July 13th, 2010 09:00

TrojanDropper:Win32/Oficla.G and Trojan:HTML/Phishbank.O

This has been going on for a few months. Every day when my virus scan runs....I get the message "OneCare found potentially unwanted software and requires action from you. We recommend you remove software that you do not recognize. To remove software yourself, locate the file(s) below and then delete the unwanted software." The 2 viruses are TrojanDropper:Win32/Oficla.G and Trojan:HTML/Phishbank.O. When I open the link for the first one I get this:

TrojanDropper:Win32/Oficla.G

Encyclopedia entry
Updated: May 20, 2010  |  Published: Mar 18, 2010

Aliases
  • Win-Trojan/Oficla.82432 (AhnLab)
  • W32/Trojan3.BRD (Authentium (Command))
  • TR/FraudPack.anmu (Avira)
  • Trojan.FakeAv.KSP (BitDefender)
  • Win32/Oficla.CI (CA)
  • Trojan.Oficla.26 (Dr.Web)
  • Win32/Oficla.EF (ESET)
  • FakeAlert-MA.gen (McAfee)
  • Trj/Sinowal.WXJ (Panda)
  • Mal/FakeAV-BW (Sophos)
  • TROJ_BREDO.JER (Trend Micro)
  • Win32/Kryptic.EFP (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.85.1925.0
Released: Jul 12, 2010
Detection initially created:
Definition: 1.77.96.0
Released: Feb 26, 2010

Summary

TrojanDropper:Win32/Oficla.G is a detection for a trojan that installs and executes Trojan:Win32/Oficla.M. This Win32/Oficla variant attempts to connect to a remote host and download a configuration data file that instructs the trojan to retrieve other malware from additional download locations.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    \rjuq.mpo
  • The presence of the following registry modification:
    Sets value: "Shell"
    From data: "explorer.exe"
    To data: "explorer.exe rundll32.exe rjuq.mpo owbtiln"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Technical Information (Analysis)

Installation
TrojanDropper:Win32/Oficla.G may be distributed as an attachment to a spammed e-mail message. In the wild, we have observed this trojan distributed in .ZIP archive files with names similar to the following:
  • Resume_document_819.zip
  • My_Resume_621.zip
  • DHL_Tracking_NR.324-492383.zip
  • UPS_Invoice_Nr6991.zip

When run, TrojanDropper:Win32/Oficla.G drops a trojan component as the following:

\rjuq.mpo - Trojan:Win32/Oficla.M

The registry is modified to execute the dropped component at Windows start:

Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe rjuq.mpo owbtiln"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Payload
Downloads arbitrary files
The installed trojan Win32/Oficla.M may inject code into the running process "SVCHOST.exe" that attempts to download a script from the domain "myxmad.com".

At the time of this writing, the script was unavailable.

Analysis by Dan Kurc

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to Web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor Web sites.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to Web pages
Exercise caution with links to Web pages that you receive from unknown sources, especially if the links are to a Web page that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a Web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a computer, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least 8 characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.

Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Windows Live OneCare safety scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

When I open the link for the second one I get this:

Trojan:HTML/Phishbank.O
Encyclopedia entry
Published: May 13, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.81.1748.0
Released: May 14, 2010
Detection initially created:
Definition: 1.81.1685.0
Released: May 14, 2010

Summary

This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.

I've looked at this many times but cannot figure out how to remove these. Does anyone have any ideas? Your help would be greatly appreciated. Thanks
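
The Winlogon "Shell" change listed in the Oficla.G entry quoted above is something that can be checked for directly. The PowerShell below is an added example, not part of the original thread and not Microsoft's own code: it reads the Shell value from the Winlogon key named in the entry, flags any token other than explorer.exe, and, if rundll32.exe appears, looks for the file named after it. Two things are my assumptions rather than anything the entry states: that a clean Shell value is exactly "explorer.exe", and the short list of directories searched for the dropped file (the entry gives only "\rjuq.mpo" and elides the directory). Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the original thread or from Microsoft's encyclopedia
# entry): check the Winlogon Shell value for the kind of hijack the Oficla.G
# entry describes, and hunt for the DLL it names. Run elevated.

$WinlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedShell = 'explorer.exe'   # assumption: a clean Shell value is exactly this

function Test-WinlogonShell {
    param([string]$KeyPath = $WinlogonKey)

    $item  = Get-ItemProperty -Path $KeyPath -Name Shell -ErrorAction SilentlyContinue
    $shell = if ($item) { [string]$item.Shell } else { '' }

    # A hijacked value keeps explorer.exe and appends extra commands after it,
    # e.g. "explorer.exe rundll32.exe rjuq.mpo owbtiln" in the entry above.
    $tokens = @()
    if ($shell.Trim() -ne '') { $tokens = @($shell.Trim() -split '\s+') }
    $extra = @($tokens | Where-Object { $_ -ine $ExpectedShell })

    New-Object PSObject -Property @{
        Value = $shell
        Extra = $extra
        Clean = ($extra.Count -eq 0)
    }
}

function Find-DroppedFile {
    # Look for the DLL named after rundll32.exe in the Shell value. Assumption
    # (mine, not the entry's): a bare file name launched at logon resolves
    # against one of these directories.
    param([Parameter(Mandatory = $true)][string]$Name)

    $dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'), $env:USERPROFILE)
    foreach ($dir in $dirs) {
        $candidate = Join-Path $dir $Name
        if (Test-Path -LiteralPath $candidate) { Get-Item -LiteralPath $candidate }
    }
}

$result = Test-WinlogonShell
if ($result.Clean) {
    "Winlogon Shell is clean: '$($result.Value)'"
}
else {
    "Winlogon Shell has been modified: '$($result.Value)'"
    "Tokens other than $ExpectedShell : $($result.Extra -join ' ')"

    # Whatever follows rundll32.exe is the DLL to look for (rjuq.mpo in the entry).
    for ($i = 0; $i -lt $result.Extra.Count - 1; $i++) {
        if ($result.Extra[$i] -ieq 'rundll32.exe') {
            $dll  = $result.Extra[$i + 1]
            $hits = @(Find-DroppedFile -Name $dll)
            if ($hits.Count -eq 0) {
                "Could not find '$dll' in the directories checked; search the whole disk before concluding it is gone."
            }
            foreach ($f in $hits) {
                "Dropped component present: $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
            }
        }
    }
}
```

A modified Shell value is a strong sign the dropped component is being launched at every logon, which is consistent with a detection that comes back after each scan. A clean value does not prove the machine is clean: the entry says Oficla.M downloads further malware, so the Recovery advice above (a full scan with an up-to-date product rather than manual removal) still applies either way.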

76 Posts

August 3rd, 2010 07:00

Hi Kevin....a couple more questions please. I still have SuperAntiSpyware (you had me download it on my desktop) on my desktop. I looked and there is nowhere to turn that off. Is that ok sitting there? Also, if I need to run in safe mode....can you please tell me how to get into safe mode and what to do. I'm sorry....I really am not up to snuff with this stuff. Thanks, Craig

1.1K Posts

August 3rd, 2010 09:00

Hi Craig,

The easiest way to get rid of SAS is to just uninstall it from Add/Remove Programs via the Control Panel. When running GMER all of your security must be off, that is, the firewall, the antivirus and the antispyware; you can disconnect from the internet also. It is best to run in Normal mode, but Safe mode is ok if you crash or bluescreen in Normal.

The easiest way to get into Safe mode is to continually tap the F8 key as the PC is booting, then from the list select Safe mode; there will be other options, e.g. Safe mode with networking etc.

Try the quick scan and let's see if we can catch this problem. If the quick scan does not show the problem, we'll do the full scan but in Safe mode. OK.

Kevin

76 Posts

August 3rd, 2010 10:00

Hi Kevin....I really appreciate all your help but I think that part of the problem is that I don't understand a lot of what you ask me to do....I'm not computer literate. Trying to do this is really not working for me. I think that I'll just live with this rootkit thing. Thank you very much....Craig

1.1K Posts

August 3rd, 2010 11:00

Hi Craig,

You're doing really well, you have run some very complex scans and managed ok. It's a shame to stop now. Why not give the GMER quick scan a try, just do it in Normal mode, follow the previous instructions to download it. When you are ready to run it just make sure your security is off and the internet is disconnected. Because the scan is very quick I think it will run ok for you.

The decision is up to you, but I think you should not give up when you have come so far.

Kevin

1.1K Posts

August 3rd, 2010 12:00

OK Craig, if you're sure, please run these last two programs to remove the tools we have used:

1. Remove Combofix now that we're done with it

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

2.

  • Download OTC by OldTimer and save it to your Desktop.
  • Double click the icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted. It will also remove the OTC application.

That will get rid of the main tools. Anything else can be uninstalled in Add/Remove Programs from the Control Panel. Anything left on the Desktop after that just delete.

Kev.

76 Posts

August 3rd, 2010 12:00

Hi Kevin,

 Thanks anyway my friend. I really am having difficulty understanding all of this and I really am afraid that I may make things worse because I have no idea what I am doing. I am really a nitwit when it comes to this kind of stuff. After reading the rootkit thing....I believe that this will probably not be a big problem for my computer. Believe me....trying to do all of this has been very frustrating for me. LOL...if worst comes to worst and I start having major problems, I'll just try deleting everything (all my programs) off of my computer and redo everything from scratch or I'll just bite the bullet and buy another computer.

   Thanks for all of your help,

     Craig

76 Posts

August 3rd, 2010 13:00

Thanks Kevin,

 I tried to do the Combofix /Uninstall but it wasn't there to uninstall. No big deal. I also did the cleanup.

    Appreciate everything,

       Craig

1.1K Posts

August 3rd, 2010 14:00

Hi Craig,

There is one more scan that may help, it is really easy to run. It's up to you. Here are the instructions:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Kevin

76 Posts

August 4th, 2010 07:00

Hi Kevin....your link didn't work. I went to the site and tried to download from there. Don't think I did it correctly because when I pushed start scan....it finished in about 10 seconds and found nothing.  Thanks, Craig

1.1K Posts

August 4th, 2010 11:00

Hi Craig,

Sorry about the link, not sure what went wrong with it. After you ran your own download, did you check to see if there was a log? Select Start > My Computer > double left click on C:\. Is there a folder or file named TDSSKiller? If not, try again as follows; I've checked this link and it does work.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Kevin.

76 Posts

August 4th, 2010 23:00

Hi Kevin....this is where I get confused. I downloaded TDSSKiller and saved it to my desktop. So now how do I "extract its contents to your desktop" if I've already saved it? Thanks, Craig

1.1K Posts

August 5th, 2010 00:00

Hi Craig,

Double left click on the zip folder and it should open; a new window will open with two files, TDSSKiller and EULA. Left click and hold TDSSKiller and drag it to the Desktop. Then just double left click on it to run the application, then follow the instructions given previously.

When you double left click on the zip file it may ask what you want to open the file with and give options; if that happens choose WinZip. If that is not in the list let me know.

Kevin...

76 Posts

August 5th, 2010 08:00

Hi Kevin....did it. There was nothing found...211 objects processed. Thanks, Craig

1.1K Posts

August 5th, 2010 10:00

Hi Craig,

Yep, good news that you got TDSSKiller to run. However, because it didn't find anything, that is bad news. We still have to find what is re-infecting your system. You said this has been ongoing for a long time.

Do you recognize this program: HandyBits File Shredder? Did your problem start after this was installed, or has that program always been installed? I found some information from another site where a guy had a problem similar to yours; his security kept alerting to Trojans. Turned out to be false positives attributed to a startup entry related to HandyBits.

Kevin.

76 Posts

August 5th, 2010 11:00

Hi Kevin,

 TDSSKiller only ran for 15 seconds max....it's very quick. I guess it looks at a lot in that amount of time.

 I do recognize HandyBits File Shredder. I put it on when I got the pc a few years ago. It's nothing that I added recently.  Is it possible that the problem could have got in there and is hiding?

 By the way....I now have 4 trojan announcements when Live OneCare automatically runs. LOL....these computers are kind of funny.

    Thanks,

      Craig
