
Infected With Worm/autoit.bzt


  • This topic is locked
4 replies to this topic

#1 jhsu


  • Members
  • 3 posts

Posted 11 September 2008 - 06:19 PM

Running Windows XP SP3

AVG detected the Autoit.BZT worm and removed it.
I ran CCleaner & Spybot then rebooted.

Still experiencing:

- really slow standby & hibernate issues
- constant hard drive access

Watching Process Monitor I am seeing a string of Explorer.EXE Reg operations (...\services\Tcpip\... - paths) coinciding with the hard drive light. In other words the hard drive never remains idle even when I am running 0 applications.

I just want to make sure these issues have nothing to do with the worm.

-Thanks!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:06:39 PM, on 9/11/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\apps\Grisoft\AVG7\avgamsvr.exe
C:\apps\Grisoft\AVG7\avgupsvc.exe
C:\apps\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\apps\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\APPS\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\apps\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O1 - Hosts: 60.12.193.37 ie.search.msn.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\apps\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\apps\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\apps\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\apps\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\apps\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\apps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\apps\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0154D07-2627-4B7C-8C99-A176BFE9F8D8}: NameServer = 67.211.172.29 67.211.172.30
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\apps\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\apps\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\apps\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5665 bytes


#2 jhsu

  • Topic Starter

  • Members
  • 3 posts

Posted 12 September 2008 - 10:58 AM

Hi, I have done a little more research on the constant hard drive access/explorer.exe process and found this post:
http://www.techspot.com/vb/topic82030.html

I don't know if it's the same thing, but I downloaded Sysinternal Process Explorer and I'm noticing a program called mDNSResponder.exe which is connected to iTunes?
http://www.liutilities.com/products/wintas.../mdnsresponder/

But I definitely don't have iTunes and haven't ever noticed this program before.

Others have had similar problems and have excluded malware, but I'm thinking there must be some malware I can't detect working here.

Any help would be greatly appreciated!

Thanks in advance...

Here's a copy of the lines that keep running in Process Monitor:
1073983 11:54:34.4200812 AM Explorer.EXE 1640 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B} SUCCESS Desired Access: Read
1073984 11:54:34.4201376 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
1073985 11:54:34.4201518 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1217302297
1073986 11:54:34.4201667 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\LeaseTerminatesTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1217907097
1073987 11:54:34.4202057 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\DhcpServer SUCCESS Type: REG_SZ, Length: 20, Data: 10.1.10.1
1073988 11:54:34.4202195 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\DhcpServer SUCCESS Type: REG_SZ, Length: 20, Data: 10.1.10.1
1073989 11:54:34.4202466 AM Explorer.EXE 1640 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B} SUCCESS
1073990 11:54:34.4202952 AM Explorer.EXE 1640 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0154D07-2627-4B7C-8C99-A176BFE9F8D8} SUCCESS Desired Access: Read
1073991 11:54:34.4203262 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0154D07-2627-4B7C-8C99-A176BFE9F8D8}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 0
1073992 11:54:34.4203380 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0154D07-2627-4B7C-8C99-A176BFE9F8D8}\DhcpServer NAME NOT FOUND Length: 144
1073993 11:54:34.4203544 AM Explorer.EXE 1640 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A0154D07-2627-4B7C-8C99-A176BFE9F8D8} SUCCESS
1073994 11:54:34.4204377 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW Length: 144
1073995 11:54:34.4204466 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW Length: 144
1073996 11:54:34.4204559 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind SUCCESS Type: REG_MULTI_SZ, Length: 320, Data: \Device\{8F9C2F43-FBE4-46F7-B7AF-D19666B62B36}, \Device\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}, \Device\{09399D62-3DDB-497B-8A6F-78E2547D323D}, \Device\NdisWanIp


And actually now as I type I'm seeing new process entries from service.exe:
1074363 11:54:34.8911864 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\Simbad SUCCESS Desired Access: Read
1074364 11:54:34.8912023 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services SUCCESS
1074365 11:54:34.8912112 AM services.exe 1044 RegQueryValue HKLM\System\CurrentControlSet\Services\Simbad\ObjectName NAME NOT FOUND Length: 12
1074366 11:54:34.8912224 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services\Simbad SUCCESS
1074367 11:54:34.8912668 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
1074368 11:54:34.8912887 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\Sparrow SUCCESS Desired Access: Read
1074369 11:54:34.8913046 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services SUCCESS
1074370 11:54:34.8913132 AM services.exe 1044 RegQueryValue HKLM\System\CurrentControlSet\Services\Sparrow\ObjectName NAME NOT FOUND Length: 12
1074371 11:54:34.8913250 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services\Sparrow SUCCESS
1074372 11:54:34.8913690 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
1074373 11:54:34.8913894 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\splitter SUCCESS Desired Access: Read
1074374 11:54:34.8914056 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services SUCCESS
1074375 11:54:34.8914148 AM services.exe 1044 RegQueryValue HKLM\System\CurrentControlSet\Services\splitter\ObjectName NAME NOT FOUND Length: 12
1074376 11:54:34.8914258 AM services.exe 1044 RegCloseKey HKLM\System\CurrentControlSet\Services\splitter SUCCESS


Continuously down an alphabetical list of services!
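An added example, not code from the poster or from BleepingComputer, that parses Process Monitor rows in the text layout pasted above and checks the observation that services.exe opens the Services subkeys in alphabetical order; the sample rows are constructed from the lines shown in this post.

```python
import re
from collections import Counter

# Constructed sample in the layout Process Monitor produces when rows are copied as text:
# seq, time, AM/PM, process, PID, operation, registry path, result, detail.
SAMPLE_LOG = r"""
1073983 11:54:34.4200812 AM Explorer.EXE 1640 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B} SUCCESS Desired Access: Read
1073984 11:54:34.4201376 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{251BC1D5-B5AD-4051-96B4-8169C1B50E4B}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
1073994 11:54:34.4204377 AM Explorer.EXE 1640 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind BUFFER OVERFLOW Length: 144
1074363 11:54:34.8911864 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\Simbad SUCCESS Desired Access: Read
1074365 11:54:34.8912112 AM services.exe 1044 RegQueryValue HKLM\System\CurrentControlSet\Services\Simbad\ObjectName NAME NOT FOUND Length: 12
1074367 11:54:34.8912668 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services SUCCESS Desired Access: Read
1074368 11:54:34.8912887 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\Sparrow SUCCESS Desired Access: Read
1074373 11:54:34.8913894 AM services.exe 1044 RegOpenKey HKLM\System\CurrentControlSet\Services\splitter SUCCESS Desired Access: Read
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ampm>AM|PM)\s+"
    r"(?P<process>\S+)\s+(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>\S+)\s+"
    r"(?P<result>SUCCESS|NAME NOT FOUND|BUFFER OVERFLOW)(?:\s+(?P<detail>.*))?$"
)

def parse_procmon(text):
    """Parse copied Process Monitor rows into dicts; rows that do not fit the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"

def services_walked(events, process="services.exe"):
    """Names of the direct Services subkeys that `process` opened, in log order."""
    names = []
    for e in events:
        if e["process"].lower() != process.lower() or e["op"] != "RegOpenKey":
            continue
        path = e["path"].lower()
        if path.startswith(SERVICES_PREFIX):
            rest = path[len(SERVICES_PREFIX):]
            if rest and "\\" not in rest:  # direct child of Services, not a deeper key
                names.append(e["path"].rsplit("\\", 1)[1])
    return names

def is_alphabetical_walk(names):
    """True when the subkeys were opened in case-insensitive alphabetical order."""
    keys = [n.lower() for n in names]
    return len(keys) >= 2 and keys == sorted(keys)

def result_summary(events):
    """Counts per (process, operation, result), e.g. to see how many NAME NOT FOUND lookups occur."""
    return Counter((e["process"], e["op"], e["result"]) for e in events)
```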

#3 jhsu

  • Topic Starter

  • Members
  • 3 posts

Posted 12 September 2008 - 11:09 AM

Topic title was: Help, I Think I'm Being Attacked!, Worm/Feebs.BK ~ OB

I originally posted here:
http://www.bleepingcomputer.com/forums/ind...mp;#entry942270

Topics have been merged. ~ OB

But watching my process monitor I was seeing a lot of failed processes by service.exe. I looked up this one:
HKLM\System\CurrentControlSet\Services\TDTCP

And found this link:
http://www.avira.com/en/threats/section/fu...m_feebs.bk.html

The list of registry values matches the ones being accessed in the process monitor exactly.

Please help!

Thank you...

Edited by Orange Blossom, 12 September 2008 - 03:50 PM.
Merge topics. ~ OB


#4 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 27 September 2008 - 04:08 PM

:thumbsup: to BleepingComputer.com

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the Posted Image button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" :).
Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky's Log
  • A New HiJack This log

Billy3

Edited by Billy O'Neal, 27 September 2008 - 04:09 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Billy O'Neal


    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 29 September 2008 - 09:43 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.