Trojan Downloader.Apb Infection


  • Please log in to reply
1 reply to this topic

#1 manu1991 (Members, 18 posts; New Delhi, India)

Posted 27 June 2008 - 11:18 PM

My cousin sister's PC was infected by this, among other trojans/spyware. With some tools and quietman7's help I was able to remove most of them, but even now whenever I search for Kaspersky / Avira etc. on Google the browser auto-closes. I am not able to run HijackThis (it closes as soon as it is opened). I couldn't even open this forum section on the infected PC. I have already scanned and cleaned the PC using Malwarebytes' Anti-Malware, SUPERAntiSpyware, Ad-Aware, BitDefender Online Scanner and SDFix. All logs are posted here:

http://www.bleepingcomputer.com/forums/t/154574/strange-virus-clcrexe/

I was able to take a cloned HijackThis log using Deckard's System Scanner (even though I selected "download and install HJT automatically", it created a clone log), which is as follows:

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-28 07:10:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROXY.EXE
C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\QUHLPSVC.EXE
C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SCANWSCS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROUI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DAP\DAP.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Email Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [On-Line Protection] C:\PROGRA~1\QUICKH~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Messenger] C:\PROGRA~1\QUICKH~1\QUICKH~1\scanmsg.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210038487812
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E07F3E0D-27E6-402D-A1C0-2EF5066DD225}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: 1670B37565FF416 - C:\WINDOWS\system32\1670B37565FF416.dll
O20 - Winlogon Notify: fcafcbbfefca - C:\WINDOWS\system32\fcafcbbfefca.dll (file missing)
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\ccc.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT Online Protection - Quick Heal Technologies (P) Ltd. - C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\ONLNSVC.EXE
O23 - Service: Quick Heal AntiVirus Plus Mail Protection - Quick Heal Technologies (P) Ltd. - C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\EMLPROXY.EXE
O23 - Service: Quick Update Service - Quick Heal Technologies (P) Ltd. - C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\QUHLPSVC.EXE
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Quick Heal Technologies (P) Ltd. - C:\Program Files\Quick Heal\Quick Heal AntiVirus Plus\SCANWSCS.EXE


The PC has Quick Heal installed, but it has expired and doesn't get uninstalled (the window closes as soon as it is opened).

What should I do?

// Also, I don't know whether it's true, but I think that WINLOGON.exe is also infected, because Ad-Watch (which comes along with Ad-Aware) shows it accessing strange-sounding keys in the registry.
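
Editor's note, added as an illustration and not part of either post: the entries in the log above that a practitioner would triage first are the three O20 Winlogon Notify lines and the O2 BHO with "(no file)". A Winlogon Notify package is a DLL that winlogon.exe loads at logon, which makes it a persistence location worth checking whenever a machine kills security tools, and entries whose name is a hex string or whose file is already gone are typical leftovers of a partially removed infection. The Python script below was written for this note (it is not HijackThis code and not from the thread); it parses HijackThis-format lines and flags those two patterns. The embedded log lines are copied from the post above; the heuristics (hex-only names of eight or more characters, "(file missing)" / "(no file)") and the Finding record are the editor's own assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis-style log in the post above (a subset;
# the full log is in the post). In a real run, read the saved log file instead.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: 1670B37565FF416 - C:\WINDOWS\system32\1670B37565FF416.dll
O20 - Winlogon Notify: fcafcbbfefca - C:\WINDOWS\system32\fcafcbbfefca.dll (file missing)
O20 - Winlogon Notify: notifyc - C:\WINDOWS\system32\ccc.dll (file missing)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll
"""

# Shape handled: "Oxx - <kind>: <name> - [{CLSID} - ]<path>[ (file missing)]"
# R1/O4/O17 lines have a different layout and are skipped by this parser.
LINE = re.compile(r"^(O\d+) - [^:]+: (.+?) - (?:\{[0-9A-Fa-f-]+\} - )?(.*)$")

# Heuristic (editor's assumption, not a HijackThis rule): a component name
# made only of hex digits, 8 or more characters long, is machine-generated.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8,}$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    name: str     # display name of the entry
    path: str     # file path as printed in the log
    reason: str


def parse_line(line):
    """Return (section, name, path) for a recognised entry, else None."""
    m = LINE.match(line.strip())
    return m.groups() if m else None


def triage(log_text):
    """Flag orphaned entries and hex-named Winlogon Notify DLLs, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, name, path = parsed
        if path == "(no file)" or path.endswith("(file missing)"):
            findings.append(Finding(section, name, path,
                "orphaned entry: the registry still references a file that is gone"))
            continue
        # Winlogon\Notify packages are loaded into winlogon.exe at logon, so a
        # random-looking DLL here is worth checking before anything else.
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if section == "O20" and (HEX_NAME.match(name) or HEX_NAME.match(stem)):
            findings.append(Finding(section, name, path,
                "Winlogon Notify DLL with a hex-only name loaded by winlogon.exe"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.reason}\n    {f.path}")
```

Run as-is it reports four entries: the nameless BHO, the hex-named 1670B37565FF416.dll, and the two missing Notify DLLs. A flagged line is a lead, not a verdict: check the DLL against the vendor's published file list before removing anything, and treat a "(file missing)" entry as cleanup rather than a live threat, since there is nothing left for winlogon.exe to load.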

#2 OldTimer, Malware Expert (Members, 11,092 posts; North Carolina)

Posted 01 July 2008 - 01:50 PM

Hello manu1991 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or another location where you can find it again.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
