
Ntos Winnt32.dll Malware Found


  • This topic is locked
2 replies to this topic

#1 jackynewman

  • Members
  • 1 posts

Posted 05 June 2008 - 05:50 PM

This computer was infected with NTOS and WINNT32.dll malware. I was able to manually disarm NTOS in safe mode and delete the file last week. Today, after installing Avira AntiVir Personal, a lot of auxiliary malware was found and deleted, leaving WINNT32.DLL behind and undeletable.

After finding and removing the elk11.dll driver, the WINNT32.DLL could finally be deleted without it reappearing. A full Avira AntiVir Personal system scan confirms the system is clear, however I would appreciate it if someone here would be kind enough to verify this for me.

The log generated by DSS is below. Since it would not generate extra.txt anymore after the first execution, I did not include it in this post, as its data may no longer be accurate.

Thank you.


Deckard's System Scanner v20071014.68
Run by MediaUser on 2008-06-05 18:24:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 18.39 GiB (less than 15%) free.


-- HijackThis (run as MediaUser.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:55 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zinio\ZinioReader.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\dss\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\MEDIAU~1.EXE

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Media Center] RunDLL32.exe C:\WINDOWS\ehome\ehuihlp.dll,BootMediaCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [webcamXP] "C:\Program Files\webcamXP\webcamXP.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioReader.exe /autostart
O4 - Startup: Q9 Tray.lnk = C:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 发送到 Bluetooth 设备(&B)... [Chinese: Send to Bluetooth Device...] - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BelkinAPMmanager - Macrovision - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - Macrovision - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
O24 - Desktop Component 1: Aqua Real 2 - AD0FABD2-7EAE-40B8-8F44-6FCFE6C883CD

--
End of file - 6325 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-05 17:36:41 0 d-------- C:\Program Files\dss
2008-06-05 14:34:40 0 d-------- C:\Program Files\Trend Micro
2008-06-05 11:11:59 0 d-------- C:\Program Files\Avira
2008-06-05 11:11:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-28 12:56:06 0 d--h----- C:\Documents and Settings\Administrator.MEDIA\Templates
2008-05-28 12:56:06 0 dr------- C:\Documents and Settings\Administrator.MEDIA\Start Menu
2008-05-28 12:56:06 0 dr-h----- C:\Documents and Settings\Administrator.MEDIA\SendTo
2008-05-28 12:56:06 0 d--h----- C:\Documents and Settings\Administrator.MEDIA\Recent
2008-05-28 12:56:06 0 d--h----- C:\Documents and Settings\Administrator.MEDIA\PrintHood
2008-05-28 12:56:06 1048576 --ah----- C:\Documents and Settings\Administrator.MEDIA\NTUSER.DAT
2008-05-28 12:56:06 0 d--h----- C:\Documents and Settings\Administrator.MEDIA\NetHood
2008-05-28 12:56:06 0 d-------- C:\Documents and Settings\Administrator.MEDIA\My Documents
2008-05-28 12:56:06 0 d--h----- C:\Documents and Settings\Administrator.MEDIA\Local Settings
2008-05-28 12:56:06 0 d-------- C:\Documents and Settings\Administrator.MEDIA\Favorites
2008-05-28 12:56:06 0 d-------- C:\Documents and Settings\Administrator.MEDIA\Desktop
2008-05-28 12:56:06 0 d---s---- C:\Documents and Settings\Administrator.MEDIA\Cookies
2008-05-28 12:56:06 0 dr-h----- C:\Documents and Settings\Administrator.MEDIA\Application Data
2008-05-28 12:56:06 0 d---s---- C:\Documents and Settings\Administrator.MEDIA\Application Data\Microsoft
2008-05-28 12:12:38 0 d-------- C:\Program Files\ProcessExplorer
2008-05-11 18:32:55 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-11 18:15:31 0 dr-h----- C:\Documents and Settings\MediaUser\Application Data\SecuROM
2008-05-11 18:13:53 0 d-------- C:\WidescreenFixer_v1.32
2008-05-11 16:26:48 0 d-------- C:\ProgramData
2008-05-10 00:18:35 0 d-------- C:\glovepie
2008-05-09 18:47:00 0 d-------- C:\Autohotkey
2008-05-09 01:37:06 0 d-------- C:\Program Files\DOSBox-0.72
2008-05-06 22:23:05 0 d-------- C:\Documents and Settings\MediaUser\Bluetooth Software
2008-05-06 22:03:04 0 d-------- C:\Program Files\WIDCOMM


-- Find3M Report ---------------------------------------------------------------

2008-06-05 15:09:10 0 d-------- C:\Program Files\Belkin Automatic Power Management Software
2008-05-20 12:39:33 0 d-------- C:\Documents and Settings\MediaUser\Application Data\ContentGuard
2008-05-11 18:05:13 0 d-------- C:\Program Files\EA GAMES
2008-05-11 18:05:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-11 16:26:50 0 d-------- C:\Program Files\Electronic Arts
2008-05-10 16:45:26 0 d-------- C:\Program Files\Steam
2008-05-02 21:59:01 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>
2008-05-02 21:59:00 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-02 21:22:20 0 d-------- C:\Program Files\AutoHotkey
2008-04-25 18:15:03 0 d-------- C:\Program Files\RealFlightG3
2008-04-13 21:07:51 0 d-------- C:\Program Files\Java
2008-04-12 01:26:28 0 d-------- C:\Documents and Settings\MediaUser\Application Data\ImgBurn
2008-04-11 23:41:35 0 d-------- C:\Program Files\ImgBurn


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 08:32 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 08:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 08:32 PM]
"Cmaudio8788"="cmicnfgp.cpl" []
"@"="" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/05/2005 01:56 PM]
"BelkinAPM"="C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe" [09/02/2007 02:28 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [03/14/2007 10:01 PM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [03/14/2007 10:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/18/2007 08:55 PM]
"nwiz"="nwiz.exe" [12/18/2007 08:55 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/18/2007 08:55 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 12:24 PM]
"Windows Media Center"="C:\WINDOWS\ehome\ehuihlp.dll,BootMediaCenter" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 10:56 PM]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [06/19/2007 03:46 AM]
"webcamXP"="C:\Program Files\webcamXP\webcamXP.exe" []
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [07/03/2007 01:32 PM]
"Zinio DLM"="C:\Program Files\Zinio\ZinioReader.exe" [05/04/2007 04:52 PM]

C:\Documents and Settings\MediaUser\Start Menu\Programs\Startup\
Q9 Tray.lnk - C:\WINDOWS\system32\QTRAYIME.EXE [6/19/2007 4:05:40 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [6/7/2006 5:05:38 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa]
antiwpa.dll 07/22/2006 11:49 PM 5376 C:\WINDOWS\system32\antiwpa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton Ghost"=2 (0x2)




-- End of Deckard's System Scanner: finished at 2008-06-05 18:25:12 ------------

Edited by jackynewman, 05 June 2008 - 05:51 PM.
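The HijackThis section of the DSS log above is the part a helper reads first, and most of it is routine. As an added example (not part of the original post, and not HijackThis or DSS code), the following Python script parses HJT 2.x entry lines by their section code and flags the handful of entry types that usually deserve a manual look: O1 hosts overrides, O4 autostarts running from a user profile or Temp, O16 ActiveX downloads from hosts outside a trusted list, any O20 Winlogon Notify DLL, and O23 services with no publisher or a missing binary. The rules and the trusted-host list are the editor's own heuristics, not a verdict on any entry in this log; the sample input is copied from the posted log except for one O4 line that is constructed and labelled as such.

```python
"""Triage a HijackThis 2.x log: pull out the entry types worth a manual look."""
import re
from collections import defaultdict

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Assumption: ActiveX (O16) downloads from these hosts are not flagged.
TRUSTED_DPF_HOSTS = ("microsoft.com", "adobe.com", "macromedia.com")

# Sample input: lines copied from the log posted above, plus one CONSTRUCTED
# O4 line (labelled) so the user-profile rule has something to fire on.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [constructed-example] C:\Documents and Settings\MediaUser\Local Settings\Temp\sample.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe (file missing)
"""


def parse_hjt(text):
    """Group entry bodies by section code; header/footer lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("code")].append(m.group("body"))
    return entries


def _host_of(body):
    """Hostname of the first http(s) URL in an entry, lower-cased ('' if none)."""
    m = re.search(r"https?://([^/\s]+)", body)
    return m.group(1).lower() if m else ""


def _trusted(host):
    """True when host is one of, or a subdomain of, the trusted DPF hosts."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entries):
    """Return (code, reason, body) tuples for every entry worth a manual look.

    The rules are heuristics, not verdicts: a hit means 'check this file',
    e.g. by looking it up by hash, not 'this is malware'.
    """
    hits = []
    # O1: a hosts-file override changes where a name resolves; always review.
    for body in entries.get("O1", []):
        hits.append(("O1", "hosts-file override", body))
    # O4: autostarts launched from a user profile or Temp are unusual for installers.
    for body in entries.get("O4", []):
        low = body.lower()
        if "\\temp\\" in low or "\\documents and settings\\" in low:
            hits.append(("O4", "autostart runs from user profile / Temp", body))
    # O16: ActiveX controls fetched from hosts outside the trusted list.
    for body in entries.get("O16", []):
        host = _host_of(body)
        if not _trusted(host):
            hits.append(("O16", f"ActiveX control downloaded from {host or 'unknown host'}", body))
    # O20: HJT hides Microsoft's default Winlogon Notify packages, so anything
    # listed here is a third-party DLL loaded into winlogon.exe at logon.
    for body in entries.get("O20", []):
        hits.append(("O20", "third-party Winlogon Notify DLL", body))
    # O23: services with no publisher string or whose binary is gone.
    for body in entries.get("O23", []):
        if "Unknown owner" in body or "(file missing)" in body:
            hits.append(("O23", "service with unknown publisher or missing binary", body))
    return hits


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:<4} {reason}\n     {body}")
```

Run against the posted log this flags six entries: the hosts override, the constructed Temp autostart, the PlayerOCX download, the antiwpa.dll Notify entry and the two O23 services; everything else is left alone. A hit is a prompt to verify the file (publisher, signature, hash), which is exactly the manual step the helper in this thread would take.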



#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 01 July 2008 - 06:54 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new HijackThis log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

Posted 08 July 2008 - 10:15 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.