Midlenet Relayer Trojan



#1 marinerblue


Posted 06 November 2007 - 10:31 PM

I followed the instructions in the thread at:
http://www.bleepingcomputer.com/forums/t/104486/nasty-malware-infection/

Here are my reports from running SDFix and ComboFix:


SDFix: Version 1.113

Run by Matt Canham on Tue 11/06/2007 at 06:50 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\139.TMP - Deleted
C:\13A.TMP - Deleted
C:\13B.TMP - Deleted
C:\13C.TMP - Deleted
C:\13D.TMP - Deleted
C:\13E.TMP - Deleted
C:\13F.TMP - Deleted
C:\140.TMP - Deleted
C:\63.TMP - Deleted
C:\BF.TMP - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 18:54:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 21 Mar 2007 266,240 A..HR --- "C:\Program Files\Web 2.0 Submitter\MySql.Data.dll"
Mon 11 Jun 2007 495,616 A.SHR --- "C:\Program Files\Web 2.0 Submitter\web2poster.exe"
Sun 29 Oct 2006 12,208 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sat 28 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 31 Oct 2007 26,326 ...H. --- "C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars"
Wed 4 Aug 2004 89,600 A.SHR --- "C:\WINDOWS\temp\_ISTMPI.DIR\mmc32.exe"
Thu 16 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT10D.tmp"

Finished!

---------------------------------------------------------

ComboFix 07-11-07.3 - Matt Canham 2007-11-06 19:09:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.794 [GMT -8:00]
Running from: C:\Documents and Settings\Matt Canham\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\dnscon70.dll
C:\WINDOWS\system32\ksl48.bin
C:\WINDOWS\system32\mstcpcon20.dll
C:\WINDOWS\system32\netmanage.dll
C:\WINDOWS\system32\netused.dll
C:\WINDOWS\system32\sr1000r.dll
C:\WINDOWS\TEMP.\_istmpi.dir
C:\WINDOWS\TEMP.\_istmpi.dir\autorun.inf
C:\WINDOWS\TEMP.\_istmpi.dir\mmc32.exe
C:\WINDOWS\TEMP.\_istmpi.dir\template.tmp
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DNSCON
-------\LEGACY_NETMANAGER
-------\dnscon
-------\NetManager


((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-06 19:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 18:50 d-------- C:\WINDOWS\ERUNT
2007-11-06 18:49 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-06 18:45 d-------- C:\Program Files\Sun
2007-11-05 21:38 43,698 --a------ C:\WINDOWS\system32\xvid-uninstall.exe
2007-11-05 21:37 d-------- C:\Program Files\Gabest
2007-11-05 21:37 d-------- C:\Program Files\AviSynth 2.5
2007-11-05 21:37 d-------- C:\Program Files\AutoGK
2007-10-26 19:34 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-10-09 16:31 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 02:44 --------- d-----w C:\Program Files\Java
2007-11-07 01:52 --------- d-----w C:\Program Files\eMule
2007-11-05 23:13 --------- d-----w C:\Program Files\Article Submitter Pro
2007-11-05 10:03 --------- d-----w C:\Documents and Settings\Matt Canham\Application Data\Skype
2007-10-27 03:34 164 ----a-w C:\install.dat
2007-10-02 03:52 --------- d-----w C:\Program Files\VideoLAN
2007-10-01 23:40 1,526,072 ----a-w C:\WINDOWS\WRSetup.dll
2007-10-01 23:24 23,864 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2007-10-01 23:24 21,816 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2007-10-01 23:24 163,640 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2007-10-01 06:01 --------- d-----w C:\Documents and Settings\Matt Canham\Application Data\vlc
2007-10-01 05:59 --------- d-----w C:\Documents and Settings\Matt Canham\Application Data\Media Player Classic
2007-10-01 05:58 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-27 22:49 --------- d-----w C:\Program Files\WebEx
2007-09-24 16:22 --------- d-----w C:\Program Files\Microsoft Money 2006
2007-09-24 16:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2007-09-24 15:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-17 12:00 --------- d-----w C:\Documents and Settings\Matt Canham\Application Data\DivX
2007-09-16 19:17 --------- d-----w C:\Documents and Settings\Matt Canham\Application Data\SopCast
2007-09-16 19:13 --------- d-----w C:\Program Files\SopCast
2007-08-24 18:06 91,520 ----a-w C:\WINDOWS\HPBroker.dll
2007-08-24 07:26 64,292 ----a-w C:\WINDOWS\easy.exe
2007-08-09 07:18 45,056 ----a-w C:\WINDOWS\NCUNINST.EXE
2006-10-30 00:56:19 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-03 21:58]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-15 20:00 C:\WINDOWS\system32\rundll32.exe]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 03:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-16 21:22]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-07-11 20:55]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-01-26 15:18]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 09:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-13 14:49]
"PayPal Virtual Debit Card"="rundll32.exe" [2006-03-15 20:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-24 10:40 C:\WINDOWS\system32\nwiz.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 06:51]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-03-15 12:00]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 12:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 12:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-15 12:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2006-03-15 12:00]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 15:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 09:49]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-23 03:46:41]
SBC Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-04-20 22:12:49]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\Auto\command - D:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cc9b7fe-6554-11dc-866f-0016d30aea52}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2007-03-19 01:59:28 C:\WINDOWS\Tasks\OpenMG Jukebox.job"
- C:\PROGRA~1\Sony\OPENMG~1\Omgjbox.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 19:26:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????_????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-06 19:27:15 - machine was rebooted
.
--- E O F ---

I will run Spysweeper again, but hopefully this will be the last of it.

Regards,
Matt

Mod Edit: Topic moved to more appropriate forum~ TMacK

Edited by TMacK, 06 November 2007 - 11:36 PM.


#2 quietman7


Posted 07 November 2007 - 09:43 AM

You should not be following specific instructions provided to someone else. Instructions provided to other victims, especially in the HJT forum, have been given under the guidance of a trained staff helper to fix that particular member's problems, NOT YOURS. Before taking any action, the helper must investigate the nature of the malware issues and then formulate a fix for that particular victim. Although your problem may be similar, the solution is not always the same. Ignoring this warning and using someone else's fix instructions could lead to disastrous problems with your operating system. It's best that you tell us what specific issues YOU are having rather than point to someone else.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, start a new topic and post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.