Help please, I think I'm trojanned!

brew · April 18, 2007, 07:03 PM

Allright, so I'm just looking at some forums and apparently an ad from "adxgate.net" loaded, which uses some kind of exploit for IE6 that apparently downloads and installs "yazzlebundle.exe" and lots of other nasty stuff..... NOD32 just popped up showing I had an infection, but it was too late. It had installed, and infected winlogon.exe, and somehow "mljhfgf.dll" is involved.... this is very nasty and I still can't find a way to get rid of it. Anyone have an idea???

Grok · April 18, 2007, 07:45 PM

For starters,
http://housecall.trendmicro.com/

Removing a trojan can be complicated, but isn't necessarily so. If you're not very familiar with how Windows is built, and how trojans bury themselves, you'll have a hard time with any instructions given.

Best thing you can do is protect the backups you made, make an additional backup of any and all data you need to save, and reformat your drive(s).

This time, reinstall your OS, turn on Automatic Updates for Windows, allow it to download, install, and reboot automatically at say 3:00 a.m. This way you will at least be protected from forgetting to patch known vulnerabilities.

After you've patched your machine, create a non-privileged user which doesn't have install permissions. Always browse the internet from this low privilege account. No matter what page you visit, it'll never have permission to install anything locally.

Live and learn.

brew · April 18, 2007, 08:09 PM

Switching to a low permission account every time one needs to browse the internet seems like a hassle. Also, low privliaged accounts are still able to run executable files, and it would just replace and restart an essential windows process being run as a system task, then would have system privilages (correct me if I'm wrong about that at all). What I should (really) do is just update my insecure Internet Explorer 6.
However I am quite concerned about just how it was able to force my browser to download then run it, before my three (NOD32, AVG, Kaspersky) anti virus programs were able to do anything?

By the way, I don't really think what I got was a "trojan", but instead just adware. And I was able to just log into safe mode and delete those two dlls. Nothing seems to be happening now, and I haven't seen any foriegn addresses/programs when I netstat -abn to check.

Invert · April 18, 2007, 09:08 PM

I found this funny. Can we move it to the Fun forum?

Barabajagal · April 18, 2007, 11:40 PM

I second that...

Use something other than IE. Firefox, Opera, etc. If you can, use Lynx! Text-based browsing is the most secure there is.

disco · April 19, 2007, 12:04 AM

And I found THAT funny. Please do!

Newby · April 19, 2007, 12:24 AM

lol I love you.

rabbit · April 19, 2007, 06:41 AM

<3

LordNevar · April 19, 2007, 10:02 AM

http://usa.kaspersky.com/products_services/internet-security.php

brew · April 19, 2007, 02:27 PM

You're so cute. Hey, why don't you go BROWSE a random internet site and all of a sudden have 30 notifications of an infected file being installed on your computer.

Back on topic:
Does anyone know how to Un-pack a PE32 file with UPX packers? I would love to reverse engineer this, and see if I missed cleaning up anything...

rabbit · April 19, 2007, 04:21 PM

On topic?

Actually, I'm pretty sure he's happy NOT going to some random site and getting spyware.

UserLoser · April 19, 2007, 08:37 PM

Same, I think he's probably trojanned too

MyndFyre · April 20, 2007, 12:43 PM

In general the way that I remove virii from people's computers is to set the Execute - Deny permission on the file, then restart. Then you go about your business of fixing all the shit it's done to your computer.

brew · April 20, 2007, 02:07 PM

Do you think something like "Yazzle" is advanced enough to replace essential system files? (i.e. winlogon, explorer, smss) It injected some dll into winlogon, and attempted to create two registry keys every 1.5 seconds. Stopped when I killed that thread though... and if anything else is infected I always keep backups of them on my external hard drive (I use my own hexed version of explorer.exe & winlogon.exe)
If it was serious, it would have prevented me from going into safe mode (right?) I guess I can call this silly attempt "owned" even though it did exploit IE6, and execute.

Skywing · April 20, 2007, 02:54 PM

No way to know for sure without reverse engineering the particular piece of malware in question. The standard assumption is to assume that everything the malware had access to has been compromised and cannot be trusted. Making assumptions about benign-ness of any given malware is dangerous; if something compromised a process with admin/system privileges, you need to blow away the box and start from scratch (or backups, if you can with certainty trace the starting point of the compromise, though this is typically difficult to be entirely certain about as well).

Help please, I think I'm trojanned!

Barabajagal

UserLoser