Norton AV found Win32.fakeav, removed, then more turned up


  • This topic is locked
6 replies to this topic

#1 JEberlin

JEberlin

  • Members
  • 27 posts

Posted 12 January 2009 - 08:41 PM

Original symptoms were a popup ad every time IE6 opened a new page. Ran Spybot SD 1.6, Adaware 2008 and Norton AV 2008, all of which found some form of virus or malware. The system seemed to be clean over the weekend. Today (Monday) popups showed up that were using an inordinate amount of memory and may have been downloading something else. Ran Norton again and it found a variety of trojans and other malware again. Ran Spybot and Adaware again before the following HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:40 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Documents and Settings\dankarim\Application Data\cogad\cogad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\CyberTrader\CyberTraderPro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\logon.scr
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {0972B05C-1A97-48DC-89F8-2CDFB7214F6C} - C:\WINDOWS\system32\rqRLFxYp.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\dankarim\Application Data\Google\ocboo1892823.exe" 2
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\dankarim\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Enterprise Messenger.lnk = C:\Program Files\Akeni\Akeni Enterprise Messenger\run.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User 'Default user')
O4 - .DEFAULT Startup: Enterprise Messenger.lnk = C:\Program Files\Akeni\Akeni Enterprise Messenger\run.exe (User 'Default user')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Startup: Enterprise Messenger.lnk = C:\Program Files\Akeni\Akeni Enterprise Messenger\run.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.bearstearns.com
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://bfl-svr-01/connectcomputer/nshelp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BerlinFinancialLtd.lan
O17 - HKLM\Software\..\Telephony: DomainName = BerlinFinancialLtd.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BerlinFinancialLtd.lan
O20 - AppInit_DLLs: pvbsjd.dll
O20 - Winlogon Notify: ssqrpqQh - ssqrpqQh.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7339 bytes
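A triage helper for the kind of log posted above, added here as an example and not a tool anyone in the thread used. It encodes the checks a responder makes by eye on this log (autoruns under a user profile, an unnamed BHO in system32, a populated AppInit_DLLs value, a Winlogon Notify handler with a missing DLL) and on the ComboFix registry dump (Security Center monitoring and the Windows Firewall switched off); it needs only the Python standard library, and the sample lines are constructed from the logs in this thread.

```python
"""HijackThis / ComboFix log triage helper.

Added example for this thread, not a tool the posters used. The
heuristics, function and field names are this example's own; the
sample lines are constructed from the logs posted in the thread.
"""
import re
from dataclasses import dataclass

# Executables started from a user's profile rather than Program Files.
USER_PROFILE = re.compile(r"\\Documents and Settings\\[^\\]+\\Application Data\\", re.I)
# A BHO DLL dropped straight into system32 (the pattern seen in the O2 line above).
SYSTEM32_DLL = re.compile(r"\\system32\\[^\\]+\.dll\s*$", re.I)
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


@dataclass
class Finding:
    section: str   # HJT section (O2, O4, ...) or registry key path
    reason: str
    line: str


def triage_hjt(lines):
    """Return a Finding for every HijackThis line that matches a heuristic."""
    findings = []
    for raw in lines:
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4" and USER_PROFILE.search(body):
            findings.append(Finding(section, "autorun launched from user profile", raw))
        elif section == "O2" and "(no name)" in body and SYSTEM32_DLL.search(body):
            findings.append(Finding(section, "unnamed BHO loaded from system32", raw))
        elif section == "O20":
            kind, _, value = body.partition(":")
            if kind == "AppInit_DLLs" and value.strip():
                findings.append(Finding(section, "AppInit_DLLs populated", raw))
            elif kind == "Winlogon Notify" and "(file missing)" in value:
                findings.append(Finding(section, "Winlogon Notify handler with missing DLL", raw))
    return findings


def triage_combofix_reg(lines):
    """Walk a REGEDIT4-style 'Reg Loading Points' dump and flag weakened defences."""
    findings = []
    key = ""
    for raw in lines:
        line = raw.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group(1).lower()   # remember the key the following values belong to
            continue
        v = REG_VALUE.match(line)
        if not v:
            continue
        name, value = v.group(1), v.group(2).strip()
        if name == "DisableMonitoring" and "security center" in key and value.endswith("1"):
            findings.append(Finding(key, "Security Center monitoring disabled", raw))
        elif name == "EnableFirewall" and value.startswith("0"):
            findings.append(Finding(key, "Windows Firewall disabled in this profile", raw))
        elif name == "AppInit_DLLs" and value.strip('"'):   # "" (as in the CFScript) is clean
            findings.append(Finding(key, "AppInit_DLLs populated", raw))
    return findings


# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_HJT = [
    r"O2 - BHO: (no name) - {0972B05C-1A97-48DC-89F8-2CDFB7214F6C} - C:\WINDOWS\system32\rqRLFxYp.dll",
    r"O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [vinclock] "C:\Documents and Settings\dankarim\Application Data\Google\ocboo1892823.exe" 2',
    r'O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\dankarim\Application Data\cogad\cogad.exe"',
    r"O20 - AppInit_DLLs: pvbsjd.dll",
    r"O20 - Winlogon Notify: ssqrpqQh - ssqrpqQh.dll (file missing)",
    r"O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe",
]

# Constructed sample: a subset of the ComboFix 'Reg Loading Points' section below.
SAMPLE_REG = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]",
    r'"AppInit_DLLs"=pvbsjd.dll',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
    r'"AllowInboundEchoRequest"= 0 (0x0)',
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_combofix_reg(SAMPLE_REG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```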



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 January 2009 - 06:11 AM

Hi,

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BerlinFinancialLtd.lan
O17 - HKLM\Software\..\Telephony: DomainName = BerlinFinancialLtd.lan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BerlinFinancialLtd.lan

Is this a company owned computer related with financial stuff? If so, there are a few things that need attention first before we proceed with this, ESPECIALLY in this case.

* You must inform your Supervisor immediately.

This is because:
  • Most company machines are connected into a network at some time or other, and your infection may compromise the security of that network.
  • If sensitive material is compromised by an infection, your company could be held liable.
* Your Company must give permission for us to give you assistance.

This is because:
  • We are not here to replace your company's IT Department. If there's an IT Department, then they are responsible for dealing with this.
  • There may be sensitive material on your computer that your company would not want revealed in an open forum.
Also, since this is a computer used at work, the first thing I always advise is to back up important files you don't want to lose, since malware makes a system unstable and it may happen that it suddenly won't boot anymore because of the damage already present.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JEberlin

JEberlin
  • Topic Starter

  • Members
  • 27 posts

Posted 13 January 2009 - 06:16 PM

Don't worry about the company permission - I am the IT support. As to networking, this is the only machine that exhibits any abnormal behavior. BTW, ComboFix did not reset the clock format to AM/PM. ComboFix log follows:

ComboFix 09-01-13.03 - dankarim 2009-01-13 17:47:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.787 [GMT -5:00]
Running from: c:\documents and settings\dankarim\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dankarim\Application Data\SpeedRunner
c:\documents and settings\dankarim\Application Data\SpeedRunner\config.cfg
c:\documents and settings\dankarim\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\dankarim\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\dDsqRlkK.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekajlkbwupt.sys
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\iqghecyr.dll
c:\windows\system32\knwtpdod.ini
c:\windows\system32\pvbsjd.dll
c:\windows\system32\rqRLFxYp.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaewqvrniq.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaxniogkos.dll
c:\windows\system32\yayvuTlI.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Service_SENEKA
-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-13 17:28 . 2009-01-13 17:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-12 17:16 . 2009-01-12 17:16 95 --a------ c:\windows\wininit.ini
2009-01-10 10:31 . 2009-01-10 10:31 <DIR> d-------- c:\windows\omwm
2009-01-10 10:31 . 2009-01-12 16:18 <DIR> d-------- c:\program files\Common Files\omwm
2009-01-10 09:25 . 2009-01-12 16:18 <DIR> d-------- c:\program files\Webtools
2009-01-09 11:32 . 2004-08-04 07:00 107,882 --a------ c:\windows\system32\mib_ii.mib
2009-01-09 11:30 . 2004-08-04 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-01-09 11:30 . 2004-08-04 07:00 18,944 --a--c--- c:\windows\system32\dllcache\simptcp.dll
2009-01-09 10:56 . 2009-01-09 10:58 <DIR> d-------- C:\4bad477f84d7b0af5afab00b
2009-01-09 10:51 . 2009-01-09 11:31 <DIR> d-------- c:\windows\system32\msmq
2009-01-09 10:34 . 2009-01-09 10:35 807 --a------ c:\windows\Active Setup Log.BAK
2009-01-09 09:10 . 2009-01-09 09:10 <DIR> d-------- c:\documents and settings\dankarim\Application Data\cogad
2009-01-08 17:27 . 2009-01-08 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 17:26 . 2009-01-08 17:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-30 14:37 . 2008-12-30 14:37 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-30 14:37 . 2008-12-30 14:43 <DIR> d-------- c:\documents and settings\dankarim\Application Data\Roxio
2008-12-25 03:00 . 2008-12-25 03:00 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-25 03:00 . 2008-12-25 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-24 12:49 . 2009-01-13 17:56 256 --a------ c:\windows\system32\pool.bin
2008-12-24 12:44 . 2008-12-24 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-24 12:44 . 2008-12-24 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-24 12:41 . 2008-12-24 12:44 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-24 12:41 . 2008-12-24 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-24 12:40 . 2008-12-24 12:42 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-24 12:15 . 2008-12-24 12:15 <DIR> d--hs---- c:\windows\ftpcache
2008-12-24 12:05 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-24 12:05 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 16:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 22:27 --------- d-----w c:\program files\Lavasoft
2009-01-08 22:27 --------- d-----w c:\documents and settings\User1\Application Data\Lavasoft
2009-01-08 22:04 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 22:04 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 22:04 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 22:04 --------- d-----w c:\program files\Symantec
2009-01-08 21:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Lavasoft
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Blackberry Desktop
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Akeni
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\AdobeUM
2008-12-24 17:43 --------- d-----w c:\program files\Roxio
2008-12-24 17:41 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 17:30 --------- d-----w c:\program files\Common Files\Research In Motion
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"="c:\documents and settings\dankarim\Application Data\cogad\cogad.exe" [2009-01-09 56832]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 32881]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"MsmqIntCert"="mqrt.dll" [2007-07-06 c:\windows\system32\mqrt.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Enterprise Messenger.lnk - c:\program files\Akeni\Akeni Enterprise Messenger\run.exe [2005-07-12 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pvbsjd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Akeni\\Akeni Enterprise Messenger\\run.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Administrator.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0972B05C-1A97-48DC-89F8-2CDFB7214F6C} - c:\windows\system32\rqRLFxYp.dll
HKLM-Run-vinclock - c:\documents and settings\dankarim\Application Data\Google\ocboo1892823.exe
Notify-ssqrpqQh - ssqrpqQh.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.bearstearns.com
Trusted Zone: *.clearco.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 17:55:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\mqtgsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-13 17:59:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 22:58:43

Pre-Run: 63,078,064,128 bytes free
Post-Run: 64,102,412,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

186 --- E O F --- 2009-01-08 22:19:18

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 January 2009 - 03:22 AM

Hi,

Whoever is responsible for this computer and responsible for infecting it - he/she has put the entire company at risk, since important info / passwords etc. may be known (malware collected them). So once we are done here, please change ALL passwords.
Also, I don't know who is responsible for updating the computer, but for a company owned computer, especially one into financial stuff, it really surprises me that it is still running SP2 and IE6.
Imho, for work computers which became severely infected, the best solution (since it's the safest) is to format and reinstall. After all, you cannot afford to use compromised computers, especially in financial institutions.

Anyway..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
c:\documents and settings\dankarim\Application Data\cogad
c:\windows\omwm
c:\program files\Common Files\omwm
c:\program files\Webtools
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(Screenshot: dragging the CFScript file onto ComboFix.exe)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by miekiemoes, 14 January 2009 - 03:58 AM.


#5 JEberlin

JEberlin
  • Topic Starter

  • Members
  • 27 posts

Posted 14 January 2009 - 10:19 PM

User reported that no symptoms occurred today.
Is Qoobox folder created by Combofix? Norton AV is finding Trojan.Vundo in C:\Qoobox\Quarantine.

ComboFix 09-01-13.04 - dankarim 2009-01-14 20:55:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.608 [GMT -5:00]
Running from: c:\documents and settings\dankarim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dankarim\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\dankarim\Application Data\cogad
c:\documents and settings\dankarim\Application Data\cogad\cogad.exe
c:\documents and settings\dankarim\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\Common Files\omwm
c:\program files\Common Files\omwm\omwma.lck
c:\program files\Common Files\omwm\omwmd\class-barrel
c:\program files\Common Files\omwm\omwmd\vocabulary
c:\program files\Common Files\omwm\omwmh
c:\program files\Common Files\omwm\omwml.lck
c:\program files\Common Files\omwm\omwmm.lck
c:\program files\Webtools
c:\windows\omwm
c:\windows\omwm\omwm.dat
c:\windows\omwm\wu

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-13 17:28 . 2009-01-13 17:28 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-01-12 17:16 . 2009-01-12 17:16 95 --a------ c:\windows\wininit.ini
2009-01-09 11:32 . 2004-08-04 07:00 107,882 --a------ c:\windows\system32\mib_ii.mib
2009-01-09 11:30 . 2004-08-04 07:00 18,944 --a------ c:\windows\system32\simptcp.dll
2009-01-09 11:30 . 2004-08-04 07:00 18,944 --a--c--- c:\windows\system32\dllcache\simptcp.dll
2009-01-09 10:56 . 2009-01-09 10:58 <DIR> d-------- C:\4bad477f84d7b0af5afab00b
2009-01-09 10:51 . 2009-01-09 11:31 <DIR> d-------- c:\windows\system32\msmq
2009-01-09 10:34 . 2009-01-09 10:35 807 --a------ c:\windows\Active Setup Log.BAK
2009-01-08 17:27 . 2009-01-08 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-08 17:26 . 2009-01-08 17:26 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-08 13:29 . 2009-01-08 13:29 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-30 14:37 . 2008-12-30 14:37 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Roxio
2008-12-30 14:37 . 2008-12-30 14:43 <DIR> d-------- c:\documents and settings\dankarim\Application Data\Roxio
2008-12-25 03:00 . 2008-12-25 03:00 <DIR> d-------- c:\program files\MSXML 6.0
2008-12-25 03:00 . 2008-12-25 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-24 12:49 . 2009-01-14 08:23 256 --a------ c:\windows\system32\pool.bin
2008-12-24 12:44 . 2008-12-24 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2008-12-24 12:44 . 2008-12-24 12:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-24 12:41 . 2008-12-24 12:44 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2008-12-24 12:41 . 2008-12-24 12:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-24 12:40 . 2008-12-24 12:42 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-24 12:15 . 2008-12-24 12:15 <DIR> d--hs---- c:\windows\ftpcache
2008-12-24 12:05 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-24 12:05 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 16:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 22:27 --------- d-----w c:\program files\Lavasoft
2009-01-08 22:27 --------- d-----w c:\documents and settings\User1\Application Data\Lavasoft
2009-01-08 22:04 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-08 22:04 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-08 22:04 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-08 22:04 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-08 22:04 --------- d-----w c:\program files\Symantec
2009-01-08 21:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Lavasoft
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Blackberry Desktop
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\Akeni
2009-01-08 17:01 --------- d-----w c:\documents and settings\dankarim\Application Data\AdobeUM
2008-12-24 17:43 --------- d-----w c:\program files\Roxio
2008-12-24 17:41 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-24 17:30 --------- d-----w c:\program files\Common Files\Research In Motion
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:37 659,456 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_17.57.53.80 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-20 10:17:52 33,280 ----a-w c:\windows\$hf_mig$\KB926247\SP2QFE\snmp.exe
+ 2005-10-12 23:12:25 14,048 ----a-w c:\windows\$hf_mig$\KB926247\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w c:\windows\$hf_mig$\KB926247\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w c:\windows\$hf_mig$\KB926247\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w c:\windows\$hf_mig$\KB926247\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w c:\windows\$hf_mig$\KB926247\update\updspapi.dll
- 2004-08-04 05:56:58 32,768 -c--a-w c:\windows\system32\dllcache\snmp.exe
+ 2006-11-20 08:42:45 33,280 -c--a-w c:\windows\system32\dllcache\snmp.exe
- 2008-08-28 10:04:17 333,056 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-12-09 20:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2004-08-04 05:56:58 32,768 ----a-w c:\windows\system32\snmp.exe
+ 2006-11-20 08:42:45 33,280 ----a-w c:\windows\system32\snmp.exe
+ 2009-01-14 08:09:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_378.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_06\bin\jusched.exe" [2004-09-28 32881]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"MsmqIntCert"="mqrt.dll" [2007-07-06 c:\windows\system32\mqrt.dll]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Enterprise Messenger.lnk - c:\program files\Akeni\Akeni Enterprise Messenger\run.exe [2005-07-12 20480]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Akeni\\Akeni Enterprise Messenger\\run.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-08 99376]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Administrator.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://finance.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: *.bearstearns.com
Trusted Zone: *.clearco.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 20:58:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-14 20:59:58
ComboFix-quarantined-files.txt 2009-01-15 01:59:40
ComboFix2.txt 2009-01-13 22:59:14

Pre-Run: 63,815,307,264 bytes free
Post-Run: 63,880,720,384 bytes free

177 --- E O F --- 2009-01-14 08:02:32

Edited by JEberlin, 14 January 2009 - 10:35 PM.


#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 January 2009 - 03:14 AM

Hi,

Is Qoobox folder created by Combofix? Norton AV is finding Trojan.Vundo in C:\Qoobox\Quarantine.

Yes, it is.

* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then, change ALL passwords, because they may be known.

Also...

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
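The post above has the user hunt through Add/Remove Programs for every older JRE before installing 6 Update 11. The following is an added example, not code from this thread, from ComboFix or from BleepingComputer: a small Python check that parses the display names Add/Remove Programs shows for JREs (the three older-version examples the post lists, plus the "Java(TM) N Update M" family) and reports any that are older than 6u11. On Windows it reads the names from the standard Uninstall registry keys; elsewhere it falls back to a constructed sample list. The sample entries and the version-normalisation scheme (1.4.2_06 becomes (4, 2, 6), 6 Update 11 becomes (6, 0, 11)) are this example's own assumptions.

```python
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Target from the post's advice: JRE 6 Update 11, normalised to (minor, micro, update).
TARGET = (6, 0, 11)

# "Java 2 Runtime Environment, SE v1.4.2" or "... v1.4.2_06"
_OLD_14 = re.compile(r"Java 2 Runtime Environment.*?v(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.I)
# "J2SE Runtime Environment 5.0" or "J2SE Runtime Environment 5.0 Update 6"
_J2SE_5 = re.compile(r"J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?", re.I)
# "Java(TM) 6 Update 5", "Java\u2122 6 Update 5", "Java(TM) SE Runtime Environment 6 Update 11".
# The major is restricted to 5+ so "Java 2 Runtime Environment" never matches here,
# and JDK entries ("Java(TM) SE Development Kit ...") are deliberately not matched.
_JAVA_6 = re.compile(r"Java(?:\(TM\)|\u2122)?(?: SE Runtime Environment)? ([5-9]|\d{2,})(?: Update (\d+))?", re.I)


def parse_java_version(display_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (minor, micro, update) for a JRE display name, or None if it is not a JRE."""
    m = _OLD_14.search(display_name)
    if m:  # 1.4.2_06 -> (4, 2, 6); the leading "1" is dropped
        return (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))
    m = _J2SE_5.search(display_name)
    if m:  # 5.0 Update 6 -> (5, 0, 6)
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = _JAVA_6.search(display_name)
    if m:  # 6 Update 5 -> (6, 0, 5)
        return (int(m.group(1)), 0, int(m.group(2) or 0))
    return None


def find_outdated(display_names: Iterable[str],
                  target: Tuple[int, int, int] = TARGET) -> List[Tuple[str, Tuple[int, int, int]]]:
    """Return [(display_name, version)] for every JRE entry older than target."""
    outdated = []
    for name in display_names:
        version = parse_java_version(name)
        if version is not None and version < target:
            outdated.append((name, version))
    return outdated


def installed_programs() -> List[str]:
    """Display names from the Add/Remove Programs registry keys (Windows only; [] elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    names = []
    for sub in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue  # key absent on 32-bit Windows such as the XP box in the thread
        with key:
            index = 0
            while True:
                try:
                    child = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, child) as child_key:
                        names.append(winreg.QueryValueEx(child_key, "DisplayName")[0])
                except OSError:
                    pass  # entry without a DisplayName
    return names


# Constructed sample: the three older-version examples from the post, a current JRE
# and an unrelated program, used when no registry is available.
SAMPLE_ENTRIES = [
    "Java 2 Runtime Environment, SE v1.4.2",
    "J2SE Runtime Environment 5.0",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 11",
    "Adobe Reader 7.0",
]

if __name__ == "__main__":
    entries = installed_programs() or SAMPLE_ENTRIES
    for name, (minor, micro, update) in find_outdated(entries):
        print(f"outdated JRE: {name}  (parsed as 1.{minor}.{micro}_{update:02d})")
```

Run on the sample it flags the three older entries and leaves 6 Update 11 and the non-Java program alone; on a Windows machine it reads the real Add/Remove Programs list instead. Only JRE entries are considered, matching the post's instruction, so a JDK would have to be checked separately.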

#7 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 January 2009 - 09:24 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.