Trojan producing massive outgoing traffic on port 25


13 replies to this topic

#1 erdgeist (Members)

Posted 25 December 2009 - 08:57 AM

Hi,
I discovered massive outgoing traffic to remote port 25 on my machine. The traffic is caused by svchost.
It was easy to discover which process it was (it used a lot more memory than the usual svchost processes). As soon as I kill the process, a window pops up saying that Windows is going to shut down in 1 minute.
shutdown -a fixed that.
When doing a full system scan with F-Secure Internet Security 2009, it finds nothing.

I ran HJT, but found nothing suspicious:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:46:49, on 24.12.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\RegCure\RegCure.exe
C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\emaudsv.exe
C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
C:\Programme\Internet Security\Anti-Virus\fsgk32st.exe
C:\Programme\Internet Security\Common\FSMA32.EXE
C:\Programme\Internet Security\Anti-Virus\FSGK32.EXE
C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Programme\Internet Security\Common\FSHDLL32.EXE
C:\Programme\Contour Shuttle\ShuttleEngine.exe
C:\Programme\DellTPad\Apoint.exe
C:\Programme\Internet Security\Common\FSM32.EXE
C:\Programme\Contour Shuttle\ShuttleHelper.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Programme\Java_ME_platform_SDK_3.0\bin\device-manager.exe
C:\Programme\SpeedswitchXP\SpeedswitchXP.exe
C:\Programme\Ashampoo\Ashampoo UnInstaller 2010\UIWatcher.exe
C:\Programme\Java\jdk1.6.0_17\bin\javaw.exe
C:\Programme\DellTPad\ApMsgFwd.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\DellTPad\HidFind.exe
C:\Programme\DellTPad\Apntex.exe
C:\Programme\PeerBlock\peerblock.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Internet Security\Anti-Virus\fssm32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Internet Security\FWES\Program\fsdfwd.exe
C:\Programme\Internet Security\Anti-Virus\fsav32.exe
C:\Programme\Internet Security\FSGUI\fscuif.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netstat.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\svchost.exe
C:\hjt\Google.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Programme\Internet Security\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Programme\Internet Security\NRS\iescript\baselitmus.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Programme\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Apoint] C:\Programme\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Contour Shuttle Device Helper] C:\Programme\Contour Shuttle\ShuttleHelper.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [Java(TM) ME Platform SDK 3.0] "C:\Programme\Java_ME_platform_SDK_3.0\bin\device-manager.exe"
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Programme\SpeedswitchXP\SpeedswitchXP.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Programme\Ashampoo\Ashampoo UnInstaller 2010\UIWatcher.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PeerBlock.lnk = C:\Programme\PeerBlock\peerblock.exe
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix: 
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258060225234
O17 - HKLM\System\CCS\Services\Tcpip\..\{644EF1B1-ABB1-4DF3-85B0-2D684C1A7A93}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC8342CA-B1A6-48E6-8BC1-355842E0C230}: NameServer = 195.186.1.111,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{644EF1B1-ABB1-4DF3-85B0-2D684C1A7A93}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Programme\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: E-MU Audio Service (emaudsv) - E-MU Systems - C:\WINDOWS\system32\emaudsv.exe
O23 - Service: Emma Device Management (EmmaDevMgmtSvc) - Sony Ericsson Mobile Communications - C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaDeviceMgmt.exe
O23 - Service: Emma Update Management (EmmaUpdMgmtSvc) - Sony Ericsson Mobile Communications - C:\Programme\Gemeinsame Dateien\Sony Ericsson\Emma Core\Services\EmmaUpdateMgmt.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Programme\Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Programme\Internet Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Programme\Internet Security\ORSP Client\fsorsp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Programme\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Programme\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Programme\Macrium\Reflect\ReflectService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: Contour Shuttle Device Engine (ShuttleEngine) - Contour Design, Inc. - C:\Programme\Contour Shuttle\ShuttleEngine.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\Programme\TuneUp Utilities 2010\TuneUpDefragService.exe

--
End of file - 8729 bytes

I also found the process listening on port 1553, so I blocked outgoing traffic to port 25 and incoming traffic to 1553.
Any help on how to track down the trojan and remove it would be very much appreciated.

#2 m0le (Malware Response Team, London, UK)

Posted 05 January 2010 - 07:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 m0le (Malware Response Team, London, UK)

Posted 11 January 2010 - 05:16 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

#4 m0le (Malware Response Team, London, UK)

Posted 01 February 2010 - 05:32 PM

Reopened at user's request

--------------------------------------------------

Please carry out the scans for DDS and RootRepeal as above.

Thanks

#5 erdgeist (Topic Starter, Members)

Posted 01 February 2010 - 05:55 PM

Thanks for reopening the thread m0le. I'm glad someone is here to help me.

Looking at the logfiles I suspect
C:\WINDOWS\system32\svchost -k DcomLaunch
to be the malicious thread, but I still don't understand how it's getting started.
When I kill the process, the traffic stops and I get an error message saying that the DCom process was finished and the system needs to be shut down in 1 minute. As stated before, I can easily fix this problem.
What irritates me is that, after overwriting my system partition with an image I made after a clean installation of Windows and the necessary software I usually need, the trojan seemed to be gone. The image was made before the computer was connected to the internet, and I did a full scan of it without any detections with Clam Antivirus running from an Ubuntu partition.
A few hours ago I noticed the same traffic on port 25 as before. So it was either a malicious installation file I still have somewhere on my hard disk and which I ran after loading the image, or it's something that is on the image but which didn't get detected and got activated somehow later on.
I hope there is no need to reinstall Windows and all the software from scratch again. Tracking down this nasty little thing should be so much more fun :(

Anyway, here are the logfiles as requested. Thanks again for your help m0le, I really appreciate it.

DDS (Ver_09-12-01.01) - NTFSx86
Run by rdg at 20:26:29,67 on 01.02.2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.1470 [GMT 1:00]

AV: Internet Security 9.01 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Internet Security 9.01 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\emaudsv.exe
C:\Programme\Internet Security\Anti-Virus\fsgk32st.exe
C:\Programme\Internet Security\Common\FSMA32.EXE
C:\Programme\Internet Security\Anti-Virus\FSGK32.EXE
C:\Programme\Contour Shuttle\ShuttleEngine.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\DellTPad\Apoint.exe
C:\Programme\Contour Shuttle\ShuttleHelper.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Programme\SpeedswitchXP\SpeedswitchXP.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\DellTPad\ApMsgFwd.exe
C:\Programme\DellTPad\HidFind.exe
C:\Programme\DellTPad\Apntex.exe
C:\Programme\Internet Security\Anti-Virus\fssm32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Programme\Internet Security\Common\FSLAUNCH.EXE
C:\Dokumente und Einstellungen\rdg\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.mini20.com
uInternet Settings,ProxyOverride = *.local
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\programme\internet security\nrs\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\programme\internet security\nrs\iescript\baselitmus.dll
uRun: [SpeedswitchXP] c:\programme\speedswitchxp\SpeedswitchXP.exe
mRun: [Apoint] c:\programme\delltpad\Apoint.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [F-Secure Manager] "c:\programme\internet security\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\programme\internet security\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [Contour Shuttle Device Helper] c:\programme\contour shuttle\ShuttleHelper.exe
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\logite~1.lnk - c:\programme\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoNetConnectDisconnect = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoInternetIcon = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: Senden an &Bluetooth-Gerät... - c:\programme\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\programme\bonjour\ExplorerPlugin.dll
LSP: c:\programme\internet security\fsps\program\FSLSP.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1258060225234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: {644EF1B1-ABB1-4DF3-85B0-2D684C1A7A93} = 208.67.222.222,208.67.220.220
TCP: {FC8342CA-B1A6-48E6-8BC1-355842E0C230} = 195.186.1.111,208.67.220.220
Notify: LBTWlgn - c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, digest.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\rdg\anwend~1\mozilla\firefox\profiles\kyogc4pn.default\
FF - component: c:\dokumente und einstellungen\rdg\anwendungsdaten\mozilla\firefox\profiles\kyogc4pn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\programme\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\programme\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\programme\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-11-11 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-11-11 80000]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\programme\internet security\hips\drivers\fshs.sys [2009-11-11 68064]
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-11-13 116368]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-11-13 41424]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [2007-11-26 20992]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\programme\internet security\anti-virus\fsgk32st.exe [2009-11-11 215648]
R2 serwvdrv32;Unimodem Serial Wave driver;c:\windows\system32\rundll32.exe serwvdrv32.dll,aqef --> c:\windows\system32\rundll32.exe serwvdrv32.dll,aqef [?]
R3 automap;Automap MIDI Driver Service;c:\windows\system32\drivers\automap.sys [2009-11-29 7168]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\programme\internet security\anti-virus\minifilter\fsgk.sys [2009-11-11 107104]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-11-13 95376]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-10-29 103888]
S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-11 10384]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [2007-11-26 163352]
S3 FSORSPClient;F-Secure ORSP Client;c:\programme\internet security\orsp client\fsorsp.exe [2009-11-11 56000]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [2008-10-29 21720]
S3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2009-11-11 193032]
S3 MAFWDICE;Service for M-Audio ProFire Driver (WDM);c:\windows\system32\drivers\mafwdi.sys --> c:\windows\system32\drivers\mafwdi.sys [?]
S3 NvnUsbAudio;Novation USB Audio Driver;c:\windows\system32\drivers\nvnusbaudio.sys [2009-11-14 29184]
S3 pbfilter;pbfilter;c:\programme\peerblock\pbfilter.sys [2009-12-3 14424]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\programme\macrium\reflect\ReflectService.exe [2009-11-12 220128]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-11-12 23288]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2006-8-30 25856]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\programme\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S4 F-Secure Filter;F-Secure File System Filter;c:\programme\internet security\anti-virus\win2k\fsfilter.sys [2009-11-11 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\programme\internet security\anti-virus\win2k\fsrec.sys [2009-11-11 25184]
S4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\programme\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-02-01 16:26:28 0 d--h--w- c:\windows\PIF
2010-01-27 19:51:34 0 d-----w- c:\dokume~1\rdg\anwend~1\Celemony Software GmbH
2010-01-27 19:51:13 0 d-----w- c:\programme\Celemony
2010-01-27 19:51:12 0 d-----w- c:\programme\gemeinsame dateien\Celemony
2010-01-26 00:59:53 0 dc-h--w- c:\dokume~1\alluse~1\anwend~1\{DFE2E7B1-6B2C-4104-9C65-82A52ECA8CB8}
2010-01-26 00:43:00 0 dc-h--w- c:\dokume~1\alluse~1\anwend~1\{8BFD9D89-5EBF-4CAE-AA58-6AE68629BA0B}
2010-01-23 22:13:42 754 ----a-w- c:\windows\CamelCrusher.dll.lnk
2010-01-23 22:13:42 739 ----a-w- c:\windows\TesslaPRO.dll.lnk
2010-01-23 22:13:42 734 ----a-w- c:\windows\TesslaSE.dll.lnk
2010-01-23 22:13:42 734 ----a-w- c:\windows\TAL-Tube.dll.lnk
2010-01-23 22:11:46 854 ----a-w- c:\windows\Virus_z3ta+.dll.lnk
2010-01-23 22:06:02 658 ----a-w- c:\windows\IL Love Philter.dll.lnk
2010-01-23 22:02:37 0 d-----w- C:\VstSelected
2010-01-14 11:42:43 68640 ----a-w- c:\windows\unTMV.exe
2010-01-14 11:42:42 0 d-----w- c:\programme\SoftMaker Viewer
2010-01-14 11:30:20 0 d-----w- c:\programme\MSECache
2010-01-13 02:32:10 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-03 16:46:58 0 d-----w- c:\dokume~1\rdg\anwend~1\InfraRecorder
2010-01-03 16:44:50 0 d-----w- c:\programme\InfraRecorder
2010-01-03 15:26:17 0 d-----w- c:\dokume~1\rdg\anwend~1\Renoise ReWire Engine
2010-01-03 15:20:21 0 d-----w- c:\dokume~1\rdg\anwend~1\Renoise

==================== Find3M ====================

2010-01-09 04:43:03 81248 ----a-w- c:\windows\system32\perfc007.dat
2010-01-09 04:43:03 449314 ----a-w- c:\windows\system32\perfh007.dat
2009-12-21 19:05:02 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-12 07:09:55 833002 ----a-w- c:\windows\PhaseTwo VST plug-in Uninstaller.exe
2009-12-12 07:07:11 833003 ----a-w- c:\windows\BigSeq VST plug-in Uninstaller.exe
2009-12-12 04:21:09 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-12-11 18:55:51 12140 ----a-w- c:\dokumente und einstellungen\rdg\ntuserdirect_MyManager.dat
2009-12-09 13:51:00 69632 ----a-w- c:\windows\system32\FxShared.dll
2009-12-09 13:51:00 69632 ----a-w- c:\windows\system32\com.fxpansion.fxshared.dll
2009-12-09 13:41:40 25 ----a-w- c:\dokume~1\rdg\anwend~1\iasna_C92E1371-3DF5-4322-9729-82CC0DD90EC6.dll
2009-12-08 22:45:03 833056 ----a-w- c:\windows\Replicant VST plug-in Uninstaller.exe
2009-12-03 13:46:10 178 ----a-w- c:\programme\gemeinsame dateien\083.part.met
2009-11-29 18:44:56 106557 ----a-w- c:\windows\system32\btw_ci.dll
2009-11-19 01:57:10 233472 ----a-w- c:\windows\system32\REX Shared Library.dll
2009-11-12 21:38:38 2892 ----a-w- c:\windows\system32\audcon.sys
2009-11-11 19:43:14 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-11-11 14:05:31 27649 ----a-w- c:\windows\system32\nvModes.dat
2009-11-11 13:56:12 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-11-11 13:56:12 21361 ----a-w- c:\windows\AegisP.sys
2009-11-11 13:45:53 21740 ----a-w- c:\windows\system32\emptyregdb.dat
2009-11-09 18:00:00 85504 ----a-w- c:\windows\system32\ff_vfw.dll

============= FINISH: 20:26:45,21 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/01 20:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAFD67000 Size: 778240 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB023000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2196cd6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2196cf0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195e8c

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb21961bc

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195bcc

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb21965ee

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb219788c

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb219643e

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195a4c

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195ec0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2196042

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb21959a6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195b06

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2195f86

Shadow SSDT
-------------------
#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Programme\Internet Security\HIPS\drivers\fshs.sys" at address 0xb2198646

==EOF==
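One way to turn the netstat approach from the first post into a repeatable check, and to tie the offending PID to the service group erdgeist singles out in this post, as an added example that is not part of the thread: correlate `netstat -ano` with `tasklist /svc`, count parallel connections to remote port 25 per PID, and report the services and listeners that PID hosts. The netstat and tasklist text below is constructed sample output, and the threshold of three parallel SMTP connections is an assumed tuning value.

```python
import re
from collections import defaultdict

SMTP_PORT = 25

# Constructed sample of `netstat -ano` output (Windows XP layout), not real
# data from the thread. PID 912 mirrors the symptom described: a burst of
# connections to remote port 25 plus a listener on local port 1553.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1553           0.0.0.0:0              LISTENING       912
  TCP    192.168.1.10:1054      192.0.2.10:25          SYN_SENT        912
  TCP    192.168.1.10:1055      192.0.2.11:25          ESTABLISHED     912
  TCP    192.168.1.10:1056      192.0.2.12:25          SYN_SENT        912
  TCP    192.168.1.10:1057      198.51.100.7:25        ESTABLISHED     912
  TCP    192.168.1.10:1060      203.0.113.5:80         ESTABLISHED     1684
  TCP    192.168.1.10:1061      192.0.2.20:25          ESTABLISHED     1684
  UDP    0.0.0.0:500            *:*                                    1040
"""

# Constructed sample of `tasklist /svc` output mapping PIDs to service groups.
TASKLIST_SAMPLE = """\
Image Name                   PID Services
========================= ====== =============================================
svchost.exe                  912 DcomLaunch, TermService
svchost.exe                 1040 RpcSs
svchost.exe                 1096 AudioSrv, Browser, CryptSvc, Dhcp, dmserver
firefox.exe                 1684 N/A
"""


def _split_addr(addr):
    """Split 'host:port' into (host, port or None); handles the '*:*' wildcard."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        _, local_port = _split_addr(parts[1])
        foreign_host, foreign_port = _split_addr(parts[2])
        rows.append({"proto": proto, "local_port": local_port,
                     "foreign_host": foreign_host, "foreign_port": foreign_port,
                     "state": parts[3] if proto == "TCP" else "", "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> (image, [services]) from `tasklist /svc`; header rows are skipped."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue
        image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[pid] = (image, services)
    return procs


def find_smtp_senders(netstat_text, tasklist_text, threshold=3):
    """Return findings for PIDs with at least `threshold` connections to port 25.

    A mail client opens one or two SMTP connections; a service host with a burst
    of parallel port-25 connections is the pattern from the thread. svchost.exe
    itself is legitimate, so each finding names the service group the PID hosts
    and any port it listens on. The threshold is an assumed tuning value.
    """
    procs = parse_tasklist(tasklist_text)
    smtp_hosts = defaultdict(list)
    listeners = defaultdict(set)
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] == "LISTENING":
            listeners[row["pid"]].add(row["local_port"])
        elif row["foreign_port"] == SMTP_PORT:
            smtp_hosts[row["pid"]].append(row["foreign_host"])
    findings = []
    for pid, hosts in smtp_hosts.items():
        if len(hosts) < threshold:
            continue
        image, services = procs.get(pid, ("<unknown>", []))
        findings.append({"pid": pid, "image": image, "services": services,
                         "smtp_connections": len(hosts),
                         "listening_ports": sorted(listeners.get(pid, ()))})
    findings.sort(key=lambda f: -f["smtp_connections"])
    return findings


if __name__ == "__main__":
    for f in find_smtp_senders(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']} ({f['image']}, {f['services']}): {f['smtp_connections']} "
              f"SMTP connections, listening on {f['listening_ports']}")
```

On a live XP box the two samples would be replaced by the captured output of `netstat -ano` and `tasklist /svc`; a hit on a svchost PID points at the hosted service group or injected code, not at the svchost.exe file itself.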

#6 m0le (Malware Response Team, London, UK)

Posted 01 February 2010 - 06:06 PM

Hi erdgeist,

The svchost process you are singling out is a legitimate process but it may be being used by something malicious.

The RootRepeal log is flagging a system file known to be used by a rootkit so let's see if this is the case here.

Please download ComboFix from one of these locations. IMPORTANT: save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
m0le is a proud member of UNITE

#7 erdgeist

erdgeist
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 01 February 2010 - 08:03 PM

ComboFix finished successfully. Unfortunately it uninstalled my F-Secure Internet Security :(
I attached the logfile here.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 AM

Posted 01 February 2010 - 08:16 PM

Not sure why it did that. Did you disable it before running Combofix?

It didn't remove anything major and there's certainly no evidence of anything such as a rootkit here.


Let's double check rootkits with Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Then please run MBAM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Let me know if port 25 suddenly kicks in again. :(
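
The gmer.log that these steps save is a fixed-width text file, and the part worth reading is the "Kernel code sections" block, where every inline JMP hook is attributed to the driver that owns the jump target. The reader below is an added example, not part of this thread and not GMER's own code: it groups the hooks by owning module and lists the owners GMER printed without a vendor description, since a hook into ntkrnlpa or NDIS from a nameless module is the footprint a kernel rootkit leaves, while hooks from a named security product driver (here F-Secure's fsdfw.sys) are expected. The sample log is constructed in the format GMER 1.0.15 writes; the unknowndrv.sys line and its addresses are placeholders.

```python
"""Offline reader for a saved gmer.log (added example, not the thread's or GMER's code).

Parses the 'Kernel code sections' hook lines and the 'Devices' lines, groups
inline JMP hooks by the module that owns the jump target and flags owners that
carry no vendor description in parentheses.
"""
import re
from collections import defaultdict

# e.g. PAGENDSP  NDIS.SYS!NdisSend  B7D31986 5 Bytes  JMP B7D5258C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<target>\S+?!\S+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<size>\d+) Bytes\s+JMP (?P<dest>[0-9A-F]{8})\s+(?P<owner>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)
# e.g. AttachedDevice  \Driver\Tcpip \Device\Tcp  nltdi.sys (NetLimiter Driver/Locktime Software)
DEVICE_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\\Driver\\\S+)\s+"
    r"(?P<device>\\Device\\\S+)\s+(?P<owner>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Constructed sample in GMER 1.0.15 layout; the unknowndrv.sys hook and its
# addresses are placeholders, not values from any real scan.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 03:06:35
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

PAGE            ntkrnlpa.exe!IoCreateDevice        805758EE 5 Bytes  JMP B7D50FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisSend                  B7D31986 5 Bytes  JMP B7D5258C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisSendPackets           B7D319A3 5 Bytes  JMP B7D5265E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGE            ntkrnlpa.exe!NtQueryDirectoryFile  80574E6C 5 Bytes  JMP B2F00120 unknowndrv.sys
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB7000380, 0x3CDF45, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device          \Driver\Tcpip \Device\Tcp          fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp          nltdi.sys (NetLimiter Driver/Locktime Software)
"""


def parse_gmer(text):
    """Split a gmer.log into hook records and device records (lists of dicts)."""
    hooks, devices = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(m.groupdict())
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(m.groupdict())
    return hooks, devices


def triage_gmer(text):
    """Hooked targets per owning module, plus owners GMER could not name a vendor for."""
    hooks, devices = parse_gmer(text)
    by_owner = defaultdict(list)
    for h in hooks:
        by_owner[h["owner"]].append(h["target"])
    # An owner with no "(description)" is either an unsigned third-party driver
    # or something GMER could not identify; both deserve a closer look.
    nameless = sorted({e["owner"] for e in hooks + devices if not e["desc"]})
    return {"hooks_by_owner": dict(by_owner), "devices": devices, "nameless_owners": nameless}


if __name__ == "__main__":
    result = triage_gmer(SAMPLE_LOG)
    for owner, targets in result["hooks_by_owner"].items():
        print(f"{owner}: hooks {', '.join(targets)}")
    print("owners without vendor description:", result["nameless_owners"])
```

Run it against a real gmer.log by reading the file into triage_gmer; a log where every hook owner is a named security product driver, as in this thread, is the "no rootkit" reading the user reached by eye.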

#9 erdgeist

erdgeist
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 01 February 2010 - 10:13 PM

OK, I don't know why, but the traffic on port 25 seems to be gone.
Now the malware starts to show a different behaviour:
I opened the task manager and recognized 2 processes each consuming nearly 50% CPU:
"wuauctl.exe" and "rundll32.exe" which produces a lot of I/O (write) activity.
The system crashed several times after not killing rundll32.exe for too long. After 2 reboots the high CPU consumption of wuauctl.exe was gone.
As soon as I kill the rundll32.exe process CPU consumption of lsass.exe and helper.exe go up to 50%.

I inspected the rundll32.exe further with Sysinternals Process Explorer and found it to be serwvdrv32.dll which gets loaded as a windows service.

Running Malwarebytes Anti-Malware was able to detect and delete it successfully. It also deleted Malware from an old system restore point.


GMER found no rootkit as far as I can see:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 03:06:35
Windows 5.1.2600 Service Pack 3
Running: d7tnkw0x.exe; Driver: C:\DOKUME~1\rdg\LOKALE~1\Temp\pgtdapow.sys

---- System - GMER 1.0.15 ----

Code            fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)   IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

PAGE            ntkrnlpa.exe!IoCreateDevice        805758EE 5 Bytes  JMP B7D50FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP        NDIS.SYS!NdisRegisterProtocol      B7D2117F 5 Bytes  JMP B7D50E0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP        NDIS.SYS!NdisOpenAdapter           B7D21399 5 Bytes  JMP B7D51394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP        NDIS.SYS!NdisCloseAdapter          B7D2B642 5 Bytes  JMP B7D50F18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP        NDIS.SYS!NdisDeregisterProtocol    B7D2B821 5 Bytes  JMP B7D511B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisReturnPackets         B7D2E810 5 Bytes  JMP B7D51C0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisRequest               B7D2E97B 5 Bytes  JMP B7D515AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisSend                  B7D31986 5 Bytes  JMP B7D5258C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisSendPackets           B7D319A3 5 Bytes  JMP B7D5265E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP        NDIS.SYS!NdisTransferData          B7D319BE 5 Bytes  JMP B7D51D0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO        NDIS.SYS!NdisCoCreateVc            B7D38186 5 Bytes  JMP B7D50E76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO        NDIS.SYS!NdisCoDeleteVc            B7D39557 5 Bytes  JMP B7D50EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO        NDIS.SYS!NdisCoSendPackets         B7D39AF1 5 Bytes  JMP B7D52376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text           C:\WINDOWS\system32\DRIVERS\nv4_mini.sys   section is writeable [0xB7000380, 0x3CDF45, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device          \Driver\Tcpip \Device\Ip           fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip           nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\Tcpip \Device\Tcp          fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp          nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\Tcpip \Device\Udp          fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp          nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\Tcpip \Device\RawIp        fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp        nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\Tcpip \Device\IPMULTICAST  fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\VstPlugins\°sorted\Dynamik\Flux BitterSweetII.dll   1
Reg             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@ScheduledInstallDate   2010-02-02 02:00:00

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3675
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

02.02.2010 04:08:57
mbam-log-2010-02-02 (04-08-57).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 262321
Laufzeit: 55 minute(s), 11 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 5

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\WINDOWS\system32\serwvdrv32.dll (Trojan.Agent) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\System Volume Information\_restore{342CE59A-5166-41D1-81CE-16D1F87E7502}\RP1\A0000019.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{342CE59A-5166-41D1-81CE-16D1F87E7502}\RP1\A0000056.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{342CE59A-5166-41D1-81CE-16D1F87E7502}\RP1\A0000672.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{342CE59A-5166-41D1-81CE-16D1F87E7502}\RP1\A0000700.com (Adware.Swizzor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serwvdrv32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Thank you very much for the help m0le! I think the problem is solved now.
Now I'll just need to find out what installed the trojan :(
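
The triage in this thread was done by hand: spot the process with the outbound port-25 traffic, then work out which image and which hosted service sit behind that PID (a Windows host process such as svchost.exe or rundll32.exe has no business speaking SMTP, so a DLL loaded as a service inside one is the first thing to look at). The script below is an added example, not part of the thread and not from any of the tools named in it; it performs that join offline on the text that `netstat -ano` and `tasklist /svc` print on Windows XP. Both samples are constructed (documentation IP ranges, placeholder PIDs, and a placeholder service name "SuspectSvc" for the rundll32-hosted service), so it runs without a Windows host.

```python
"""Join 'netstat -ano' with 'tasklist /svc' to find processes sending SMTP.

Added example (not the thread's or any tool's code). The two sample outputs
are constructed in the XP layout of those commands.
"""
import re
from collections import defaultdict

SMTP_PORT = 25
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}
# Generic host processes; any SMTP from them is worth a look regardless of volume.
HOST_PROCESSES = {"svchost.exe", "rundll32.exe"}

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)
TASKLIST_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$")

# Constructed sample of 'netstat -ano' (addresses from documentation ranges).
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1042      203.0.113.7:25         SYN_SENT        1120
  TCP    192.168.1.10:1043      198.51.100.23:25       ESTABLISHED     1120
  TCP    192.168.1.10:1044      203.0.113.99:25        ESTABLISHED     1120
  TCP    192.168.1.10:1045      192.0.2.44:25          SYN_SENT        1120
  TCP    192.168.1.10:1060      198.51.100.8:25        ESTABLISHED     1320
  TCP    192.168.1.10:1201      198.51.100.5:443       ESTABLISHED     2204
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of 'tasklist /svc'; "SuspectSvc" is a placeholder name.
TASKLIST_SAMPLE = """Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    900 RpcSs
svchost.exe                   1120 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver
rundll32.exe                  1320 SuspectSvc
firefox.exe                   2204 N/A
"""


def remote_port(addr):
    """'203.0.113.7:25' -> 25 (also handles '[2001:db8::1]:25')."""
    return int(addr.rsplit(":", 1)[1])


def parse_netstat(text):
    """PID -> list of remote hosts for active TCP connections to port 25."""
    smtp = defaultdict(list)
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["state"] not in ACTIVE_STATES:
            continue
        if remote_port(m["remote"]) == SMTP_PORT:
            smtp[int(m["pid"])].append(m["remote"].rsplit(":", 1)[0])
    return dict(smtp)


def parse_tasklist(text):
    """PID -> (image name, [service names]); wrapped service lists are indented."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue
        if line[0].isspace() and last is not None:  # continuation of a long service list
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASKLIST_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        raw = m["services"]
        services = [] if raw == "N/A" else [s.strip() for s in raw.split(",") if s.strip()]
        procs[pid] = (m["image"], services)
        last = pid
    return procs


def triage(netstat_text, tasklist_text, threshold=3):
    """One finding per PID with SMTP traffic; 'flagged' marks host processes or
    anything talking to at least `threshold` distinct remote mail servers."""
    smtp = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    findings = []
    for pid, remotes in sorted(smtp.items()):
        image, services = procs.get(pid, ("<unknown>", []))
        distinct = sorted(set(remotes))
        findings.append({
            "pid": pid, "image": image, "services": services,
            "connections": len(remotes), "remote_hosts": distinct,
            "flagged": image.lower() in HOST_PROCESSES or len(distinct) >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        mark = "!!" if f["flagged"] else "  "
        print(f"{mark} pid {f['pid']} {f['image']} smtp={f['connections']} "
              f"services={','.join(f['services']) or '-'}")
```

On a live XP box, redirect `netstat -ano` and `tasklist /svc` to files and feed their contents to triage; the flagged PID's service names are what to look up under HKLM\SYSTEM\CurrentControlSet\Services to find the DLL behind it, which is the step the user did with Process Explorer.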

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 AM

Posted 02 February 2010 - 04:58 PM

Now I'll just need to find out what installed the trojan



That's the next step... :(

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
The infector is usually a disguised file and usually gets rooted out by a scan such as this.

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 AM

Posted 04 February 2010 - 08:27 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#12 erdgeist

erdgeist
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:24 AM

Posted 05 February 2010 - 07:58 PM

Hi m0le,
please excuse the delayed answer. I had no free minute to finish this the last days.
Thanks to your support I think the problem is solved now.

I finished the online scan but unfortunately was unable to save the results. It didn't detect any additional threats so it seems like I no longer have the source of the infection on my harddisk. I forwarded the detected sample to F-Secure and they released an update some hours ago which added it as Trojan:W32/Agent.NGH to their database. A 2nd complete system scan still didn't find anything. My firewall logs didn't show any unwanted connections in the past days and there was no additional sign of malware on my computer.

Thanks again for all your efforts.
Have a great time,
rdg

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 AM

Posted 05 February 2010 - 09:08 PM

I hope you haven't gone just yet because you still need to clean up and permanently remove anything that is quarantined or dormant.


You're clean. Good stuff! :(

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it erdgeist, happy surfing!

Cheers.

m0le

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:24 AM

Posted 11 February 2010 - 04:27 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
