Trojan on my PC!

Guest Redplanet

I have a file in the C: folder.

in the description is a link to http://www.autoitscript.com/autoit3/compiled.html

I have never heard about Autoit!

In the same folder was a file named ISASS.exe, but it had no description and no version number.

I didn't open these files, I deleted them.

But a few hours later, I found the same files in the same directory!

What should I do?

Sorry for my bad English, I normally speak German.

Regards, Redplanet


So first of all you have to check all the Windows startup entries to see whether the file is being executed from somewhere.

There was once a forum user "infernothebest" who seemed to want to program a trojan in AutoIt. Once we had checked that, our help was over. Well, he is a really bad coder.

Who knows... maybe he has succeeded now ;)

Sorry, also in English:

There was a user "infernothebest" once who seemed to be trying to write a trojan in AutoIt. We didn't help him any more as soon as we found out about his intention.

He was a bad coder, so we thought that he'd never reach his goal. But maybe he was successful in the end. :P

Say: "Chuchichäschtli" | My UDFs: _PrintImage UDF, _WinAnimate UDF | Greetings, Raindancer

Guest Redplanet

Thanks for your answer, and a German one at that ;)

I'll look through the startup entries. But I've also had my PC running for over 3 days (without a reboot)... the files came back on their own. So that shouldn't be coming from Windows startup.

All my programs also closed by themselves.. at least they all crashed.

When I went back to the PC and moved the mouse over the tray icon list, all the icons disappeared. All programs crashed too (e.g. OpenOffice), where I still had an unsaved file.


Get yourself Process Explorer from Sysinternals. With it you can see all running processes. Kill everything that looks suspicious to you.

Check the startup entries (RunServices too).

Regedit has a bug with overly long key names; it doesn't display those keys. So it's best to check the startup entries with msconfig32.

Then, once you're sure that no suspicious program is still running and the startup entries are OK, reboot.

The files can be recreated at any time by a running process, i.e. as long as the trojan is active there's nothing you can do against it.

If nothing else helps, boot from a Knoppix (www.knopper.net) Live CD, mount your HD and then remove the files.

Hope this helps.

IN ENGLISH:

Get yourself Process Explorer from Sysinternals. It shows you hidden processes too.

Kill all suspicious tasks.

Check the autorun entries inside the registry and autostart.

Regedit has a bug so that keys with too-long names aren't displayed (the trojan coders know that). Use msconfig32 instead. It shows you those entries too.

After killing the tasks and cleaning the startup, restart your machine.

If that didn't help, get yourself Knoppix (www.knopper.net), boot off this Live CD, mount your HD and remove the data from there.

Hope it helps.

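The procedure above (list running processes, check the Run/RunOnce/RunServices keys and the Startup folders, watch for overlong registry names that some viewers hide, then reboot) can be turned into a read-only triage pass. The following PowerShell is an added example written for this thread, not code from the forum or from any tool mentioned in it. It assumes the classic autorun key list and uses 255 characters as an illustrative threshold for an "overlong" value name; it reports only and does not kill or delete anything.

```powershell
# Added example (not from the thread): a read-only triage pass over the places
# Raindancer lists. Assumptions: the key list below is the classic Run/RunOnce/
# RunServices set, and 255 chars is an illustrative threshold for "overlong" names.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$longNameThreshold = 255   # assumption, for illustration only

function Get-AutorunEntries {
    # One object per registry autorun value; overlong value names are flagged
    # because a viewer that truncates or hides them makes a good hiding place.
    foreach ($keyPath in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            $flag = ''
            if ($valueName.Length -gt $longNameThreshold) { $flag = 'OVERLONG-NAME' }
            [pscustomobject]@{
                Source  = $keyPath
                Name    = $valueName
                Command = [string]$key.GetValue($valueName)
                Flag    = $flag
            }
        }
    }
    # Startup folders for the current user and for all users.
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $folder -File) {
            [pscustomobject]@{ Source = $folder; Name = $file.Name; Command = $file.FullName; Flag = '' }
        }
    }
}

function Get-RunningImages {
    # Every process with its image path and Authenticode status, so that an
    # unsigned binary running from outside the Windows directory stands out.
    $windowsDir = [Environment]::GetFolderPath('Windows')
    foreach ($proc in Get-Process) {
        $path = try { $proc.Path } catch { $null }   # $null for protected/system processes
        $status = 'n/a'
        if ($path) { $status = [string](Get-AuthenticodeSignature -LiteralPath $path).Status }
        $flag = ''
        if ($path -and $status -ne 'Valid' -and -not $path.StartsWith($windowsDir, 'OrdinalIgnoreCase')) {
            $flag = 'REVIEW'
        }
        [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Path = $path; Signature = $status; Flag = $flag }
    }
}

'== Running processes =='
Get-RunningImages  | Sort-Object Flag -Descending | Format-Table -AutoSize
'== Autorun entries =='
Get-AutorunEntries | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated Windows PowerShell prompt so the HKLM keys and the image paths of other users' processes are readable. Because the thread's point is that a live trojan recreates its files, the script is meant to be run before anything is deleted; the flagged rows are what to compare against the Process Explorer view and the Knoppix-side file listing, not an automatic verdict.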


@Raindancer

Could you please continue with the English translations, as I believe this topic will be of interest to a lot of forum members.


Time you enjoyed wasting is not wasted time ......T.S. Elliot
Suspense is worse than disappointment................Robert Burns
God help the man who won't help himself, because no-one else will...........My Grandmother



It's just a German instruction on how he may get rid of the trojan he thinks he has.

Edit: Did the translation now ;)



Thanks

If they find out who did this they should cut his nuts off !!!!


I have a few suggestions

Did you use Spybot's process viewer to see what is running? Odds are Spybot won't see what has infected the PC, due to the nature of how it works, but the process viewer might allow you to see what the pest is, and allow you to remove it.

Try CodeStuff Starter. http://www.simtel.net/product.php?id=57830

I use it as a tool to see what is running, and what is in startup. Works much better than msconfig.

Ad-Watch in Ad-Aware is a good thing to try.

HijackThis is a good tool: http://www.spywareinfo.com/~merijn/

Beware when using this tool. You can really easily blow up your PC with it. Back up before making any changes, and also, if not sure, there are a bunch of websites where you can post your report files so someone can review them.

I did a Google search on the file name you provided, and found this:

http://www.liutilities.com/products/wintas...slibrary/isass/

It looks like the Optix.Pro virus is the problem you have.

isass - isass.exe - Process Information
Process File: isass or isass.exe
Process Name: Optix.Pro virus
Description: isass.exe is registered as the Optix.Pro virus, which carries in its payload the ability to disable firewalls and local security protections, and a backdoor capability.
Author: n/a
Part Of: Optix.Pro virus
System Process: No
Background Process: No
Uses Network: No
Hardware Related: No
Common Errors: N/A
Memory Usage: N/A
Security Risk (0-5): 4
Spyware: No
Adware: No
Virus: No
Trojan: Yes

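Two observations in this thread generalise into a check worth automating: a malicious file picking a name one character away from a real system process (isass.exe beside the legitimate lsass.exe), and Redplanet's original clue that the file's description pointed at the AutoIt compiled-script page. The PowerShell below is an added example for this thread, not code from the forum or from any product named here. The list of system process names, the use of edit distance 1 as the look-alike rule, and the autoitscript.com string as an AutoIt marker are all assumptions made for illustration; it reports and does not terminate anything.

```powershell
# Added example (not from the thread): flag running processes whose name is one
# edit away from a well-known Windows system process, system-named processes that
# run from outside the Windows directory, and images whose version resource
# mentions autoitscript.com. The name list and markers are illustrative assumptions.

$systemNames = @('lsass', 'csrss', 'smss', 'svchost', 'winlogon', 'services', 'explorer', 'spoolsv')
$windowsDir  = [Environment]::GetFolderPath('Windows')

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance between two strings (insert/delete/substitute = 1 each).
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = 1
            if ($a[$i - 1] -eq $b[$j - 1]) { $cost = 0 }
            $best = [Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1)
            $d[$i, $j] = [Math]::Min($best, $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-SuspiciousProcess {
    # Returns an array of reasons (empty when nothing stands out) for one process.
    param([System.Diagnostics.Process]$Process)
    $reasons = @()
    $name = $Process.ProcessName.ToLowerInvariant()
    $path = try { $Process.Path } catch { $null }   # $null for protected/system processes

    foreach ($sys in $systemNames) {
        $dist = Get-EditDistance $name $sys
        if ($dist -eq 1) {
            $reasons += "name is one edit away from $sys.exe"
        } elseif ($dist -eq 0 -and $path -and -not $path.StartsWith($windowsDir, 'OrdinalIgnoreCase')) {
            $reasons += "system process name but image is $path"
        }
    }
    if ($path) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $text = "$($vi.FileDescription) $($vi.Comments) $($vi.LegalCopyright) $($vi.ProductName)"
        if ($text -match 'autoitscript\.com') { $reasons += 'version info references autoitscript.com' }
    }
    return ,$reasons
}

foreach ($p in Get-Process) {
    $why = Test-SuspiciousProcess -Process $p
    if ($why.Count -gt 0) {
        '{0,6}  {1,-20}  {2}' -f $p.Id, $p.ProcessName, ($why -join '; ')
    }
}
```

The edit-distance rule deliberately errs on the side of noise: a legitimate process can land one character away from a system name, so each hit is something to look up (path, signature, what started it) rather than something to kill. The version-info check only catches compiled AutoIt scripts that kept the default resource strings, which is exactly the clue Redplanet saw; a builder that rewrites those strings, as the later post about binders and renamed RATs points out, will not be caught by it.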

We have to find a way to make AutoIt unable to be a hidden trojan...

Technically, a trojan is any program that maliciously misrepresents itself, so any program written in any language could potentially be a trojan if it meets that criterion. AutoIt is an awesome tool, but any tool can be misused for harm. There is no way to prevent misuse and retain the power of the language... Also, I wanted to thank you for your translations; that's very cool of you, and makes sure that others having similar issues will be able to find help.


WTF man, why blame me? I did nothing wrong.

Hi,

There is a simple way to switch the program off. Download the J-Taskmanager from: http://www.j-software.de.vu/

If it really is an AutoIt program, you will find "Autoit3" under Unsichtbare Fenster (hidden windows), together with its process name. In J-Taskmanager you can simply close that window along with its process. ;)

Regards

In English:

Hi,

there is a simple way to switch off the program. Download the J-Taskmanager from: http://www.j-software.de.vu/

If this is really an AutoIt program, you will find "AutoIt3" under "hidden windows" (Unsichtbare Fenster) with the process name. You can just close the window and process with J-Taskmanager.

(Sorry, I think there is no English translation of J-Taskmanager, but if someone wants to test it: install and start it, click on "Unsichtbare Fenster" (hidden windows) and you will find it there.)


Off the topic and not a hi-jack, but I love that FireFox Icon!!!

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


Hi-jack? I'm not sure what you want to tell me, but my post before is about the topic and I think this really helps Redplanet. ;)

I love the Firefox Icon too :P

Edit: I think you mean the post above me, sorry. :">


Raindancer...

You may want to pass on to Redplanet, in German if that's easier for him to understand, that if he truly has Optix Pro on his PC (as vollyman has speculated; however it's not a virus...it's a RAT (Remote Administration Tool)), he should definitely disconnect himself from the internet for a while. Optix Pro has a healthy feature list, which is bad news for anyone who has it installed on their computer.

- Firewall and AV killing
- Client SOCKS 4/5 Support
- Power Options - logoff, suspend, reboot, shutdown etc.
- Server Information - Get info about builder settings
- File Manager
- Process Manager
- Windows Manager
- Registry Manager
- FTP Manager
- SOCKS 4/5 Server
- Remote IP Scanner
- Port Redirect
- Application Redirect
- Service Manager
- Message Box
- Matrix Chat (Client-2-vic)
- Client-2-Client chat
- Computer Information
- Get Passwords - (RAS/Cached - 9x and AIM)
- Online Key Logger - (now window titles)
- Screen Capture with left click mouse manipulation
- Keyboard Manipulation - (more advanced)
- Cam Capture

...to name a few.

I would personally be thinking of what I've downloaded, from where, what I've installed and when...to get any idea of how damaging it could be from a passwords, keylog perspective.

Unfortunately, I believe there are those who are looking at the viability of using AutoIt progs as wrappers and delivery systems for their malicious payloads. As far as vollyman's speculation, it would be hard to be sure...someone could have bound multiple applications together; I know of a binder which will bind executables to .avi files. Just watching the video and you're owned. Additionally, a "known" application name is of little help; seeing as you can name your RAT anything you want it to be at build time. Add a binder into the equation and there could be a few more applications strewn about that need to be ferreted out as well.

If I can help in any way I'll try...
