shanenin Posted December 9, 2008

I got my first malware infection on my shop computer. I no longer can brag that I don't use anti-virus and have never gotten infected. My faith in anti-virus is crap. I don't think it would have made a difference. My employee noticed that the firewall was turned off. Then he said, "maybe we should run MalwareBytes". It found 12 bad items, backdoor trojans among them. The scary thing was this was a silent infection. Since they were hiding from us with no indication they were there (other than the firewall being turned off), you have no idea what they were doing. I would have been happier if it was some type of fake malware program trying to extort money.

I am not sure how we got infected. It was probably due to our surfing. But one of the main things we do with this computer is extract backup files from client computers. These backups are sure to contain all kinds of malware. I am pretty certain these malware files are dormant; short of clicking on them, or if they were autorun, I don't think they can cause infection. One other possibility: we do plug infected computers onto our network. If they have a network-aware piece of malware, it may have spread that way. We do have simple file sharing turned on. I still think the most probable cause was us surfing on the net.

Edit, added later: I usually set auto updates to download only, but they were turned off. I am fairly certain the malware did that also.
Bubba Bob Posted December 9, 2008

Bound to happen sooner or later. As you said, most likely any anti-malware program wouldn't have made a difference... other than maybe alerting you to the problem. I hope the clean-up went well...
shanenin (Author) Posted December 9, 2008

I think the clean-up went well; to be sure, I am going to reload it. The computer has been flaky for some time, this will be the event that will push me to get it done.
shanenin (Author) Posted December 9, 2008

If any of you experts would like to weigh in on what these items found may have been doing, I would love to hear your opinion.

Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nvaux32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\supinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\nvaux32.dll (Spyware.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.
Rorschach112 Posted December 9, 2008

I would head over to the HJT forum, those infections are nasty enough.
shanenin (Author) Posted December 9, 2008

The computer was already running really buggy, so it made sense to reload it. I was still curious if anyone had an opinion on what this infection may have been doing. Since it was not trying to extort money, like Antivirus XP, I was more worried about what it was doing quietly.
Pete_C Posted December 10, 2008

Hijack.UserInit just means that something added an executable file to the Userinit entry. In your case it was twext.exe:
http://www.threatexpert.com/files/twext.exe.html

In your case it is the same infection detected as Backdoor.Bot:
http://research.sunbelt-software.com/threa...threatid=175491

Spyware.Agent.H is also known as Backdoor.Agent.H:
http://spyware-wall.com/view,spywareinfo,2739.html
http://www.spynomore.com/trojan-backdoor-agent-h.htm

In the past, you generally had to open an attachment or download a file to get infected. Then came the worms, which would search the web for computers that did not have some kind of firewall protection and would check for an unpatched Windows security hole.

Now, due to increased use of routers, and Windows Automatic Update pushing critical security updates every month, more and more malware is targeting security flaws in third-party software.

You open a PDF or a ZIP file, or a Flash movie or ad on a website plays; if you have an older version of Acrobat Reader, WinZip, Macromedia Flash, Java, etc. installed on your computer, it can take advantage of security holes in these applications to connect to a remote site and download and install software, all without your knowledge or consent.

This is the same sort of thing that various Smitfraud variants now use to change the function of the close button and X on a dialog box from "close" to "silently install" (say, Antivirus 2009).

No longer are Windows Update and careful surfing adequate. You need a good antivirus which will detect the attempt to install and stop it in its tracks.
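Pete_C's point is that the Userinit value is a comma-separated list of programs Winlogon runs at logon, so an attacker only has to append a second path to get persistence. The script below is an added example written for this page, not code posted by anyone in the thread: it parses a Userinit string the way Windows does (one entry per comma, empty entries ignored) and flags anything that is not the legitimate userinit.exe in system32. The two sample values are constructed from the "Bad:" and "Good:" strings in the MalwareBytes log quoted above; the live-registry read only works on Windows and is skipped elsewhere.

```python
"""Flag extra entries in the Winlogon Userinit value (the Hijack.UserInit pattern).

Added example, not from the forum thread. The SAMPLES dict is constructed
from the MalwareBytes log quoted in the thread; nothing here is real telemetry.
"""
import re
from typing import List, Optional

# Registry location that MalwareBytes reported as hijacked in the thread.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit string into entries.

    Winlogon runs every comma-separated entry. A trailing comma (which the
    stock XP value carries, and which malware usually leaves in place) yields
    an empty entry, so empty entries are dropped.
    """
    return [e.strip() for e in value.split(",") if e.strip()]


def is_legit_userinit(entry: str) -> bool:
    """True only for the real userinit.exe: bare name or a path under system32.

    A bare 'userinit.exe' is what MalwareBytes lists as the 'Good' value;
    anything else named userinit.exe outside system32 is treated as suspect.
    """
    e = entry.lower()
    return e == "userinit.exe" or e.endswith(r"\system32\userinit.exe")


def unexpected_userinit_entries(value: str) -> List[str]:
    """Return every entry that Winlogon would run besides the legitimate one."""
    return [e for e in parse_userinit(value) if not is_legit_userinit(e)]


def read_userinit_from_registry() -> Optional[str]:
    """Read the live HKLM Userinit value on Windows; return None elsewhere."""
    try:
        import winreg  # only present on Windows builds of CPython
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed samples: the 'Good' and 'Bad' values from the thread's log.
SAMPLES = {
    "clean (stock XP value)": r"C:\WINDOWS\system32\userinit.exe,",
    "hijacked (thread's log)": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,",
}


def main() -> None:
    targets = dict(SAMPLES)
    live = read_userinit_from_registry()
    if live is not None:
        targets["live registry value"] = live
    for label, value in targets.items():
        extra = unexpected_userinit_entries(value)
        status = "OK" if not extra else "SUSPICIOUS, extra entries: " + ", ".join(extra)
        print(f"{label:28s} {status}")


if __name__ == "__main__":
    main()
```

The check is deliberately path-based rather than name-based: a second entry that is also called userinit.exe but lives outside system32 is still reported, and the relative form `system32\twext.exe` that appeared in the log is caught because it is simply not the legitimate entry. Reading the value only tells you what will run at the next logon; as Pete_C notes, the dropped file itself (here twext.exe) still needs to be looked up and removed.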
Rorschach112 Posted December 10, 2008

It's a password stealer.

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.
shanenin (Author) Posted December 11, 2008

Wow, that is unsettling. Thanks for the heads up.