Trojan Horse Poebot-L

The infection happened when I was installing Look'n stop Lite FW. The installation was not successful, as a Microsoft pop-up appeared with a message that the FW will (possibly) not work because the product is not signed by Microsoft, or something like that. After that this Trojan Horse Win32:Poebot-L started to show up (about 13 times) and I put it in the chest. Now I am not sure: do I delete this from the chest or leave the files there??
OS W2000
FW Zone free
Scanned with Ad-Aware SE: nothing found
Scanned with EWIDO Micro scanner: found "paradrop" (I am not sure about the name), but I did not succeed in deleting it; an error pop-up showed and the system was rebooted, and after that I scanned two times with Ewido, which did not find the same infection again.
Avast free: not scanned yet

The error message that I received while scanning with ewido was an error connected with this file "scvhost.exe", saying that it must be shut down. I did some Google searching and found this for ParaDrop:

W32/ParaDrop-A is a multi-component network worm.

W32/ParaDrop-A drops two files to the Windows system folder, scvhost.exe and iexplore.exe. Scvhost.exe is a member of the W32/Agobot family of worms and iexplore.exe is a member of the W32/Poebot family of network worms, and it is this latter file that spreads W32/ParaDrop-A to network shares with weak passwords and via network security exploits.
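Added here as an example, not part of the thread: a small Python checker that reads the "Running processes" section of a HijackThis log (format as posted later in this thread) and flags the two file names the Sophos description above attributes to W32/ParaDrop-A when they sit in the Windows system folder, plus anagram look-alikes of the legitimate svchost.exe. The sample log is constructed for the demo; real HijackThis logs list one full process path per line.

```python
from pathlib import PureWindowsPath

# File names the Sophos description says W32/ParaDrop-A drops into the
# Windows system folder. scvhost.exe is a look-alike of svchost.exe, and a
# real iexplore.exe lives under Program Files, not under WINNT\System32.
PARADROP_DROPS = {"scvhost.exe", "iexplore.exe"}
LEGIT_NAMES = {"svchost.exe"}
SYSTEM_DIRS = {"system32", "system"}


def is_system_folder(path):
    """True if any directory component is a Windows system folder."""
    return any(part.lower() in SYSTEM_DIRS for part in path.parts[:-1])


def flag_process(line):
    """Return a reason string if a process path looks suspicious, else None."""
    path = PureWindowsPath(line.strip())
    name = path.name.lower()
    if name in PARADROP_DROPS and is_system_folder(path):
        return f"{name} in system folder matches W32/ParaDrop-A dropped file"
    # Same letters as a legitimate name but a different order (scvhost/svchost).
    for legit in LEGIT_NAMES:
        if name != legit and sorted(name) == sorted(legit):
            return f"{name} is a look-alike of {legit}"
    return None


def parse_running_processes(log):
    """Return the process paths listed between 'Running processes:' and the next blank line."""
    paths, in_section = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def scan_hjt_log(log):
    """Return [(path, reason)] for every flagged process in the log."""
    hits = []
    for path in parse_running_processes(log):
        reason = flag_process(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample: clean lines plus two that mimic the ParaDrop-A drops.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\System32\scvhost.exe
E:\WINNT\system32\iexplore.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe

O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for path, reason in scan_hjt_log(SAMPLE_LOG):
        print(f"{path}: {reason}")
```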

Hi Snowwhite,

This is the technical info on this worm:
http://www.sophos.com/security/analyses/w32paradropa.html

polonus

Oooops... the icons of avast! vanished :cry: I just noticed this. What is happening??? :-\

Thanks polonus, I read that info and also some other information. I don't understand why my avast! icons disappeared, and also why ewido can't detect the "ParaDrop" as it detected it the first time and I did not delete it. Avast only detected the "Poebot-L". I am not sure what to do now...

Edit:
Software\Avast4\ashWebSv.exe" /service (file missing)
Software\Avast4\ashMaiSv.exe" /service (file missing)

I take it the edit in your post relates to HijackThis?

If so, ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the "file missing" entry for avast). If they were truly missing then neither the web shield nor the email scanner would be working.

Hi David, you are right, these are from HijackThis. The avast! scan of drive E: just finished and again it detected the Poebot, which I put in the chest again. I did reboot and the icons of avast are back and working, but now the Ewido Micro scanner is not working. So I will try something else now and try to make ewido work... I don't have many ideas how to deal with this... So thanks for any help provided.
I am not sure whether I have to start deleting the files in the chest, or do a different scan now?? So far I did scan drive E with avast using a Thorough scan with archive files.

OK, I scanned with ewido; it found 3 infections this time and I deleted them.

You are getting a lot of stuff in the system folders, and it needs permissions to do that.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

The problem is getting to a clean state for this to take effect: with a backdoor on your system it can bypass your firewall and security, and because you are using an account with administrator rights, the malware already on your system inherits this too. So initially DropMyRights might not appear to be working, as the infection isn't coming in through your browser or email, etc.; it already exists on your system.

Since you have run HJT, run it again after your ewido scan and post the contents of the saved log file here.

OK, I was just doing a HijackThis scan and read about it on Eddy's site; the difference is that now I don't see the "Performance32..." Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:41:39 AM, on 9/2/2006
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\MSTask.exe
E:\WINNT\system32\ZoneLabs\vsmon.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\WINNT\System32\internat.exe
D:\cd\transparent42\TransparentW.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Alwil Software\Avast4\ashSimpl.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\temp\Rar$EX04.t00\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - Startup: TransparentW.lnk = D:\cd\transparent42\TransparentW.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINNT\system32\ZoneLabs\vsmon.exe

I see also that I forgot to update IE since the last time, but that's because something bad happened two weeks ago and I totally forgot to do this :cry:

David, when I click on the link in your signature it's not opening; this is the message that it's showing:

Server not found
Firefox can't find the server at snipurl.com.
* Check the address for typing errors such as ww.example.com instead of www.example.com
* If you are unable to load any pages, check your computer's network connection.
* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I tried this a few times, and it's strange because a while ago I was checking that link and I know that it is from this forum.

That is a very short HJT log, the shortest I've seen, and I thought mine was short.

There doesn't appear to be anything in your log now other than your browser being way out of date. That could be the root cause of your problems, as there will be many vulnerabilities in that version which are being exploited and have long since been patched. If you absolutely can't get IE6 SP1 (as you can't get IE6 SP2 without winXP SP2 installed) then I recommend you stop using IE and use a more secure browser, Firefox or Opera.

The link redirect is working for me; try right-clicking and selecting "open in a new tab". If you can't get it to work, here is the forum link http://forum.avast.com/index.php?topic=7204.msg128315#msg128315. I think you can see why I used the snipurl.com link which redirects to the above forum link: it doesn't take up as much space in the limited signature string.

David, I don't use the IE browser; I use Mozilla Firefox, and in the past I also used Opera and Avant Browser, but Firefox is the one that I use as the "main" one.
About the link, I opened it and I will read the post now :wink: Thanks

By the way, try tinyurl if you haven't already :wink:
http://tinyurl.com/
Here is one tiny for your link: http://tinyurl.com/r8vcd :slight_smile:

:slight_smile: Hi Snow:

Things seem to be getting serious and I recommend you ask some malware experts that are also expert in reading HijackThis logs. First off, the HijackThis program should NEVER be in a "temporary folder", and I wonder why all your programs are running on the "E" drive when the usual is the "C" drive!? And when posting a HJT log in a forum, it should be after running it in "normal" mode (NOT "Safe Mode") if at all possible. Since you have mentioned Ad-Aware, I recommend the Ad-Aware oriented Support Forums @ www.landzdown.com.

Hi Spiritsongs,

"First off, the Hijackthis program should NEVER be in a "temporary folder""

I was a little in panic, so I just downloaded HijackThis and ran it from temp.

"and I wonder why all your programs are running in "E" Drive when the usual is "C" Drive !?"

OK, don't laugh about this... I share the computer with my brother, so we split the computer in two pieces ;D So I have the "E" drive and one part of the "D" drive :-X My brother doesn't want to use antivirus (why do you need something that is only slowing your comp?!?) or other security programs; he has only one old firewall, TPF (which is not slowing the CPU). So I don't want to fight with him and this was the only solution. By the way, I always clean his parts of the CPU ;D

"And when posting a HJT log in a forum, it should be after running it in "normal" mode"

But this log was made after running in normal mode.

"I recommend the Ad-Aware oriented Support Forums @ www.landzdown.com ."

Thanks :) see you there!!!

:slight_smile: Hi "Snow":

I see you have "registered" at landzdown, but see no posts!? Now that you have directly mentioned that there are at least 2 users on this computer, who is the "Administrator" and who has the "limited account"?

Hi "Spirit"

"I see you have "registered" at landzdown, but see no posts !?"

I will post a new HijackThis log today. :slight_smile:

"who is the "Administrator" and who has the "limited account" ?"

This is what I have in front of me:
Pentium MMX CPU at 200 MHz :slight_smile:
OS W2000 - I use this OS
OS W98 - he uses this OS
The "Administrator" accounts are with no limitations; there is no account with limited rights...