Help please, I think I'm trojanned!

Started by brew, April 18, 2007, 07:03 PM

brew

Alright, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea???
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Grok

For starters,
http://housecall.trendmicro.com/

Removing a trojan can be complicated, but isn't necessarily so.  If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given.

Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s).

This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m.  This way you will at least be protected from forgetting to patch known vulnerabilities.

After you've patched your machine, create a non-privileged user which doesn't have install permissions.  Always browse the internet from this low privilege account.  No matter what page you visit, it'll never have permission to install anything locally.

Live and learn.

brew

Quote from: Grok on April 18, 2007, 07:45 PM
For starters,
http://housecall.trendmicro.com/

Removing a trojan can be complicated, but isn't necessarily so.  If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given.

Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s).

This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m.  This way you will at least be protected from forgetting to patch known vulnerabilities.

After you've patched your machine, create a non-privileged user which doesn't have install permissions.  Always browse the internet from this low privilege account.  No matter what page you visit, it'll never have permission to install anything locally.

Live and learn.

Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privileged accounts are still able to run executable files, and it would just replace and restart an essential Windows process being run as a system task, then would have system privileges (correct me if I'm wrong about that at all). What I should (really) do is just update my insecure Internet Explorer 6.
However I am quite concerned about just how it was able to force my browser to download then run it, before my three (NOD32, AVG, Kaspersky) antivirus programs were able to do anything?

By the way, I don't really think what I got was a "trojan", but instead just adware. And I was able to just log into safe mode and delete those two dlls. Nothing seems to be happening now, and I haven't seen any foreign addresses/programs when I netstat -abn to check.
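The netstat -abn check brew describes can be scripted so that nothing is missed by eye. This is an added example (Python, not code from this thread): it parses output in the layout Windows XP's netstat -abn prints (a connection line followed by the owning executable in brackets; the sample here is constructed, with TEST-NET addresses standing in for real peers) and lists established TCP connections to addresses outside the loopback and private ranges, together with the process that owns them.

```python
import ipaddress

# Constructed sample in the layout XP's "netstat -abn" prints: one connection
# line, then the owning executable on the next line in brackets.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  [svchost.exe]
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  [nod32krn.exe]
  TCP    192.168.1.5:1042       203.0.113.7:80         ESTABLISHED
  [iexplore.exe]
  TCP    192.168.1.5:1050       198.51.100.23:6667     ESTABLISHED
  [yazzlebundle.exe]
  UDP    192.168.1.5:137        *:*
  [System]
"""

# Explicit list so that the TEST-NET documentation ranges used in the sample
# count as "foreign" (ipaddress.is_private would treat them as non-global).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def parse_netstat(text):
    """Return (proto, local, foreign, state, exe) tuples from netstat -abn output."""
    entries, pending = [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("TCP", "UDP"):
            pending = [tok[0], tok[1], tok[2], tok[3] if len(tok) > 3 else "", None]
            entries.append(pending)
        elif tok[0].startswith("[") and pending is not None:
            pending[4] = tok[0].strip("[]")   # attach the owning executable
    return [tuple(e) for e in entries]

def foreign_connections(text):
    """Established TCP connections whose peer is outside the local ranges."""
    hits = []
    for proto, local, foreign, state, exe in parse_netstat(text):
        host, _, port = foreign.rpartition(":")
        if proto == "TCP" and state == "ESTABLISHED" and not is_local(host):
            hits.append((exe, host, int(port)))
    return hits
```

Any hit whose executable you do not recognise, or whose peer port you cannot explain, is what to investigate next.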

Invert

I found this funny. Can we move it to the Fun forum?

Barabajagal

Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?
I second that...

Use something other than IE. Firefox, Opera, etc. If you can, use Lynx! Text-based browsing is the most secure there is.

disco

Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?

And I found THAT funny.  Please do!
Say it with me:


Newby

Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?

lol I love you.
- Newby

Quote[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote<TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

rabbit

Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.

LordNevar


A good fortune may forbode a bad luck, which may in turn disguise a good fortune.
The greatest trick the Devil ever pulled, was convincing the world he didn't exist.

brew

Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?

You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer.

Back on topic:
Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything...
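Before trying to unpack anything, it helps to confirm the file is UPX-packed at all; an unmodified UPX-packed file can be restored with UPX's own `upx -d`. This is an added example (Python, not code from this thread): a minimal PE section-table walker that reports the UPX0/UPX1 section names and the "UPX!" marker UPX stores in packed files, run here against a constructed header rather than a real sample.

```python
import struct

def build_sample_pe(names):
    """Constructed minimal PE32 image (not a real binary): MZ stub, PE signature,
    COFF header, zero-filled PE32 optional header, one 40-byte header per section."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    size_opt = 0xE0                                   # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)   # 0x10B = PE32 magic
    sections = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + opt + sections

def section_names(data):
    """Walk the MZ/PE headers and return the names in the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    size_opt, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + size_opt                            # section table follows the headers
    names = []
    for i in range(nsec):
        raw = data[table + i * 40: table + i * 40 + 8]      # first 8 bytes of each entry
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def upx_indicators(data):
    """Triage findings that suggest a UPX-packed PE."""
    findings = []
    upx_secs = [n for n in section_names(data) if n.upper().startswith("UPX")]
    if upx_secs:
        findings.append("sections " + ", ".join(upx_secs))
    if b"UPX!" in data:
        findings.append("UPX! marker present")
    return findings

if __name__ == "__main__":
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    print(section_names(sample), upx_indicators(sample))
```

Renamed sections or a stripped marker mean the file was modified after packing, and `upx -d` will refuse it; that is the point at which manual unpacking in a debugger starts.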

rabbit

Quote from: brew on April 18, 2007, 07:03 PM
Alright, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea???

Quote from: brew on April 19, 2007, 02:27 PM
Back on topic:
Does anyone know how to Un-pack a PE32 file with UPX packers?
On topic?

Quote from: brew on April 19, 2007, 02:27 PM
You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer.
Actually, I'm pretty sure he's happy NOT going to some random site and getting spyware.

UserLoser

Quote from: Invert on April 18, 2007, 09:08 PM
I found this funny. Can we move it to the Fun forum?

Same, I think he's probably trojanned too

MyndFyre

In general the way that I remove virii from people's computers is to set the Execute - Deny permission on the file, then restart.  Then you go about your business of fixing all the shit it's done to your computer.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

brew

Do you think something like "Yazzle" is advanced enough to replace essential system files? (i.e. winlogon, explorer, smss) It injected some dll into winlogon, and attempted to create two registry keys every 1.5 seconds. Stopped when I killed that thread though... and if anything else is infected I always keep backups of them on my external hard drive (I use my own hexed version of explorer.exe & winlogon.exe)
If it was serious, it would have prevented me from going into safe mode (right?) I guess I can call this silly attempt "owned" even though it did exploit IE6, and execute.

Skywing

No way to know for sure without reverse engineering the particular piece of malware in question.  The standard assumption is to assume that everything the malware had access to has been compromised and cannot be trusted.  Making assumptions about benign-ness of any given malware is dangerous; if something compromised a process with admin/system privileges, you need to blow away the box and start from scratch (or backups, if you can with certainty trace the starting point of the compromise, though this is typically difficult to be entirely certain about as well).