
Infected: Trojan:Win32/Alureon.BT, Win32:Jifas-CY, Backdoor.Win32.Kbot.al, Net-Worm.Win32.Mytob.t


  • This topic is locked
5 replies to this topic

#1 eckoman

eckoman

  • Members
  • 35 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 17 January 2010 - 09:25 PM

Hello,

My computer became infected last night, and it's pretty bad. I became infected with Trojan:Win32/Alureon.BT, Win32:Jifas-CY, and the others listed (maybe more).

Long story short, I'd just watched Harry Potter on DVD, and logged onto the computer to see who he married in the end. I ended up at a Harry Potter encyclopedia website, and looked it up. Avast went nuts after a few minutes, and showed 4 different virus alerts, and Windows Defender showed 1 as well after I shut down.

The virus listed by Defender was Trojan:Win32/Alureon.BT.
Avast listed Win32:Jifas-CY, I didn't get the others in time.

The last 2 I listed in the title, a "security center alert" claimed it detected these programs trying to access the internet. It listed one more, but I didn't get its name in time.

I know Alureon is a downloader and backdoor for other viruses, and it basically shuts down security systems, which it's trying to do since windows now thinks I have no anti-virus installed.

All of these trojans are listed as "server" and "high risk." I'm not sure a rootkit didn't try to make its way in too.

EDIT: I wanted to add a few things in. First, I have XP SP3 set up with multiple accounts, one admin "owner" account and then 1 limited access "user" account. The viruses came in while the user account was logged on (I am not dumb enough to connect to the internet with an admin account). It seems the viruses were only able to infect the User side, due to its limited access. When I log into the Owner side, everything is fine, XP knows I have anti virus installed, and nothing is trying to access the internet and subsequently blocked by my firewall.

I ran DDS from the "User" side. I was NOT able to run the Rootkit program from that side. It kept crashing. My "Ark.txt" file was run from the non-infected owner side, so I am not sure if it's any good. I can reboot into "Administrator" in safe mode and try and run it. I will likely try and run Windows Defender and Avast in Safe Mode from the Admin Account tonight, to try and remove the virus. I think that if I do this, then transfer the "My Documents" folder to the S Drive (or a different place on the C Drive) from Safe Mode or a PE environment like BartPE or Ubuntu Live CD, and delete the "User" account, it should wipe all the registry entries and any remaining parts of the virus (since it only seems to be infecting the User account). Am I correct on this?


Here is my DDS.txt report



DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 6:14:21.18 on Sun 01/17/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1369 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\User\LOCALS~1\Temp\winhlp64.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SVCHOST.EXE] c:\windows\system32\drivers\svchost.exe
uRun: [cls_pack.exe] c:\docume~1\user\locals~1\temp\cls_pack.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QFan Help] "c:\program files\asus\ai suite\qfan3\QFanHelp.exe"
mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\9dvxgx4n.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-10 150568]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-23 114768]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-10-23 10872]
R2 57xx SteelVine Manager;57xx SteelVine;c:\program files\asus\drive xpert\SteelVine.exe [2008-5-29 1286144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-23 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-10-23 138680]
R2 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-10-23 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-10-23 352920]

=============== Created Last 30 ================

2010-01-12 03:32:24 7611 ----a-w- c:\documents and settings\user\.recently-used.xbel
2010-01-07 09:26:31 0 d-----w- c:\program files\DVDFab 6
2010-01-05 01:52:45 0 d-----w- c:\program files\AviSynth 2.5
2010-01-05 00:40:43 0 d-----w- C:\.multiTH
2010-01-05 00:37:55 0 d-----w- c:\program files\multiAVCHD
2010-01-03 09:57:05 0 d-----w- c:\program files\Ifoedit0971
2010-01-02 08:52:27 0 d-----w- c:\program files\MediaInfo
2009-12-31 11:58:44 0 d-----w- c:\program files\Team MediaPortal
2009-12-31 10:49:16 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-31 09:10:49 0 d-----w- C:\eog
2009-12-31 09:10:03 0 d-----w- C:\xmltv.org
2009-12-30 23:45:31 0 d-----w- c:\program files\Devnz
2009-12-30 09:07:08 15232 ----a-w- c:\windows\system32\drivers\MPE.sys
2009-12-30 09:07:03 10880 ----a-w- c:\windows\system32\drivers\NdisIP.sys
2009-12-30 09:07:02 15232 ----a-w- c:\windows\system32\drivers\StreamIP.sys
2009-12-30 09:07:01 16384 ----a-w- c:\windows\system32\ipsink.ax
2009-12-30 09:06:20 0 d-----w- c:\program files\ATI
2009-12-30 09:05:56 0 d-----w- c:\program files\ATI Technologies
2009-12-30 08:54:37 1571115 ----a-w- c:\windows\system32\drivers\CTRLT511.s3
2009-12-30 08:24:58 0 d-----w- c:\program files\MSXML 6.0
2009-12-30 08:23:31 0 d-----w- c:\program files\Microsoft SQL Server
2009-12-30 08:22:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Team MediaPortal
2009-12-30 08:11:13 0 d-----w- c:\windows\system32\NtmsData
2009-12-29 05:32:02 0 d-----w- c:\temp\Office FrontPage 2003 (English)
2009-12-29 04:01:57 0 d-----w- c:\temp\MapPoint 2004 North America - Setup Disc (English)
2009-12-29 03:40:10 0 d-----w- c:\temp\MapPoint 2004 North America - Run Disc (English)
2009-12-29 03:07:07 0 d-----w- c:\temp\Windows 7 Professional (x64) - DVD (English)
2009-12-23 06:30:49 0 d-----w- c:\program files\DVD Shrink

==================== Find3M ====================

2010-01-07 09:26:40 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-11-07 16:59:43 70984 ----a-w- c:\documents and settings\user\g2mdlhlpx.exe
2009-11-03 04:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2006-06-24 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 6:14:38.20 ===============

I didn't run a Kaspersky online scan, as I am reluctant to go online for anything at all with this infection. I only went online to download the 2 programs mentioned in the prep guide. I am online for this post here via an Ubuntu 9.10 live CD.

I figured I'd come here and see if you guys could help clear it out or offer advice.

I thought about cleaning it out, transferring files to the S Drive, and using something like DBAN to nuke the C drive, and then do a fresh re-install with Windows 7 Pro 64 Bit or XP Pro 32 Bit instead of keeping XP Home (I have fully licensed copies of both, and like the added control pro offers).

I have 2 drives, the C:/ drive and an internal drive for storage. The storage drive has no boot sections or anything, it was formatted so it can only be storage. I had that drive connected when the infection came in. I think that drive should still be clean. However, I didn't get all my video, pictures, word, access, and excel files transferred before the computer got infected. I am under the impression that if I clean it up as stated above (and with the help of you guys), and I then transfer those files to the internal sata storage drive, then disconnect it and wipe the C Drive, those files should be clean.

Also, through the Microsoft Student Discount Network at the college, I recently downloaded an ISO of Windows 7 and a product key. I never got to burn the disc .ISO before a virus infected the computer (I got lazy). Is it possible the .ISO is infected? I don't think it is, but wanted to ask.

I talked to a computer security buddy in the air force, and he thought the .ISO files, word, access, excel, .pdf, pictures, music and videos in the my document folder should be clean, and I should drag them to the s drive from a pre-install cd like BartPE or Ubuntu (live cd), then un-plug the internal storage drive and wipe the c drive and re-install a clean Pro Version of the OS.

Even if I end up wiping and installing XP Pro or 7 Pro, I'd rather clean the infection out first, so I can back up the rest of the files from a clean system.


Thanks

Attached Files

  • Attached File  ark.txt   4.1KB   8 downloads

Edited by eckoman, 17 January 2010 - 11:46 PM.




#2 eckoman

eckoman
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 20 January 2010 - 06:41 AM

Hello again.

I booted into Safe Mode and ran an Avast scan (which took forever) and it was a waste of time. The stupid thing found nothing wrong, and said the system was clean (which is the opposite of what it says when you log into the limited user account). The computer (and especially that account at least) is definitely infected. Could the viruses be hiding themselves when in safe mode?

Should I scan from a Pre-install environment like BartPE? Or from the Regular "Owner" Admin account? I waited 2 days for the stupid program to scan 700gb (painfully slow for a quad core, though to be expected in safe mode), and it was useless.

Other than running Windows Defender (which I'm doing now), and maybe trying MBAM, I'm not sure what to do. I'm not expert enough to dive into programs like OTViewIT and Combofix, so I'll need help here. Please, ANY HELP is appreciated. I would rather NOT wipe the drive and reinstall the whole system, but I need to get this figured out.

Does no one have any ideas???



#3 eckoman

eckoman
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 20 January 2010 - 01:49 PM

Update:

Well, the Windows Defender scan in Safe Mode decided nothing is wrong also...

However, log into the "User" limited user account, and both Windows Defender and Avast go nuts with Virus warnings, and my Windows Firewall warns of attempted outbound connections, so something IS there. When you click remove though, they don't remove anything...it's there with the same warnings and issues next time you log into that account.

Another problem, they are not telling me where the infection is hiding (file path wise), so I'm not sure where to go look to manually sniff it down. I tried to look up the names and where it likes to hide, but I came up empty handed.

I'm not sure if I should run Defender and Avast! in the limited account mode, since it won't be able to delete what it finds (especially since it's running). That computer is at a crippled standstill until I figure this out.

Could it be a rootkit, that is only able to run under that account? I'm reluctant to even back up the music, video, picture, and document files on that side of the computer until I get some advice and have an idea of what's going on.

Any help and advice is appreciated!

UPDATE

PLEASE CLOSE THIS THREAD!! The real culprit has been found, and a new thread has been created.

Here is a link to the new thread: cls_pack.exe and winhlp64.exe trojan + possible TDSS/HRSRT8 rootkit

Merged topics. ~ OB

Edited by Orange Blossom, 20 January 2010 - 07:15 PM.


#4 eckoman

eckoman
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:08:43 PM

Posted 20 January 2010 - 03:30 PM

Title was: cls_pack.exe and winhlp64.exe trojan + possible TDSS/HRSRT8 rootkit ~ OB

Hello all,

I have another thread in here, but disregard it, as I now know the exact problem. Merged topics for the sake of continuity and to avoid confusion. ~ OB

Some further research revealed the real culprits. I was infected with the cls_pack.exe and winhlp64.exe trojan + possibly the TDSS rootkit (related to it) late Saturday night or early Sunday morning. The infection seems to be limited to the "limited user" account that was running when it happened, but I can't be sure. It seems to hide itself very well. Safe Mode came up empty, which was my clue it was bad. I suspect the rootkit too, as this would explain why nothing shows up.

I sniffed it out using a Linux Live CD so the OS never loaded, after even safe mode was coming up empty. I found the 2 suspect files in the documents and settings/user/local/temp folder, and a quick search revealed my suspicion was correct. These files are the virus that has been infecting the system, and everything that's been happening is exactly what it says they will do.

The complete file paths to the infected files are
c:/documentsandsettings/user/local/temp/cls_pack.exe
c:/documentsandsettings/user/local/temp/winhlp64.exe

It appears most anti virus programs miss it, as a report I read while researching it stated that out of F-Secure, Kaspersky, McAfee, Microsoft, NOD32 and Symantec, only F-Secure even thought there was a virus (which it labeled "Suspicious:W32/Malware!Gemini").

I looked back over the rootkit report and the DDS report attached to my other thread, and they aren't much help, which is no surprise based on what I read.

Here is info I found on this virus

Installation
When the program is executed, it creates the following registry subkeys and values:

-----------------------
Keys deleted: 1
-----------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew

-----------------------
Keys added: 2
-----------------------
HKLM\SOFTWARE\Malware Defense
HKCU\Software\Mozilla

-----------------------
Values added: 4
-----------------------
HKCU\Software\eee0bd2f-ff2e-46ef-83fb-d4fda84462a3: ""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cls_pack.exe: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cls_pack.exe"
HKCU\Software\Mozilla\itime: 50 81 C1 9F 05 97 CA 01
HKCU\Software\Mozilla\ver: "2.0"

-----------------------
Values modified: 4
-----------------------
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 000000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 000000000
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 000000002
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 000000004

-----------------------
Files added: 3
-----------------------
C:\Documents and Settings\Administrator\Local Settings\Temp\cls_pack.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Installer.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\winhlp64.exe

-----------------------
Files deleted: 1
-----------------------
C:\sand-box\setup.exe

-----------------------
Total changes: 15
-----------------------

-------------------------------------------------------------------------------
Internet activity:

HTTP GET hxxp://thrownout.cn/readdatagateway.php?type=stats&affid=139&subid=1&version=2.0&adwareok

-------------------------------------------------------------------------------
Detected by UnHackMe:

Item Name: cls_pack.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cls_pack.exe
Type: Registry Run

Item Name: cls_pack.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\CLS_PACK.EXE
Type: Running Processes

Item Name: winhlp64.exe
Author: Microsoft Corporation
Related File: C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMP\WINHLP64.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

The following website mentions that this virus downloads the H8SRT trojan (a new version of the TDSS trojan, also known as Rootkit.TDSS). While reading, it stated this specific trojan blocks anti-virus programs from running, including MBAM. I tried looking for the listed entries manually while running from a Live CD, and I didn't see them. However, I DID see two H8SRT files in the c:/documentsandsettings/user/local/temp folder, so it at the very least DID try to install and run (whether it succeeded or failed, I am not sure at this point).

The two files are H8SRT7c6a.tmp and H8SRT7d25.tmp

I could not find the drivers or services associated with this rootkit when I manually searched for them in the System32 folder using a Live CD, so I am not sure if this rootkit installed, or if the fact it came in under a "limited user" account limited it to that account only by denying system access.

Maybe it's possible, as I just said, this rootkit was not installed, since I'm guessing the system drivers are not accessible under a limited user account (and since all the other accounts on the computer work fine).

I realize this clean-up is severe, and will likely require me to either clean it up manually from a Live CD, or to remove the HDD, hook it up to a second computer, and then clean it up from there. Once we seem to have sniffed everything out and it's gone, I would like help confirming this virus and rootkit (if it even installed) are gone, and that the registry is clean.

A website talking about the cls_pack.exe and winhlp64.exe trojan mentioned this software to remove:

Recommended software:
UnHackMe anti-rootkit and anti-malware
hxxp://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
hxxp://www.regrun.com

Are these legit, or am I better off just continuing to hunt everything down manually (the manual method is the only reason I am this far).

If you want to view the DDS report, click this link for the other thread, but it's pretty useless. The Ark.txt file was pretty useless too, but it's there also. Please note, the DDS report was run under the infected account, but the anti rootkit program which generated the Ark report would NOT run under the limited user "User" account that was infected, so that report was run from the clean "owner" admin account.

If you need anything else or any more info, let me know, as I'll have to continue to sniff this out by either installing the HDD in another computer or a Live CD

http://www.bleepingcomputer.com/forums/ind...t&p=1587169

Help at this point is appreciated. I'll run, search and hard delete what you ask.

Thanks!!

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 20 January 2010 - 07:18 PM.
Deactivate links. ~ OB
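An added triage example, written for this edit and not code from the thread or from any tool named in it. It reads text in the shape of the DDS uRun/mRun lines from the first post and of the sandbox registry-change report quoted above, and flags the three things a defender would pull out of them: an autostart entry pointing into a Temp folder, a system binary name (svchost.exe) launched from a directory other than system32, and Security Center tampering (AntiVirusDisableNotify set to non-zero; the wscsvc service Start value changed to 4, which is SERVICE_DISABLED). The sample lines are constructed to mirror the thread's log and report; the regexes, heuristics and finding tags are this example's own assumptions.

```python
"""Flag suspicious autostart entries and Security Center tampering in
DDS-style log lines and sandbox-style registry change reports."""
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the DDS log in the first post (not the full log).
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [SVCHOST.EXE] c:\\windows\\system32\\drivers\\svchost.exe
uRun: [cls_pack.exe] c:\\docume~1\\user\\locals~1\\temp\\cls_pack.exe
mRun: [Six Engine] "c:\\program files\\asus\\six engine\\SixEngine.exe" -r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
"""

# Constructed sample lines, modelled on the sandbox registry report quoted in the thread.
SAMPLE_REG = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cls_pack.exe: "C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\cls_pack.exe"
HKCU\\Software\\Mozilla\\ver: "2.0"
HKLM\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify: 000000001
HKLM\\SYSTEM\\CurrentControlSet\\Services\\wscsvc\\Start: 000000004
"""

AUTOSTART_RE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
REG_RE = re.compile(r"^(?P<key>HK[A-Z]{2}\\[^:]+):\s*(?P<value>.*)$")

# Windows binaries that legitimately live only in %SystemRoot%\system32.
SYSTEM32_BINARIES = {"svchost.exe", "ctfmon.exe", "rundll32.exe", "lsass.exe", "services.exe"}


@dataclass(frozen=True)
class Finding:
    source: str  # the autostart entry or registry key that produced the finding
    item: str    # executable name or value name
    reason: str  # "temp-path", "wrong-directory", "av-notify-off" or "wscsvc-disabled"


def exe_path(cmd: str) -> str:
    """First .exe path in an autostart command, lower-cased, without quotes or arguments."""
    m = re.search(r'"?([^"]*?\.exe)', cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).strip().lower()


def check_autostart(label: str, cmd: str):
    """Apply the two path heuristics to one autostart command."""
    path = exe_path(cmd)
    base = path.rsplit("\\", 1)[-1]
    findings = []
    if re.search(r"\\temp\\", path):  # persistence from a user's Temp folder
        findings.append(Finding(label, base, "temp-path"))
    # A bare name (no backslash) is resolved via the system path; only judge qualified paths.
    if "\\" in path and base in SYSTEM32_BINARIES and not path.endswith("\\system32\\" + base):
        findings.append(Finding(label, base, "wrong-directory"))
    return findings


def scan_dds(text: str):
    """Run the autostart checks over the uRun/mRun/dRun lines of a DDS log."""
    findings = []
    for line in text.splitlines():
        m = AUTOSTART_RE.match(line.strip())
        if m:
            findings += check_autostart(m.group("hive") + ":" + m.group("name"), m.group("cmd"))
    return findings


def scan_registry_report(text: str):
    """Pick Run-key persistence and Security Center tampering out of 'key: value' lines."""
    findings = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip().strip('"')
        lkey = key.lower()
        if "\\currentversion\\run\\" in lkey:
            findings += check_autostart(key, value)
        elif "\\security center\\" in lkey and lkey.endswith("disablenotify") \
                and value.isdigit() and int(value) != 0:
            findings.append(Finding(key, key.rsplit("\\", 1)[-1], "av-notify-off"))
        elif lkey.endswith("\\services\\wscsvc\\start") and value.isdigit() and int(value) == 4:
            findings.append(Finding(key, "wscsvc", "wscsvc-disabled"))  # Start=4 is SERVICE_DISABLED
    return findings


def triage(dds_text: str, reg_text: str):
    return scan_dds(dds_text) + scan_registry_report(reg_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS, SAMPLE_REG):
        print(f"{f.reason:16} {f.item:24} <- {f.source}")
```

Run against the constructed samples it reports five findings: the svchost.exe copy under system32\drivers, cls_pack.exe launched from Temp (once from the DDS uRun line and once from the Run value in the report), the AntiVirusDisableNotify flip and the disabled wscsvc service. The legitimate ctfmon.exe, SixEngine.exe and rundll32 entries produce nothing, which is the point of restricting the directory check to fully qualified paths.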


#5 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:43 AM

Posted 24 January 2010 - 09:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:43 AM

Posted 29 January 2010 - 12:14 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



