Please Tell me how much risk

Hi all,

Recently my computer was only protected by Windows Firewall, no other firewall or virus scanner. For 9 hours I accidentally mounted an encrypted file with TrueCrypt which was accessible, as it showed the file in a fake drive in my Explorer…

When I discovered it I turned it off. My favourite virus scanner Avast ;D found the attached results. However, Kaspersky detected much more.

The encrypted file was highly confidential, so I would like to know how large the chance was that somebody hacked my PC and found the file. At the time the file was mounted, I was running torrents with a lot of connections.

PLEASE can you help me, so I can hopefully sleep a whole lot better!! Is the firewall of Windows sufficient with the updates, and how big is the chance somebody found the file?

THANKX

Being on-line with reduced or no defenses against viruses/malware is highly risky and the time to infection of an unprotected system is counted in minutes rather than hours before infection.

I don’t see any attached results that you mentioned.

Windows Firewall is only half a firewall and doesn’t protect against outbound connections, so any existing malware could potentially have unrestricted access to the internet to either pass information/spam/malware or download more of the same. So I suggest you get a third party firewall; ZoneAlarm Free and Kerio are just two that work well with avast, there are others.

I’m not sure if there is a way of telling if someone found this file and if they were able to get past the encryption unless you had some sort of logging of file access. If by mounted, you mean the file was open and unencrypted, then it is possible. You may consider changing your user names and passwords as a precaution.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster Don’t install this until you are clean.
  4. Ewido Security Suite if using WinXP, or a-squared Free if using Win98/ME.

Thanks David for your reply :wink:

Can you please check the reattached logs? The F: drive is the one where XP is running on, the C: drive is an old hard drive from the previous owner of the PC, so I don’t know how far it’s relevant. The most recent files that were used are printed in bold. But I wonder, how big is the chance some kind of script kiddie scanned my ports and gained access to the file?

I have removed the trojans and installed Kerio Firewall, so I expect that my PC is protected by now. I used Ad-Aware a couple of times before the incident. From now on I only check the encrypted files when I unplug the cable from my PC :'(. The file was mounted as a virtual drive with the name H:, so accessible.

I am very worried about the file because it doesn’t harm me but others.

Thanks in advance!

Avast search
Bestand C:\Documents and Settings\All Users\Documenten\Config\aurora 1.1 -Digital Element.zip Fout 0xC0000022 {Access Denied}
Bestand C:\Documents and Settings\dick\Local Settings\Temp\Del3.tmp is infected door Win32:Astubin [Adw] - removed
Bestand C:\Documents and Settings\dick\Local Settings\Temp\res4.tmp is infected door Win32:Adan-138 [Adw] - removed
Bestand C:\Program Files\Common Files\achrbdnn\abbnefjtht\njcllncfe.exe is infected door Win32:Trojano-324 [Trj] - removed
Bestand C:\Program Files\Common Files\achrbdnn\laencnep\flcnlnaj.exe is infected door Win32:Trojano-324 [Trj] - removed

Kaspersky
C:\Documents and Settings\dick\Local Settings\Temp\Del3.tmp Infected: Trojan-Downloader.Win32.Small.asf
C:\Documents and Settings\dick\Local Settings\Temp\iinstall.exe Infected: Trojan-Downloader.Win32.IstBar.lw

C:\Documents and Settings..\Local Settings\Temporary Internet Files\Content.IE5\CNISP54O\jcplusbloom[1].exe/WISE0020.BIN Infected: Trojan-Downloader.Win32.Agent.er

C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\H6CX01G7\ad72ad[1].js Infected: Trojan-Downloader.JS.Small.af
C:\Documents and SettingsLocal Settings\Temporary Internet Files\Content.IE5\H6CX01G7\jcplusbloom[1].exe/WISE0020.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\M61DLR5J\jcplusbloom[1].exe/WISE0019.BIN Infected: Trojan-Downloader.Win32.Small.akj
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\M61DLR5J\jcplusbloom[1].exe/WISE0020.BIN Infected: Trojan-Downloader.Win32.Agent.er
C:\Documents and Settings\R\Local Settings\Temporary Internet Files\Content.IE5\49S920O8\send_car_int[1].htm Infected: Exploit.HTML.CodeBaseExec
C:\Documents and Settings\R\My Documents\Incomplete\T-872159-Lord of War (2005).zip/Setup.exe Infected: Email-Worm.Win32.VB.an
C:\Documents and Settings\R\My Documents\Incomplete\T-872159-Lord of War (2005).zip Infected: Email-Worm.Win32.VB.an
C:\Mijn documenten\muziek\09.zip/Ogg-Mp3 Plugin.exe/stream/data0006 Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\09.zip/Ogg-Mp3 Plugin.exe/stream Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\09.zip/Ogg-Mp3 Plugin.exe Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\09.zip Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\10.zip/Ogg License(ACCEPT TERMS OF USE FIRST!).exe/stream/data0006 Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\10.zip/Ogg License(ACCEPT TERMS OF USE FIRST!).exe/stream Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\10.zip/Ogg License(ACCEPT TERMS OF USE FIRST!).exe Infected: Trojan-Downloader.Win32.IstBar.ns
C:\Mijn documenten\muziek\10.zip Infected: Trojan-Downloader.Win32.IstBar.ns
C:\RECYCLER\S-1-5-21-1202660629-789336058-682003330-1003\Dc14.dbx/[From “Ruiter” ruiter401@zonnet.nl][Date Wed, 21 Sep 2005 09:04:06 +0100]/UNNAMED/new__price.zip/07.exe Infected: Email-Worm.Win32.Bagle.dv
C:\RECYCLER\S-1-5-21-1202660629-789336058-682003330-1003\Dc14.dbx/[From “Ruiter” ruiter401@zonnet.nl][Date Wed, 21 Sep 2005 09:04:06 +0100]/UNNAMED/new__price.zip Infected: Email-Worm.Win32.Bagle.dv
C:\RECYCLER\S-1-5-21-1202660629-789336058-682003330-1003\Dc14.dbx/[From “Ruiter” ruiter401@zonnet.nl][Date Wed, 21 Sep 2005 09:04:06 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.dv
C:\RECYCLER\S-1-5-21-1202660629-789336058-682003330-1003\Dc14.dbx Infected: Email-Worm.Win32.Bagle.dv
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008658.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008659.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008660.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008661.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008662.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008663.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008668.exe Infected: Trojan-Downloader.Win32.Swizzor.bz
C:\WINDOWS\install.exe Infected: Trojan-Clicker.Win32.VB.kq
F:\Documents and Settings\RvL\Desktop\Nero 7.0.12 eng Full Version + Crack.rar/install.exe Infected: Trojan-Clicker.Win32.VB.kq
F:\Documents and Settings\RvL\Local Settings\Temporary Internet Files\Content.IE5\0TEZ0PMB\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
F:\Documents and Settings\RvL\Local Settings\Temporary Internet Files\Content.IE5\4LMZ4DEV\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
F:\Documents and Settings\RvL\Local Settings\Temporary Internet Files\Content.IE5\WHAB89QN\cracks.spb[1].htm Infected: Trojan-Downloader.JS.IstBar.t

Well the aswBoot.txt file just shows what was removed, and I assume that it no longer exists in those locations. It also shows one file for which access was denied; that may well have a valid reason if you installed Aurora 1.1 and the settings are being protected?

Many of the others are in temporary locations. Generally it is best to clear all temporary locations periodically, and preferably before a virus scan; there is not much point leaving them there and scanning them if they are later to be removed. Here are a couple of programs that help with clearing temp files: ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

The Temporary Internet Files and Recycler (your recycle bin) can be cleared. The C:\System Volume Information\ folder is part of the system restore function, and it is often difficult for AVs to deal with infected _Restore points. If in the future you did a system restore you could reinfect the system if they weren’t removed, and the only way to be completely sure is to disable system restore and reboot.

This IstBar removal tool should also help.
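As an added example (not code from this thread, and not from Avast, Kaspersky or any of the tools named here): a small Python script that parses scan report lines in the two shapes posted above and sorts each detection into the location classes discussed in this reply, so it is visible at a glance which hits are dead files in temp folders, browser cache, the recycle bin or System Restore points, and which sit in Program Files or the Windows folder and so were active components. The sample lines are copied from the logs above; the location labels, the regular expressions and the cleanup notes are this example's own assumptions, not output of either scanner.

```python
"""Classify AV scan report lines by where on disk each detection sits.

Added example for this thread. It understands two line shapes seen above:
Avast (Dutch locale):  Bestand <path> is infected door <name> [Cat] - removed
                       Bestand <path> Fout 0x... {Access Denied}
Kaspersky:             <path> Infected: <name>
It is not code from either product; the location classes are this example's own.
"""
import re
from collections import Counter

AVAST_HIT_RE = re.compile(
    r"^Bestand (?P<path>[A-Za-z]:\\.+?) is infected door (?P<name>\S+) "
    r"\[(?P<category>\w+)\](?: - (?P<action>\w+))?\s*$"
)
AVAST_ERR_RE = re.compile(
    r"^Bestand (?P<path>[A-Za-z]:\\.+?) Fout (?P<code>0x[0-9A-Fa-f]+) \{(?P<message>[^}]*)\}\s*$"
)
# Kaspersky separates members inside archives/mailboxes with '/', e.g. outer.zip/inner.exe.
KASPERSKY_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<name>\S+)\s*$")

# Assumed location classes; the first matching rule wins, so specific folders come first.
LOCATION_RULES = [
    ("system restore point", re.compile(r"\\System Volume Information", re.I)),
    ("recycle bin", re.compile(r"\\RECYCLER\\", re.I)),
    ("browser cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("temp folder", re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("program files", re.compile(r"\\Program Files\\", re.I)),
    ("windows folder", re.compile(r"^[A-Za-z]:\\WINDOWS\\", re.I)),
]

# Follows the advice given in this thread; the wording is the example's own.
CLEANUP_NOTES = {
    "temp folder": "clear temp folders, then re-scan",
    "browser cache": "clear Temporary Internet Files, then re-scan",
    "recycle bin": "empty the recycle bin",
    "system restore point": "disable System Restore and reboot so infected restore points are purged",
    "program files": "active component: confirm it was removed and re-scan",
    "windows folder": "active component: confirm it was removed and re-scan",
    "other": "user files or downloads: review by hand",
}


def parse_line(line):
    """Return a dict describing one report line, or None for a line in neither format."""
    m = AVAST_ERR_RE.match(line)
    if m:
        return {"kind": "error", "scanner": "avast", "path": m["path"],
                "detail": f"{m['code']} {m['message']}"}
    m = AVAST_HIT_RE.match(line)
    if m:
        return {"kind": "detection", "scanner": "avast", "path": m["path"],
                "name": m["name"], "action": m["action"] or "reported"}
    m = KASPERSKY_HIT_RE.match(line)
    if m:
        return {"kind": "detection", "scanner": "kaspersky", "path": m["path"],
                "name": m["name"], "action": "reported"}
    return None


def classify_location(path):
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "other"


def container_of(path):
    """Outermost file on disk for a Kaspersky 'outer.zip/inner.exe' style path."""
    return path.split("/", 1)[0]


def summarize(lines):
    records = [r for r in map(parse_line, lines) if r]
    hits = [r for r in records if r["kind"] == "detection"]
    return {
        "detections": len(hits),
        "errors": sum(1 for r in records if r["kind"] == "error"),
        "unique_paths": len({r["path"] for r in hits}),
        "in_archives": sum(1 for r in hits if "/" in r["path"]),
        "by_location": Counter(classify_location(r["path"]) for r in hits),
    }


def report(lines):
    s = summarize(lines)
    out = [f"{s['detections']} detections on {s['unique_paths']} distinct paths, "
           f"{s['in_archives']} inside archives, {s['errors']} objects not scanned"]
    for label, n in s["by_location"].most_common():
        out.append(f"  {n:2d}  {label:<22} {CLEANUP_NOTES[label]}")
    return "\n".join(out)


# Constructed sample: a handful of lines copied from the two reports posted above.
SAMPLE_LOG = r"""
Bestand C:\Documents and Settings\All Users\Documenten\Config\aurora 1.1 -Digital Element.zip Fout 0xC0000022 {Access Denied}
Bestand C:\Documents and Settings\dick\Local Settings\Temp\Del3.tmp is infected door Win32:Astubin [Adw] - removed
Bestand C:\Program Files\Common Files\achrbdnn\abbnefjtht\njcllncfe.exe is infected door Win32:Trojano-324 [Trj] - removed
C:\Documents and Settings\dick\Local Settings\Temp\Del3.tmp Infected: Trojan-Downloader.Win32.Small.asf
C:\Documents and Settings\R\Local Settings\Temporary Internet Files\Content.IE5\49S920O8\send_car_int[1].htm Infected: Exploit.HTML.CodeBaseExec
C:\Mijn documenten\muziek\09.zip/Ogg-Mp3 Plugin.exe Infected: Trojan-Downloader.Win32.IstBar.ns
C:\RECYCLER\S-1-5-21-1202660629-789336058-682003330-1003\Dc14.dbx Infected: Email-Worm.Win32.Bagle.dv
C:\System Volume Information\_restore{8CFC2DB7-2D14-4A6F-80FC-D5546038856D}\RP34\A0008658.exe Infected: Trojan-Downloader.Win32.Swizzor.cn
C:\WINDOWS\install.exe Infected: Trojan-Clicker.Win32.VB.kq
""".strip().splitlines()

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on a saved report (one line per detection) and the summary line plus the per-location table comes out; the same Temp\Del3.tmp reported by both scanners is counted once under "distinct paths", and the Aurora zip that Avast could not open is listed as an object not scanned rather than as a detection.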

Thanks for your tech support…

Is there a big chance they used these trojans to access files on my computer? Then there would be a backdoor detected by Kaspersky, right?

You’re welcome, I’m just another avast user just like yourself.

Again I can’t say if these backdoors or any other trojan had access to the file/s without some form of log. I’m sorry I can’t reassure you further; there is simply no way of telling for certain. It would also depend on what the purpose of the trojan was.

What you have to do is go forward with what you have and improve your security.

Using a combined detection approach of avast, Ewido or a-squared, an on-line scan by Kaspersky and the other anti-spyware tools I suggested, if you are reported clear then you are likely to be in a clean state.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR HiJackThis Log file - On-line Analysis 2