I recently noticed "something" hijacking Google search results (on Firefox!) and so I decided to run a scan by Malwarebytes.
Sure enough, it found a Trojan.Agent with the following information:
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AsyncMapLite (Trojan.Agent)
-> Value: AsyncMapLite
-> Data: rundll32.exe "C:\Users\WinWin\AppData\Local\Nativeobjdrv\AsyncMapLite.dll",rasGLLite lanAuthenticationlib
Memory Modules Infected:
c:\Users\WinWin\AppData\Local\nativeobjdrv\asyncmaplite.dll (Trojan.Agent)
Files Infected:
c:\Users\WinWin\AppData\Local\nativeobjdrv\asyncmaplite.dll (Trojan.Agent)
Well, I Googled asyncmaplite and couldn't find anything about it.
So, I suspect the name is totally irrelevant and may be mutating... But since Malwarebytes did find it, there must be some information about it somewhere.
Any idea what type of Trojan this is and how I can find more information about it?
UPDATE (Sep 19): After tracking my system for a while, this Trojan.Agent re-appeared -- with a different name: iecrtlog. It's clear now that the name is meaningless, as it keeps mutating.
But... even after MBAM cleanup, it happens to be leaving a "souvenir" in the registry:
[HKEY_CURRENT_USER\Software\Nativeobjdrv]
"gFtOQZs"="TeL90WPbzngPabEduP5DI0"
"lgT"=dword:045371ea
"hUV"=dword:00004e8d
And:
[HKEY_CURRENT_USER\Software\iecrtlog]
"mUuwFxgJ"="TeL90WPbzngPabEduP5DI0"
"xifo"=dword:0487c61a
"imRTPr"=dword:0000526d
Which shows, again, that everything about this Trojan keeps mutating, except for the signature string "TeL90WPbzngPabEduP5DI0".
Interesting.
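The two things that stay constant in the output above (a HKCU Run value that has rundll32.exe load a DLL out of AppData\Local, and leftover HKCU\Software keys holding the same marker string) are exactly what a defender can check for after cleanup. The following is an added Python example, not code from the original post or from Malwarebytes: it parses a .reg export (e.g. from `reg export HKCU out.reg`) and flags both patterns. The registry text is constructed from the question's own scan output; the "OneDrive" value is a made-up benign entry used as a control.

```python
import re

# Constructed .reg export built from the scan output and leftover keys quoted
# in the question; the "OneDrive" value is a constructed benign control entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsyncMapLite"="rundll32.exe \"C:\\Users\\WinWin\\AppData\\Local\\Nativeobjdrv\\AsyncMapLite.dll\",rasGLLite lanAuthenticationlib"
"OneDrive"="\"C:\\Users\\WinWin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Nativeobjdrv]
"gFtOQZs"="TeL90WPbzngPabEduP5DI0"
"lgT"=dword:045371ea

[HKEY_CURRENT_USER\Software\iecrtlog]
"mUuwFxgJ"="TeL90WPbzngPabEduP5DI0"
"xifo"=dword:0487c61a
'''

RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
MARKER = "TeL90WPbzngPabEduP5DI0"  # the one string that stayed constant across renames

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; REG_SZ data is unescaped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\ escaping
            yield key, name, raw

def find_suspicious(text):
    """Flag the two patterns from the question: a Run value that has rundll32
    load a DLL from the user-writable AppData\\Local tree, and any HKCU\\Software
    value holding the constant marker string."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() == RUN_KEY.lower():
            if re.search(r'rundll32(\.exe)?\s+"?[^"]*\\AppData\\Local\\[^"]*\.dll', data, re.I):
                hits.append(("run_rundll32_appdata", key, name, data))
        elif key.lower().startswith("hkey_current_user\\software\\") and data == MARKER:
            hits.append(("marker_string", key, name, data))
    return hits

if __name__ == "__main__":
    for kind, key, name, data in find_suspicious(SAMPLE_REG):
        print(f"{kind}: [{key}] {name} = {data}")
```

Run it periodically against a fresh HKCU export; a new hit on either pattern means the persistence came back under yet another name, which no Administrator rights are needed to write.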
Have you tried deleting the infected file, rebooting and seeing if the hijacking continues? – Paul – 2011-08-10T23:56:57.813
@Paul Malwarebytes was kind enough to do all of that for me: delete the infected file, remove the registry entry and reboot. So far so good, but I need to know whether I am going to be surprised a few days down the road... – WinWin – 2011-08-11T00:01:58.623
Totally agree, it's good to be prepared. I can't find anything on any search engine either on any of the search terms in your code. Have you made sure the registry entry is also deleted? – Paul – 2011-08-11T00:17:22.560
@Paul Yes, I made sure the registry entry is deleted and I check it periodically to see whether it re-appears. The nasty thing about this Trojan is that it doesn't even require Administrator access... – WinWin – 2011-08-11T00:38:46.597
Hopefully someone more knowledgeable can help you. You've already taken the steps I would have done. Sorry for not being able to help more, good luck. – Paul – 2011-08-11T00:40:38.450