Spyware problem (Udpfloder)

Marshal108

Junior Member
Jan 3, 2005
10
0
0
Platform: Win 2K pro. as a workstation.
Was using AVG 7.x as the virus protection.
Was accessing the web w/ firefox as the browser, Zone Alarm Pro as the Firewall s/w and gaim as the IM client.

Two days ago, the AVG resident shield detected udpflooder.exe deep in many directories below the "Document and Settings" directory: \user name\Locals~1\Temp\--\--\-- (this level of subdirectory).

Was not able to heal it, delete it or move it to the vault (w/ Avg s/w).

My research shows that this udpflooder.exe is also known as "Udpfloder, a Trojan horse".
FYI: UDPFlood is a UDP packet sender. It sends out UDP packets to the specified IP and port at a controllable rate. Packets can be made from a typed text string, a given number of random bytes or data from a file.

Been watching it with some s/w. ... Presuming that this trojan horse is still there. ... No activity of uploading data onto the web through my firewall program.

Surprised that this spyware program got through and embedded itself into my system.
Tried different anti-spyware programs to remove it. ... Was not successful.

Q: Is there any chance that this spyware s/w is inactive?

If I logged out of the system as a user, I would lose access to the system because of forgetting the password. Aghhh!

Surprised that this spyware got through.
Q: What can I do to eliminate this spyware program?

And

Q: What can I do to prevent this event from ever occurring?

Been surfing through the web, no valid solutions were available.

Any suggestion(s) are appreciated!? ...

MarshaL
 

OZEE

Senior member
Feb 23, 2001
985
0
0
You should be able to get rid of it if you login to Safe Mode. AVG can't do anything with it because it's running.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Also...

1) try this scanner. Download & extract it, then run it while in Safe Mode. McAfee > AVG on Trojans and downloaders, there might be more than you realize :Q

2) use Microsoft Baseline Security Analyzer and fix what it nails you for, especially missing security updates or weak/blank passwords on Admin-class accounts

3) get a router and lock it down. If you already have one, that's a good start... now lock it down.

4) Consider using a Limited account if possible, it will enhance your other security measures by limiting what your account can do behind your back if it does get compromised. This bolsters all your other security measures. More about Limited accounts
EDIT: Since you're on Win2000Pro, its equivalent of a Limited account is the "Restricted User" account, use that.
 

Marshal108

Junior Member
Jan 3, 2005
10
0
0
Thanks OZEE and MechBgon for your insights. ... Appreciate all the good information. ... Right now, if I logged out of this specific user mode, I cannot log back into any "other" mode because I forgot my password as a user and an admin. ... Aghhh. ...

Contemplating on how to setup a boot up disk.. ...

Some more questions:

> Two days ago, the AVG resident shield detected the
> udpflooder.exe deep into many directories below the
> "Document and Settings" directory\ user
> name\Locals~1\Temp\--\--\--(this level of
> subdirectory) .

Q: Since the subdirectories below the "Temp" directory are invisible and I cannot "undo" their invisibility, is it because of my level of login access?

Q: When operating the Win Task Mgr, I notice the udpflooder has not done anything.
Is it inactive, or is it hiding its true activity within another file?

Q: How did a program like udpflooder get into my system, especially through a slow dialup line
and a Zone Alarm program?

Q: How come my three different anti-spyware detectors were not able to find it?

Q: Do these spyware programs work well under a dialup line?

I know I ask a lot of questions. ... Just being detailed and thorough. ...

Any suggestions and/or insights!? ... Thanks again. ...
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Marshal108
> Thanks OZEE and MechBgon for your insights. ... Appreciate all the good information. ... Right now, if I logged out of this specific user mode, I cannot log back into any "other" mode because I forgot my password as a user and an admin. ... Aghhh. ...

Huh, well that's not good. If your present account is an Administrator-class account, then you can reset the passwords for your account and any other account. One way is just to open a command-prompt window (Start > Run > cmd) and type the command

net user username newpassword

for the username and new password you desire.

> > Two days ago, the AVG resident shield detected the
> > udpflooder.exe deep into many directories below the
> > "Document and Settings" directory\ user
> > name\Locals~1\Temp\--\--\--(this level of
> > subdirectory) .
>
> Q: Since the subdirectories below the "Temp" directory are invisible and I cannot "undo" their invisibility, is it because of my level of login access?

Try going to Tools > Folder Options > View tab and enable viewing of hidden files and also protected/OS files. If they won't show up after that, then I'm yellin' "rootkit."

> Q: When operating the Win Task Mgr, I notice the udpflooder has not done anything.
> Is it inactive, or is it hiding its true activity within another file?

It doesn't take much system resources to ping, and you've got a rather small pipe out anyway. I wouldn't make assumptions that it's inactive. Efficient, maybe.

> Q: How did a program like udpflooder get into my system, especially through a slow dialup line and a Zone Alarm program?

Were you operating your browser or IM client based out of an Administrator-class account? Do you have any illegit software (sorry for asking, it's just common) or a P2P program (ditto)? Is Windows2000Pro fully updated with SP4 and the 40+ post-SP4 patches & updates?

> Q: How come my three different anti-spyware detectors were not able to find it?

A ping flooder is not spyware, really, it's probably best bracketed as a Trojan Horse program. That's why it's your antivirus software that is detecting it. Try other antivirus software, since AVG is weak against Trojans. The McAfee command-line scanner I mentioned is quite good and always up-to-date, and it needs no installation per se, so give it a try and post the output from the C:\report.html file when it's done so I can see what it found.

> Q: Do these spyware programs work well under a dialup line?

Ought to work fine, just takes longer to fetch updates and stuff.
 

Marshal108

Junior Member
Jan 3, 2005
10
0
0

'MechBgon'. ... Thanks again for the insight!
Running behind schedule. ... Will get to it later this week. No P2P program or illegit s/w on my sys. ... Heard something about SP4 that screws up the system, which is why I did not update my Win 2K Pro. Will follow your instructions after re-starting the system from a boot start disk. ... Need to regain access to the system as the administrator of the system. ... Thanks again. ... Will report the results to you later this week.

Q: Is there anything fatal to my system or work since this Trojan horse is embedded into my system? ... In other words, what negative thing comes from this "udpflooder"?

All I know is that "UDPFlood is a UDP packet sender. It sends out UDP packets to the specified IP and port at a controllable rate. Packets can be made from a typed text string, a given number of random bytes or data from a file. Useful for server testing."

Appreciate your time and insight. ... Thanks again.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
30,699
1
0
If I had to guess, I'd guess that the UDP flooder is your computer helping in a "pay-us-or-we'll-order-a-zillion-computers-to-DDoS-you" extortion scheme. It could just be a symptom of your computer being infected by something else that AVG is not detecting. The other capabilities of that unknown program could include logging your keystrokes (do any online purchasing with your credit card?) or harvesting email addresses from your computer to sign them up for Spam and/or send them piles of MyTob worms in emails. It could even steal your game CD keys :Q OMG NOES NOT THAT!! (seriously, they do this frequently).

So I would deal with it. Ruthlessly. :evil: Reformat, reinstall, follow best practices (since it's Win2000, install ZoneAlarm free firewall before dialing up or connecting to any other type of network, firewall is key for initial protection).
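As an added example (not code from the thread or from any of the posters), a small outbound-UDP burst detector in the spirit of mechBgon's point that a flooder can be quietly active even on a small pipe: it runs over a constructed per-packet firewall log (a made-up one-line-per-packet format, not ZoneAlarm's real format) and flags any destination that receives at least a threshold number of UDP packets within one second, while normal traffic such as a couple of DNS lookups stays below it.

```python
"""Outbound UDP burst detector over constructed firewall log lines (added example)."""
from collections import Counter
from datetime import datetime

LOG_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Parse '<date> <time> <proto> <src>:<sport> -> <dst>:<dport>' into a dict.
    Returns None for lines that do not match, so junk lines are skipped."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], LOG_FORMAT)
    except ValueError:
        return None
    src_ip, _, _src_port = parts[3].rpartition(":")
    dst_ip, _, dst_port = parts[5].rpartition(":")
    return {"ts": ts, "proto": parts[2].upper(), "src": src_ip,
            "dst": dst_ip, "dport": dst_port}


def detect_udp_bursts(lines, threshold=10, window_seconds=1):
    """Count outbound UDP packets per (dst, dport) in fixed time windows and
    return one alert per window whose count reaches the threshold."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        window = int(rec["ts"].timestamp()) // window_seconds
        buckets[(rec["dst"], rec["dport"], window)] += 1
    return [{"dst": d, "dport": p, "count": n}
            for (d, p, _w), n in sorted(buckets.items()) if n >= threshold]


def constructed_log():
    """Constructed sample (not a real capture): two normal DNS queries, one TCP
    line, 25 UDP packets to one host on port 7 within the same second, and a
    junk line that the parser must ignore."""
    lines = ["2005-01-03 22:10:00 UDP 192.168.1.5:1048 -> 203.0.113.9:53",
             "2005-01-03 22:10:00 UDP 192.168.1.5:1049 -> 203.0.113.9:53",
             "2005-01-03 22:10:01 TCP 192.168.1.5:1050 -> 203.0.113.9:80"]
    lines += ["2005-01-03 22:10:02 UDP 192.168.1.5:%d -> 198.51.100.20:7" % (1100 + i)
              for i in range(25)]
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_udp_bursts(constructed_log()):
        print("UDP burst: %(count)d packets to %(dst)s:%(dport)s in one second" % alert)
```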
 

Marshal108

Junior Member
Jan 3, 2005
10
0
0
Hi MechBgon,
I screwed up earlier when my firewall crashed. I did not reconfig the Zone Alarm Pro properly. This is why that T-horse got through. ... Thanks again for your horse. ... As I reconfig the Zone Alarm, I found out that the T-Horse cannot transmit out now. Now I have two alternatives to get rid of this sob. ... (1) reformat the hard drive and reinstall 20 different programs. [A lot of time is wasted] ... or (2) gain access as an admin via the boot up disk, then delete the bug. ... Thanks again for your help. You are the man!
 