W32/Injector Win32/Peerfrag

Discussion in 'ESET NOD32 Antivirus' started by penjoseph, Jul 17, 2010.

Thread Status:
Not open for further replies.
  1. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    My system running NOD32 was infected by
    1. MBR Virus - NOD32 detected as operating memory virus
    2. Trojan W32 / Injector
    3. Worm Win32 / Peerfrag

    NOD32 could not remove these infections. Though it quarantines them, they reappear on rebooting.

    The MBR virus was removed through XP Boot CD http://pcsupport.about.com/od/fixtheproblem/ht/repairmbr.htm

    I ran a free version of anti-spyware http://www.superantispyware.com/. It detected & deleted a bunch of trojans & registry entries. However, when XP was restarted NOD32 caught the infections again.

    Have submitted the files for analysis to ESET via Quarantine box.

    Scanning again with Superantispyware narrowed me down to an .exe file in the folder:
    C:\Documents and Settings\Hardware\Application Data\ltzqai.exe

    Hardware is the local user folder.

    http://img.photobucket.com/albums/v663/eapen/software/trojan.jpg
     
    Last edited: Jul 19, 2010
  2. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    Last edited: Jul 19, 2010
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    siljaline, thanks for the link. I had tried a whole lot of tricks - HijackThis, Ad-Aware - but didn't find the solution. The method listed above is the easiest way I could remove the infection.

    I think it's a success! The infection appears to be removed.

    Both NOD32 & Superantispyware show clean.
     
    Last edited: Jul 20, 2010
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Help: I Got Hacked. Now What Do I Do?
    http://technet.microsoft.com/de-de/library/cc512587(en-us).aspx
     
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You are welcome for the Link and the assistance.

    Post back to this thread if anything else should arise.

    Regards,

     
  7. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    Brummelchen - Whatever was written, I believe that if you can pinpoint your root infection the problem can be solved. The infection was resident in my computer for almost a month because I thought NOD32 was doing the work - capturing & quarantining.

    Finally it hit me that every day on restart these programs reappear as different .exe's.

    It's the third day now after cleaning - no problems & a clean scan.

    The .exe's created by ltzqai.exe were detected & deleted by both programs - NOD32 & Superantispyware - but they failed to cure the root problem. I have to give credit to Superantispyware for giving me the hint to the root infection.

    Note:
    I found an anti-virus link on how ltzqai.exe infects - though I didn't use the program.

    http://info.prevx.com/aboutprogramtext.asp?PX5=2121F1CB00F0A06482BC014316FB3C00216F5486

    File Behavior :

    LTZQAI.EXE has been seen to perform the following behavior:

    * Writes to another Process's Virtual Memory (Process Hijacking)
    * Executes a Process
    * Injects code into other processes
    * The Process is packed and/or encrypted using a software packing process

    LTZQAI.EXE has been the subject of the following behavior:

    * Created as a process on disk
    * Executed as a Process
    * Has code inserted into its Virtual Memory space by other programs
    * Deleted as a process from disk
    * Copied to multiple locations on the system
     
    Last edited: Jul 19, 2010
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Please read my entire quote again!
    Maybe it is obviously clean... the (back)door ain't shut.
    It can hit you any time again - to point that out.
    And as you wrote yourself - it was active for over a month,
    time to do something right.

    Malware - what now?
    * save data (copy documents, music etc., create image/backup...)

    * insert Windows-CD/DVD, reboot
    * format windows partition with that cd/dvd
    * reinstall windows from scratch
    * install all windows updates
    (or use a clean backup/image instead)

    * use a secure browser
    * install only programs from trustable sources
    * revise your security concept
    * change all passwords after trojan infections
    * don't work as admin

    Sounds hard, but from my experience, for normal users there isn't really a choice.

    Maybe this thread can help you for the future:
    https://www.wilderssecurity.com/showthread.php?t=111264
     
  9. penjoseph

    penjoseph Registered Member

    Joined:
    Dec 5, 2006
    Posts:
    26
    Yes, you are right. I think the backdoor is not solved yet.

    I see today other exe's caught by NOD32:

    1. syscr - syscr.exe executes at winlogon

    Registry location : HKEY_USERS\S-1-5-21-515967899-1220945662-299502267-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Registry Action :
    (Shell=C:\Documents and Settings\Hardware\Application Data\ltzqai.exe,explorer.exe,C:\RECYCLER\S-1-5-21-9667281957-3319854020-242786114-8915\syscr.exe)

    Deleting this registry entry rewrites it automatically!


    2. msvmiode - msvmiode.exe

    I guess a format of the system is the only solution now.
    I also see this as a reason to upgrade to the new Windows 7 ! :-l
     
    Last edited: Jul 20, 2010
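The Winlogon Shell value posted above is the persistence mechanism that kept re-creating the dropped executables on every logon: Shell normally holds only explorer.exe, and the infection chained its own executables before and after it. The script below is an added example (not code from the thread or from any poster) of how a defender can check a regedit export for that condition. It assumes the input is a text .reg export produced by regedit's Export function; the sample export embedded in the script is constructed for the demonstration, with the Shell data copied from the post above and a clean HKLM key added for contrast. Any comma-separated entry in a Winlogon Shell value whose file name is not explorer.exe is reported.

```python
import re
from typing import List, Tuple

# Constructed sample of a regedit text export. The HKEY_USERS Shell data is the
# value quoted in the thread; the HKEY_LOCAL_MACHINE key is a clean, made-up one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-515967899-1220945662-299502267-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\Hardware\\Application Data\\ltzqai.exe,explorer.exe,C:\\RECYCLER\\S-1-5-21-9667281957-3319854020-242786114-8915\\syscr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Path] section header
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data" (REG_SZ only)
EXPECTED_SHELL = "explorer.exe"


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) triples for the string values in a .reg export."""
    triples = []
    key = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # exports are often UTF-16 with a BOM
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape quotes and backslashes with a backslash
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            triples.append((key, m.group(1), data))
    return triples


def find_shell_hijacks(text: str) -> List[Tuple[str, str]]:
    """Report every Winlogon Shell entry that is not explorer.exe, as (key, entry) pairs."""
    findings = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith("\\windows nt\\currentversion\\winlogon"):
            continue
        if name.lower() != "shell":
            continue
        # Shell is a comma-separated list; Winlogon starts every entry at logon
        for entry in (e.strip() for e in data.split(",")):
            if not entry:
                continue
            basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename != EXPECTED_SHELL:
                findings.append((key, entry))
    return findings


if __name__ == "__main__":
    for key, entry in find_shell_hijacks(SAMPLE_REG):
        print(f"unexpected Shell entry under {key}: {entry}")
```

Running it against the sample reports the two foreign entries under the user's HKEY_USERS hive (the Application Data ltzqai.exe and the RECYCLER syscr.exe) and nothing for the clean machine-wide key. The file name rather than the whole string is compared so that a full path to explorer.exe is not flagged; a missing Shell value means the default (explorer.exe) applies and is likewise not flagged. Because the post notes that the entry is rewritten as soon as it is deleted, a finding here is evidence of a still-running component rather than something to clean by editing the value alone.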