Solved

Help Cleaning PC Infected with  W32/Trojan3.ANF

Posted on 2009-04-25
1,109 Views
Last Modified: 2013-11-22
PC Infected with Trojan3.ANF

This morning I booted up my PC (Windows XP SP3) and started Outlook.  I use F-Prot for AV and SpyBot.  I also have a hardware firewall.  Halfway through loading Outlook froze and a pop-up message from F-prot said

"F-prot Antiviruse has stopped the following viruses and taken appropriate action:

Found Trojan: W32/Trojan3.ANF (exact)
      - C:\WINDOWS\system32\DRIVERS\
      - Filename = asyncmac.sys
      - Status = deleted

Found Trojan: W32/Trojan3.ANF (exact)
      - C:\WINDOWS\system32\dllcache\
      - Filename = asyncmac.sys
      - Status = deleted"

After I closed this message a Windows alert said that some files are missing and I need to reinstall them from my XP SP3 CD.  I put the CD in and could not figure out what to do.  So instead I restored the system to a state that is 2 days old.  I rebooted, everything went well.  Now I am in the process of running a deep scan of my entire computer.  

Does anyone know what this Trojan is?  Is it related to Conficker?

What steps should I take to be 100% sure my PC is clean?  The PC is part of a domain and is connected to a SBS 2003 server that is acting like a file server.  

I have used TrendMicro Housecall in the past - it seems to take many hours to run.  Should I do some form of online scan and if so, am I better off with Housecall, Kaspersky WebScanner, or something else?

Thanks so much for your help!
Question by:MrChip2
12 Comments
 
LVL 15

Expert Comment

by:greyknight17
ID: 24233653
That file should be legitimate unless it was replaced or injected with other malware code. Windows XP has that file in those two locations mentioned and I have a feeling that F-Prot caught a false positive file. To restore your system files, try using the system file checker to see if Windows detected it as missing/corrupted:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.

If you still want to perform some online virus scan, give Panda a try:

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

Author Comment

by:MrChip2
ID: 24233874
Thank you greyknight!  Sorry for the delay in responding to your post - I had to leave the house for about 30 minutes.  Here is an update.

I tried running SFC.  The program starts and then I get a popup that says:

"Files that are required for Windows to run properly must be copied to the DLL Cache.  Insert your Windows XP Professional Service Pack 3 CD now. "

I inserted the CD and hit retry, but the same message keeps popping up!  

I should say that F-prot found the asyncmac.sys during a deep scan and deleted it.  So the file may be missing.  

So SFC can't seem to copy the file over.  I think I see the file in Windows Explorer.  There is a file called ASYNCMAC.SY_ located in the I386 folder.  Should I manually copy the file?

I am now going to run the online scanner.  I will post my results as soon as possible.

Author Comment

by:MrChip2
ID: 24233909
Hi greyknight17,

quick update.  The scan has been running for 10 minutes and is 11% done and 73,000 files.  I do not trust the 11% done because it has been at 11% for the past 10,000 files or so.  However, the status bar turned orange as it has discovered 2 infected files so far. I will post the report as soon as it is available.  I really appreciate your help as this is my main work computer.

Author Comment

by:MrChip2
ID: 24233944
Another update...

It has now been 20+ minutes.  The Scan is still at 11% even though it is now over 229,000 files.  I am hoping that this ends soon.

According to Windows Explorer my computer has roughly 90,000 files on it.  How can the scanner (which is still in the C drive) be more than twice that?  Are there a lot of hidden system files that Windows Explorer ignores?

Do you know if this is going to scan my network drives?  I am connected to a file server that probably has 200K files on it!

More disturbing is that it is now up to 11 infected files!!!

greyknight, will you be able to help me solve this problem today?

Author Comment

by:MrChip2
ID: 24234166
OK,

After close to 2 hours it finished.  Shockingly all it said it found was cookies!  Yet while it was scanning f-prot detected the same Trojan three more times, all in different c:\System Volume Information\_restore locations.

Below is the log that you asked for.  What should I do now?

Thanks again,
Chip

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-04-25 18:13:08
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
F-PROT Antivirus for Windows                 6.0                           Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@doubleclick[1].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson.TECHWISELAN\Cookies\clevinson@tribalfusion[2].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@tribalfusion[2].txt
00145738  Cookie/Mediaplex                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@mediaplex[1].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson.TECHWISELAN\Cookies\clevinson@ad.yieldmanager[1].txt
00168056  Cookie/YieldManager                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@ad.yieldmanager[2].txt
00168110  Cookie/Server.iad.Liveperson       TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson\Cookies\chip@server.iad.liveperson[2].txt
00170495  Cookie/PointRoll                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson.TECHWISELAN\Cookies\clevinson@ads.pointroll[2].txt
00170556  Cookie/RealMedia                   TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson.TECHWISELAN\Cookies\clevinson@realmedia[1].txt
00171982  Cookie/QuestionMarket              TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson.TECHWISELAN\Cookies\clevinson@questionmarket[2].txt
00207862  Cookie/did-it                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\clevinson\Cookies\chip@did-it[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent      Location                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              *
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                *
;===================================================================================================================================================================================
;===================================================================================================================================================================================


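A small parser for the ActiveScan report layout posted above, added here as an example (it is not code from the thread or from Panda). It reads the MALWARE table, splits the fixed-width columns on runs of two or more spaces, and separates tracking cookies from everything else so that a real detection cannot hide among cookie entries. The embedded sample keeps two rows from the posted log and adds one constructed non-cookie row whose id, description and path are made up for the demo.

```python
# Added example, not part of the thread: parse the MALWARE table of a Panda
# ActiveScan report in the layout posted above and separate tracking cookies
# from everything else, so that any real detection is not lost in cookie noise.
import re
from typing import Dict, List

# Two rows copied from the posted log plus one constructed row (the id,
# description "Sample/Constructed.Test" and path are made up for the demo and
# do not refer to any real malware family).
SAMPLE_LOG = r"""
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139061  Cookie/Doubleclick                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@doubleclick[1].txt
00145731  Cookie/Tribalfusion                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\mike\Cookies\mike@tribalfusion[2].txt
00000000  Sample/Constructed.Test            Trojan              Yes       3         Yes            No           C:\WINDOWS\system32\DRIVERS\constructed.sys
;===================================================================================================================================================================================
SUSPECTS
"""

COLUMNS = ["id", "description", "type", "active", "severity",
           "disinfectable", "disinfected", "location"]
SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}


def parse_malware_table(report: str) -> List[Dict[str, str]]:
    """Rows of the MALWARE section as dicts. Columns are separated by runs of
    two or more spaces; the location is the last column and may itself
    contain single spaces, so the split is capped at eight fields."""
    rows: List[Dict[str, str]] = []
    in_malware = False
    for raw in report.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            if in_malware:
                break                    # reached the next section
            in_malware = line == "MALWARE"
            continue
        if not in_malware or not line or line.startswith(";") or line.startswith("Id "):
            continue
        fields = re.split(r"\s{2,}", line, maxsplit=len(COLUMNS) - 1)
        if len(fields) != len(COLUMNS):
            continue                     # not a data row
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def summarize(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Count cookies separately and list anything that is not a cookie,
    flagging entries the scanner reported as active."""
    cookies = [r for r in rows if r["type"] == "TrackingCookie"]
    other = [r for r in rows if r["type"] != "TrackingCookie"]
    return {
        "total": len(rows),
        "cookies": len(cookies),
        "non_cookie": other,
        "active_non_cookie": [r for r in other if r["active"] == "Yes"],
    }


if __name__ == "__main__":
    summary = summarize(parse_malware_table(SAMPLE_LOG))
    print(f"{summary['total']} entries, {summary['cookies']} tracking cookies")
    for row in summary["non_cookie"]:
        print("NON-COOKIE:", row["description"], row["type"],
              "active=" + row["active"], row["location"])
```

Run against the full log posted above, the non-cookie list comes back empty, which is the point the author makes: the scanner found only tracking cookies.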
LVL 15

Expert Comment

by:greyknight17
ID: 24236691
Yes, you may copy over that ASYNCMAC.SY_ file to the two folders where they were removed from. You will need to rename it with a .sys extension instead. If you have problems doing this, you might have to boot into the recovery console first. You might consider slipstreaming SP3 into your current Windows CD just in case that file has been modified. You can use a program like AutoStream to help you do this.

You may remove those cookie files if you want.

To remove the additional infections found by F-Prot, just disable system restore and enable it again. To do this, right click on My Computer and go to Properties. Go to the System Restore tab and check the box there to turn off system restore on all drives. Click on Apply. Then uncheck that box to enable system restore back. That should remove those infected restore points.

Author Comment

by:MrChip2
ID: 24236736
Hi greyknight17,

If you can hang online for a few minutes I want to give you an update.  It will take me 5-10 minutes to type.

Author Comment

by:MrChip2
ID: 24236810
OK, thanks again for staying on top of this greyknight!  This has me really stressed out and I very much want to resolve it this morning.  Here is an update.  

1. First off this problem has now popped up on 4 out of my 5 PCs :(.  I submitted a support ticket last night to F-prot asking them to verify if this is in fact a Trojan or if it is a false positive like you suspect.  So far no word.

2. F-prot did not delete the files, they were placed in quarantine.  When I restore them it detects them immediately and puts them back in quarantine.  To get around this I added the following two exclusions on my main PC:

C:\WINDOWS\system32\DRIVERS\asyncmac.sys
C:\WINDOWS\system32\dllcache\asyncmac.sys

One of my other PCs also listed the file under a folder called Service Packs (I believe).

3. After doing this I ran a virus scan of my whole computer and F-prot reported no problems.  So the exclusions seem to be working.

4. I updated Spybot S&D and ran a full scan of all the PCs.  They come up clean.

5. One of my PCs that I just added the exclusions to this morning came up with the message that Windows is missing an important file.  

In summary, it is possible that the exclusion rules will keep F-prot happy.  However, I am very nervous because I don't know if I have an actual Trojan or not.  I did a lot of web surfing and found the site mentioned above that said that asyncmac.sys is a legitimate file if it is 14,336 bytes (90% of all occurrences) or 13,568 bytes in size and appears in the C:\WINDOWS\system32\DRIVERS\ folder.  As far as I can tell, all my copies of the asyncmac.sys file are the same size.  I would need to do a systematic check to be sure of this.

Question #1: Do the above files tell you anything new?

Question #2: If I turn System Restore off and on, will I lose all my previous restore points?  Is this dangerous or risky?  What if my current configuration is infected?

Question #3: I have an original CD from Microsoft with SP3 installed.  Is it OK to use this one CD on multiple PCs even though each PC has its own valid Windows XP license?  The other XP machines all have SP2 CD disks.

Question #4: Since I restored the files from F-prot, do I need to do anything else with the XP CD?

Question #5: Based on all of the above, what specific steps do you recommend I take?

Finally, how can I award you 1,000+ points for this because your help has been so valuable to me?

Thanks again!
Chip
LVL 15

Accepted Solution

by:
greyknight17 earned 2000 total points
ID: 24246607
Sorry for the delay Chip. I was working this past weekend and didn't have much time to check up here.

1. They are usually the same size but it may vary depending on whether a Microsoft update has changed that file. My file is 14,336 bytes and is located in the c:\windows\system32\drivers\ folder and c:\windows\system32\dllcache\ folder. They should be identical since if there is a problem, usually the dllcache copy will be copied over to replace the corrupted file.

2. Yes, you will be wiping out all previous restore points by turning it off and creating a new one once you enable it back. I usually would say this is not risky unless the station is very unstable and you want to take a chance to see if the restore points help. Otherwise, what I usually do is clear the restore points over time as they can take up space. If your current configuration is infected, we can definitely take a look at it first before you disable system restore (see below for ComboFix).

3. It should be ok to use the same CD on multiple PCs for file verification purposes. I do this at work using my Dell CD which never gave me problems since they are all Dell PCs. Using one that has SP3 on a SP2 computer may have issues though as some files are updated.

4. You may hold off on the XP CD for now if you wish. Otherwise, we can replace that file that's suspected of being infected. Use the SP3 CD since that's the latest service pack you have installed. If F-Prot still detects it as being infected, then I'm almost sure that it's a false positive found and they should definitely fix this.

5. We can run a tool to have a deeper look into your system. This can give us a better overview if there may be recent infected files that were loaded.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

I don't think it's possible to assign any point value higher than 500. Thanks for that though. Glad to help out regardless.
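Chip says he would need "a systematic check" that all copies of asyncmac.sys are the same size, and greyknight's point 1 adds that the DRIVERS copy and the dllcache copy should be identical. The script below is an added example (not code from either poster) that does exactly that check: it hashes every copy that exists, reports which copies are missing (for instance, still held in quarantine), and tells you whether the present copies are byte-for-byte identical and whether each has one of the two sizes the thread quotes. The two Windows paths and the sizes 14,336 and 13,568 are taken from the thread; the demo functions build constructed files in a temporary directory so the check can be run anywhere, and on a real XP box you would pass the real paths instead.

```python
# Added example, not code from the thread: check that the copies of a Windows
# system file kept under system32\DRIVERS\ and system32\dllcache\ agree with
# each other, and that their size matches what the thread reports as normal.
# The real paths and the two "known good" sizes come from the thread; the
# demo functions build throwaway files in a temp directory so the check can
# be run anywhere without touching a live Windows install.
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set

# Sizes quoted in the thread for a legitimate asyncmac.sys on Windows XP
KNOWN_GOOD_SIZES: Set[int] = {14336, 13568}

# Locations named in the thread (used only when run on a real XP box)
DEFAULT_COPIES: List[str] = [
    r"C:\WINDOWS\system32\DRIVERS\asyncmac.sys",
    r"C:\WINDOWS\system32\dllcache\asyncmac.sys",
]


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inspect_copies(paths: List[str],
                   good_sizes: Set[int] = KNOWN_GOOD_SIZES) -> Dict[str, object]:
    """Size and hash of every copy that exists, which paths are missing
    (for example because the AV still holds them in quarantine), whether the
    present copies are byte-for-byte identical, and whether every present copy
    has one of the expected sizes."""
    copies: Dict[str, Optional[Dict[str, object]]] = {}
    for path in paths:
        if not os.path.isfile(path):
            copies[path] = None
            continue
        copies[path] = {"size": os.path.getsize(path), "sha256": sha256_of(path)}
    present = [c for c in copies.values() if c is not None]
    hashes = {c["sha256"] for c in present}
    return {
        "copies": copies,
        "missing": [p for p, c in copies.items() if c is None],
        "identical": len(present) > 0 and len(hashes) == 1,
        "sizes_expected": len(present) > 0 and all(c["size"] in good_sizes for c in present),
    }


def _write(path: str, payload: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(payload)


def demo_consistent() -> Dict[str, object]:
    """Constructed scenario: both copies present, identical and of an expected
    size; a third path (a service-pack folder) does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "DRIVERS", "asyncmac.sys")
        b = os.path.join(tmp, "dllcache", "asyncmac.sys")
        payload = b"\x00" * 14336  # constructed filler, not a real driver
        _write(a, payload)
        _write(b, payload)
        return inspect_copies([a, b, os.path.join(tmp, "ServicePackFiles", "asyncmac.sys")])


def demo_tampered() -> Dict[str, object]:
    """Constructed scenario: the DRIVERS copy differs from the dllcache copy
    and has a size outside the expected set, which is what a replaced file
    would look like."""
    with tempfile.TemporaryDirectory() as tmp:
        a = os.path.join(tmp, "DRIVERS", "asyncmac.sys")
        b = os.path.join(tmp, "dllcache", "asyncmac.sys")
        _write(a, b"\x00" * 14336 + b"extra")
        _write(b, b"\x00" * 14336)
        return inspect_copies([a, b])


if __name__ == "__main__":
    for label, result in (("consistent", demo_consistent()), ("tampered", demo_tampered())):
        print(label, "identical:", result["identical"],
              "sizes_expected:", result["sizes_expected"],
              "missing:", len(result["missing"]))
    # On a real XP machine call inspect_copies(DEFAULT_COPIES) instead.
```

Matching sizes alone are weak evidence, since a modified file can be padded to the original length; the hash comparison between the two copies is the part worth trusting, and a mismatch there is a reason to replace both from the installation media rather than to add AV exclusions.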

Author Comment

by:MrChip2
ID: 24248664
Hi Greyknight,

Here is the email I received from F-prot:

"Hello and thank you for contacting us. This was a false positive detection which was fixed in a virus signature file update today. If you have received the update from today, you just need to restore the file from quarantine to fix this issue. Please do not hesitate to contact us again if you require further information or assistance."

Based on this I have restored the asyncmac.sys files from quarantine.  So far so good.  I would be interested in checking out my systems thoroughly.  I would like to close this and open another question where we can work our way through ComboFix, if that is OK with you.  I will post the new question now.

Thanks for all of your help!!!

Author Closing Comment

by:MrChip2
ID: 31574558
Thank you for sticking with me and helping me through this tricky situation.  You went above and beyond the call of duty!
LVL 15

Expert Comment

by:greyknight17
ID: 24255983
No problem Chip. Glad they resolved that quickly as it can cause panic to many users if they are not sure why they got infected out of nowhere.