Malware Ftp Password Hijack?

2 replies to this topic

#1 RayFar


  • Members
  • 2 posts
  • Local time:04:36 PM

Posted 22 April 2009 - 08:50 PM

I'm lost on this one and I'm hoping someone can throw some light on it please.

I had reason to believe that my ftp password etc. was being hijacked when I was using the Ipswich ftp utility to fiddle around with my website. So I have spent the last few days looking for the probable malware and I'm just getting conflicting results.

I got setup_u.exe showing up in Zone Alarm, which I denied. It was supposed to be in my Windows\System32 folder - not there, but when I searched my C: drive I found a .pf version of it in the Windows\Prefetch folder. I deleted all histories etc. and my C: drive is now clear of any reference to it, although I've still left it firmly denied in Zone Alarm. Also, at the same time, I found two files in the C: root - one, I think, was u_.bat and the other u_ ? - sorry, but I just deleted them without making a note - they returned once, got deleted again, but have not appeared since.

Also, my machine kept slowing and jerking - and Firefox (when I used that) kept crashing on start up. The system seems to be running fine now and Firefox is OK.

Other points that might be related - up until yesterday, my system would not allow regedit to run - it does today. Also, I had to manually update AVG as it wouldn't update online, and some other antispyware programs wouldn't update either - but today they all do.

I'm confused, as apart from deleting the bat and the other file (plus histories etc.) and denying setup_u.exe, I haven't knowingly deleted any file - unless one of the scanners deleted things without showing it.

Since all that - when I run a full scan on AVG 8.5 it shows my machine as being clean -
Zone Alarm scan - clean
Spybot S&D - clean

I then put some more specific stuff on -
Trend Micro RootkitBuster - clean
CWShredder - clean
Malwarebytes Anti-Malware - clean

I then scanned using Sophos Anti-Rootkit and it came up with -
Area: Windows registry
Description: Hidden registry key

Removable: No
Notes: (no more detail available)

Then I used PC Tools Spyware Doctor which came up with -
Adware.Component.WindUpdates (6 infections)
Reg Value
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}iexplore, Type
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}iexplore, Count
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}iexplore, Time
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}iexplore, Blocked

Reg Key

Adware.Transponder_Ahexe (6 infections)
Reg Value
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}iexplore, Type
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}iexplore, Count
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}iexplore, Time
HKEY_USERS\S-1-5-21-2025429265-1960408961-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740}iexplore, Blocked

Reg Key

The Spyware Doctor is the free version and won't remove anything.

While I was doing the checking, I tried the on-line Panda scan which showed -

spyware/better... Spyware

adware/wupd Adware

These agree with the Spyware Doctor results. Although I've checked that the keys are actually there, I haven't deleted any registry keys, as I'm not certain whether they link back to a file which will be missed by doing that.

I also tried Housecall but I have never been able to get it to run on my machine - ever!

Hopefully, DDS.txt will flag up what's going on.

Regarding DDS.txt, in SERVICES / DRIVERS -

No files on my machine to match these anywhere on the C: drive -

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S4 BWO;BWO;c:\docume~1\ray\locals~1\temp\bwo.exe --> c:\docume~1\ray\locals~1\temp\BWO.exe [?]
S4 RFJRCXRE;RFJRCXRE;c:\docume~1\ray\locals~1\temp\rfjrcxre.exe --> c:\docume~1\ray\locals~1\temp\RFJRCXRE.exe [?]
S4 ZPFLPHFVYHNEJOJA;ZPFLPHFVYHNEJOJA;c:\docume~1\ray\locals~1\temp\zpflphfvyhnejoja.exe --> c:\docume~1\ray\locals~1\temp\ZPFLPHFVYHNEJOJA.exe [?]

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ray at 1:34:32.28 on 23/04/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.415 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Pro Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tiscali.co.uk/index.html
uInternet Connection Wizard,ShellNext = iexplore
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {92A40B0A-740A-4A11-9DDB-70460C6DA383} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CARPService] carpserv.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RegistryMechanic]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189602538328
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
TCP: {B9E46604-A820-4F05-B7D4-40E08EBF9E22} =
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ray\applic~1\mozilla\firefox\profiles\y2rlktg8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.perception9.com/

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-22 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-4-21 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-19 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-19 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-19 108552]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-3-28 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-19 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-19 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-4-21 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-4-21 1095560]
S4 BWO;BWO;c:\docume~1\ray\locals~1\temp\bwo.exe --> c:\docume~1\ray\locals~1\temp\BWO.exe [?]
S4 RFJRCXRE;RFJRCXRE;c:\docume~1\ray\locals~1\temp\rfjrcxre.exe --> c:\docume~1\ray\locals~1\temp\RFJRCXRE.exe [?]
S4 ZPFLPHFVYHNEJOJA;ZPFLPHFVYHNEJOJA;c:\docume~1\ray\locals~1\temp\zpflphfvyhnejoja.exe --> c:\docume~1\ray\locals~1\temp\ZPFLPHFVYHNEJOJA.exe [?]

=============== Created Last 30 ================

2009-04-22 22:20 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-22 22:20 <DIR> --d----- c:\program files\Panda Security
2009-04-21 18:23 552 a------- c:\windows\system32\d3d8caps.dat
2009-04-21 01:49 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-04-21 01:49 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-04-21 01:49 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-21 01:49 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-21 01:49 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-04-21 01:49 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-21 01:49 <DIR> --d----- c:\docume~1\ray\applic~1\PC Tools
2009-04-21 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-21 00:03 <DIR> --d----- c:\docume~1\ray\applic~1\Malwarebytes
2009-04-21 00:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-21 00:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 00:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-21 00:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 20:03 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-20 18:34 <DIR> --d----- c:\program files\Sophos
2009-04-20 17:46 29 a------- c:\windows\DEBUGSM.INI
2009-04-20 17:45 <DIR> --d----- c:\docume~1\ray\applic~1\Smart Panel
2009-04-20 12:04 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-19 23:01 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-19 23:01 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-19 23:01 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-19 23:01 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-19 23:01 <DIR> --d----- c:\program files\AVG
2009-04-19 23:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-15 12:39 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 12:39 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 12:39 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 12:39 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 12:39 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 12:39 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 12:39 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 12:39 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 12:39 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 12:37 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 12:37 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 12:37 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-03-25 23:39 <DIR> --d----- c:\program files\EmEditor

==================== Find3M ====================

2009-04-21 21:29 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 13:05 27,296 a------- c:\docume~1\ray\applic~1\GDIPFONTCACHEV1.DAT
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 19:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-15 23:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll
2008-05-13 14:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051320080514\index.dat

============= FINISH: 1:34:57.82 ===============

Many thanks for looking through this.
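A reviewer reading the SERVICES / DRIVERS section of a DDS log looks for the same things the poster noticed: a service image in a user temp directory, a .tmp image under system32, a file DDS could not find (the `[?]` tail), and a generated-looking name. The Python below is an added example, not part of the original post or of DDS; it encodes those heuristics as a small scorer and runs them over a constructed sample built from the lines of the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample taken from the SERVICES / DRIVERS section above:
# two benign entries plus the four the poster could not match to any file.
SAMPLE_DDS = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-22 28544]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\21.tmp --> c:\windows\system32\21.tmp [?]
S4 BWO;BWO;c:\docume~1\ray\locals~1\temp\bwo.exe --> c:\docume~1\ray\locals~1\temp\BWO.exe [?]
S4 RFJRCXRE;RFJRCXRE;c:\docume~1\ray\locals~1\temp\rfjrcxre.exe --> c:\docume~1\ray\locals~1\temp\RFJRCXRE.exe [?]
S4 ZPFLPHFVYHNEJOJA;ZPFLPHFVYHNEJOJA;c:\docume~1\ray\locals~1\temp\zpflphfvyhnejoja.exe --> c:\docume~1\ray\locals~1\temp\ZPFLPHFVYHNEJOJA.exe [?]
"""

# One service per line: "<state> <name>;<display>;<image> [<date> <size>]",
# or "... <image> --> <resolved image> [?]" when DDS could not stat the file.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)\s+\[(?P<tail>[^\]]*)\]$")
EXE_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|sys|dll|tmp)\b", re.I)

@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str            # executable path, lower-cased, \??\ prefix and arguments stripped
    file_resolved: bool  # False when DDS printed [?]

@dataclass
class Finding:
    name: str
    path: str
    score: int
    reasons: list = field(default_factory=list)

def parse_dds_service(line: str):
    """Parse one SERVICES / DRIVERS line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    if "-->" in image:                      # prefer the path DDS resolved
        image = image.split("-->", 1)[1]
    image = image.strip().lower().replace("\\??\\", "")
    exe = EXE_RE.search(image)
    path = exe.group(0) if exe else image
    return ServiceEntry(m.group("state"), m.group("name"), m.group("display"), path, m.group("tail") != "?")

def assess(entry: ServiceEntry):
    """Score one entry with the heuristics a log reviewer applies by eye."""
    score, reasons = 0, []
    if "\\temp\\" in entry.path:
        score += 2; reasons.append("image lives in a user temp directory")
    if entry.path.endswith(".tmp"):
        score += 1; reasons.append(".tmp image (anti-rootkit scanners also load one, so weak alone)")
    if not entry.file_resolved:
        score += 1; reasons.append("DDS could not find the file ([?])")
    if entry.name == entry.display and entry.name.isupper() and len(entry.name) >= 3:
        score += 1; reasons.append("service name equals display name and is all caps")
    return score, reasons

def triage(dds_text: str, threshold: int = 2):
    """Return the entries whose heuristic score reaches the threshold, in log order."""
    findings = []
    for line in dds_text.splitlines():
        entry = parse_dds_service(line)
        if entry is not None:
            score, reasons = assess(entry)
            if score >= threshold:
                findings.append(Finding(entry.name, entry.path, score, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.name:<18} score={f.score} {f.path}\n    " + "\n    ".join(f.reasons))
```

The three temp-directory services score highest; vsmon is not flagged because its `[?]` only reflects the `-service` argument DDS could not resolve, and MEMSWEEP2 lands just above the threshold, which is why the .tmp reason is worded as a hint rather than a verdict.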



#2 KoanYorel


    Bleepin' Conundrum

  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:11:36 AM

Posted 05 May 2009 - 10:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 RayFar

  • Topic Starter

  • Members
  • 2 posts
  • Local time:04:36 PM

Posted 05 May 2009 - 04:19 PM

Hi KoanYorel,

Many thanks for getting back to me - I certainly understand the delay, it's very busy on here.

I think that the panic is over - nothing odd now seems to be happening and when I've run various scans with various A/V, malware and rootkit software, it comes up clean - all updates are happening OK and I can access all webpages and the registry with regedit.

If I have any further doubts, I'll come straight back on. Although it would be great to go through the BleepingComputer processes to be totally sure, looking through the posts there are far more urgent cases needing attention, so I'll say this one is resolved so you can move on to somebody in much more desperate need.

Once again, many thanks.
