Recommended Posts

I got my first malware infection on my shop computer. I no longer can brag that I don't use anti-virus and have never gotten infected. My faith in anti-virus is crap. I don't think it would have made a difference.

My employee noticed that the firewall was turned off. Then he said, "maybe we should run MalwareBytes"; it found 12 bad items, backdoor trojans among them. The scary thing was this was a silent infection. Since they were hiding from us with no indication they were there (other than the firewall being turned off), you have no idea what they were doing. I would have been happier if it was some type of fake malware program trying to extort money.

I am not sure how we got infected. It was probably due to our surfing. But one of the main things we do with this computer is extract backup files from client computers. These backups are sure to contain all kinds of malware. I am pretty certain these malware files are dormant; short of clicking on them, or if they were autorun, I don't think they can cause infection. One other possibility: we do plug infected computers onto our network. If they have a network-aware piece of malware, it may have spread that way. We do have simple file sharing turned on. I still think the most probable cause was us surfing on the net.

Edit (added later):

I usually set auto updates to download only, but they were turned off. I am fairly certain the malware did that also.


If any of you experts would like to weigh in on what these items found may have been doing, I would love to hear your opinion.

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\nvaux32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\supinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:

C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.


The computer was already running really buggy, so it made sense to reload it. I was still curious if anyone had an opinion on what this infection may have been doing. Since it was not trying to extort money, like Antivirus XP, I was more worried about what it was doing quietly.


Hijack.userinit just means that something added an executable file to the userinit entry.

In your case it was twext.exe.

http://www.threatexpert.com/files/twext.exe.html

In your case it is the same infection detected as backdoor.bot.

http://research.sunbelt-software.com/threa...threatid=175491

Spyware.agent.h is also known as backdoor.agent.h.

http://spyware-wall.com/view,spywareinfo,2739.html

http://www.spynomore.com/trojan-backdoor-agent-h.htm

In the past, you generally had to open an attachment or download a file to get infected. Then came the worms, which would search the web for computers which did not have some kind of firewall protection and would check for an unpatched Windows security hole.

Now, due to increased use of routers, and Windows automatic update pushing critical security updates every month, more and more malware is targeting security flaws in third-party software.

You open a PDF or a ZIP file, or a Flash movie or ad on a website plays; if you have an older version of Acrobat Reader, WinZip, Macromedia Flash, Java etc. installed on your computer, it can take advantage of security holes in these applications to connect to a remote site and download and install software, all without your knowledge or consent.

This is the same sort of thing that various smitfraud variants now use to change the function of the close button and X on a dialog box to install, say, Antivirus 2009: from "close" to "silently install".

No longer are Windows Update and careful surfing adequate.

You need a good antivirus which will detect the attempt to install and stop it in its tracks.

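One defender-side check for the Userinit hijack explained above, as an added example that is not code from this thread or from Malwarebytes: it parses the comma-separated Userinit string (sample values copied from the scan log) and flags every entry that is not the stock userinit.exe. The live registry read via winreg and the C:\WINDOWS\system32 location are assumptions.

```python
"""Flag unexpected executables in the Winlogon Userinit value.

Added example, not from the forum thread. The BAD/GOOD strings are the
"Bad:" and "Good:" values from the Malwarebytes log; read_userinit()
(assumed here, Windows only) fetches the real value through winreg.
"""
import ntpath
import sys

# Assumed location of the legitimate userinit.exe.
SYSTEM32 = r"C:\WINDOWS\system32"

# Values as reported in the scan log (constructed test input).
BAD_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"
GOOD_VALUE = r"C:\WINDOWS\system32\userinit.exe,"


def suspicious_entries(userinit_value: str) -> list:
    """Return every entry in the Userinit string that is not userinit.exe
    living in system32 (a bare 'userinit.exe' is also accepted, as in the
    log's 'Good:' value). The legitimate value ends with a trailing comma,
    so empty entries are skipped rather than flagged."""
    flagged = []
    for raw in userinit_value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        directory, name = ntpath.split(entry)
        legit_name = name.lower() == "userinit.exe"
        legit_dir = (directory == ""
                     or ntpath.normpath(directory).lower() == SYSTEM32.lower())
        if not (legit_name and legit_dir):
            flagged.append(entry)
    return flagged


def read_userinit() -> str:
    """Read the live value from HKLM on Windows (assumed helper; winreg only)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


if __name__ == "__main__":
    value = read_userinit() if sys.platform == "win32" else BAD_VALUE
    extras = suspicious_entries(value)
    print("clean" if not extras else "unexpected Userinit entries: " + ", ".join(extras))
```

On the logged "Bad:" value the check reports C:\WINDOWS\system32\twext.exe, which is exactly the entry the scan removed.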

It's a password stealer.

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
