Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Security Tool has installed a trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 epeeist04

epeeist04

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 26 December 2009 - 05:18 PM

Security Tool downloaded and installed itself from a hijacked site I visited. I have mostly gotten rid of it and the other things it downloaded, but there is still something lingering and I can't get rid of it, and so if I connect to the internet Security Tool downloads itself again.

The worst thing is a file called zwfge.sys that installs very early in the boot process (even in safe mode) and cannot be removed. A google search gives zero results for that file so I assume it is a randomly generated name. I can see where it is called out in the registry but I can't modify or delete the key since it always says they are in use. The CDROM drive on this system is broken, and it is too old to allow a USB boot drive, so I can't boot an Ubuntu Live CD or anything else that might prevent zwfge.sys from starting. I have the infected PC removed from the network and I am moving files to and from it with a thumbdrive (to a linux system so it can't be infected from the thumbdrive).

Here are my logs: (I also attached GMER.log since it is so short and shows the zwfge.sys tagged as a rootkit)



DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by Administrator at 16:57:54.95 on Thu 12/24/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.751 [GMT -8:00]



AV: avast! antivirus 4.8.1368 [VPS 091222-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}



============== Running Processes ===============



C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Administrator.ANGELA-PC\Local Settings\Temporary Internet Files\Content.IE5\K6IB4MG4\dds[1].scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser

uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop&parm1=seconduser

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto

uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer

uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

uRunOnce: [NeroHomeFirstStart] c:\program files\common files\ahead\lib\NMFirstStart.exe

mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [nwiz] nwiz.exe /install

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

LSA: Notification Packages = scecli kbcmc10.dll

Hosts: 78.159.110.53 www.google.com

Hosts: 78.159.110.53 www.google.de

Hosts: 78.159.110.53 www.google.fr

Hosts: 78.159.110.53 www.google.co.uk

Hosts: 78.159.110.53 www.google.com.br



Note: multiple HOSTS entries found. Please refer to Attach.txt



================= FIREFOX ===================



FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}



============= SERVICES / DRIVERS ===============



S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-12-22 114768]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-12-22 20560]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-22 138680]

S2 drhard;drhard;c:\windows\system32\drivers\drhard.sys [2009-10-20 23600]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-22 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-22 352920]



=============== Created Last 30 ================



2009-12-24 22:47:38 0 d-----w- c:\docume~1\admini~1.ang\applic~1\Malwarebytes

2009-12-22 05:51:07 0 d-----w- c:\program files\Trend Micro

2009-12-21 18:31:16 704512 ----a-w- c:\windows\system32\drivers\zwfge.sys

2009-12-21 18:31:08 142 ----a-w- c:\windows\system32\fjhdyfhsn.bat

2009-12-19 08:44:08 446464 ----a-w- c:\windows\system32\nvudisp.exe

2009-12-19 08:44:08 186407 ----a-w- c:\windows\system32\nvapps.xml

2009-12-19 08:44:08 18070 ----a-w- c:\windows\system32\nvdisp.nvu

2009-12-19 08:43:47 446464 ----a-w- c:\windows\system32\NVUNINST.EXE

2009-12-19 08:43:34 0 d-----w- C:\NVIDIA

2009-12-19 08:39:16 0 d-----w- c:\program files\Driver Cleaner Pro

2009-12-19 08:33:25 0 d-----w- c:\docume~1\admini~1.ang\applic~1\Symantec

2009-12-19 07:58:08 0 d-----w- c:\windows\NV40204032.TMP

2009-12-19 07:24:59 21533 ----a-w- c:\windows\system32\dllcache\cpqndis5.sys

2009-12-19 07:23:50 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys

2009-12-19 07:22:55 97354 ----a-w- c:\windows\system32\dllcache\aspndis3.sys

2009-12-19 06:39:23 0 d-----w- c:\program files\sisagp

2009-12-19 05:57:41 10 ----a-w- c:\windows\WININIT.INI

2009-12-02 17:49:37 0 d-----w- c:\program files\MediaMonkey

2009-12-02 05:05:32 0 d-----w- c:\program files\JRE

2009-12-02 05:05:02 0 d-----w- c:\program files\OpenOffice.org 3



==================== Find3M ====================



2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-04 00:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 05:00:47 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-28 14:36:11 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe

2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2009-10-28 06:54:16 634632 ----a-w- c:\windows\system32\dllcache\iexplore.exe

2009-10-28 06:52:46 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll

2005-12-02 06:48:12 22 --sha-w- c:\windows\sminst\HPCD.sys



============= FINISH: 16:58:57.93 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 epeeist04

epeeist04
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:53 AM

Posted 30 December 2009 - 03:03 PM

This was nasty. In the end I got a new CD drive and used an Ubuntu LiveCD to delete the zwfge.sys file. I am still trying to get the computer fully clean, but the worst is gone. You can close this topic.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,203 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:53 PM

Posted 06 January 2010 - 04:03 PM

Closed upon users request.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users