Author Topic: infected by some rootkit???  (Read 4455 times)


sasin44

  • Guest
infected by some rootkit???
« on: June 10, 2007, 12:41:22 AM »
Just as I logged out of avast I was a victim of another trojan attack, and avast does not detect this either...
It was this warez download; I scanned it with avast and there was no detection, but I missed scanning it with AVG, which detected this file later.
It was a keygen, but when I clicked on it, it asked me for the directory to which I needed to install...
I thought the morons have named a PATCH as a keygen and continued... 30 seconds later my system went haywire....

6/9/2007 10:52:11 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file. 
6/9/2007 10:52:32 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file. 
6/9/2007 10:52:41 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\UQIDXL4E\ybxuerbc[1].htm" file. 
6/9/2007 10:52:44 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file. 
6/9/2007 10:52:48 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file. 
6/9/2007 10:53:18 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file. 
6/9/2007 10:53:22 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\UQIDXL4E\ybxuerbc[1].htm" file. 
6/9/2007 10:53:24 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file. 
6/9/2007 10:53:29 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file. 
6/9/2007 10:53:32 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file. 
6/9/2007 10:53:48 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file. 
6/9/2007 10:54:08 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file. 
6/9/2007 10:54:12 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file. 
6/9/2007 10:54:16 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file. 
6/9/2007 10:54:47 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file. 
6/10/2007 3:21:46 AM   sasin   1372   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.

So I unhooked my net connection and scanned my system with AVG, found some stuff and removed it.
When I scanned keygen.exe with AVG, here is what I got:
Downloader.loadadv AND adware.virtumonde!
But the problem is, when I was getting these warnings, and even after I unhooked my system from the net, I brought up my Task Manager and Process Explorer, but I never found any other process running other than the usual ones!
Is it some kind of rootkit?
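As an added example (not part of the original post), here is a small Python script that parses avast on-access log lines in the format shown above and groups the hits per on-disk file, so that the same file being detected again and again within seconds, or reported as "<file>\[UPX]" because the signature fired on the unpacked content, shows up as one repeatedly re-hit file rather than a stream of separate alerts. The sample lines are the ones from the log above; the `normalize`-by-stripping-the-packer-suffix step and the three-hit threshold for flagging a file as still active are my own choices, not anything avast defines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Input copied from the avast log in the post above (same format, no other data).
SAMPLE_LOG = r"""
6/9/2007 10:52:11 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file.
6/9/2007 10:52:32 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file.
6/9/2007 10:52:41 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\UQIDXL4E\ybxuerbc[1].htm" file.
6/9/2007 10:52:44 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file.
6/9/2007 10:52:48 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file.
6/9/2007 10:53:18 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file.
6/9/2007 10:53:22 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\UQIDXL4E\ybxuerbc[1].htm" file.
6/9/2007 10:53:24 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file.
6/9/2007 10:53:29 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\Documents and Settings\sasin\Local Settings\Temporary Internet Files\Content.IE5\10X9V5HN\ybxuerbc[1].htm" file.
6/9/2007 10:53:32 PM   SYSTEM   1560   Sign of "Win32:Small-EKD [Trj]" has been found in "C:\llmbv.exe" file.
6/9/2007 10:53:48 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
6/9/2007 10:54:08 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
6/9/2007 10:54:12 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
6/9/2007 10:54:16 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
6/9/2007 10:54:47 PM   SYSTEM   1560   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
6/10/2007 3:21:46 AM   sasin   1372   Sign of "Win32:Agent-HHN [Trj]" has been found in "C:\imww.exe\[UPX]" file.
"""

# One avast log line: timestamp, account, PID, signature name, path.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.?\s*$'
)
# avast appends "\[UPX]" (or another packer/archive member name) when the
# signature matched unpacked content; strip it so hits map to the file on disk.
MEMBER_RE = re.compile(r'\\\[[^\]\\]+\]$')

# Assumed threshold (mine): three or more hits on one file means something is
# still re-creating or re-executing it, i.e. the infection is live.
ACTIVE_HITS = 3


def parse_log(lines):
    """Parse avast log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            'ts': datetime.strptime(m['ts'], '%m/%d/%Y %I:%M:%S %p'),
            'user': m['user'],
            'pid': int(m['pid']),
            'sig': m['sig'],
            'path': MEMBER_RE.sub('', m['path']),
            'packed': bool(MEMBER_RE.search(m['path'])),
        })
    return events


def summarize(lines):
    """Group hits per on-disk file: count, signatures, accounts, time span, active flag."""
    by_path = defaultdict(list)
    for ev in parse_log(lines):
        by_path[ev['path']].append(ev)
    summary = {}
    for path, evs in by_path.items():
        evs.sort(key=lambda e: e['ts'])
        summary[path] = {
            'hits': len(evs),
            'signatures': sorted({e['sig'] for e in evs}),
            'users': sorted({e['user'] for e in evs}),
            'packed': any(e['packed'] for e in evs),
            'first': evs[0]['ts'],
            'last': evs[-1]['ts'],
            'span_seconds': (evs[-1]['ts'] - evs[0]['ts']).total_seconds(),
            'active': len(evs) >= ACTIVE_HITS,
        }
    return summary


def report(lines):
    """Print one line per file, earliest first, flagging files that keep getting hit."""
    for path, s in sorted(summarize(lines).items(), key=lambda kv: kv[1]['first']):
        flag = 'ACTIVE' if s['active'] else '      '
        print(f"{flag} {s['hits']:2d} hits over {s['span_seconds']:6.0f}s "
              f"[{','.join(s['users'])}] {path}  ({'; '.join(s['signatures'])})")


if __name__ == '__main__':
    report(SAMPLE_LOG.splitlines())
```

Run stand-alone it prints four lines, one per file: the two Content.IE5 copies of ybxuerbc[1].htm (the same cached download fetched into two cache folders), C:\llmbv.exe hit five times in sixty seconds, and C:\imww.exe hit six times, the last one under the user's own account hours later, which is the kind of pattern the process list alone does not make visible.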

sasin44

  • Guest
infected by some rootkit???
« Reply #1 on: June 10, 2007, 12:51:15 AM »
Here are the VirusTotal results:
Complete scanning result of "keygen.exe", received in VirusTotal at 06.10.2007, 00:17:33 (CET).

Antivirus          Version         Update      Result
AhnLab-V3          2007.5.9.0      05.09.2007  no virus found
AntiVir            7.4.0.32        06.09.2007  DR/Dldr.LoadAdv.153433
Authentium         4.93.8          05.23.2007  W32/Downloader2.DEJ
Avast              4.7.997.0       06.09.2007  no virus found
AVG                7.5.0.467       05.08.2007  no virus found
BitDefender        7.2             06.09.2007  Trojan.Downloader.LoadAdv.B
CAT-QuickHeal      9.00            06.09.2007  no virus found
ClamAV             devel-20070416  05.09.2007  no virus found
DrWeb              4.33            06.09.2007  Trojan.DownLoader.22411
eSafe              7.0.15.0        05.08.2007  no virus found
eTrust-Vet         30.7.3707       06.09.2007  no virus found
FileAdvisor        1               06.10.2007  no virus found
Fortinet           2.85.0.0        06.09.2007  W32/Dldadv!tr.dldr
F-Prot             4.3.2.48        05.08.2007  no virus found
F-Secure           6.70.13030.0    05.09.2007  no virus found
Ikarus             T3.1.1.7        05.09.2007  Backdoor.Win32.Prorat.19.i
Kaspersky          4.0.2.24        06.10.2007  Trojan-Downloader.Win32.LoadAdv.gen
McAfee             5049            06.08.2007  Downloader-AWM.gen
Microsoft          1.2503          06.09.2007  no virus found
NOD32v2            2320            06.09.2007  Win32/TrojanDownloader.Small.NUS
Norman             5.80.02         06.08.2007  DLoader.CWDF
Panda              9.0.0.4         06.09.2007  Adware/CWS.LoadAdv
Prevx1             V2              06.10.2007  Prevx.Safeguard
Sophos             4.18.0          06.01.2007  Troj/Dldadv-Fam
Sunbelt            2.2.907.0       05.05.2007  VIPRE.Suspicious
Symantec           10              05.09.2007  no virus found
TheHacker          6.1.6.131       06.08.2007  no virus found
VBA32              3.12.0          06.07.2007  BackDoor.Huai
VirusBuster        4.3.23:9        06.09.2007  Trojan.DL.Loadadv.Gen
Webwasher-Gateway  6.0.1           05.09.2007  Trojan.Crypt.XPACK.Gen

And now everything is fine, but I think I may be infected with a rootkit since the process did not show up...
I scanned my system with RootkitRevealer and did not find anything unusual except
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg   5/22/2007 6:00 AM   0 bytes   Access is denied.
So what should I do now?
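As an added example (not part of the original post), the following Python script reads a VirusTotal result table in the plain four-column layout shown above and turns it into the three things worth knowing when triaging such a report: how many engines flagged the file, which family name the vendors agree on once their differing naming prefixes are stripped, and which of the "no virus found" verdicts came from engines whose signatures were already weeks old on the scan date and therefore say little. The table is the one from the post; the list of generic name tokens, the seven-day staleness cut-off and the scan date passed in are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Input copied from the VirusTotal result table in the post above.
VT_RESULTS = """
Antivirus          Version         Update      Result
AhnLab-V3          2007.5.9.0      05.09.2007  no virus found
AntiVir            7.4.0.32        06.09.2007  DR/Dldr.LoadAdv.153433
Authentium         4.93.8          05.23.2007  W32/Downloader2.DEJ
Avast              4.7.997.0       06.09.2007  no virus found
AVG                7.5.0.467       05.08.2007  no virus found
BitDefender        7.2             06.09.2007  Trojan.Downloader.LoadAdv.B
CAT-QuickHeal      9.00            06.09.2007  no virus found
ClamAV             devel-20070416  05.09.2007  no virus found
DrWeb              4.33            06.09.2007  Trojan.DownLoader.22411
eSafe              7.0.15.0        05.08.2007  no virus found
eTrust-Vet         30.7.3707       06.09.2007  no virus found
FileAdvisor        1               06.10.2007  no virus found
Fortinet           2.85.0.0        06.09.2007  W32/Dldadv!tr.dldr
F-Prot             4.3.2.48        05.08.2007  no virus found
F-Secure           6.70.13030.0    05.09.2007  no virus found
Ikarus             T3.1.1.7        05.09.2007  Backdoor.Win32.Prorat.19.i
Kaspersky          4.0.2.24        06.10.2007  Trojan-Downloader.Win32.LoadAdv.gen
McAfee             5049            06.08.2007  Downloader-AWM.gen
Microsoft          1.2503          06.09.2007  no virus found
NOD32v2            2320            06.09.2007  Win32/TrojanDownloader.Small.NUS
Norman             5.80.02         06.08.2007  DLoader.CWDF
Panda              9.0.0.4         06.09.2007  Adware/CWS.LoadAdv
Prevx1             V2              06.10.2007  Prevx.Safeguard
Sophos             4.18.0          06.01.2007  Troj/Dldadv-Fam
Sunbelt            2.2.907.0       05.05.2007  VIPRE.Suspicious
Symantec           10              05.09.2007  no virus found
TheHacker          6.1.6.131       06.08.2007  no virus found
VBA32              3.12.0          06.07.2007  BackDoor.Huai
VirusBuster        4.3.23:9        06.09.2007  Trojan.DL.Loadadv.Gen
Webwasher-Gateway  6.0.1           05.09.2007  Trojan.Crypt.XPACK.Gen
"""

# engine, version, signature date (MM.DD.YYYY, as in the table), verdict text.
ROW_RE = re.compile(r'^(?P<engine>\S+)\s+(?P<version>\S+)\s+'
                    r'(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$')
CLEAN = 'no virus found'
DATE_FMT = '%m.%d.%Y'

# Name tokens that carry no family information (assumed list, extend as needed).
GENERIC = {'trojan', 'troj', 'tr', 'win32', 'w32', 'gen', 'generic', 'downloader',
           'dldr', 'dl', 'dr', 'fam', 'backdoor', 'adware', 'suspicious', 'a', 'b', 'i'}


def parse_vt(text):
    """Rows of the table as dicts; the header and any non-matching line are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({'engine': m['engine'], 'version': m['version'],
                         'updated': m['updated'], 'result': m['result'],
                         'detected': m['result'].lower() != CLEAN})
    return rows


def detection_ratio(rows):
    return sum(r['detected'] for r in rows), len(rows)


def missed_by(rows):
    return sorted(r['engine'] for r in rows if not r['detected'])


def family_consensus(rows):
    """Vote count over family-like tokens in the detection names, one vote per engine."""
    votes = Counter()
    for r in rows:
        if r['detected']:
            tokens = {t for t in re.split(r'[^a-z0-9]+', r['result'].lower()) if t}
            votes.update(t for t in tokens if t not in GENERIC and not t.isdigit())
    return votes


def stale_misses(rows, scan_date, max_age_days=7):
    """Engines that said clean but had signatures older than max_age_days at scan time."""
    cutoff = datetime.strptime(scan_date, DATE_FMT) - timedelta(days=max_age_days)
    return sorted(r['engine'] for r in rows
                  if not r['detected'] and datetime.strptime(r['updated'], DATE_FMT) < cutoff)


if __name__ == '__main__':
    rows = parse_vt(VT_RESULTS)
    hits, total = detection_ratio(rows)
    stale = stale_misses(rows, '06.10.2007')  # scan date from the report header
    print(f'{hits}/{total} engines flagged keygen.exe')
    print('family votes:', family_consensus(rows).most_common(3))
    print('clean, but stale signatures:', stale)
    print('clean with current signatures:', sorted(set(missed_by(rows)) - set(stale)))
```

For this table the script reports 17 of 30 engines detecting, "loadadv" as the clear family consensus (five engines, plus two more spelling it "dldadv"), and splits the thirteen misses into seven whose signatures predate the scan by more than a week (AVG among them, with signatures from 05.08.2007, which is why the poster's locally updated AVG could still catch the file) and six, Avast included, that were current and genuinely lacked a signature.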

sasin44

  • Guest
Re: infected by some rootkit???
« Reply #2 on: June 10, 2007, 12:59:44 AM »
Since I have a problem getting avast to notice my trojans
http://forum.avast.com/index.php?topic=28764.0
I have attached the keygen.exe file as keygen.txt, so download it and change the extension to .exe and you have got yourself a trojan... now mail it
to avast on behalf of me :D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34051
  • malware fighter
Re: infected by some rootkit???
« Reply #3 on: June 10, 2007, 01:04:14 AM »
Hi sasin44,

You have to kill the following processes: LOADADV552.EXE & LOADADV455.EXE.
For a cleansing routine look here: http://www.techspot.com/vb/topic78907.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89670
  • No support PMs thanks
Re: infected by some rootkit???
« Reply #4 on: June 10, 2007, 01:53:50 AM »
Quote from: sasin44 on June 10, 2007, 12:59:44 AM
Since I have a problem getting avast to notice my trojans
http://forum.avast.com/index.php?topic=28764.0
I have attached the keygen.exe file as keygen.txt, so download it and change the extension to .exe and you have got yourself a trojan... now mail it
to avast on behalf of me :D

I have downloaded it, added it to the User Files section of the chest and sent it from there; is that how you are sending them?
No need to zip and password-protect it, as avast encrypts the sample when you send it, so there is no way for any email server scanning the attachment to delete it before it gets to avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sasin44

  • Guest
Re: infected by some rootkit???
« Reply #5 on: June 10, 2007, 08:39:54 AM »
I tried to send it by adding the files through User Files, but I get stuck at
incoming mail server {pop3,imap,http}
I don't know what to enter there; can anyone help me out?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89670
  • No support PMs thanks
Re: infected by some rootkit???
« Reply #6 on: June 10, 2007, 02:11:07 PM »
Well, there should be very little to do other than enter a brief description, like: undetected malware, possibly rootkit, detected on VirusTotal, see avast forum link. The default "Protocol to use:" option is MAPI; leave that as it is.

I assume you have a normal email account from which you can send emails using an email client like OE, Thunderbird, etc.; it then uses the default email account settings to send the email. Depending on your email settings, the email may be sent immediately or will sit in the outbox waiting to be sent.