.exe to 1firefox.exe…
but unfortunately there was some hidden process running which used 70% of the CPU and my comp became very slow…
I had disabled access to regedit through AVG Anti-Spyware >> Tools,
so I figured that if I rebooted, the malware in my system would not be able to autostart itself…
but it was able to autostart. Now I have two firefox.exe running in processes…
Logfile of HijackThis v1.99.1
Scan saved at 12:11:53 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
log file after reboot
Logfile of HijackThis v1.99.1
Scan saved at 1:13:14 AM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I was using IExplorer when taking the HijackThis log…
Do you guys want me to terminate the firefox.exe processes,
rename firefox.exe as 1firefox.exe,
and take another log and post it??? ;D
If I do the renaming my system starts to slow down, since there is another invisible process running
which is trying to start the firefox.exe process and eats up my CPU.
These can be associated with a rootkit, so try some rootkit scans, or the anti-rootkit tool mentioned in the thread, if you see the signs of that rootkit.
rpcc.dll is bad.
Try the usual suspects. (Here follows cut-and-paste advice.)
Look for and remove rootkits (hidden malware) with these scans:
I think Winlogon processes run even in Safe Mode, so you will need an anti-malware program that can kill injected processes: AVG Anti-Spyware is another option, or a boot-time scan with avast! if it detects this file.
You will also need to remove the DNS hijack entries with HijackThis! If they come back, it means a rootkit, so you will need to scan for rootkits, or maybe use FixWareout (see thread).
Check the O17 entries and if they are domains associated with a DNS hijack, fix them.
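The O17 check above can be scripted rather than eyeballed. The following is an added example for this thread (not HijackThis code and not something any poster ran): it parses O17 NameServer lines in the layout HijackThis v1.99 writes and flags every resolver that is not one you expect. The sample log lines are constructed, the expected-resolver set is an assumption (use the addresses from `ipconfig /all` or your router), and the rogue ranges are the ones the FBI later published for DNSChanger, included only as an illustration of an allow/deny check.

```python
"""Flag HijackThis O17 (DNS NameServer) entries that point outside the expected resolvers.

Added example for this thread, not HijackThis code. Sample log lines are constructed
in the O17 layout HijackThis v1.99 uses; the expected-resolver set is an ASSUMPTION.
"""
import ipaddress
import re

# ASSUMED for the example: replace with the ISP/router resolvers from ipconfig /all.
EXPECTED_RESOLVERS = {"192.168.1.1", "208.67.222.222", "208.67.220.220"}

# Ranges publicly listed by the FBI (Operation Ghost Click) as DNSChanger rogue resolvers.
# Illustrative only; verify against a current source before relying on them.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[0-9.,\s]+)$")


def parse_o17(log_text):
    """Yield (registry_key, [ip, ...]) for each O17 NameServer line in the log."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            yield m.group("key"), servers


def classify(ip_str):
    """'expected' if on the allow list, 'known-rogue' if in a listed range, else 'unexpected'."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if ip_str in EXPECTED_RESOLVERS:
        return "expected"
    if any(ip in net for net in KNOWN_ROGUE_RANGES):
        return "known-rogue"
    return "unexpected"


def find_dns_hijacks(log_text):
    """Return [(key, ip, verdict)] for every resolver that is not in the expected set."""
    findings = []
    for key, servers in parse_o17(log_text):
        for ip in servers:
            verdict = classify(ip)
            if verdict != "expected":
                findings.append((key, ip, verdict))
    return findings


# Constructed sample: two hijacked interface keys (CCS and CS1) plus one clean entry.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2D8C7BA8-0000-0000-0000-000000000001}: NameServer = 85.255.116.121,85.255.112.183
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{2D8C7BA8-0000-0000-0000-000000000001}: NameServer = 85.255.116.121,85.255.112.183
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for key, ip, verdict in find_dns_hijacks(SAMPLE_LOG):
        print(f"{verdict:12} {ip:16} {key}")
```

Note that the same GUID appears under both CurrentControlSet (CCS) and ControlSet001 (CS1): fixing only one copy leaves the other to come back at the next boot, which is the "they come back" symptom the advice above attributes to a rootkit, so fix all copies before concluding something is re-writing them.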
Hi Frank, F-Secure BlackLight did the work to some extent:
it picked up a hidden process which RootkitRevealer did not pick up.
Hidden file: c:\WINDOWS\system32\cswxl.exe
I renamed it and rescanned with AVG Anti-Rootkit and F-Secure again;
nothing else was found…
but the firefox.exe keeps running.
I just suspended the process with Process Explorer…
and the VirusTotal analysis for cswxl.exe was surprisingly sad…
and, as I expressed, my inability to send malware to Avast through the chest leaves me helpless,
and even if I send the malware through e-mail using 7z, password-protected (even encrypting the names while zipping),
there have been no detections for the malware I sent.
Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 06.21.2007 could be a corrupted executable file
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 Downloader.Agent.KQC
BitDefender 7.2 06.21.2007 Trojan.Peed.Gen
CAT-QuickHeal 9.00 06.21.2007 TrojanDownloader.Agent.uj
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.21.2007 Win32.Agent.uj
eTrust-Vet 30.8.3731 06.21.2007 Win32/Alureon!generic
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 no virus found
Fortinet 2.91.0.0 06.21.2007 Agent.BC!tr.spy
F-Prot 4.3.2.48 06.21.2007 W32/new-malware!Maximus
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Agent.uj
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Agent.uj
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Agent.uj
McAfee 5058 06.21.2007 Spy-Agent.bc
Microsoft 1.2607 06.21.2007 Trojan:Win32/Alureon.A
NOD32v2 2343 06.21.2007 a variant of Win32/Small.FB
Norman 5.80.02 06.21.2007 W32/DNSChanger.CJL
Panda 9.0.0.4 06.21.2007 Trj/Ruins.MB
Sophos 4.18.0 06.21.2007 Mal/Behav-027
Sunbelt 2.2.907.0 06.21.2007 Bloodhound.Packed.7
Symantec 10 06.21.2007 Downloader
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.21.2007 MalwareScope.Trojan.DnsChange.1
VirusBuster 4.3.23:9 06.21.2007
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.DNSChanger.Gen
Gee, I have accumulated a lot of malware which Avast does not detect, but I am helpless ???
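A multi-engine table like the one above is easier to read as a count plus a vote on the family name than engine by engine. The script below is an added example for this thread (not VirusTotal code): it parses rows in the "Engine Version Update Result" layout, treats "no virus found" and a blank result as clean, treats Authentium's "could be a corrupted executable file" as inconclusive, and counts how many engines used each family-name part. The rows are a constructed subset of the results posted above, and the list of generic name parts to ignore is an assumption tuned to the naming seen here.

```python
"""Summarise a VirusTotal-style engine table: how many engines fired and which names they agree on.

Added example for this thread, not VirusTotal code. SAMPLE_VT is a constructed subset of
the rows posted in the thread; GENERIC_PARTS is an ASSUMED list of name parts that carry
no family information.
"""
import re
from collections import Counter

# Engine  Version  MM.DD.YYYY  Result (result may be empty, as for VirusBuster above)
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s*(?P<result>.*)$"
)

# Qualifiers that name a category, not a family. ASSUMED; extend for other vendors' prefixes.
GENERIC_PARTS = {
    "trojan", "trojandownloader", "downloader", "dldr", "tr", "trj", "bds", "mal",
    "win32", "w32", "gen", "generic", "a", "variant", "of", "behav", "spy",
}


def parse_rows(table_text):
    """Yield (engine, result) for each well-formed row; a missing result is returned as ''."""
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("engine"), m.group("result").strip()


def verdict(result):
    """Map an engine's result text to clean / inconclusive / detected."""
    r = result.lower()
    if not r or r == "no virus found":
        return "clean"
    if r.startswith("could be"):   # Authentium: 'could be a corrupted executable file'
        return "inconclusive"
    return "detected"


def family_parts(result):
    """Split 'Trojan-Downloader.Win32.Agent.uj' into the parts that actually name a family."""
    return [p for p in re.split(r"[^a-z0-9]+", result.lower()) if p and p not in GENERIC_PARTS]


def summarise(table_text):
    """Return {'total', 'detected', 'clean', 'inconclusive', 'family_votes'} for the table."""
    counts = Counter()
    votes = Counter()
    for _engine, result in parse_rows(table_text):
        v = verdict(result)
        counts[v] += 1
        if v == "detected":
            votes.update(set(family_parts(result)))   # one vote per engine per name part
    return {"total": sum(counts.values()), **counts, "family_votes": votes}


# Constructed subset of the cswxl.exe results posted above.
SAMPLE_VT = """\
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 06.21.2007 could be a corrupted executable file
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 Downloader.Agent.KQC
CAT-QuickHeal 9.00 06.21.2007 TrojanDownloader.Agent.uj
eTrust-Vet 30.8.3731 06.21.2007 Win32/Alureon!generic
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Agent.uj
Microsoft 1.2607 06.21.2007 Trojan:Win32/Alureon.A
NOD32v2 2343 06.21.2007 a variant of Win32/Small.FB
Norman 5.80.02 06.21.2007 W32/DNSChanger.CJL
VirusBuster 4.3.23:9 06.21.2007
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_VT)
    print(f"{s['detected']}/{s['total']} engines detected, {s['clean']} clean, "
          f"{s.get('inconclusive', 0)} inconclusive")
    for name, n in s["family_votes"].most_common(5):
        print(f"  {n:2} x {name}")
```

The point of the vote is that "Agent.uj", "DNSChanger" and "Alureon" are different vendors' labels for the same sample, so a low detection count with consistent family parts is still a strong signal; a vendor that does not fire on a file other vendors call a downloader is the gap the poster keeps running into.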
@sasin44
Don’t forget to send samples to avast, it may help others.
You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.
Yes, after 4 recent infections I will DropMyRights from now on…
and Dravid, can you help me with this not-able-to-send-samples-to-avast problem?
I downloaded Thunderbird guessing that it is needed to send the samples, but it says POP3 is not enabled for my Gmail account,
so I've got to look into it; I hope I will be able to send samples to avast soon.
And any suggestions on how to stop firefox.exe?
I guess the 2.56 MB file is packed with multiple malware: one of them a rootkit which F-Secure detected, and the other a yet-undetected one which has my Firefox running.
Someone pass it on to avast… God knows how many malware I am infected
with…
Avast mail scanner doesn’t support SSL (Secure Socket Layer) connections and does not scan Gmail as is. But take a look here: http://forum.avast.com/index.php?topic=10428.0 to see how to set up secure email with avast!.
The solution is to pass e-mail in and out unencrypted from your client (Outlook Express, Thunderbird, …) to a proxy program (Stunnel) that does the actual SSL or TLS encryption/decryption of the POP3/SMTP e-mail and communicates directly with the ISP server on the appropriate ports. Download here: http://www.stunnel.org/download/binaries.html
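The layout the reply describes, written out as a stunnel.conf, as an added example for this thread (not from the linked forum topic or from the stunnel project): the mail client speaks plaintext POP3/SMTP to listeners on 127.0.0.1, and stunnel opens the TLS connection to Gmail. The Gmail hostnames and ports are Gmail's published POP3S/SMTPS endpoints; the CAfile path is an assumption, and the verification directives depend on the stunnel version (`verifyChain` and `checkHost` exist on stunnel 5.x; 4.x used `verify = 2` with `CAfile`).

```ini
; stunnel.conf, client mode: local plaintext listeners, TLS to the real mail servers.
; Added example for this thread; the CAfile path and the verification directive
; names are assumptions about the stunnel version in use.
client = yes
debug = 4

; Without a CA bundle stunnel accepts ANY certificate on the far end, which turns
; the proxy into an easy man-in-the-middle target for the same DNS hijack being
; cleaned up in this thread. Point CAfile at a CA bundle and verify the chain.
; (stunnel 5.x: verifyChain = yes and checkHost; stunnel 4.x: verify = 2 instead.)
CAfile = C:\Program Files\stunnel\ca-certs.pem
verifyChain = yes

[gmail-pop3]
accept  = 127.0.0.1:110
connect = pop.gmail.com:995
checkHost = pop.gmail.com

[gmail-smtp]
accept  = 127.0.0.1:25
connect = smtp.gmail.com:465
checkHost = smtp.gmail.com
```

In Thunderbird the incoming server is then 127.0.0.1 on port 110 and the outgoing server 127.0.0.1 on port 25, both with no SSL/TLS selected in the client, since stunnel adds it. Gmail still has to have POP access enabled in its own settings (the "POP3 is not enabled" message above is Gmail's side, not stunnel's), and the avast mail scanner only sees the plaintext leg on the loopback interface.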
The firefox.exe is run by the malware; I am using IExplorer…
I have Mozilla installed on my system but I did not click on it. It's autostarting and running by itself…
and even the browser window is not showing…
and I am 100% sure that the link I gave you has a virus… cos 45 seconds after I clicked the .exe file all these things happened.
OK, one ultimate test: extract the file and try to generate an account for yourself ;D
Just kidding… I am sure it is some kind of super-advanced malware, maybe the first of its kind…
F-Secure BlackLight just found the rootkit… component…
The Firefox you see in my HijackThis log is most likely a dialer.
And can I know which software you use to get snapshots of your window?
See, as I suspected the .exe file is rigged; extract the zip file and scan it.
And note none of the top antivirus softs detect it, so if avast detects it… it’ll be great.
And none of them detected
Hidden file: c:\WINDOWS\system32\cswxl.exe
In the original .exe file it is most likely encrypted in the exe.
STATUS: FINISHED
Complete scanning result of “RapidShare_Premium_Accounts_Gener”, received in VirusTotal at 06.22.2007, 00:41:09 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
AntiVir 7.4.0.34 06.21.2007 BDS/Bifrose.NU
Authentium 4.93.8 06.21.2007 no virus found
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 no virus found
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 Trojan.Pakes-248
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.21.2007 no virus found
eTrust-Vet 30.8.3731 06.21.2007 no virus found
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.22.2007 no virus found
Fortinet 2.91.0.0 06.21.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.20.2007 no virus found
Ikarus T3.1.1.8 06.21.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 06.22.2007 no virus found
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2343 06.21.2007 no virus found
Norman 5.80.02 06.21.2007 no virus found
Panda 9.0.0.4 06.22.2007 no virus found
Sophos 4.18.0 06.21.2007 no virus found
Sunbelt 2.2.907.0 06.21.2007 VIPRE.Suspicious
Symantec 10 06.22.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.21.2007 no virus found
VirusBuster 4.3.23:9 06.21.2007 no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Bifrose.NU
Na… I downloaded the zip file and extracted it and sent it to VirusTotal for analysis…
You can see the results yourself… and this was a link given in one of the forums, so I guess it is deliberate.
So I have to look up info on the Bifrose trojan.
And just a reminder, I am having multiple infections, as the topic reads:
1. the rpcc.dll infection which I knew was there for the past few days
2. the rootkit infection which F-Secure removed, which came from this exe
3. and the current dialer problem; I am still having the process running as firefox.exe
Is this the name of the file you uploaded, ‘RapidShare_Premium_Accounts_Generator.zip’? That would seem very strange to me. A more appropriate name would be suspect-files.zip, etc.
I also doubt ‘RapidShare.com’ was the source of your malware, or did you mean here is the link where I have stored the malware…?
Sorry, I’m totally confused now.
I thought you were talking about the rpcc.dll and cswxl.exe that you did the VirusTotal/Jotti checks on. If that were the case I would be happy to help, but downloading a 2.5 MB file and then sending it by email, whilst on dial-up, is going to take too long.
I don’t know what you have been trying to do, but you shouldn’t need to download anything from RapidShare; just create a free account. When you first try to upload a file it will ask you to create an account. You don’t have to create a premium account: click Browse and select the file you want to upload (like VirusTotal); once selected, click Upload, and at this point you will be asked to create an account.
So there should be absolutely no need to download anything from RapidShare. I didn’t have an account but created one just for the creation steps and uploaded the first image you see below, http://rapidshare.com/files/38609337/b1134.gif.
So the free account is set up and working and no download required.