passwords.exe, porn.exe, sexy.exe, msn.exe


6 replies to this topic

#1 adam_bomb

adam_bomb

    New Member

  • Members
  • Pip
  • 1 posts

Posted 16 August 2013 - 11:32 AM

Anti-Rootkit keeps picking up instances of these Trojan.Agent files in every user profile. After clean and reboot, they show up again. Regular Malwarebytes, Trend Micro, Stinger, SUPERAntiSpyware, RogueKiller, McAfee RootkitRemover, and McAfee GetSusp do not find these either before or after running Anti-Rootkit.

 

The files cannot be found when searching, but then show up on a scan. I'm at a loss... is this a glitch in Anti-Rootkit, or is this an actual Trojan that keeps repopulating?

 

Folders Detected: 2

c:\updata (Worm.AutoRun) -> Delete on reboot.

c:\google.com (Trojan.Agent) -> Delete on reboot.

 

Files Detected: 156

c:\documents and settings\all users\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\default user\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\localservice\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\pp\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\passwords.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\all users\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\default user\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\localservice\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\pp\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\porn.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\all users\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\default user\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\localservice\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\documents and settings\pp\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\sexy.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\microsoft\msn.exe (Trojan.Backdoor) -> Delete on reboot.

c:\passwords.exe (Worm.AutoRun.Gen) -> Delete on reboot.

c:\porn.exe (Worm.AutoRun.Gen) -> Delete on reboot.

c:\sexy.exe (Worm.AutoRun.Gen) -> Delete on reboot.

c:\windows\install\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\sys64\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\messeng\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\program files\winst\msn.exe (Trojan.VBKrypt) -> Delete on reboot.

c:\windows\system23\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\all users\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\documents and settings\default user\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\documents and settings\localservice\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\documents and settings\networkservice\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\documents and settings\pp\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\msn.exe (Backdoor.Bifrose.Gen) -> Delete on reboot.

c:\updata\autorun.inf (Worm.AutoRun) -> Delete on reboot.

c:\windows\system32\mms\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\documents and settings\all users\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\default user\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\localservice\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\networkservice\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\pp\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\all users\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\default user\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\localservice\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\networkservice\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\pp\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\messanger\msn.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\program files\adobs\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\program files\dll\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\program files\hotmail\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\program files\internet explorer\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\program files\massenger\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\program files\msn\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\program files\msns\msn.exe (Backdoor.PoisonIvy) -> Delete on reboot.

c:\bin\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\msn.exe (Worm.AutoRun) -> Delete on reboot.

c:\documents and settings\all users\start menu\programs\startup\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\default user\start menu\programs\startup\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\pp\start menu\programs\startup\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\config\systemprofile\start menu\programs\startup\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\all users\start menu\programs\startup\sexy.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\default user\start menu\programs\startup\sexy.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\documents and settings\pp\start menu\programs\startup\sexy.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\windows\system32\config\systemprofile\start menu\programs\startup\sexy.exe (Backdoor.IRCBot) -> Delete on reboot.

c:\windows\system32\1122\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\computer\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\mesenger\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\messanger\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\msn\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\msnn\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\mstwain32\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\smn\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\system32\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\systeme\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\system32\update\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\windows\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\exblorer\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\help\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\windows\mssn\msn.exe (Backdoor.Bot) -> Delete on reboot.

c:\windows\res\msn.exe (Password.Stealer) -> Delete on reboot.

c:\windows\system\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\documents and settings\all users\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\default user\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\localservice\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\pp\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\program files\outlook express\autorun.inf (Malware.Trace) -> Delete on reboot.

c:\wins\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\program files\msn.exe\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\installdir\msn.exe (Backdoor.XTRat) -> Delete on reboot.

c:\program files\yahoo\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\system32\explorer\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\program files\nenatube\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system32\biff\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\documents and settings\all users\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\documents and settings\default user\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\documents and settings\localservice\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\documents and settings\networkservice\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\documents and settings\pp\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\windows\system32\config\systemprofile\recent\msn.exe (Trojan.Passwords) -> Delete on reboot.

c:\windows\system32\msn.exe\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\winz\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\windows\iexplorer\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\all users\start menu\programs\windows\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\default user\start menu\programs\windows\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\localservice\start menu\programs\windows\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\pp\start menu\programs\windows\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\windows\system32\config\systemprofile\start menu\programs\windows\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\program files\javasuppot\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\windows\system\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\publicos windows\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\documents and settings\all users\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\default user\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\localservice\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\pp\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\installdir\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\system 32\msn.exe (Backdoor.Bifrose) -> Delete on reboot.

c:\windows\installdir\msn.exe (Trojan.Agent) -> Delete on reboot.

c:\program files\firewall\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\system\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\msgservice\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\windows\system32\wind0ws\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\all users\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\default user\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\localservice\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\pp\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\program files\systeme32\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\install\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\frecel\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\documents and settings\all users\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\default user\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\localservice\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\networkservice\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\documents and settings\pp\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\live\msn.exe (Backdoor.Agent.DC) -> Delete on reboot.

c:\windows\installdir\sexy.exe (Backdoor.Agent) -> Delete on reboot.

c:\windows\system32\microsoft2\msn.exe (Backdoor.Agent) -> Delete on reboot.

c:\passion\msn.exe (Trojan.Banker) -> Delete on reboot.

c:\documents and settings\default user\local settings\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\documents and settings\localservice\local settings\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\documents and settings\networkservice\local settings\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\documents and settings\pp\local settings\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\windows\system32\config\systemprofile\local settings\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\windows\temp\porn.exe (Backdoor.Agent.TRJ) -> Delete on reboot.

c:\documents and settings\all users\application data\autorun.inf (Worm.Agent) -> Delete on reboot.

c:\documents and settings\default user\application data\autorun.inf (Worm.Agent) -> Delete on reboot.

c:\documents and settings\localservice\application data\autorun.inf (Worm.Agent) -> Delete on reboot.

c:\documents and settings\networkservice\application data\autorun.inf (Worm.Agent) -> Delete on reboot.

c:\documents and settings\pp\application data\autorun.inf (Worm.Agent) -> Delete on reboot.

c:\windows\system32\config\systemprofile\application data\autorun.inf (Worm.Agent) -> Delete on reboot.
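Added triage example, not part of the thread or of any Malwarebytes tool: a small Python script that parses lines in the MBAR log format quoted above and groups the hits by what they indicate, an autorun.inf with its drive-root companion, one copy per profile root (Default User and the service-account profiles included), and Startup-folder entries. The sample log is a constructed excerpt of nine of the entries posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the MBAR log format quoted in the post:
#   <path> (<detection>) -> <action>.   Nine of the 156 entries are reproduced.
SAMPLE_LOG = r"""
c:\documents and settings\all users\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\default user\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\localservice\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\networkservice\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\documents and settings\pp\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\windows\system32\config\systemprofile\passwords.exe (Trojan.Agent) -> Delete on reboot.
c:\passwords.exe (Worm.AutoRun.Gen) -> Delete on reboot.
c:\updata\autorun.inf (Worm.AutoRun) -> Delete on reboot.
c:\documents and settings\pp\start menu\programs\startup\msn.exe (Backdoor.Bot) -> Delete on reboot.
"""

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
# File sitting directly in a profile root (an XP user profile, or the SYSTEM
# account's profile under system32\config). Group 1 = profile, group 2 = file name.
PROFILE_RE = re.compile(r"^c:\\(?:documents and settings|windows\\system32\\config)\\([^\\]+)\\([^\\]+)$")
SERVICE_PROFILES = {"localservice", "networkservice", "systemprofile"}

def parse_log(text):
    """Return (path, detection, action) tuples; lines that are not detections are skipped."""
    matches = (LINE_RE.match(line.strip().lower()) for line in text.strip().splitlines())
    return [(m["path"], m["detection"], m["action"]) for m in matches if m]

def classify(path):
    """Map one detected path to the spread/persistence mechanism it points at."""
    if path.endswith("\\autorun.inf"):
        return "autorun.inf"      # AutoRun companion: removable media and shares
    if "\\start menu\\programs\\startup\\" in path:
        return "startup folder"   # launched at logon of that profile
    if path.count("\\") == 1:
        return "drive root"       # the executable an autorun.inf points at
    if PROFILE_RE.match(path):
        return "profile root"     # one copy per profile, Default User included
    return "other"                # look-alike system directories and the rest

def summarize(entries):
    """Count hits per mechanism and record which profiles each file name landed in."""
    by_mech = defaultdict(int)
    profiles = defaultdict(set)
    for path, _detection, _action in entries:
        by_mech[classify(path)] += 1
        m = PROFILE_RE.match(path)
        if m:
            profiles[m.group(2)].add(m.group(1))
    return dict(by_mech), {name: sorted(p) for name, p in profiles.items()}

def ran_privileged(profiles):
    """Copies inside service-account profiles: writing there normally needs admin/SYSTEM rights."""
    return any(SERVICE_PROFILES & set(p) for p in profiles.values())
```

A copy in Default User means every profile created later starts out infected, which is consistent with the files reappearing after a clean and reboot.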



#2 Woomera

Woomera

    New Member

  • Members
  • Pip
  • 29 posts

Posted 16 August 2013 - 03:11 PM

Have you tried running MBAR in Safe Mode?



#3 Firefox

Firefox

    Forum Deity

  • Trusted Advisors
  • PipPipPipPipPipPip
  • 10,049 posts
  • Gender:Male
  • Location:USA

Posted 16 August 2013 - 06:12 PM

Hello and Welcome to Malwarebytes

Being that you are probably infected, feel free to follow the instructions below to receive free, one-on-one expert assistance in checking your system and clearing out any infections and correcting any damage done by the malware.

Please see the following pinned topic which has information on how to get help with this: Available Assistance for Possibly Infected Computers

Thank you



#4 miekiemoes

miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,676 posts
  • Gender:Female
  • Location:Belgium

Posted 17 August 2013 - 10:10 AM

Hi adam_bomb,

 

Is there any chance you are running Trend Micro OfficeScan? If so, please see here:

http://forums.malwar...howtopic=122013


Mieke Verburgh
Director of Research


#5 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • PipPipPipPipPipPip
  • 41,248 posts
  • Gender:Male
  • Location:US

Posted 18 August 2013 - 12:00 AM

This is a document for older versions of Trend OfficeScan.
It does not include some of the newer files from MBAM, but it should give you the basic idea of setting exclusions.


Scan Exclusions


Officescan Online Help


Setting Scan Exceptions in Trend Micro OfficeScan - oit.ncsu.edu



Ron Lewis
Forum Community Manager



#6 juju666

juju666

    New Member

  • Members
  • Pip
  • 9 posts

Posted 21 August 2013 - 07:03 PM

Hi,

 

This is a worm :wacko:

 

MBAM, and this is normally clean ;)

 

Cordially



#7 Choops

Choops

    New Member

  • Members
  • Pip
  • 1 posts

Posted 26 August 2013 - 07:13 PM

I know this worm a little too well (I had dealt with a minor outbreak). This WILL spread via shares, so make sure to lock down other computers on your network. Do not allow the infected machine on the network in a native Windows environment until you have confirmed the worm has been purged. It is also highly recommended that you investigate any other Windows computers on your network, as they might be infected already. On another note, it will spread to your USB drives, so get those cleaned out with offline scans as well.

 

For the most part, a Malwarebytes Anti-Malware scan and a ComboFix run will take care of it. However, if you have a system image to recover from, I'd highly suggest saving time by using that.





