Trusted Root CAs being deleted

Status
Not open for further replies.

AMATECH

Technical User
Sep 25, 2003
4
US
Hi, I need some help. I work for a large PC support desk. Starting approximately 10:00 AM EDT on Jan. 8th 2005 we started getting several calls reporting problems accessing our Web-based products. After investigating the problem we found the Root CAs in the Trusted Root Certification Authorities store were missing or deleted. In addition to this the certificates installed at machine level were missing or deleted as well.

During the investigation it was discovered all affected PCs were heavily infested with malware and several Trojans. The Trojan common on all PCs was Troj_AGENT.FL. There is no report this trojan would delete the certificates or damage them.

I have been checking all the AV sites and several forums, but find no other similar report.

We are trying to pinpoint the exact malware/spyware/trojan that could be causing this particular problem. We have hundreds of users throughout the world affected.
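A practical way to confirm (and catch early) the symptom described above is to snapshot the machine's Trusted Root Certification Authorities store on a known-good PC and compare other machines against that snapshot. The following PowerShell script is an added example written for this thread, not something posted by AMATECH or shipped by any vendor; the baseline file path, the `-SaveBaseline` switch and the "fewer than 10 roots" sanity threshold are assumptions chosen for illustration.

```powershell
# Added example: baseline the LocalMachine Trusted Root store and report
# roots that have since disappeared (or appeared). Assumes Windows PowerShell
# 5.1 or later; the baseline path and threshold below are illustrative choices.
param(
    [string]$BaselinePath = "$env:ProgramData\TrustedRootBaseline.csv",  # assumed location
    [switch]$SaveBaseline
)

function Get-TrustedRootSnapshot {
    # The Cert: drive exposes the store the thread refers to as
    # "Trusted Root Certification Authorities" (machine scope).
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter
}

function Compare-TrustedRootBaseline {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        throw "No baseline at $Path; run this script with -SaveBaseline on a known-good machine first."
    }
    $baseline = Import-Csv -Path $Path
    $current  = Get-TrustedRootSnapshot

    # The thumbprint (SHA-1 of the DER-encoded certificate) is the stable key for a root.
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                           -Property Thumbprint -PassThru
    $missing = @($diff | Where-Object SideIndicator -eq '<=')   # in baseline, gone now
    $added   = @($diff | Where-Object SideIndicator -eq '=>')   # present now, not in baseline

    [pscustomobject]@{
        BaselineCount = $baseline.Count
        CurrentCount  = $current.Count
        Missing       = $missing
        Added         = $added
        # Assumed threshold: a store with fewer than 10 roots on a normal Windows
        # build is almost certainly the "emptied store" condition from the thread.
        LooksEmptied  = ($current.Count -lt 10)
    }
}

if ($SaveBaseline) {
    Get-TrustedRootSnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Wrote baseline of $((Import-Csv -Path $BaselinePath).Count) roots to $BaselinePath"
}
else {
    $result = Compare-TrustedRootBaseline -Path $BaselinePath
    Write-Host ("Roots: baseline {0}, current {1}, missing {2}, added {3}" -f `
        $result.BaselineCount, $result.CurrentCount, $result.Missing.Count, $result.Added.Count)
    if ($result.LooksEmptied) { Write-Warning "Trusted Root store looks emptied." }
    # Missing roots explain the HTTPS failures; added roots deserve a look too,
    # since an unexpected root is a different but equally serious trust problem.
    $result.Missing | Format-Table Thumbprint, Subject, NotAfter -AutoSize
    $result.Added   | Format-Table Thumbprint, Subject, NotAfter -AutoSize
}
```

Run it once with `-SaveBaseline` on a clean reference build, then without the switch on suspect machines. Comparing by thumbprint rather than subject name keeps the check reliable when a CA has several roots with similar names, and the per-root `NotAfter` column makes it easy to tell an expired root that was legitimately retired from one that was simply deleted.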

 
Yes, we have run Ad-Aware and the TrendMicro Online AV scan.

TrendMicro found several trojans on the affected client PCs.

TROJ_AGENT-1 5
TROJ_AGENT.FL 5
TROJ_AGENT.EB 2
TROJ_AGENT.AE 1
TROJ_AGENT.BI 1
TROJ_MULTIDRP.V 1
TROJ_MULTIDRP.B 1
TROJ_QDOWN.J 1
TROJ_IMISERV.C 2
TROJ_ALCHEMIC.A 1
TROJ_WINTRIM.M 1
TROJ_UPLOADER.F 1
TROJ_ISTBAR.J 1
TROJ_VERMONDE.C 1
TROJ_BISPY.B 1

Troj_Agent.FL seems to be very consistent and is on most affected PCs. However, ImIServer IEPlugin is on each PC and shows as spyware and a Trojan. The only description I can find on both is that they are downloaders and are used to allow other malware/spyware to infect the PC.

Can't find anything that points to them removing certificates or affecting the certificate stores.
 
In addition, Ad-Aware has found several spyware programs on the machines investigated.

VX2, ImIServer IEPlugin, and Ebates are common on all PCs.

Not sure which would be the culprit.

Here is a list of the spyware found.

Alexa, Clientman, CoolWebSearch, DealHelper, IBIS Toolbar, 180Solutions, AsDestroyer, BookedSpace, Ebates, EUniverse, FavoriteMan, ImIServer Plugin, Roings, SahAgent, TopMoxie, Win32Adverts, VirtualBouncer, Visicom Media, VX2, Elitum.ElitebarHBO, Ebates MoneyMaker, VirtuMonde, ISTBar,
WurldMedia, IPInsight, AdRotator, BookSpace
 
O1 - Hosts: 69.20.16.183 ieautosearch

If your vx2 problem includes that line, you may be in for a challenge there too.

-------------------------------------
It's 10 O'Clock (somewhere!).
Are your registry and data backed up?
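The `O1 - Hosts:` line quoted in the reply above is a HijackThis rendering of an entry in the Windows hosts file, and a hosts file that maps names to anything other than the loopback address is something a support desk can check without a third-party tool. The function below is an added example for this thread (not from the poster or from HijackThis); it reads the default hosts file path and lists every mapping that does not point at loopback, which is exactly where the `69.20.16.183 ieautosearch` entry would show up.

```powershell
# Added example: surface hosts-file entries that do not map to loopback.
# Assumes Windows; the path is the standard hosts location.
function Get-NonLoopbackHostsEntries {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    Get-Content -Path $HostsPath | ForEach-Object {
        $raw  = $_
        $line = ($raw -split '#')[0].Trim()        # drop trailing/whole-line comments
        if ($line -eq '') { return }               # blank or comment-only line
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }         # malformed: address without a name
        $address = $parts[0]
        $names   = $parts[1..($parts.Count - 1)]
        # Stock hosts files only carry loopback mappings; anything else merits review.
        if ($address -notin @('127.0.0.1', '::1')) {
            [pscustomobject]@{
                Address = $address
                Names   = ($names -join ' ')
                Raw     = $raw
            }
        }
    }
}

# Usage: print the suspect entries in a table (empty output means a clean file).
Get-NonLoopbackHostsEntries | Format-Table Address, Names -AutoSize
```

Because the hosts file is consulted before DNS, a single line like the one quoted above silently redirects a name for every browser and application on the machine, so an empty result from this check is worth confirming on any PC that shows the certificate-store symptom.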
 
Hello,

I have discovered a handful of machines with this same issue. And on all of them, the only similarities I could find were the spyware infections. Namely Vx2. I'm beginning to believe that it is the culprit.

Hopefully I will be able to find some more and verify that they are infected as well.

-crymzyn
 
