
I think I'm still infected with 'Cutwail.F' Virus


  • This topic is locked
4 replies to this topic

#1 Simon.l

  • Members
  • 2 posts

Posted 21 January 2010 - 11:36 AM

First off, thanks a million to all the dedicated guys and girls out there who take the time to assist us lesser mortals with these problems. You're all amazing.

This PC got hit by a virus last week. The virus did its thing, then opened up the 'Internet Security 2010' program so I could remove it. How convenient! Right away I knew it was a problem and started googling for solutions, and came across you guys.

In a nutshell, this machine is sending out spam all the time, approx. 8,000 emails a day, and of course we are now blacklisted by everyone. I keep the PC off our LAN when I can, but it's a 'working PC' and I have to use it too.

I've checked the 'Sent' mail folder on this PC and it's pretty much empty, but if I check the Exchange server logs they are full of the same user sending multiple emails, mostly with the same subject line, to what I can gather are all the email addresses known to this user's (kathyp) Outlook profile.

We use MS Exchange Server 2003 as part of our SBS2003 installation. The SMTP connector is now queuing up with legitimate business email that can't be delivered because of our RBL status. Strangely enough, I don't see any of the emails seen in the Exchange log in the SMTP queues.

At the time of writing I have already run ComboFix (a few days ago). Yes, I now know that probably wasn't a good idea, but I've got to get this machine back onto our LAN ASAP. ComboFix found the Cutwail.F virus, and the Microsoft Malicious Software Removal Tool still keeps finding infected files.

Please help, and also let me know if it's safe to use ComboFix on my SBS2003 server, just in case the infection has spread.


DDS (Ver_09-12-01.01) - NTFSx86
Run by kathyp at 18:01:04.50 on 21/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1683 [GMT 2:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrvNT.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\GCardSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Gemplus\GemSafe Libraries User\BIN\RegTool.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\explorer.exe
D:\windows-kb890830-v3.3.exe
e:\831f7dfaab58aa20d30a38a5\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\KathyP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\kathyp\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AtiPTA] Atiptaxx.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [RegTool] "c:\program files\gemplus\gemsafe libraries user\bin\RegTool.exe"
mRun: [gemstrmw] c:\windows\system32\gemstrmw.exe /r
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
dPolicies-explorer: HideClock = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 GemSAFE Card Server;GemSAFE Card Server;c:\program files\gemplus\gemsafe libraries user\bin\GCardSrvNT.exe [2005-6-1 118784]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2001-12-21 303232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100120.005\naveng.sys [2010-1-21 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100120.005\navex15.sys [2010-1-21 1323568]
S3 GemSealP;GemSealP;c:\windows\system32\drivers\GemSealP.sys [2008-10-31 71936]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]

=============== Created Last 30 ================

2010-01-21 15:19:02 0 d-----w- C:\ComboFix
2010-01-19 13:44:02 0 d-sha-r- C:\cmdcons
2010-01-19 13:30:54 98816 ----a-w- c:\windows\sed.exe
2010-01-19 13:30:54 77312 ----a-w- c:\windows\MBR.exe
2010-01-19 13:30:54 261632 ----a-w- c:\windows\PEV.exe
2010-01-19 13:30:54 161792 ----a-w- c:\windows\SWREG.exe
2010-01-19 07:16:11 0 d-----w- c:\windows\pss
2010-01-15 07:50:36 0 d-----w- c:\docume~1\kathyp\applic~1\Malwarebytes
2010-01-15 07:50:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-15 07:50:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-15 07:50:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-15 07:50:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ------w- c:\windows\system32\corpol.dll

============= FINISH: 18:01:56.09 ===============




The 'RootRepeal' report was only run on my system drive as requested, although I do have 2 physical drives in this PC. Do you need the report from the other drive as well?

Thanks again

Simon
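The pattern Simon describes (one mailbox, thousands of messages a day, mostly the same subject, and an empty Sent Items folder while the server logs fill up) is exactly what per-sender volume checks over the mail server's own logs are good at surfacing. The script below is an added example, not code from the original post or from any BleepingComputer tool. It assumes a constructed, simplified tab-separated log layout (date, time, client-ip, sender-address, recipient-address, message-subject) loosely modelled on Exchange 2003 message tracking fields; a real tracking log has many more columns, so the FIELDS tuple would need adjusting. All addresses, IP addresses, subjects and thresholds in it are made up for the example.

```python
"""Flag spam-bot style sending in mail server logs: one sender pushing many
messages with a near-identical subject inside a single clock hour.

Added example. Log layout, sample records, addresses and thresholds are
constructed for illustration; they are not from the original post."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed simplified column layout; real Exchange 2003 tracking logs differ.
FIELDS = ("date", "time", "client_ip", "sender", "recipient", "subject")


def _bot_burst(sender, ip, start, n, subject):
    """Constructed sample rows: n messages from one sender, one every 7 s."""
    rows = []
    for i in range(n):
        ts = start + timedelta(seconds=7 * i)
        rows.append("\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
                               ip, sender, f"rcpt{i:03d}@example.net", subject]))
    return rows


# Constructed sample log: a 60-message burst from one workstation plus a few
# ordinary messages from a colleague for contrast.
SAMPLE_LOG = "\n".join(
    _bot_burst("kathyp@example.com", "192.168.1.57",
               datetime(2010, 1, 19, 9, 0, 1), 60, "Check this out!")
    + [
        "2010-01-19\t09:12:11\t192.168.1.23\tbob@example.com\tclient@example.org\tRe: invoice 4471",
        "2010-01-19\t09:45:00\t192.168.1.23\tbob@example.com\tjane@example.org\tLunch?",
        "2010-01-19\t10:02:30\t192.168.1.23\tbob@example.com\tteam@example.com\tRe: invoice 4471",
    ]
) + "\n"


def parse_log(text):
    """Parse tab-separated rows into dicts with a parsed 'ts' datetime.
    Blank lines, '#' comments and malformed rows are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def flag_spambot_senders(records, min_messages=50, min_subject_ratio=0.8):
    """Group messages per (sender, clock hour). A bucket is flagged when it
    holds at least min_messages and a single subject makes up at least
    min_subject_ratio of them. Returns {sender: evidence}; if a sender has
    several flagged hours the busiest one is kept."""
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["sender"], r["ts"].replace(minute=0, second=0))].append(r)

    findings = {}
    for (sender, hour), rows in buckets.items():
        if len(rows) < min_messages:
            continue
        subject, top = Counter(r["subject"] for r in rows).most_common(1)[0]
        ratio = top / len(rows)
        if ratio < min_subject_ratio:
            continue
        if sender in findings and findings[sender]["count"] >= len(rows):
            continue
        findings[sender] = {
            "hour": hour,
            "count": len(rows),
            # Which workstation spoke to the server: the box to pull off the LAN.
            "client_ips": sorted({r["client_ip"] for r in rows}),
            "top_subject": subject,
            "subject_ratio": ratio,
            "distinct_recipients": len({r["recipient"] for r in rows}),
        }
    return findings


if __name__ == "__main__":
    for sender, f in flag_spambot_senders(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {f['count']} msgs in hour starting {f['hour']:%H:%M} "
              f"from {', '.join(f['client_ips'])}; {f['subject_ratio']:.0%} share "
              f"subject {f['top_subject']!r}; "
              f"{f['distinct_recipients']} distinct recipients")
```

The client IP in the flagged bucket is the piece of evidence to act on first: it identifies the workstation to isolate regardless of which mailbox the bot is impersonating. A bot that talks SMTP to the connector directly never goes through Outlook, which is why Sent Items can stay empty while the server logs show thousands of messages. Thresholds should be tuned to the site's normal volume; a newsletter sender will legitimately trip a naive count, so the same-subject ratio and the distinct-recipient count are there to be read together rather than alone.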


#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 January 2010 - 01:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 Simon.l

  • Topic Starter
  • Members
  • 2 posts

Posted 28 January 2010 - 02:11 AM

Hi Schrauber,

Thanks for the response. I'm not in my office for the next couple of days, but will repost the logs next week.

I'm not sure if i have fixed the problem or not but here's what i have done so far:

I ran some scans using the Microsoft 'Live' scanning tools; these did pick up 5 problems with the PC, one of which was the Cutwail.F virus. The subsequent clean-up operation that these tools do afterwards, plus a reboot and rescan using the same tools, would make me think that the virus is now gone, although I did also change the user's password, so if the virus was authenticating to our SMTP connector using a password it had leeched, then the virus may still be on the PC, just unable to launch its payload!

We are no longer blacklisted and our Exchange server logs have returned to their normal size, so if the virus is still present then it is contained.

I will post the DDS logs for you early next week so you can confirm if the virus is dead or not.

Thanks again.

Simon

#4 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 28 January 2010 - 02:01 PM

OK
regards,
schrauber


#5 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 02 February 2010 - 01:13 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber
