Something sneaked in

Discussion in 'NOD32 version 2 Forum' started by silversurferWV, Jun 5, 2006.

Thread Status:
Not open for further replies.
  1. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Comcast blocked my port 25 today claiming that unauthorized email had been sent from my machine.

    Did a complete system scan and NOD32 found something called a Trojan Clicker and deleted it.

    I regularly use Ad-Aware along with Spybot S&D.

    What else do I need to be running to keep this kind of thing from happening in the future?
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi silversurferWV,

    Do you by chance have a dynamic IP address? Are you on dial-up or cable etc.?
     
  3. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I don't know about a dynamic address. How is that determined.

    I am connected to the Internet via a cable modem.
     
  4. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You would need to check with your ISP to find out if your IP address is dynamic, static or even shared.
    I guess what I was alluding to is that although Comcast are saying it was from your machine, it could also have come from anothers machine using the IP address your currently on. There are many different reasons that may trigger an ISP to port block - it may have been entirely nothing to do with you.

    Cheers :)
     
  5. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I will check with Comast about the dynamic or static or whatever address.

    In the meantime if NOD32 did indeed let me down what other software do you recommend to supplement it?
     
  6. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    A good firewall with outbound protection so you know if anything is sending data. There are several good ones around. I used to refer people to Sygate before they were over-run by another company. In the future a seperate firewall will not be necessary as there is a firewall module planned for a future version of NOD32. There's still plenty of mirrors for the free-for-personal-use Sygate product. If you like, you can try some of -->THESE<-- and you might find a -->USER MANUAL<-- handy as well.
    Personally I use Lavasoft Ad-Aware SE and have done for many years although my need for it is decreasing daily. I can't remember the last time that NOD32 left it any real work to do, so since you already use that you should be covered quite nicely :)

    Cheers :)
     
  7. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    A firewall that scans outgoing traffic would probably alert you that a program is trying to send something out through port 25, before it ever gets to Comcast. The firewall that comes with Windows scans only incoming traffic, but most commercial firewall programs scan both inbound and outbound.
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Are you behind a firewall of any type? Or just plugged right into your Surboard modem?

    You technically have a dynamic IP with Comcast...but your IP doesn't change too often...couple of times a month maybe. Regardless...they can track your IP no problem..they know the MAC of your modem (since you registered and they provisioned it)...so any given second of the day...they know which customer an IP address is tied to.

    You're not supposed to host a mail server..but as long as you don't "show up on their radar"...they won't take drastic measures. So for them to pick it up..you were probably pumping out some volume.
     
  9. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    A previous ISP of mine just got thier blacklist from some .org somewhere - you couldn't even access your own POP mail on thier own servers half the time without hitting redial and hoping for a different IP address the next time. :)
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    :rolleyes: What kind of 1/2 concocted nutjob was running those servers? LOL. Wow. o_O
     
  11. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Outlook Express has a feature that is supposed to warn me when another application is trying to send email as me. I have always had that feature turned on. No warnings were issued to let me know that something was afoot the past few days or ever for that matter. Are the bad guys able to thwart this OE feature?
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    From what you have described I would be surprised if it was malware. Can you let us have some more info on the trojan clicker that NOD32 cleaned out? What was the file name and the specific of the type of trojan clicker? You should be able to get this from your scanner logs.

    As for the baddies, it is possible that they have thier very own inbuilt SMTP engine but I believe that NOD32 can detect this type of behaviour heuristically I think.
     
  13. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    F-Secure says:
    "Trojan Clicker (generic description)
    [FONT=Arial, sans-serif]Trojan Clicker is a trojan that remains resident in Windows memory and constantly tries to connect to certain websites on Internet. This is done to fake visit counters for certain pages in order to earn more money for displaying ads on these pages."[/FONT]

    It seems not to send any emails. You maybe your Nod32 misconfoigured somehow, maybe it is not doing sceduled scanning? I think if this trojan had lauched itself Nod would have regognized it.
     
  14. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    A trojan clicker that uses smtp? AFAIK the way trojan clickers work it would use http requests and not smtp. I think that the threat on your computer is other than a trojan clicker. I think might be a mass mailer or other trojan-proxy/bot relay software.
     
  15. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    I should have written down the names of the files that NOD32 detected but failed to do so. It seems to me that one of them was an 8-letter alphabet soup with an extension of "qlr" or something like that. The other file was ipod.exe if memory serves.

    Since this hassle arose I've installed McAfee's personal firewall software, which is free for Comcast customers, in hopes of preventing future occurrences.

    I do not have NOD32 set for a scheduled scan. I thought that it was invincible and never expected anything to get by. Naive on my part.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You might like to have a run through this thread

    You can see various security setups within the link of my signature.

    Hope this helps...

    Cheers :D
     
  17. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Here is what I gleaned from the NOD32 scan logs:

    C:\DownLoad\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »xpkey.exe - Win32/PSWTool.RAS.A application

    C:\DownLoad\ProductKeyFinderkf141.zip »ZIP »keyfinder.exe »RAR »officekey.exe - Win32/PSWTool.RAS.A application

    C:\WINDOWS\SYSTEM32\ipod.raw.exe - Win32/TrojanProxy.Lager trojan – deleted

    C:\System Volume Information\_restore{3EBA69B7-6ACF-4703-9817-9623F5C75513}\RP183\A0020577.exe - Win32/TrojanProxy.Lager trojan – deleted

    C:\WINDOWS\SYSTEM32\mtfyxkmh.fql - Win32/TrojanClicker.Small.JS trojan - deleted
     
  18. ASpace

    ASpace Guest



    Well , you told us the names but I don't see these deleted or eliminted :)
    I recommend you get into Safe Mode and perform full scan and clean everything nasty + the manually delete the whole ProductKeyFinderkf141.zip
    because this is malware

    First Turn System Restore OFF
    >>> Right click on My Computer->Properties->System Restore
    Check Turn off system restore.Click OK

    Second
    Download Ad-Aware SE Personal from Lavasoft
    http://www.lavasoftusa.com
    Download,install , update it

    Third Make sure your NOD32 is updated
    Start-Programs-ESET-NOD32 Control Center-Update-Update Now

    Then Configure NOD32 for "MyProfile" as shown here
    https://www.wilderssecurity.com/showpost.php?p=766371&postcount=6
    https://www.wilderssecurity.com/showpost.php?p=766370&postcount=5


    Now Boot your computer in SAFE MODE
    Do this by repeatedly typing F8 while Windows is starting before
    Windows logo appears.Then you'll open the Windows Advanced menu where you can choose to boot the hard drive in SAFE MODE

    Open NOD32's on-demand scanner (Start-Programs-ESET-NOD32)
    and perform full scan and clean .
    https://www.wilderssecurity.com/showthread.php?t=37509&page=3
    If you have set it to the instructions in the link above , NOD32 will automatically manage the files

    When NOD32 is ready , start Ad-Aware SE Personal
    Perform full scan and clean

    Restart and again turn your system restore ON :D

    Make sure you visit Blackspear's settings to configure NOD32 work correctly and don't download files such as ProductKeyFinderkf141.zip


    HiTech_boy :thumb:
     
  19. pojispear

    pojispear Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    90
    i'd do those things too, but what if the email from Comcast is a phishing email? just to throw that in as a caution
     
  20. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Turning off the system restore to follow your instructions troubles me. Had a bad computer day recently and SR came to my rescue when things looked the darkest.

    Will I get any benefit from your procedure if SR is left on?
     
  21. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    These say that they already have been deleted. You may also wish to check Quarantine is enabled for any future events. There is an excellent extra settings guide -->HERE<-- you may wish to look at.
    The benefit of turning off SR is that it will clear out anything malicious that windows has bade a backup copy of. Some malware also hides itself in the SR folder on purpose.
    These two are tools for discovering your MS Product install keys. They are themselves no harm so long as they are present because you intend for them to be. Note they are each detected as 'PSWTool.RAS.A application'
     
  22. silversurferWV

    silversurferWV Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    26
    Yes, a good thread. I went ahead and followed all the recommendations shown. A tip of the hat to Mr. Blackspear for developing this helpful and easy to follow posting.

    Will now sit back and watch how NOD32 protects my system now that it is armed to the teeth.

    Thanks for your insight and help also. Much appreciated.
     
  23. ASpace

    ASpace Guest

    No problem , you are welcome ! ;)
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My pleasure.

    Cheers :D
     
Thread Status:
Not open for further replies.