Unknown Malware


8 replies to this topic

#1 R Moore

Posted 09 January 2008 - 09:34 PM

Hello,

I'm pulling my hair out with this one. An 8-character exe is generated every few seconds. It looks like they are hooking up to a NY IP address via HTTPS. Eventually there are so many that the machine runs out of memory. I have scanned with every available scanner, removed the drive and installed it as a slave on another machine and scanned it. I cannot find out what is doing this.
A HijackThis log follows.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:31 PM, on 10/01/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dmremote.exe
C:\WINDOWS\TEMP\54DFBFCD.exe
C:\WINDOWS\TEMP\93589D9E.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\TEMP\1BEB76C1.exe
C:\WINDOWS\TEMP\A78D00D8.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Nirebo\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - WWW. Prefix: http://
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by105fd.bay105.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122955177557
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O20 - AppInit_DLLs: confatm.dll atmstat.dll ccfgwshb.dll confwmv.dll wmvstat.dll confjpg.dll jpgstat.dll confnss.dll confnxs.dll
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O20 - Winlogon Notify: mprwanp - C:\WINDOWS\system32\mprwanp.dll (file missing)
O20 - Winlogon Notify: ole3lsas - C:\WINDOWS\system32\ole3lsas.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
O21 - SSODL: E404Helper - {c82964c1-817f-445b-a73f-c5c5d85cd13c} - e404d.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
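As an added triage example (not part of R Moore's post, and not HijackThis's own code): a Python script that parses the log format above and flags the three things in it worth attention. First, executables named with exactly 8 hex digits running from C:\WINDOWS\TEMP, which is what the poster describes. Second, every DLL listed under AppInit_DLLs, a value that is normally empty and that Windows injects into each process loading user32.dll. Third, Winlogon Notify and SSODL entries tagged "(file missing)". That tag only means HijackThis could not see the file on disk; a rootkit that hides files produces the same tag, so it is not evidence the entries are inert. The embedded sample log is a subset of the log posted above; the regexes, category names and function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis log posted above, enough to
# exercise each check (the real log has more benign entries).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\54DFBFCD.exe
C:\WINDOWS\TEMP\93589D9E.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\TEMP\1BEB76C1.exe
C:\WINDOWS\TEMP\A78D00D8.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O20 - AppInit_DLLs: confatm.dll atmstat.dll ccfgwshb.dll confwmv.dll wmvstat.dll confjpg.dll jpgstat.dll confnss.dll confnxs.dll
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O20 - Winlogon Notify: mprwanp - C:\WINDOWS\system32\mprwanp.dll (file missing)
O20 - Winlogon Notify: ole3lsas - C:\WINDOWS\system32\ole3lsas.dll (file missing)
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
O21 - SSODL: E404Helper - {c82964c1-817f-445b-a73f-c5c5d85cd13c} - e404d.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
"""

# Executable in %WINDIR%\TEMP named with exactly 8 hex digits, as the poster describes.
TEMP_EXE = re.compile(r"\\TEMP\\[0-9A-F]{8}\.exe$", re.IGNORECASE)
# "O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)"
#   -> ("O20", "Winlogon Notify", "atmmgr - atmmgr32.dll (file missing)")
ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and its O-entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append(m.groups())
    return processes, entries


def _target(detail):
    """Last ' - ' separated field of an O20/O21 entry, minus the '(file missing)' tag."""
    return detail.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()


def triage(text):
    """Return (category, value) findings for the persistence points the log exposes."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if TEMP_EXE.search(proc):
            findings.append(("temp_exe", proc))
    for _code, kind, detail in entries:
        if kind == "AppInit_DLLs":
            # Each DLL named here is loaded into every process that loads user32.dll;
            # on a clean machine the value is normally empty.
            findings.extend(("appinit_dll", dll) for dll in detail.split())
        elif kind == "Winlogon Notify" and "(file missing)" in detail:
            findings.append(("winlogon_notify_missing", _target(detail)))
        elif kind == "SSODL" and "(file missing)" in detail:
            findings.append(("ssodl_missing", _target(detail)))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    for cat, value in triage(SAMPLE_LOG):
        print(f"{cat:24} {value}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against a full log, the script reduces the noise to the entries a helper would act on; benign items such as HijackThis.exe itself or the VERITAS service line are not flagged. The checks are deliberately narrow (name pattern, location, empty-by-default registry value, missing file), which is also why they miss anything the rootkit hid from HijackThis in the first place.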


#2 MoNsTeReNeRgY22

Posted 09 January 2008 - 11:35 PM

Hello and Welcome to Bleeping Computer.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please give me some time to analyze your log, and I will post back with instructions ASAP.


#3 R Moore

Posted 11 January 2008 - 07:38 AM

Thanks MoNsTeReNeRgY22

I haven't used this forum before so I didn't know if I was supposed to reply to your message. I do appreciate the help.

R Moore

#4 MoNsTeReNeRgY22

Posted 11 January 2008 - 09:55 PM

Hello R Moore,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**


#5 R Moore

Posted 12 January 2008 - 01:23 AM

Hi

I ran the combofix. It detected some rootkit activity.
The combofix and hijackthis logs are attached.

Attached Files



#6 R Moore

Posted 12 January 2008 - 03:36 AM

Hi

I also noticed that the removal has messed up the sockets. I can ping other machines but not connect to them or get web pages.

#7 MoNsTeReNeRgY22

Posted 13 January 2008 - 02:17 PM

Hello again,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Step 1
Download rustbfix from here and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b infection is found, you will shortly thereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.

Step 2
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Step 3
Jotti File Submission:

Please go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\Program Files\FORECAST.RPT

Click on the submit button

Please post the results of the scan in your next reply.
Please also submit and scan the following files
C:\Program Files\ARRIVAL.RPT
C:\Program Files\ACTARRIV.RPT
C:\Program Files\CASHPAY.RPT


If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Step 4
Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
  • An additional text file, Extra.txt, will also be available (by default) in the following folder, C:\Deckard\System Scanner.
  • Please go to that folder and also copy the contents of Extra.txt to your post as well.
Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Step 5
Please post the following in your next reply
  • avenger.txt
  • pelog.txt
  • DrWeb.csv
  • Jotti Logs
  • Main.txt
  • Extra.txt
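Step 3 above sends four .RPT files from C:\Program Files to Jotti or VirusTotal. Since the poster notes the machine holds confidential business data, a practitioner would first establish locally whether such a file is really a Windows executable hiding behind a report extension, and compute its hashes, so the hash can be searched on VirusTotal before anything is uploaded. The following is an added example, not part of the thread and not code from either scanner: it parses the MZ and PE headers by hand and reads the COFF file header (machine type, section count, link timestamp, DLL flag). The input produced by make_sample_pe() is constructed for the demonstration; the real .RPT files' contents are not on this page.

```python
import hashlib
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: the image is a DLL


def inspect_pe(data):
    """Return header facts and hashes if data is a PE image, else None.

    Checks the 'MZ' DOS stub, follows e_lfanew (offset 0x3C) to the 'PE\\0\\0'
    signature, and reads the 20-byte COFF file header that follows it.
    Truncated files and non-executables (e.g. a real text report) return None.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections, timestamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc)
                             .strftime("%Y-%m-%d %H:%M:%SZ"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        # Either hash can be searched on VirusTotal without uploading the file.
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inspect_file(path):
    """Read a file from disk and inspect it (None if it is not a PE image)."""
    with open(path, "rb") as fh:
        return inspect_pe(fh.read())


def make_sample_pe():
    """Constructed stand-in for a suspicious file: a minimal x86 DLL header with no code."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)        # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x014C,                       # Machine: i386
                       2,                            # NumberOfSections
                       1199836800,                   # TimeDateStamp: 2008-01-09 00:00:00Z (constructed)
                       0, 0,                         # PointerToSymbolTable, NumberOfSymbols
                       0xE0,                         # SizeOfOptionalHeader (PE32)
                       0x0002 | 0x0100 | IMAGE_FILE_DLL)   # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    return bytes(header) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                  # e.g. "C:\Program Files\FORECAST.RPT"
        print(path, inspect_file(path))
    print("sample:", inspect_pe(make_sample_pe()))
```

A .RPT that turns out to be a DLL with a link timestamp from the week the trouble started is a strong signal on its own, and the SHA-256 gives you a VirusTotal lookup that discloses nothing. Bear in mind that on a machine where ComboFix has already reported rootkit activity, what a script reads from disk may not be what the kernel is actually loading.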


#8 R Moore

Posted 13 January 2008 - 07:16 PM

I have followed your instructions (forgot to save the DrWeb.csv). After reading your warnings and seeing the results of the extra scans I will have to format and start fresh. This is a business machine with confidential data on it. The specific data files that I need haven't shown any indication of being damaged or infected, so I believe that a format and reinstall is necessary.

Thank you very much for your help.

Attached Files


Edited by R Moore, 13 January 2008 - 07:18 PM.


#9 MoNsTeReNeRgY22

Posted 14 January 2008 - 06:40 PM

Hello,

Well, I'm glad you have decided to reformat, which is the safest way to make sure that all your data is secure.

Here's a good set of instructions for reinstalling Windows:

When you install, since you will be installing from scratch, you need to be certain you delete the previous installation rather than do a Repair installation.

There is an excellent set of instructions at the below link complete with screenshots of what to expect at each step.
http://www.michaelstevenstech.com/cleanxpinstall.html#steps

You should print out those instructions before proceeding.
Have the installation discs or a saved install file handy for your antivirus and firewall.
Disconnect from the Internet before proceeding with the installation (pull your connection cable).

When you get to step 10b, choose to delete the partition by pressing "D". You will then be prompted to create a new partition in the empty space. This will remove all data from the deleted space.

After you reinstall Windows:
  • Install your Antivirus.
  • Install your Firewall.
  • Reconnect to the Internet.
  • Update your AntiVirus.
  • Go to Windows Update and install SP2 and ALL critical updates.

