Trojan.Win32.Agent

Heather

Hi Folks.....

I discovered this trojan using a-Squared.....EZ Trust, Spybot and
AdAware (among a few I ran) did not alert on it. A-Squared called it
"Trojan.Win32.Autoit.b"

I fired the infected files off to Virus Total and got the following
analysis. I have been running with just XP's firewall for 2 weeks,
which is not my usual thing.....but heck, none of us are perfect!! (G)

I got on the trail of this when I lost all sound with both Firefox and
IE browsers about midnight last night. I have done many things to
figure this sound problem out with no joy, I might add. But I will now
remove these files.

Any other suggestions before I remove them?? I was sure it was a false
alarm!!

Heather
Results of a file scan
This is a report processed by VirusTotal on 01/27/2006 at 20:24:55 (CET)
after scanning the file "set5200.exe".

Antivirus           Version         Update      Result
AntiVir             6.33.0.77       01.27.2006  TR/AutoItroj.A
Avast               4.6.695.0       01.27.2006  no virus found
AVG                 718             01.27.2006  no virus found
Avira               6.33.0.81       01.27.2006  TR/AutoItroj.A
BitDefender         7.2             01.27.2006  no virus found
CAT-QuickHeal       8.00            01.27.2006  no virus found
ClamAV              devel-20051123  01.27.2006  no virus found
DrWeb               4.33            01.27.2006  no virus found
eTrust-InoculateIT  23.71.61        01.27.2006  no virus found
eTrust-Vet          12.4.2058       01.27.2006  no virus found
Ewido               3.5             01.27.2006  no virus found
Fortinet            2.54.0.0        01.27.2006  suspicious
F-Prot              3.16c           01.26.2006  no virus found
Ikarus              0.2.59.0        01.27.2006  no virus found
Kaspersky           4.0.2.24        01.27.2006  no virus found
McAfee              4684            01.27.2006  no virus found
NOD32v2             1.1383          01.27.2006  no virus found
Norman              5.70.10         01.27.2006  no virus found
Panda               9.0.0.4         01.27.2006  no virus found
Sophos              4.02.0          01.27.2006  no virus found
Symantec            8.0             01.27.2006  no virus found
TheHacker           5.9.3.082       01.27.2006  no virus found
UNA                 1.83            01.27.2006  Trojan.Win32.Agent
VBA32               3.10.5          01.27.2006  no virus found
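A way to read a multi-engine report like the one above before deciding it is malware. This is an added example, not part of the post or of VirusTotal: the rows are copied from the report, but the false-positive thresholds, the "generic name" pattern and the assumption that the AntiVir and Avira rows come from one engine are this example's own. Four hits out of 24, all heuristic or family-less names, two of them from the same engine, is the pattern that should send the sample to a vendor lab rather than straight to the recycle bin.

```python
"""Triage of a multi-engine scan report like the one pasted in the post.

Added example: the report rows are copied from the post; the thresholds,
the "generic name" pattern and the engine-sharing table are this example's
own assumptions, not anything VirusTotal or the vendors publish.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Rows as they appear in the post (engine, version, signature date, verdict).
REPORT = """\
AntiVir 6.33.0.77 01.27.2006 TR/AutoItroj.A
Avast 4.6.695.0 01.27.2006 no virus found
AVG 718 01.27.2006 no virus found
Avira 6.33.0.81 01.27.2006 TR/AutoItroj.A
BitDefender 7.2 01.27.2006 no virus found
CAT-QuickHeal 8.00 01.27.2006 no virus found
ClamAV devel-20051123 01.27.2006 no virus found
DrWeb 4.33 01.27.2006 no virus found
eTrust-InoculateIT 23.71.61 01.27.2006 no virus found
eTrust-Vet 12.4.2058 01.27.2006 no virus found
Ewido 3.5 01.27.2006 no virus found
Fortinet 2.54.0.0 01.27.2006 suspicious
F-Prot 3.16c 01.26.2006 no virus found
Ikarus 0.2.59.0 01.27.2006 no virus found
Kaspersky 4.0.2.24 01.27.2006 no virus found
McAfee 4684 01.27.2006 no virus found
NOD32v2 1.1383 01.27.2006 no virus found
Norman 5.70.10 01.27.2006 no virus found
Panda 9.0.0.4 01.27.2006 no virus found
Sophos 4.02.0 01.27.2006 no virus found
Symantec 8.0 01.27.2006 no virus found
TheHacker 5.9.3.082 01.27.2006 no virus found
UNA 1.83 01.27.2006 Trojan.Win32.Agent
VBA32 3.10.5 01.27.2006 no virus found
"""

CLEAN = "no virus found"
DATE = re.compile(r"^\d\d\.\d\d\.\d{4}$")
# Heuristic or family-less verdicts ("suspicious", "Agent", compiled AutoIt)
# carry less weight than a specific family name. Pattern is an assumption.
GENERIC = re.compile(r"suspicious|generic|heur|agent|packed|autoit", re.I)
# Products that share one engine count as one opinion. Assumption: the
# AntiVir and Avira rows carry the same signature name and one engine.
SAME_ENGINE = {"AntiVir": "Avira", "Avira": "Avira"}


@dataclass
class ScanResult:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.strip().lower() != CLEAN


def parse_report(text: str) -> list[ScanResult]:
    """Parse 'engine version date verdict' rows; skip headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and DATE.match(parts[2]):
            rows.append(ScanResult(*parts))
    return rows


def assess(rows: list[ScanResult], fp_ratio: float = 0.25) -> dict:
    """Score the report: a low hit ratio, generic names and duplicated engines
    together point at a false positive that should go to a vendor lab."""
    hits = [r for r in rows if r.detected]
    engines = {SAME_ENGINE.get(r.engine, r.engine) for r in hits}
    generic = [r for r in hits if GENERIC.search(r.result)]
    ratio = len(hits) / len(rows) if rows else 0.0

    reasons = []
    if ratio < fp_ratio:
        reasons.append(f"only {len(hits)}/{len(rows)} engines flag the file")
    if len(engines) < len(hits):
        reasons.append("some detections come from one shared engine")
    if hits and len(generic) == len(hits):
        reasons.append("every verdict is a heuristic or generic name")

    verdict = ("likely false positive; submit the sample to a vendor lab"
               if len(reasons) >= 2 else "treat as malicious")
    return {"total": len(rows), "detections": len(hits),
            "distinct_engines": len(engines), "generic": len(generic),
            "ratio": round(ratio, 3), "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```

The score is only a prompt for the next step, which is what Art says later in the thread: a file that lives in a known vendor's install directory and gets a handful of generic verdicts still needs a hash and a sample sent to an AV vendor for a real answer, not a guess from the ratio alone.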
 
Art

Hi Folks.....

I discovered this trojan using a-Squared.....EZ Trust, Spybot and
AdAware (among a few I ran) did not alert on it. A-Squared called it
"Trojan.Win32.Autoit.b"

I fired the infected files off to Virus Total and got the following
analysis. I have been running with just XP's firewall for 2 weeks,
which is not my usual thing.....but heck, none of us are perfect!! (G)

I got on the trail of this when I lost all sound with both Firefox and
IE browsers about midnight last night. I have done many things to
figure this sound problem out with no joy, I might add. But I will now
remove these files.

Any other suggestions before I remove them?? I was sure it was a false
alarm!!

Heather
Results of a file scan
This is a report processed by VirusTotal on 01/27/2006 at 20:24:55 (CET)
after scanning the file "set5200.exe".


Hey Figgs, do you have a \Net Assistant folder under Program Files? If
so, under \bin do you have several of these xxx5200.exe files? Do you
now or did you once use Bell Sympatico as your ISP?

Anyway, some quick Googling suggests a false alarm. You should know
enough to send file samples to a good av vendor for analysis when it
looks like a FP. Haven't you learned nuttin? :)

Art
http://home.epix.net/~artnpeg
 
Heather

Art said:
Hey Figgs, do you have a \Net Assistant folder under Program Files? If
so, under \bin do you have several of these xxx5200.exe files? Do you
now or did you once use Bell Sympatico as your ISP?

Yes, all of the above. I suspected they were part of the software for
Sympatico. You ain't just a pretty face, lol.
Anyway, some quick Googling suggests a false alarm. You should know
enough to send file samples to a good av vendor for analysis when it
looks like a FP. Haven't you learned nuttin? :)

I thought I did send it to a reputable vendor when I used your Virus
Total to get the analysis......8-((

Still no sound, but I called Willy the Wonder Tech and he says to use
Add/Remove to take out SoundMax and then reinstall it from the ASUS
disc. Something I don't undertake lightly.

Didn't work with Repair, so will uninstall it. Weird....the sound works
on everything but the 2 browsers. And the only new thing on here is MS
Messenger, but that was some 10 hours earlier.

Baffled Blonde
 
Art

Yes, all of the above. I suspected they were part of the software for
Sympatico. You ain't just a pretty face, lol.

Peg thinks I'm handsome anyway. Or so she says. When she's in a good
mood. Or wants help with her PC. Or wants to go out for dinner.
I thought I did send it to a reputable vendor when I used your Virus
Total to get the analysis......8-((

It's true that VT is supposed to pass on samples to vendors. I meant
getting an analysis for yourself from one or more av vendors.
Still no sound, but I called Willy the Wonder Tech and he says to use
Add/Remove to take out SoundMax and then reinstall it from the ASUS
disc. Something I don't undertake lightly.

Didn't work with Repair, so will uninstall it. Weird....the sound works
on everything but the 2 browsers. And the only new thing on here is MS
Messenger, but that was some 10 hours earlier.

Baffled Blonde

Doesn't ring any bells here. I'd restore from backup myself. I don't
suppose you ever did clone a backup drive? It can really save your butt
when Windows gets screwed up. Saves a lot of time and effort.

Art

http://home.epix.net/~artnpeg
 
Heather

Art said:
Peg thinks I'm handsome anyway. Or so she says. When she's in a good
mood. Or wants help with her PC. Or wants to go out for dinner.

ROFL!! I do the same to Ron, for dinner, etc. He is clueless about
computers.
Doesn't ring any bells here. I'd restore from backup myself. I don't
suppose you ever did clone a backup drive? It can really save your butt
when Windows gets screwed up. Saves a lot of time and effort.

No...never got into cloning, but it is not a bad idea. I have thought
of getting an external HD and using that.

Sound is now back. And Willy is still howling after I did the reinstall
of the sound drivers and finally figured out what the problem was. I am
too embarrassed to tell you.....but I am still laughing myself!! Spent
bloody hours trying to figure it out and I said it would turn out to be
something DUMB!!!! IT WAS!! (I will tell you off List, grin)

Thanks, old guy.....takes the senior citizens to run the world, and
computers too, chuckle.

Figgs
 
Heather

Yup!! And the router and the new ISP and so on. The router is
preventing me from some *serious Pogo playing*, lol. So I disconnected
it.

Figgs
 
Joan Archer

<lol> You and your Pogo, I think that's caused you more problems than
anything, do you think it might be trying to tell you something <g>
Joan
 
Heather

OK...is that the one in Windows Components? UPnP User Interface?? It
is not ticked off. According to Pogo's tech support (choke), you can't
specify ports, but have to add IP numbers to the router.

I have to update the router anyway, so will probably phone DLink and see
if they can help. It is total gibberish to me!!

E. says *HI*....and she just called me a *ditz*, lol.

Seeya....heading out for a burger.

Figgs
 
Noel Paton

Art said:
... providing you don't care about security:

http://www.securiteam.com/securityreviews/6K00L20EUE.html
http://www.grc.com/unpnp/unpnp.htm

Figgs, you had better get that backup drive quick :)

stuff Gibson! - He's been preaching Falling Skies for years about UPnP, and
the sun's still shining (except here in Wales - but that was the case before
UPnP anyhow<g>)!
Using UPnP behind a NATted router introduces a very small chance of
infection (not zero, granted - but very small, and one which hasn't yet,
AFAIK, been exploited)

Figgs - if you want to set up the router for Port-Forwarding - have a look
here
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm

speak to you later?


--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Art

stuff Gibson! - He's been preaching Falling Skies for years about UPnP, and
the sun's still shining (except here in Wales - but that was the case before
UPnP anyhow<g>)!
Using UPnP behind a NATted router introduces a very small chance of
infection (not zero, granted - but very small, and one which hasn't yet,
AFAIK, been exploited)

I see you ignored the other link I provided where the guy points out a
combo of "indiscriminate use of IE" (I'll call it) and upnp presents a
risk.
Figgs - if you want to set up the router for Port-Forwarding - have a look
here
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm

And be sensible by using an alternate browser ... which I think Figgs
now has _finally_ done :)

Art
http://home.epix.net/~artnpeg
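What Noel and Art are arguing about, in concrete terms: the UPnP Internet Gateway Device protocol that home routers expose on the LAN has no authentication, so any program running on a LAN host (a browser hijack included) can discover the router with one SSDP datagram and ask it to open a port with a SOAP AddPortMapping call. The NAT protects against unsolicited traffic from outside; it does not protect against a process that is already inside asking for a hole. This is an added example, not code from the thread, the D-Link or Gibson's page: it builds the discovery request, parses a reply, and reads back one entry of the router's mapping table so the table can be reviewed. The router address, the SSDP reply and the SOAP response are constructed here, not captured traffic, and the review rules are this example's own assumptions.

```python
"""UPnP IGD from the LAN side: the SSDP query any program on the LAN can send,
the reply a router gives, and the port-mapping table a practitioner should
review. Added example, not from the thread; the router address, the SOAP
reply and the mapping below are constructed, not captured from a D-Link.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900        # SSDP multicast group
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """The discovery datagram: unauthenticated, any LAN process may send it."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_reply(raw: bytes) -> dict[str, str]:
    """Header block of a unicast SSDP reply; LOCATION points at the device XML."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def parse_port_mapping(soap_xml: str) -> dict[str, str]:
    """Fields of one GetGenericPortMappingEntry response (WANIPConnection:1)."""
    root = ET.fromstring(soap_xml)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    return {child.tag: (child.text or "").strip() for child in resp}


def review_mapping(m: dict[str, str], known_hosts: set[str]) -> list[str]:
    """Reasons a mapping deserves a second look. The rules are assumptions."""
    reasons = []
    if not m.get("NewPortMappingDescription"):
        reasons.append("no description")
    if m.get("NewInternalClient") not in known_hosts:
        reasons.append("unknown internal host")
    if m.get("NewLeaseDuration") == "0":
        reasons.append("permanent lease")
    return reasons


# Constructed sample messages (not captured traffic; addresses are made up).
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.0.1:1780/igd.xml\r\n"
    b"SERVER: Example-OS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

SOAP_REPLY = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>6667</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>6667</NewInternalPort>
      <NewInternalClient>192.168.0.100</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription></NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""

if __name__ == "__main__":
    print(build_msearch().decode())
    print("device description:", parse_ssdp_reply(SSDP_REPLY)["LOCATION"])
    mapping = parse_port_mapping(SOAP_REPLY)
    print(mapping, review_mapping(mapping, {"192.168.0.100"}))
```

Walking the whole table means calling GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... until the router returns a SOAP fault; an entry with no description, a permanent lease and an internal host you do not recognise is exactly the kind of hole Art is worried about, and it does not show up in Windows' own firewall settings because the router, not the PC, is what opened it. If a game such as Pogo is the only reason UPnP is on, a fixed port-forwarding rule for that one host is the narrower alternative.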
 
Noel Paton

Art said:
I see you ignored the other link I provided where the guy points out a
combo of "indiscriminate use of IE" (I'll call it) and upnp presents a
risk.


And be sensible by using an alternate browser ... which I think Figgs
now has _finally_ done :)

My second para was intended as a response to that - note the use of the
NATted router!

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Heather

Noel Paton said:
Using UPnP behind a NATted router introduces a very small chance
of infection (not zero, granted - but very small, and one which hasn't
yet, AFAIK, been exploited)

Figgs - if you want to set up the router for Port-Forwarding - have a
look here
http://www.portforward.com/english/routers/port_forwarding/routerindex.htm

speak to you later?

The problem with Pogo is that you can't forward Ports. You have to put
about 10 IP? numbers in the router somewhere. I had checked that
website before and I think it was you who pointed me there.

I have to get an update for the router which will wipe out existing
settings, so will do that and then phone DLink and see what they can do.

Plan on chatting later, but have to do the *housewifely* chores like
shopping for food and so on.

Cheers....Figgs
 
Heather

Art said:
On Sat, 28 Jan 2006 11:16:31 +0000 (UTC), "Noel Paton"

And be sensible by using a alternate browser ... which I think Figgs
now has _finally_ done :)

That I did, Uncle Artie.......and it was at your urging I do so. I
believe Shaggy pushed me too. I use Firefox 99% of the time. Love it.

Thanks......Figgs
 
Beauregard T. Shagnasty

Heather said:
That I did, Uncle Artie.......and it was at your urging I do so. I
believe Shaggy pushed me too. I use Firefox 99% of the time. Love
it.

<pushpush>Coulda been ... eh?</pushpush>
 