Multiple Recurrent Trojan infections?


  • This topic is locked
2 replies to this topic

#1 whwiii

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:21 PM

Posted 13 May 2009 - 01:37 AM

Background (Windows XP SP3):
Having never had a virus or trojan infection before, I've been getting numerous trojan/virus alerts for the past year.
It started around 9/08 when I got pop-ups prompting me for virus software while browsing.
Trend Micro antivirus/antispyware detected nothing, so I installed SUPERAntiSpyware, which detected several trojans which were removed (see log below).
Since that time, I've had several other trojan detections with both programs, although I haven't noticed any problems with function. But I'm suspicious that something hasn't been removed.

I posted to the “Am I infected?” forum several days ago (http://www.bleepingcomputer.com/forums/t/225899/msconfig-start-up-items-with-no-name-or-command/) and ran MBAM, which seems to have detected several trojans despite clean Trend Micro and SAS scans (log excerpts below). Two days later MBAM detected 2 infected files. At this point a post to this forum was recommended.

Are the MBAM detections overcalls or am I getting recurrent Trojans?

Thanks
-bill w
Various security logs are posted after the DDS log below:


DDS (Ver_09-03-16.01) - NTFSx86
Run by William Warden at 23:14:06.69 on Tue 05/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1361 [GMT -7:00]

AV: Trend Micro AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Datacolor\Spyder3Pro\Utility\Spyder3Utility.exe
svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Citrix\Secure Access Client\nsverctl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\My Documents\Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://sra5.memorialcare.org/vpn/index.html
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Start WingMan Profiler]
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NWEReboot]
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Trend Micro AntiVirus 2007] d:\program files\trend micro\antivirus 2007\tavui.exe -1 --delay 15
mRun: [QuickTime Task] "d:\documents and settings\william warden\local settings\temp\i1179037812\windows\qttask.exe" -atboottime
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [MaxtorOneTouch] d:\progra~1\maxtor\onetouch\utils\OneTouch.exe
mRun: [MXO Auto Loader] c:\windows\MXOALDR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - d:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spyder~1.lnk - d:\program files\datacolor\spyder3pro\utility\Spyder3Utility.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: memorialcare.org\*
Trusted Zone: memorialcare.org\*
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178646780984
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {FD7C00A9-E676-11D6-A08E-00E09878F0CF} - hxxps://sra5.memorialcare.org/vpns/scripts/nsload.ocx
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\ij6n0ff5.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin2.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin3.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin4.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin5.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin6.dll
FF - plugin: d:\documents and settings\william warden\local settings\temp\i1179037812\windows\plugins\npqtplugin7.dll
FF - plugin: d:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\SASDIFSV.SYS [2008-8-19 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2008-8-19 55024]
R2 ApogeeIO;Apogee Port I/O;c:\windows\system32\drivers\apogeeio.sys [2004-12-10 5314]
R2 MaxImIO;MaxIm Port I/O;c:\windows\system32\drivers\maximio.sys [2004-12-10 7610]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2008-9-26 135168]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-6-12 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-16 36368]
R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2008-9-26 48280]
R3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2008-8-19 7408]
R3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2008-3-19 12288]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-6-12 648456]
S2 gupdate1c9862f396e2738;Google Update Service (gupdate1c9862f396e2738);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 SXVIO;SXVIO;c:\windows\system32\drivers\Sxvio.sys [2004-12-10 170020]

=============== Created Last 30 ================

2009-05-10 23:50 --d----- c:\docume~1\willia~1\applic~1\Malwarebytes
2009-05-10 23:50 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-10 23:50 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-10 23:50 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-27 00:04 --d----- c:\docume~1\willia~1\applic~1\AstroPlanner
2009-04-26 22:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-26 21:52 --d----- c:\windows\SxsCaPendDel
2009-04-26 20:49 --d----- c:\program files\CCDWare
2009-04-19 09:13 --d----- c:\docume~1\willia~1\applic~1\EQMOD
2009-04-17 23:09 --d----- c:\windows\system32\AGEIA
2009-04-15 21:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 21:38 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 21:38 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-02 16:00 52,752 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 16:00 52,624 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 16:00 142,864 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
2006-06-22 23:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2003-07-06 15:55 170,088 a------- c:\windows\inf\Sxvio.sys
2000-09-29 07:33 218,472 a------- c:\windows\inf\Generic.sys
2008-07-21 21:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072120080722\index.dat
2007-05-24 23:14 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-05-24 23:14 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-05-24 23:14 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 23:14:47.13 ===============

9/08 SUPERAntiSpyware log:
Trojan.Dropper/Gen-NV
C:\WINDOWS\SYSTEM32\__C002C34C.DAT
C:\WINDOWS\SYSTEM32\__C002C34C.DAT
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c002C34C

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C002C34C#Logon

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\(username redacted)\LOCAL SETTINGS\TEMP\_A00F10C0D46.EXE
C:\DOCUMENTS AND SETTINGS\(username redacted)\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ARZ5W502\I1[1].EXE

5/9/09 Trend Micro antivirus log:
TROJ_TIBS.IW

5/11/09 MBAM log:
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bd4f7a6d-0107-4bdf-b72b-021b717b06ce} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

5/12/09 MBAM log:
Memory Modules Infected:
C:\Documents and Settings\(name redacted)\Application Data\RBXML550.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\(name redacted)\Application Data\RBMD5550.dll (Trojan.Agent) -> No action taken.
C:\Documents and Settings\(name redacted)\Application Data\RBXML550.dll (Trojan.Agent) -> No action taken.

Edited by Orange Blossom, 13 May 2009 - 06:12 PM.
Activate link. ~ OB
#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:21 AM

Posted 26 May 2009 - 06:05 PM

Hi whwiii,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will get back to you with your first instructions. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:21 AM

Posted 31 May 2009 - 03:28 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE