can anyone help with this?

The other day my firewall started getting request every 15 minutes for a new version of Microsoft Internet Countermeasures that appeared in the C/Windows/Temp file.

I went to scan that file and found the following:




(all these files are labeled "Microsoft Internet Countermeasures")



Scan Started Sun Jan 20 09:30:25 2008

-------------------------------------------------------------------------------



C:\WINDOWS\Temp\110251372.exe: Removed

C:\WINDOWS\Temp\1186663350.exe: Removed

C:\WINDOWS\Temp\1335280162.exe: Removed

C:\WINDOWS\Temp\1356352785.exe: Removed

C:\WINDOWS\Temp\1414428735.exe: Removed

C:\WINDOWS\Temp\1480787257.exe: Removed

C:\WINDOWS\Temp\1680877237.exe: Removed

C:\WINDOWS\Temp\1693782630.exe: Removed

C:\WINDOWS\Temp\1733024017.exe: Removed

C:\WINDOWS\Temp\1971331807.exe: Removed

C:\WINDOWS\Temp\1983796732.exe: Removed

C:\WINDOWS\Temp\2060719770.exe: Removed

C:\WINDOWS\Temp\2083793895.exe: Removed

C:\WINDOWS\Temp\324917685.exe: Removed

C:\WINDOWS\Temp\533591625.exe: Removed

C:\WINDOWS\Temp\59705197.exe: Removed

C:\WINDOWS\Temp\837753892.exe: Removed

C:\WINDOWS\Temp\891151110.exe: Removed

C:\WINDOWS\Temp\968077260.exe: Removed



C:\WINDOWS\Temp\110251372.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1186663350.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1335280162.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1356352785.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1414428735.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1480787257.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1680877237.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1693782630.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1733024017.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1971331807.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\1983796732.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\2060719770.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\2083793895.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\324917685.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\533591625.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\59705197.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\837753892.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\891151110.exe: Trojan.Agent-11124 FOUND

C:\WINDOWS\Temp\968077260.exe: Trojan.Agent-11124 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 191453

Engine version: 0.91.2

Scanned directories: 1

Scanned files: 19

Skipped non-executable files: 0

Infected files: 19



Data scanned: 1.71 MB

Time: 3.922 sec (0 m 3 s)

--------------------------------------

Completed









Clam is telling me it's a virus. I did a house call with Trend Micro for the entire Windows folder and it said nothing. Kapersky's online scan said it found something but wouldn't say what or where.

Deleting these files only means that more will keep coming. It created these 20 odd files overnight.

I'll do a full Clam scan tonight as that is incredibly slow, just hoping someone in the meantime had some answers to whether this is a threat and or why I'm all of a sudden getting a new internet access request every 15 minutes form something claiming to be MS.

I also see nothing unfamilar in a HJT scan.

Thanks in advance.

Sounds strange. Clam added that 11124 malware to its signatures back in December. I couldn't find out anything else about it in a quick on-line search, however. It sure sounds like some of those false security softwares that may harbor malware. See if you can upload one of those files to Jotti and let them check it out with all of their scanners. If several of them spot malware, it probably is real. If ClamWin is your only scanner, you might try the following (CureIt is supposed to be pretty good).

NOTE: These products are nonresident without daily updates and do not replace a full-time virus scanner.
CureIt from Dr. Web is a free and comprehensive scanner that is updated frequently at https://www.freedrweb.com/
MSRT from Microsoft (updated monthly on Patch Tuesday) at https://www.microsoft.com/security/malwareremove/default.mspx
Norman Malware Cleaner at https://www.norman.com/Virus/Virus_removal_tools/24789/en-us
Stinger from McAfee (updated several times a year) at https://vil.nai.com/vil/stinger/

Regards,

Did some other scans and it's also called

BehavesLike:Win32.ExplorerHijack

There are two others now found that may be the parent file.

Backdoor.agent.do


Logger.Goldun.nc

The problem is that the parent file is somewhere else and keeps putting a new file in the Windows temp file.

I'm using AVG now and it keeps quarantining the new new ones and my comodo keeps blocking them, but it's a pain to get a new comodo pop up all the time asking me to block this.

I scanned the basic files, windows/system and system32 and memory and registry and found the Backdoor.agent.do and Logger.Goldun.nc with AVG and quarantined, only to see it coming back again.

Then scanned docs and settings and found them in temporary internet files and quarantined them, just to see it still popping up.

I'm now doing a full system scan with AVG, as it scanned all of windows in 10 minutes whereas Clam took 3 hours and still wasn't finished.

I'll let you know what I find.

Any tips in the meantime welcomed.


P.S. I rarely use explorer and keep it clean with cccleaner. I only use firefox for amazon and paypal etc. I'm assuming this if it get's into explorer won't also access firefox.

Am I right?

An exploit that works for IE will probably not work with FireFox. You might get a copy of the free Spyware Blaster from Java Cool software. It protects both browsers from a lot of stuff--if you configure it. It's not updated very often (once every week or so), but it doesn't have to be, and it doesn't use any RAM--it sets "kill bits" for common browser tricks.

It sounds like you've got one of the Ad/Spy trojans. They can be hard to get rid of. You might download one of the trial versions of a good one. I don't believe LavaSoft or Spyware Search & Destroy are as good as they used to be. Here's some recommendations:
https://sunbeltblog.blogspot.com/2005/08/security-on-cheap.html on the Web.

Regards,

Here is a description of the Goldun trojan: https://www.spywareguide.com/product_show.php?id=1964 on the Web. I believe it has some removal instructions/information. Bleeping Computer Dot Com has good malware information. Here is a page linking to an explanation of several Goldun variants. Follow a link, and it will give you the files dropped. It's at https://www.bleepingcomputer.com/startups/ on the Web.

The description you gave of it coming back is classic ad/spyware trojan, and a scan with a trial version of a good dedicated antispyware/trojan program would probably kill it. If it's been around for a while and is circulated a lot, Microsoft's free Malicious Removal Tool (MSRT) might also take care of it.

Regards,

I got rid of logger in safe mode with AVG or Clam, not sure, tried a lot of options.

Backdoor has been removed from windows system32, my killbox folder (?????) and docs and settings/local services/temporary internet files...

... with AVG, Clam, and Windows Clean Up and CC Cleaner (for temp file) in both normal and safe mode, all to reappear again after reboot.

1 problem with this is that I can navigate to the temporary internet file through a program like Clam or AVG to choose the folder to scan, but can't get there manually. When I open docs and settings (XP PRo) there are only three folders, my log on user name, all users and default user.

Anyone know why my local services folder doesn't appear there anymore? Hidden folders are viewable.

Yes, a Safe Mode scan can spot some embedded malware that is not rootkitted. My AVG doesn't seem to work as well in Safe Mode, however, but ClamWin works fine, although it is slower. Incidentally, the new ClamWin version .92 is noticeably faster than .91.2.

Most likely some effects of the malware remain--it's getting hard to completely clean/reverse it. If you do some research, you might find out what registry keys/changes yours makes/made. Perhaps you can restore your system to a time before you got the malware, if you didn't turn off System Restore during this. Just be sure you don't restore the malware! When you're sure everything is clean/like you want, you might turn off System Restore and re-start it again.

Regards,

registry comes up clean.

Just don't get why I'm being told all files are quarantined or deleted, just to see them come back again 10 minutes later.

ATM, I'm trying my somewhat inconvenient, yet always faithful tactic of slaving the OS in another XP PC and removing the nasty things with the HD running merely as a storage drive, with no programs running.

We'll see how that goes.

That did it.

AVG also found some illegit svc host running that I had in another tech forum mentioned looked dodgey, but was told not to worry about it.

My Firewall traffic meter is now showing 0 inbound and 0 outbound connections for the first time in ages.

My duo cores that barely noticed a performance lag will now be roaring through cyberspace.

My advice is to always check new programs warnings from firewall, even if they say microsoft. trace them and scan them immediately.

Clam is very good for on demand scans.

Also, risky surfing and downloading do through one browser that u keep clean of personal passwords and form saving and clean temp and cache after each session, and sensitive info through another like firefox.

If ur lucky enough to have 2 PCs with the same OS, it's much more effective to delete viruses that way as many seem to still run in safe mode.

Hoped to avoid an all day virus removal, but didn't and hope someone may benefit.

Also, there is a tick box in folder options, not sure if it's a new explorer 7 thing, that says (view tab) "hide protected operating system files (recomended)" unticking this will give you back your temporary internet file folders access. It used to be just unticking the hidden folders box, now there are 2 to deal with.

That's great! I was pulling for you! It sounds like there was a rootkit involved and maybe part of it was still around.

I'm bookmarking this thread. When/if you ever get time, you might consider extracting all the pertinent information from it and put it in a F&Q type format and see if the ClamWin team wants to post it to the ClamWin FAQs.

More and more of the malware you see now disables/cripples user editing and other important Windows functions/processes, as well as AVs/firewalls. A recent virus includes ClamWin as one of the AVs it targets.

I think that every user needs to use a layered approach to security--firewall, AV, and antispyware because malware is becoming a blended threat. Comodo makes a pretty good firewall and version 3.0 now has intrusion protection. ClamWin will also be much more useful when they release the realtime version 1.0 (no announced release date yet, but they are now at version 0.92).

Regards,

Thanks for your input!!!!

I usually get these things sorted out.

Thought there might be others with the same problem, but a google of microsoft internet countermeasures brings 1 page of results all with nothing applicable to my problem.

If I knew about the 2nd tier hidden folder option in the new explorer maybe could have got it earlier with killbox or unlocker, but too late now.

I'll be doing full system scans more often as I don't notice slow downs much now with 6 ghz or processing and 2g or ram.

Hope new Clam doesn't take all night for a full scan anymore, but will be using secondary AVs as well. I hate leaving that much pc plus my nvidia 8800gt burning all night.

My scans with V.92 so far seem to be about 50% faster. That trojan has been around for a while now--don't see why we can't catch something like that, but if the virus guys change it just a little, a new signature is needed. Good case for behavior blocking/emulation, I guess.

By the way, if you are using Comodo Firewall with the HIPS, why didn't that catch it?

Regards,

Well this last one I caught because comodo kept asking me if I wanted to allow the countermeasures program.

Ones in the past came up as svchost and I probably also thought they were merely MS programs, as someone on another tech forum told me not to worry about it because it's normal to see multiple svchost apps running at once.

I had Norton years ago and after 2 years or so, Symantec stops offering support so you buy the new version. After an update, everything was getting blocked. I had to run it's removal tool to get it to stop. I switched to zone alarm for firewall and Clam for antivirus. Zone alarm started blocking email and firefox so I got rid of that. As I stated earlier, I no longer leave my pc on overnight and Clam used to need that to do a full scan, so I got lazy with scans and didn't notice the slow down with the high performance pc, and comodo was tellng me that only MS and other programs I was familiar with were accessing the internet, yet I should have checked to see if they were all legit and off course kept up on my scans.

I know now what normal traffic looks like so I will easier see when or if I get attacked again, plus I'll be more diligent with scans in future.

I hope Clam gets better at automatic on the spot detection, but AVG is now running in tandem so I think it will caught.

Either way, I've learned a lot on how these programs work now and what to look for as normal or infected.

looks like you got a rootkit
with an active rootkit it's difficult do detect hidden by api executabes
you can try to use
helios security tool at
https://helios.miel-labs.com/ https://helios.miel-labs.com/

it needs dotnet 2 to run

It was this.

https://www.prevx.com/filenames/X1370008272109980521-X1/SVCHOST.EXE:EXE.EXE.html

You're right a rootkit