EKRN.exe is trying to contact iloveie.info ???

Discussion in 'ESET NOD32 Antivirus' started by jeparham, Feb 12, 2008.

Thread Status:
Not open for further replies.
  1. jeparham

    jeparham Registered Member

    Joined:
    Feb 12, 2008
    Posts:
    3
    Background: WinXP SP2, all patches. NOD32AV 3.0.566.0, defs: 02082008. ZoneAlarm with AntiSpyware.

    NOD32 is set to do full scan of all files weekly. No malware of any type has ever been found by the scans.

    Now... with that said... I have no idea what is going on in the guts of my PC. I was looking at the Program Logs of ZoneAlarm today and I noticed this in the log:

    Date: 2008/02/12 16:56:40-500 GMT
    Program Access: ekrn.exe
    Destination: 88.255.94.74:80
    Direction: Outgoing
    Action: Blocked
    Count: 2
    Destination DNS: iloveie.info

    Over 2 days there were a total of 22 access attempts made by ekrn.exe to connect to iloveie.info

    There were also 25 attempts to connect by UpdClient.exe, which appears to be part of ZoneAlarm itself.

    There were God only knows how many attempts by Firefox. I stopped counting there were so many. FF also tried to connect to Reservaza.com 31 times over 3 days in January.

    There were 10 attempts by Thunderbird, and a couple by "Svchost.exe"

    ZoneAlarm indicates that it has blocked all attempts to connect to the sites, which I already know are involved in bank account hijacking.

    As I already noted, NOD32 has found nothing in weekly scanning. In fact, none of the symptoms of a Trojan.SilentBanker infection have been discovered. DNS is ok. Registry appears clean.

    Anybody have any idea what might be happening?

    And I apologize if I have posted this in the wrong place. I am rather rattled by this and I had no idea where else to go for help.

    James
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    First, I would update NOD32 to Version 3.0.621 and follow Blackspears settings as listed here:
    https://www.wilderssecurity.com/showthread.php?t=197509
    Make sure your virus signatures are up-to-date by checking here:
    http://www.eset.eu/support/update-xy1
    I would then run a custom, in-depth on-demand scan.

    Even if NOD32 doesn't find anything, you could still be infected. Especially if your computer continues to attempt to connect to iloveie.info and Reservaza.com. NOD32 detects this crap as Win32/Spy.Goldun.NCK but there may be new variants that NOD32 doesn't detect. Have you looked at the info provided by Symantec?:
    http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html
    http://www.symantec.com/security_response/writeup.jsp?docid=2007-121718-1009-99&tabid=3
     
    Last edited: Feb 13, 2008
  3. jeparham

    jeparham Registered Member

    Joined:
    Feb 12, 2008
    Posts:
    3
    Ok, first off, thank you very, very much for your response.

    (I haven't had a chance to use Blackspears settings as you suggested because I'm at work right now. I'll be doing that this evening.)

    I updated to the latest and greatest of NOD32 and its definitions. I ran a custom scan, all drives, all files.

    Nothing was found.

    I rechecked my ZoneAlarm logs, and it's still trying to get to iloveie.info as well as mystabcounter.info. ZoneAlarm indicates it blocked all attempts.

    I also think now that it is spoofing the names of programs on my PC when it attempts to connect. Because ZoneAlarm logged that a DDNS program I occasionally use had tried to connect to iloveie.info at a time when I know for a fact that the DDNS program was NOT running.

    I had already went to the Symantec links you provided, but their instructions for removal are all but worthless. It says to go to HKCR\CLSID.

    It then says to look for:

    {[RANDOM CLSID]}\InprocServer32\(Default Value) = "[RANDOM CHARACTERS][RANDOM DIGITS].dll"


    AND


    {[RANDOM CLSID]}\TypeLib\(Default Value) = {[RANDOM CLSID]}

    AND

    {[RANDOM CLSID]}\(Default Value) = "[RANDOM CHARACTERS][RANDOM DIGITS]"

    The problem is, in my registry under CLSID, there are HUNDREDS of entries that, for all I can tell, are ALL random strings of characters and numbers.

    In all of that, how the heck am I supposed to find the 3 specific ones they describe?

    Thanks again for your help!

    James
     
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,731
    Location:
    New York City
    Another suggestion I have is to run Nod32 with Blackspear's settings in 'Safe Mode'.

    You can also try running SuperAntispyware Free. The latest version can be downloaded here:
    http://www.majorgeeks.com/SUPERAntiSpyware_d5116.html
    Make sure to update its definitions first.
     
    Last edited: Feb 13, 2008
  5. Woody777

    Woody777 Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    484
    Try SAS & A2 & AVG Antispyware if nothing Download the evaluation of Kaspersky Internet Security & then Uninstall all your Security NOD32 & ZoneAlarm & See if KIS will detect any infection. Maybe Kis will sweep your system clean.
     
  6. jeparham

    jeparham Registered Member

    Joined:
    Feb 12, 2008
    Posts:
    3
    Well... it went from bad to weird.

    I don't know if SilentBanker had anything to do with it or not, but when I got home this evening I found that my PC could not connect the internet. It couldn't even see the router between it and the DSL modem. However, a PC sitting right beside this one, on the same LAN, operated normally.

    It was about this time that I realized that even if I got all of this fixed, there would always be a worry that I missed something

    So, I said "screw this.", backed up my data, wiped the drive, and reloaded an image of it that I made several months ago.

    An extreme cure to be sure, but at least I know SB is gone now, and hey, the PC even runs a tad quicker.

    Thanks for trying to help me.

    James
     
Thread Status:
Not open for further replies.