Possible PoisonIvy Thread...Help needed!


This topic is locked

#1 s0m30ne

Posted 01 January 2010 - 05:40 AM

Hello all..

Ok. Here is my issue briefed out.

1. I see multiple instances of "firefox.exe" running in Task Manager.

2. Even if I close them, they restart.

3. I also see multiple instances of "server.exe". It was not there earlier.

4. I have scanned my PC, particularly the Mozilla Firefox folder, but the trojan seems to be untraceable.



Here are my scans:

DDS.txt
DDS (Ver_09-12-01.01) - FAT32x86
Run by KARAN at 15:42:47.51 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1215.784 [GMT 5.5:30]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Documents and Settings\KARAN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://in.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://in.search.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = 208.98.45.25:51499
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://in.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://in.search.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {12F02779-6D88-4958-8AD3-83C12D86ADC7} - No File
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: {68f17a93-fc78-4565-8bb4-04105d1725cc} - No File
TB: {4fe8e2eb-f905-45a9-8de9-9ad2f228ccc9} - No File
TB: {4E7BD74F-2B8D-469E-84BA-B830E8D4E122} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [HKCU] c:\windows\system32\install\server.exe
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [HKLM] c:\windows\system32\install\server.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [<NO NAME>]
uExplorerRun: [Policies] c:\windows\system32\install\server.exe
mExplorerRun: [<NO NAME>] 1 (0x1)
mExplorerRun: [Policies] c:\windows\system32\install\server.exe
uPolicies-explorer: Hidden = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZCYYYYYYYYIN
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPAGER.EXE
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC}
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {6AC1D629-AB9D-48FF-92E2-351C936F2A3B} = 59.179.243.70,203.94.243.70
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: xxyyvVnM - xxyyvVnM.dll
AppInit_DLLs: c:\windows\system32\cssdll32.dll
SSODL: PrxMon - {3c03bc94-0c6c-4c90-b362-c7d531dd32d5} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {e1adb94e-0dc6-487c-b274-981bee6301a1} - No File
SEH: {84C53226-C282-41FE-A4B4-8F05CC5EC24B} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJCVmjI
mASetup: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\system32\install\server.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karan\applic~1\mozilla\firefox\profiles\fgn6hp3n.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\karan\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\karan\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM1.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM2.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM4.dll
FF - plugin: c:\program files\opera\program\plugins\NP_IDM5.dll
FF - plugin: c:\program files\opera\program\plugins\nppdf32.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 RemoveAny;RemoveAny driver;c:\windows\system32\drivers\RemoveAny.sys [2008-6-9 11008]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-8-25 149352]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-8-25 149352]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-8-25 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-15 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091231.041\NAVENG.SYS [2010-1-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091231.041\NAVEX15.SYS [2010-1-1 1323568]
R3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-9-7 1251720]
S2 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\karan\locals~1\temp\cdrmkaun.sys --> c:\docume~1\karan\locals~1\temp\cdrmkaun.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-30 23888]
S3 spvads;SoundPlane Audio Device (S);c:\windows\system32\drivers\spvads.sys [2009-12-16 48128]

=============== Created Last 30 ================

2009-12-31 08:08:11 0 d-sh--w- c:\docume~1\karan\applic~1\.#
2009-12-31 08:08:05 0 d-----w- c:\program files\The Action Machine
2009-12-31 08:04:36 0 d-----w- c:\program files\Keyword Expert
2009-12-31 07:45:25 0 d-----w- c:\program files\Blog Warrior
2009-12-26 13:52:14 0 d-----w- c:\program files\Siber Systems
2009-12-24 11:43:21 0 d-sh--w- c:\documents and settings\karan\PrivacIE
2009-12-23 09:05:52 0 d-sh--w- c:\documents and settings\karan\IETldCache
2009-12-23 08:24:54 0 d--h--w- c:\windows\ie8
2009-12-22 14:31:52 0 d-----w- c:\program files\SENuke
2009-12-22 1400 0 d-----w- c:\docume~1\karan\applic~1\Launchy
2009-12-22 14:03:00 0 d-----w- c:\documents and settings\karan\.freemind
2009-12-22 14:02:51 0 d-----w- c:\program files\FreeMind
2009-12-20 12:43:42 0 d-----w- c:\program files\TBS Cover Editor
2009-12-18 07:20:18 0 d-----w- c:\program files\Power Article Rewriter
2009-12-16 04:03:28 77824 ----a-w- c:\windows\system32\xvid.ax
2009-12-16 04:03:27 0 d-----w- c:\program files\Xvid
2009-12-16 04:03:08 48128 ----a-w- c:\windows\system32\drivers\spvads.sys
2009-12-15 14:57:02 0 d-----w- c:\docume~1\karan\applic~1\GetRightToGo
2009-12-15 10:34:36 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-12-15 10:34:34 0 d-----w- c:\windows\system32\QuickTime
2009-12-15 10:33:52 0 d-----w- c:\program files\common files\TechSmith Shared
2009-12-15 10:24:08 0 d-----w- c:\docume~1\karan\applic~1\Artisteer
2009-12-15 07:41:34 0 d-----w- c:\program files\Micro Niche Finder
2009-12-13 12:17:24 360320 ----a-w- c:\windows\system32\drivers\tcpip.copy
2009-12-13 01:53:16 0 d-sh--w- C:\FOUND.026
2009-12-12 12:55:56 0 d-----w- c:\docume~1\karan\applic~1\mIRC
2009-12-12 10:18:56 152 ----a-w- c:\documents and settings\karan\act13F8.tmp
2009-12-11 10:49:51 73728 ----a-w- c:\windows\system32\GkSui18.EXE
2009-12-11 10:49:50 0 d-----w- c:\program files\RankEnhancer
2009-12-11 10:40:35 0 d-----w- c:\program files\Accessdiver
2009-12-10 10:03:42 58 ----a-w- c:\windows\system32\DonationCoder_ScreenshotCaptor_InstallInfo.dat
2009-12-10 10:03:42 0 d-----w- c:\docume~1\karan\applic~1\DonationCoder
2009-12-10 10:03:20 0 d-----w- c:\docume~1\alluse~1\applic~1\DonationCoder
2009-12-10 10:03:19 0 d-----w- c:\program files\ScreenshotCaptor
2009-12-06 11:14:21 0 d-----w- c:\documents and settings\all users\Micro Niche Finder Service
2009-12-06 11:14:21 0 d-----w- c:\documents and settings\all users\Micro Niche Finder
2009-12-06 11:14:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Micro Niche Finder

==================== Find3M ====================

2010-01-01 10:13:02 80681990 ----a-w- c:\windows\system32\drivers\RemoveAny.log
2010-01-01 10:12:58 169880 ---ha-w- c:\docume~1\karan\applic~1\logs.dat
2009-12-18 03:34:44 11690 ----a-w- c:\windows\system32\KGyGaAvL.sys
2009-12-13 12:17:48 360320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-12-07 07:13:24 279560 ----a-w- c:\docume~1\karan\applic~1\GDIPFONTCACHEV1.DAT
2009-11-30 06:28:04 279560 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-10 11:38:54 336 ----a-w- c:\docume~1\karan\applic~1\settings.dat
2009-11-09 09:21:24 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-20 15:14:14 2320128 ----a-w- c:\windows\system32\TUKernel.exe
2009-10-20 15:11:24 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-20 15:11:22 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2008-08-26 12:51:50 106 --sha-w- c:\program files\desktop.ini
2008-08-09 10:46:26 774144 ----a-w- c:\program files\RngInterstitial.dll
2008-03-13 11:12:48 381012 ----a-w- c:\program files\Uninstall Fun Web Products.dll
2008-01-07 06:50:48 4456448 ----a-w- c:\program files\data2.cab
2003-05-26 09:51:00 469568 ----a-w- c:\program files\data1.cab
2003-05-26 09:51:00 11961 ----a-w- c:\program files\data1.hdr
2008-06-18 07:25:48 56 --sh--r- c:\windows\system32\4D941EEF2F.sys
2006-02-12 15:21:34 494116 --sh--r- c:\windows\system32\install\server.exe
2006-03-11 19:50:12 1 --sha-r- c:\windows\directx\plugin.dat

============= FINISH: 15:43:45.67 ===============

Please help me!
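The DDS "Pseudo HJT Report" and "Find3M" sections in the post above carry the entries a malware-removal helper reads first: the same binary registered under several autostart locations, a Winlogon Notify package and AppInit_DLLs entry, an extra LSA authentication package, a system-wide proxy, and an Active Setup entry whose GUID is not even well-formed. As an added example (not part of the thread and not part of the DDS tool), the Python script below parses lines in the format DDS prints and flags them with generic heuristics. The sample lines are copied from the log above; the rule names, the "disguised value name" heuristic and the severity of each rule are my own assumptions, not a PoisonIvy signature.

```python
"""Triage of DDS report lines for common persistence indicators.

Added example, not code from the BleepingComputer thread or from DDS.
The heuristics are generic (redundant autostarts, unqualified Winlogon
Notify DLLs, extra LSA packages, AppInit_DLLs, proxy settings, malformed
Active Setup GUIDs, hidden+system executables); they are assumptions made
for illustration, not a signature for any particular malware family.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the DDS log in the post (ccApp is a
# benign control entry so the redundancy rule has something to ignore).
SAMPLE_LINES = [
    r"uInternet Settings,ProxyServer = 208.98.45.25:51499",
    r"uRun: [HKCU] c:\windows\system32\install\server.exe",
    r"mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe",
    r"mRun: [HKLM] c:\windows\system32\install\server.exe",
    r"uExplorerRun: [Policies] c:\windows\system32\install\server.exe",
    r"mExplorerRun: [Policies] c:\windows\system32\install\server.exe",
    r"Notify: xxyyvVnM - xxyyvVnM.dll",
    r"AppInit_DLLs: c:\windows\system32\cssdll32.dll",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\mlJCVmjI",
    r"mASetup: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\windows\system32\install\server.exe",
    r"2006-02-12 15:21:34 494116 --sh--r- c:\windows\system32\install\server.exe",
]


@dataclass
class Finding:
    rule: str      # short rule id (assumed naming, see lead-in)
    detail: str    # human-readable explanation
    line: str      # offending DDS line ("" for cross-line findings)


# DDS line shapes: u/m/d prefix = user/machine/default hive.
RUN_RE = re.compile(r"^[umd]?(?:Explorer)?Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<target>.+)$", re.I)
ASETUP_RE = re.compile(r"^mASetup: \{(?P<guid>[^}]+)\} - (?P<target>.+)$", re.I)
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$", re.I)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<proxy>\S+)", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>\S.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$", re.I)
# Find3M / Created lines: date time size attrs path, attrs like "--sh--r-".
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$", re.I)

# Value names that mimic a hive or policy key (heuristic, assumed here).
DISGUISED_NAMES = {"hkcu", "hklm", "policies"}
EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def triage(lines):
    """Return a list of Finding for the suspicious entries in DDS lines."""
    findings = []
    targets = defaultdict(list)  # lower-cased binary path -> autostart locations

    for raw in lines:
        line = raw.strip()
        if m := RUN_RE.match(line):
            location = line.split(":", 1)[0]          # e.g. "uRun", "mExplorerRun"
            targets[m["target"].lower()].append(location)
            if m["name"].lower() in DISGUISED_NAMES:
                findings.append(Finding("autostart-disguised-name",
                                        f"value name '{m['name']}' mimics a hive/policy key", line))
        elif m := ASETUP_RE.match(line):
            targets[m["target"].lower()].append("mASetup")
            if not GUID_RE.match(m["guid"]):
                findings.append(Finding("active-setup-bad-guid",
                                        f"'{m['guid']}' contains non-hex characters", line))
        elif m := LSA_RE.match(line):
            extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
            if extra:  # only msv1_0 is expected on a default XP box
                findings.append(Finding("lsa-extra-auth-package", ", ".join(extra), line))
        elif m := PROXY_RE.match(line):
            findings.append(Finding("proxy-server-set", f"IE traffic routed via {m['proxy']}", line))
        elif m := APPINIT_RE.match(line):
            findings.append(Finding("appinit-dlls-set", m["dlls"], line))
        elif m := NOTIFY_RE.match(line):
            if "\\" not in m["dll"]:  # bare filename: resolved via search path
                findings.append(Finding("winlogon-notify-unqualified", m["dll"], line))
        elif m := FILE_RE.match(line):
            attrs = m["attrs"].lower()
            if "s" in attrs and "h" in attrs and m["path"].lower().endswith(EXEC_SUFFIXES):
                findings.append(Finding("hidden-system-executable", m["path"], line))

    # Cross-line rule: one binary registered in several autostart locations.
    for target, locations in targets.items():
        if len(locations) > 1:
            findings.append(Finding("autostart-redundant",
                                    f"{target} registered in {len(locations)} locations: "
                                    + ", ".join(locations), ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.detail}")
```

Run against the sample it reports eleven findings, and the one that matters most for the poster's question is the redundancy rule: the same server.exe is wired into five autostart locations, which is why killing the processes does not help. Lines DDS prints that the regexes do not recognise (BHOs, toolbars, services) fall through untouched, so the script is safe to run over a whole report.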

#2 TheJoker

Posted 05 January 2010 - 05:54 AM

s0m30ne is already receiving help at SWI.

#3 Elise

Posted 05 January 2010 - 06:57 AM

You are already receiving help at SWI: http://www.spywareinfoforum.com/index.php?showtopic=127014

In order to avoid confusion, and make the best use of the limited amount of malware removal helpers and their own limited amount of time, this topic is closed. Please do not post in more than one forum, and if you have more topics open elsewhere, please ask that they be closed. Thank you for your cooperation and understanding.

Bleeping Computer Staff

regards, Elise
