
Malware From Executable Attached to Fake American Greetings E-Card


  • This topic is locked
2 replies to this topic

#1 birchrunville


Posted 28 February 2009 - 06:22 AM

Mistakenly ran an executable file sent in an email posing as an E-Card from American Greetings. [Executable came up clean when scanned by Norton AntiVirus 2006.] My machine is now randomly displaying ads whenever I run Internet Explorer and connect to the Internet. Machine runs XP Pro with SP 3. IBM T41. Getting AntiVirus 360 and Registry Defender ads as part of the process, but not only these ads. Windows OneCare claims to have cleaned up Trojans but the infection is still here. I use Norton AntiVirus 2006 with up-to-date definitions and it can't clean it fully either. Data is backed up, so no problem there.

Here is the log from DDS. I'm also attaching the attach.txt file (unzipped as it appears to be quite small).


DDS (Ver_09-02-01.01) - NTFSx86
Run by mgordon at 6:04:52.78 on Sat 02/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.406 [GMT -5:00]

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Updated)
AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *enabled*
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
E:\Norton\AntiVirus2006\navapsvc.exe
E:\Norton\AntiVirus2006\IWP\NPFMntor.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RunDll32.exe
E:\Adobe\Acrobat_8\Acrobat\Acrotray.exe
E:\apple\itunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Documents and Settings\mgordon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://192.168.3.1/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {cbcd0fe4-644d-9e4a-f6b4-ee97428ff580}: {085ff824-79ee-4b6f-a4e9-d4464ef0dcbc} - c:\windows\system32\ghfpqy.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - e:\norton\antivirus2006\NavShExt.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll
BHO: {ec3319da-5d22-4a0c-964a-9de9adb20417} - c:\windows\system32\pmnnKDwt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - e:\norton\antivirus2006\NavShExt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [IBM RecordNow!]
uRun: [tgcmd]
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [UC_Start] c:\ibmtools\updater\ucstartup.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [tgcmd]
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [S3TRAY2] S3Tray2.exe
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] c:\program files\thinkpad\utilities\BMMLREF.EXE
mRun: [BMMMONWND] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatInfEx.dll,BMMAutonomicMonitor
mRun: [BLOG] rundll32.exe c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [Acrobat Assistant 8.0] "e:\adobe\acrobat_8\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "e:\apple\itunes\iTunesHelper.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Bluhifijor] rundll32.exe "c:\windows\exutages.dll",e
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: Append to existing PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\acrobat_8\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {74FFE28D-2378-11D5-990C-006094235084} - file:///C:/Program%20Files/Support.com/Bin/IBMAccessSupport/common/install/ibmegath.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnnKDwt

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2004-10-12 52136]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-10-12 9728]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2004-10-12 2295]
R1 SAVRT;SAVRT;e:\norton\antivirus2006\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;e:\norton\antivirus2006\Savrtpel.sys [2005-8-26 53896]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-10-12 16384]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;e:\norton\antivirus2006\NAVAPSVC.EXE [2005-9-23 139888]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2008-11-5 25968]
R2 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2004-10-12 4225]
R2 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2007-6-3 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090226.055\NAVENG.Sys [2009-2-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090226.055\NavEx15.Sys [2009-2-27 876144]
S2 FLEXlm License Manager;FLEXlm License Manager;e:\telelogic\doors 6\flex\lmgrd95.exe [2002-9-21 15360]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [2004-10-12 12288]
S3 SAVScan;Symantec AVScan;e:\norton\antivirus2006\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-02-27 10:18 1,664,319 ---sh--- c:\windows\system32\qdsolrim.ini
2009-02-27 10:18 81,408 a------- c:\windows\system32\mirlosdq.dll
2009-02-27 10:18 125,440 a------- c:\windows\system32\ghfpqy.dll
2009-02-27 10:18 125,440 a------- c:\windows\system32\tdqoqrav.dll
2009-02-26 16:40 1,598,553 ---sh--- c:\windows\system32\lhamkodh.ini
2009-02-26 12:27 5,248 a------- c:\windows\system32\OEMINFO.PNF
2009-02-26 09:48 91,328 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-02-26 09:47 116,416 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-02-26 09:45 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-02-26 09:38 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-02-25 20:54 134,144 a------- c:\windows\exutages.dll
2009-02-25 18:33 108,168 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-25 18:33 87,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-25 16:25 1,598,553 ---sh--- c:\windows\system32\aumwxjjr.ini
2009-02-25 16:24 7,301 a--sh--- c:\windows\system32\twDKnnmp.ini2
2009-02-25 16:24 7,301 a--sh--- c:\windows\system32\twDKnnmp.ini
2009-02-25 16:24 303,616 a------- c:\windows\system32\pmnnKDwt.dll

==================== Find3M ====================

2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 04:10 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 a------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-02 18:42 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100220081003\index.dat

============= FINISH: 6:05:54.35 ===============


Thanks for your help.


#2 SifuMike

    malware expert

Posted 07 March 2009 - 10:55 PM

Hello birchrunville,

Sorry for the delay. We have over 500 logs backed up on only a few helpers.

If you still need help, then please post a fresh DDS log and we will take it from there.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 SifuMike

    malware expert

Posted 17 March 2009 - 10:22 PM

Due to inactivity, this thread will now be closed.
