PLEASE HELP! Trojan Problem on PC

Discussion in 'BlackHat Lounge' started by GoldenTiger, Apr 7, 2009.

  1. GoldenTiger

    GoldenTiger Junior Member

    Mar 17, 2008
    Ok, here's what happened.

    Was browsing the web... then some pop-under ad appeared.
    The pop-under was trying to open Adobe Acrobat for some reason; I was like WTF and terminated the process (I have BlackICE Defender application protection; it automatically alerts you when an unknown app tries to run).

    Then a file called unwise_.exe, located in the c:\windows\fonts folder, tried to open itself. WTF again, terminated it.

    Forgot about it for a few hours, then the BlackICE firewall started going off like crazy. Checked Task Manager and noticed several instances of cmd.exe and ftp.exe running.

    Crap... somehow got a trojan. The thing is, I don't run any executable files from "shady" sources, just download some PDF files at most. So it was probably a vulnerability in Acrobat or Firefox that allowed the trojan to install.

    Here is what I did:

    - Ran AVG; it removed the unwise_.exe trojan (Win32/Heur).
    - Deleted the service the trojan created, "Windows Host Controller", from the registry. It's gone.
    - Deleted ftp.exe (don't have a need for it anyway) from the system32 and DllCache folders. Gone, and never reappeared.
    - Ran Malwarebytes Anti Spyware and SUPERAntiSpyware. Nothing found.
    - Checked the HijackThis log, nothing suspicious.
    - Ran 2 different online AV scans, nothing found.
    - Ran a task manager program (forgot the name) that shows all processes, even hidden ones; everything OK.
    - Ran McAfee Anti-Rootkit, nothing found.
    - Checked Services and startup items in the registry, nothing suspicious present.
    - Got rid of Acrobat Reader, replaced it with Foxit. Probably it's Acrobat that caused the trojan to install itself in the first place.

    Now here's the problem:
    Whenever I run a port scan on my PC, FTP port 21 is still shown as OPEN!!

    I blocked that port in BlackICE, but it still shows as Open; normally it was always on "stealth".

    How the F%&@ do I close port 21?? It's not supposed to be open!
    Tried connecting to it, though, but connections always fail when I try to connect to my IP:21.

    That PC is a laptop that I use to do some work, but it contains no "sensitive" data on it whatsoever, aside from a collection of crap DP ebooks and WSOs I downloaded.

    Any help on how to make port 21 "stealth" again would be appreciated... Tried searching and figuring it out myself, but didn't find anything!
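The checks the poster did by hand (what owns the listener on TCP/21, whether the "Windows Host Controller" service is still registered, whether the deleted binaries came back) as one repeatable triage pass. This is an added example, not from the thread; it assumes Windows PowerShell 5.1 or later run as Administrator, and the port, service display name and file paths are taken from the post above.

```powershell
# Added triage script (not from the thread). Assumes PowerShell 5.1+, elevated.
# Port, service display name and file paths come from the poster's description.
$Port           = 21
$ServiceDisplay = 'Windows Host Controller'

# 1. Is anything on this host actually listening on the port, and which process owns it?
#    If nothing listens locally but an external scan still says "open", the answer lives in
#    the router/NAT or in how the firewall answers SYNs, not in a process on the box.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Host "No local listener on TCP/$Port. Check the router/NAT and firewall response behaviour."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            Port         = $l.LocalPort
            PID          = $l.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    }
}

# 2. Is the service still registered? Search by display name, because the registry key name
#    (HKLM\SYSTEM\CurrentControlSet\Services\<name>) often differs from what services.msc shows.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -eq $ServiceDisplay }
if ($svc) {
    $svc | Select-Object Name, DisplayName, PathName, State, StartMode
} else {
    Write-Host "No service with display name '$ServiceDisplay' is registered."
}

# 3. Did the cleaned binaries reappear? -Force also lists hidden/system files.
$paths = "$env:SystemRoot\System32\ftp.exe",
         "$env:SystemRoot\System32\dllcache\ftp.exe",
         "$env:SystemRoot\Fonts\unwise_.exe"
foreach ($p in $paths) {
    if (Test-Path $p) {
        $fi = Get-Item $p -Force
        "present: {0}  size={1}  modified={2}" -f $fi.FullName, $fi.Length, $fi.LastWriteTime
    } else {
        "absent:  $p"
    }
}

# 4. Block inbound TCP/21 at the host firewall while the machine is being cleaned.
New-NetFirewallRule -DisplayName "Block inbound TCP $Port (triage)" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Block | Out-Null
```

If step 1 shows a listener whose Path is unexpected, record the PID and path before killing anything, so the binary can be scanned rather than lost.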
  2. iglow

    iglow Elite Member

    Feb 20, 2009
    Okay, mainly I don't know why you want to close 21, since it's one of the default ports that most applications use. But let's say you forwarded and changed ports in a way that 21 is never used.

    Download NOD32 [from their site, 30-day trial free], update, go to maintenance mode and then run the global scan.
    Also try uninstalling Acrobat for now.
  3. keinehabe

    keinehabe Supreme Member

    Nov 4, 2008
    -= CEO =-
    A few words for you: 1. Loads of people will recommend you different antivirus solutions; truth is, most of them are crap. The only antivirus which never made me go crazy is McAfee. Yes, it's true it's paid and you have to pay the fees every year, but... if you care about your computer you have to do it, like you have to do with the license for the OS. So... McAfee will be the only one who will never miss anything.
    Second thing: ... make a backup of your important-to-keep files (family pics / docs from school, stuff like this...) and FORMAT. Try and use Partition Magic when you format your computer after such viruses/trojans, and always use FAT32 :) .... Partition Magic will do everything cleaner and faster than any other...
    3rd: install a clean copy of the OS. Before doing anything, install and configure the internet connection, go to the McAfee site and download and install the antivirus (you can even use the firewall if you want, which is one of the best on the market, and the other security tools from them are also top ones).

    Most of the new-era viruses/trojans are trying to migrate onto the NTFS partitions; most antivirus programs aren't capable of scanning the 8 MB of swap which NTFS keeps the system up with. (These 8 MB are hidden from plain view; you can see them if you try to use any Linux or advanced hard drive manager....)

    If you need any help with Partition Magic, or how you can install/manage it easily, feel free to PM me on MSN...
  4. marttali

    marttali Junior Member

    Sep 3, 2007
    Oh, it's the famous PDF hole.
    Try System Restore.
  5. tissa2

    tissa2 Junior Member

    Jan 12, 2009
    I think you've done just about all you can, except for a rebuild.... Last thing to do: run another full system scan in safe mode and do a rootkit scan.
  6. jasonac2

    jasonac2 Junior Member

    Nov 23, 2008
    I'm going to get raped for having an opinion, but I suggest getting a Mac.
  7. sonja

    sonja Newbie

    Jun 15, 2010
