Question on Win32/Rootkit.Agent.CF trojan

Discussion in 'NOD32 version 2 Forum' started by salgau_catalin, Sep 23, 2007.

Thread Status:
Not open for further replies.
  1. salgau_catalin

    salgau_catalin Registered Member

    Joined:
    May 13, 2007
    Posts:
    6
    I know this place is just for discussing antivirus stuff, and not removal information.
    I just want an opinion on this.
    Got a Windows XP computer over here with a PPPoE connection to the ISP over fiber.
    It's been overrun by malware and now it has serious problems. When I was called in it was very sluggish. I managed to remove a few files and now it's running at near normal speed but the Internet connection is still not working.
    Without PPPoE, DHCP provides a 192.x.x.x IP and a fake DNS server. Any and all addresses will resolve to an internal page that just provides instructions to how to use the PPPoE connection. That works just fine at all times.
    If I boot up, start the PPPoE connection and try to connect online, it will work for a few seconds, even up to half a minute. Then anything gives timeouts. I tried pinging. It goes just fine as long as web pages load, and then I get timeouts to everything, even the gateway. Dropping and redialing the connection doesn't change a thing. If I disconnect and just try without it, the internal instructions page still works (it's not cached; I checked). No extra protocols are installed into the PPPoE connection (except QoS and TCP/IP) and I have checked the winsock chain for extra files. It's all standard.

    Now for the thread title. The files I removed were: winwim32.dll, ssqqpmk.dll, protector.exe, ntio256.sys, hGC4y6j1.exe, ddabc.dll, cbadd.ini, cbadd.bak1, 14cMxe7D.dll.
    That computer lacked an installed antivirus so I had to test the files elsewhere. NOD32 says ntios256.sys contains Win32/Rootkit.Agent.CF Trojan.
    All other files are clean.
    winwim32.dll, ssqqpmk.dll, protector.exe and ntio256.sys were locked. I removed the files by bootable CD.
    winwim32.dll and ssqqpmk.dll were loaded as notifiers by winlogon. Also, they were both loaded into explorer.exe.
    protector.exe seems to be generated. It's a UPX compressed file. I removed only that file once and it was recreated at nearly double the size. It didn't seem to be loaded into any process.
    14cMxe7D.dll is the only one with Version information ProductName : WebAssist; ProductVersion : 2.0.0.4.
    HijackThis log was very clean.

    I'm going to perform some more rootkit checks, then remove Windows and reinstall it, but I'm really puzzled by this situation. Anyone have any suggestions on any way of solving this for future cases?

    Thanks for reading
     
    Last edited: Sep 23, 2007
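    A triage script, added here and not from the thread, that checks the two persistence spots this post mentions on a Windows host: Winlogon notification packages and registered kernel-driver services. The known-good Notify subkey list and the reliance on Authenticode checks are assumptions about the target build (older PowerShell does not verify catalog-signed in-box files, so "NotSigned" is a lead to examine, not a verdict).

```powershell
# Added triage script, not from the thread. Lists Winlogon Notify packages and kernel-driver
# services whose image is missing, unsigned, or not in the expected place.
# Known-good Notify subkeys below are an assumption (XP SP2/SP3 defaults); adjust per build.
$ErrorActionPreference = 'SilentlyContinue'
$system32    = Join-Path $env:SystemRoot 'system32'
$notifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$knownNotify = @('crypt32chain','cryptnet','cscdll','ScCertProp','Schedule',
                 'sclgntfy','SensLogn','termsrv','wlballoon')

function Resolve-SystemPath([string]$name) {
    # DLLName values are usually bare file names that the loader resolves from system32.
    if ([System.IO.Path]::IsPathRooted($name)) { return $name }
    return Join-Path $system32 $name
}

function Test-Suspicious([string]$path) {
    # Returns a reason string for files that are missing or fail Authenticode verification.
    # Note: catalog-signed in-box files may report NotSigned on older PowerShell builds.
    if (-not (Test-Path $path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { return "SIGNATURE:$($sig.Status)" }
    return $null
}

Write-Host '== Winlogon Notify packages =='
Get-ChildItem $notifyKey | ForEach-Object {
    $sub = $_.PSChildName
    $dll = Resolve-SystemPath ((Get-ItemProperty $_.PSPath).DLLName)
    $why = Test-Suspicious $dll
    if ($knownNotify -notcontains $sub) { $why = "UNKNOWN-SUBKEY $why".Trim() }
    if ($why) { Write-Host ("[!] {0,-12} -> {1}  ({2})" -f $sub, $dll, $why) }
}

Write-Host '== Kernel/file-system driver services with questionable images =='
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath
    if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }   # 1 = kernel driver, 2 = FS driver
    $img = $svc.ImagePath
    if (-not $img) { return }
    # Normalise the NT-style path forms seen in ImagePath to a Win32 path.
    $img = $img -replace '^\\\?\?\\','' -replace '^\\SystemRoot\\',"$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($img)) { $img = Join-Path $env:SystemRoot $img }
    $why = Test-Suspicious $img
    if ($why) { Write-Host ("[!] {0,-20} {1}  ({2})" -f $_.PSChildName, $img, $why) }
}
```

Run it from an elevated prompt; entries flagged UNKNOWN-SUBKEY or MISSING are the ones to examine first, since a driver service pointing at a file that no longer exists is typical after a partial clean-up like the one described above.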
  2. salgau_catalin

    salgau_catalin Registered Member

    Joined:
    May 13, 2007
    Posts:
    6
    I will.
    Just checked all heuristics and unpack options.
    hGC4y6j1.exe contains Win32/Virut virus
    and
    protector.exe contains Win32/TrojanProxy.Wopla trojan
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    There's no need to promote other security products here. With the assistance of our technical support it's possible to remove everything suspicious by standard means. Please contact support[at]eset.com and provide a link to this thread.
     
  4. salgau_catalin

    salgau_catalin Registered Member

    Joined:
    May 13, 2007
    Posts:
    6
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Sorry about that :)
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    We have 24-hour support so the response time will depend on the number of support queries in the queue.
     
  7. salgau_catalin

    salgau_catalin Registered Member

    Joined:
    May 13, 2007
    Posts:
    6
    I'll remember that for next time.
    I found another rootkit in c:\windows\system32\drivers\runtime2.sys. That was causing the problems apparently. I removed it by bootable CD and the internet connection worked fine, but I was forced to wipe the drive because just after I installed NOD32 and rebooted I found the computer to be entirely infected with Win32/Virut. Every executable run within the last two months was infected so I decided to wipe the drive. I tried a virus remover specifically designed for it from Grisoft, but it failed to remove the infection even when scanning offline.
    I would be glad to provide samples I still have if ESET is willing to write a real cleaner for this thing. I had to use my flash drive and it's full of the stuff now.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,375
    You can send 2 or 3 of them in a RAR/ZIP archive protected with the password "infected" and this thread's URL in the subject to samples[at]eset.com
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    File infectors are reappearing (Parite, Tenga, Virut)
     