
Possible Torpig infection/ebanking logger

38 replies to this topic

#1 djnaughtynick

• Members
• 21 posts

Posted 11 February 2010 - 07:52 PM

The user boopme instructed that I begin a thread here. Comments on my original thread can be viewed here: http://www.bleepingcomputer.com/forums/t/271188/rootkit/ starting at post 11. ~ OB

This infection was first brought to our attention when our ISP informed us that a machine in our network was displaying symptoms similar to that of a Torpig infection. I researched the infection and could not find a solution that resolved the computer issues. The system will freeze randomly, blue screen, and shut down. I have run the typical scans with available rootkit/virus/malware/adware removal tools. A review of active TCP/UDP/port connections shows nothing suspicious. I have most recently run a fixmbr and fixboot. I have booted to a live disk and attempted to delete two suspicious files in the Windows temp directory: $67ne.$ & $dg3e. The files repopulated on reboot. Below is my DDS log and attached are the attach.txt file and a gmer log. Thanks in advance for your efforts.

--Nick

---------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 7:55:05.89 on Wed 02/10/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.350 [GMT -6:00]

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {DBA52E05-4ED9-4910-A51A-4C95A2397031}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe
C:\Program Files\Common Files\Sage\ServiceHost\Sage.ServiceHost.Host.exe
C:\WINDOWS\TEMP\JMD66A.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Administrator.WSDOND\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uStart Page = hxxp://msn.com/
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
mDefault_Page_URL = hxxp://companyweb
mDefault_Search_URL = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0311.0\msneshellx.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi05e6~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxp://server/officescan/ClientInstall/WinNTChk.cab
DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxp://server/officescan/clientinstall/setupini.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxp://server/officescan/clientinstall/setup.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://sbsserver/ConnectComputer/nshelp.dll
DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxp://server/officescan/clientinstall/RemoveCtrl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\winuid.dll

============= SERVICES / DRIVERS ===============

R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 MSSQL$SAGECRE;SQL Server (SAGECRE);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-6 29180768]
R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2006-3-30 278608]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\common files\sage\ls1\servicehost\1.0\Sage.LS1.ServiceHost.exe [2008-7-11 99624]
R2 Sage.ServiceHost.Host;Sage Service Host;c:\program files\common files\sage\servicehost\Sage.ServiceHost.Host.exe [2007-5-30 86016]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2007-3-1 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2007-3-1 36368]
S1 ycsvgd;NDIS OSI;\??\c:\windows\system32\ycsvgd.sys --> c:\windows\system32\ycsvgd.sys [?]

=============== Created Last 30 ================

2010-02-08 16:17:26 77312 ----a-w- C:\mbr.exe
2010-02-02 16:32:45 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 14:58:28 0 d-----w- C:\rootkit
2010-01-25 16:29:35 0 d-----w- c:\program files\ShowMyPCService
2010-01-15 17:42:36 5346 ----a-w- c:\windows\system32\work2.info

==================== Find3M ====================

2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-10-06 16:49:32 190 ----a-w- c:\program files\common files\psasetup.log

============= FINISH: 7:55:39.07 ===============

Edited by Orange Blossom, 11 February 2010 - 09:17 PM.
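Two lines in the DDS log above are the ones an analyst would pull out first: the S1 (system-start) driver `ycsvgd`, where DDS prints `[?]` in place of the file's date and size because it could not read the image on disk (that is how a hidden or deleted driver file shows up in this log format, as I read it), and `AppInit_DLLs` pointing at `winuid.dll`, a DLL that is loaded into every process that loads user32.dll. The script below is an added example, not part of the original post and not DDS's own code; it parses those two record types from a constructed sample made of lines copied from the log and applies the two rules just described. The start-type ordering it relies on (0 boot, 1 system, 2 auto, 3 demand, 4 disabled) is standard Windows service configuration, and the sample is limited to four lines so it runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample: four lines in DDS's own layout, copied from the
# AppInit_DLLs entry and the "SERVICES / DRIVERS" section of the log above.
SAMPLE_DDS = r"""
AppInit_DLLs: c:\windows\system32\winuid.dll
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\tmxpflt.sys [2007-3-1 225808]
S1 ycsvgd;NDIS OSI;\??\c:\windows\system32\ycsvgd.sys --> c:\windows\system32\ycsvgd.sys [?]
"""

# DDS service/driver record: "<R|S><start type> <name>;<display name>;<image> [<date> <size>]"
# R = running, S = stopped; start type 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?) \[(?P<meta>[^\]]*)\]$"
)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.+)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "driver" or "appinit"
    name: str    # service name or DLL path
    reason: str  # rule that fired, prefixed with a short tag


def triage_dds(text: str) -> list[Finding]:
    """Apply two triage rules to DDS log lines and return what they flag."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is mapped into each user32-linked process at start.
            for dll in re.split(r"[ ,]+", m.group("dlls")):
                if dll:
                    findings.append(Finding(
                        "appinit", dll,
                        "appinit: DLL is injected into every process that loads user32.dll"))
            continue

        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, start, image, meta = (m.group("name"), m.group("start"),
                                    m.group("image"), m.group("meta"))
        if meta == "?":
            # DDS could not stat the image: the file is hidden, deleted, or
            # only present at boot, all of which want a closer look.
            findings.append(Finding(
                "driver", name, f"image missing: DDS could not read {image!r} on disk"))
        if start in ("0", "1"):
            # Boot/system-start drivers load before auto-start (2) services,
            # which in this log includes the Trend Micro filter drivers.
            findings.append(Finding(
                "driver", name,
                f"early start: start type {start} loads before auto-start services"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.kind}] {f.name}: {f.reason}")
```

Run against the sample, the script reports the `winuid.dll` AppInit entry and two findings for `ycsvgd`, and nothing for the running Trend Micro and RIP listener entries; against a full DDS log it is a first pass that narrows what to look up by hand, not a verdict.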

#2 DocSatan

Bleepin' Wanna-Be

• Members
• 2,156 posts
• Gender:Male
• Location:Boston, Ma.

Posted 17 February 2010 - 02:04 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

#3 djnaughtynick
• Topic Starter

Posted 18 February 2010 - 12:06 AM

Everything from the original post is current since the computer was shutdown immediately after posting the logs. Please let me know if you need additional information.

Thanks,
Nick

#4 DocSatan

Posted 19 February 2010 - 04:44 PM

Hello djnaughtynick and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP.

In the meantime:

• At the top-right of this thread, click on the button.
• In the list that drops down, click on
• Place a tick-mark next to Immediate E-Mail Notification
• Then click on
• You will now receive an e-mail as soon as a Reply is made to this Topic.
2. Do Not Make Any Changes to the "Infected" Computer.
• Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
• Deleting Files/Folders
• Installing/Uninstalling Programs
• Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
• While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
• Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
• It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
• So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
• If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly.

Doc.

#5 DocSatan

Posted 20 February 2010 - 02:21 PM

Hello djnaughtynick,

One of the files in your Log was identified as a Backdoor/IRCBot Trojan.
Important Note: Backdoor/IRCBot Trojans are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms. Remote attackers use Backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. When infected by one of them you should disconnect the computer from the Internet until your system is cleaned. If your computer was used for online banking or has credit card information on it, ALL passwords should be changed immediately, including those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
Though the Trojan has been identified and can be killed, because of its Backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

We can attempt to clean this machine but we CANNOT guarantee that it will be 100% secure afterwards. Please post a Reply to this Topic informing me of your decision as to whether or not you will be Reformatting.

Doc.

#6 djnaughtynick
• Topic Starter

Posted 20 February 2010 - 11:39 PM

As I mentioned the reinstall fixed the first computer with this infection. My interest at this point is to learn more about this type of infection and to gain the tools to remove it. If you are willing and have the time I would like to begin the cleaning process knowing that there are no guarantees. Data is not a factor as this system was backed up appropriately.

Thanks,
Nick

#7 DocSatan

Posted 21 February 2010 - 01:19 PM

Hello djnaughtynick,

It's not a matter of "Cleaning" the computer. The infection can be removed. The issue is that the integrity of the security of the computer has been compromised, and there is no sure way of fixing the holes that the Backdoor made without a reformat and reinstall.

But I would be happy to do all that I can do here.

Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
• Save it to your Desktop
• Do NOT run ComboFix yet
• Here is an alternative link to download ComboFix, if the above one is not working for you:

2. Disable Your AntiVirus and AntiSpyware Programs
• You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
• These programs may interfere with our fix. We will re-enable them when we are done.

3. Double click on ComboFix.exe that you just saved to your Desktop
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
• When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

4. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.

• ComboFix.txt

#8 djnaughtynick
• Topic Starter

Posted 22 February 2010 - 10:01 AM

ComboFix log is attached.

Regards,
Nick

#9 DocSatan

Posted 22 February 2010 - 06:21 PM

Hello djnaughtynick,

• Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disable it.
• Double-click on sys*****.exe to start the tool.
• A read before proceeding disclaimer will appear.
• Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
• After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
• When SystemScan opens, click the "Unselect all" button.
• Important: Under "Make your choice and than click...", check the boxes next to:
• PC accounts
• Everything else should be unchecked.
• Click "Scan Now".
• Another warning box will appear. Please follow the instructions and click Ok.
• Please be patient while the scan is in progress.
• Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
• When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
• Copy and paste the contents of report.txt in your next reply.

#10 DocSatan

Posted 23 February 2010 - 12:40 PM

Hi djnaughtynick,

I understand your concern regarding the user information in the logs. Please let me know of any information that you would like removed from the existing logs that you have posted. I will make sure that they are edited appropriately.

However, I must ask you not to edit any logs that I ask for. Depending on the issue, the "fix" I put together may depend on using the correct path to a file, including a user's profile. I can edit that information out afterward. Let me know if this is acceptable.

• Double click to run the tool.
• A Blue Dos Window will open and close
• No log will be generated

2. Navigate to C:\mbr.log
• Re-name it to mbr.old2

3. Run mbr.exe -f
• Go to Start > Run and type: cmd
• Click Ok
• At the command prompt, type: cd \
• Press Enter key
• At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
• Press Enter key
• At the command prompt, type: exit
• Press Enter key

4. Reboot the computer

5. Run ComboFix
• Double-click on the ComboFix icon
• It will produce a new log located here: C:\ComboFix.txt

6. Post the new mbr.log
• Located here: C:\mbr.log

#11 djnaughtynick
• Topic Starter

Posted 24 February 2010 - 09:22 AM

I am fine with the data that has been posted so far. New logs are attached.

Regards,
Nick

#12 DocSatan

Posted 25 February 2010 - 04:56 PM

Hi djnaughtynick,

Do you purposefully use the Remote Desktop on this computer?

#13 DocSatan

Posted 26 February 2010 - 03:32 PM

Hello djnaughtynick,

1. No AntiVirus Program Installed
• Download and install an antivirus program, and make sure that you keep it updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
• Two good antivirus programs free for non-commercial home use are Avast! and Antivir
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
2. Run this CFScript
Warning: This CFScript has been tailored to this User's particular system and should not be run on any other system.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...p;#entry1645806

Collect::
c:\windows\system32\ycsvgd.sys

Driver::
ycsvgd

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000

• Save this as CFScript.txt, in the same location as ComboFix.exe

• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by DocSatan, 26 February 2010 - 03:33 PM.

#14 djnaughtynick
• Topic Starter

Posted 26 February 2010 - 05:58 PM

1) Remote desktop is used for remote administration purposes on this system.
2) I attached the log files in an attempt to keep the thread clean. I will however paste requested logs in future replies.
3) Currently installed Anti-virus client information:

Trend Micro Client/Server Security Agent for Windows 2003/XP/2000/NT
Program version: 7.2
Engine version: 9.100.1001
Virus pattern file number 6.203.00

I ran the script as described and the resulting log file is posted below.

Regards,
Nick

--------------------------------------------------------------------

ComboFix 10-02-21.02 - Administrator 02/26/2010 16:29:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -6:00]
Command switches used :: c:\documents and settings\Administrator.WSDOND\Desktop\CFScript.txt
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {DBA52E05-4ED9-4910-A51A-4C95A2397031}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YCSVGD
-------\Service_ycsvgd

((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-08 16:17 . 2010-01-26 18:16 77312 ----a-w- C:\mbr.exe
2010-02-03 15:18 . 2010-02-07 05:18 -------- d-----w- c:\documents and settings\Administrator.WSDOND\Local Settings\Application Data\Temp
2010-02-02 16:32 . 2010-02-02 16:32 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-02 16:32 . 2010-02-02 16:32 -------- d-----w- c:\documents and settings\administrator.MAPETERSON\Local Settings\Application Data\Google
2010-02-02 14:58 . 2010-02-10 13:54 -------- d-----w- C:\rootkit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 05:20 . 2008-06-16 20:18 -------- d-----w- c:\program files\Google
2010-01-25 16:29 . 2010-01-25 16:29 -------- d-----w- c:\program files\ShowMyPCService
2010-01-06 15:45 . 2010-01-06 15:45 -------- d-----w- c:\documents and settings\chris.elliott\Application Data\AdobeUM
2010-01-05 18:41 . 2010-01-05 18:41 175088 ----a-w- c:\documents and settings\chris.elliott\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 05:21 . 2004-08-04 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-10-06 16:49 . 2008-10-14 19:05 190 ----a-w- c:\program files\Common Files\psasetup.log
.

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-01 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-03 372813]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\bin\w3dbsmgr.exe [2007-8-2 111960]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-7-13 106560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1142\Scripts\Logoff\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1142\Scripts\Logon\0\0]
"Script"=design.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1144\Scripts\Logon\0\0]
"Script"=nettime.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1159\Scripts\Logoff\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1159\Scripts\Logon\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1160\Scripts\Logoff\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1160\Scripts\Logon\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1163\Scripts\Logoff\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1163\Scripts\Logon\0\0]
"Script"=design.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1198\Scripts\Logoff\0\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1198\Scripts\Logon\0\0]
"Script"=design.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3295088875-248328284-3335385229-1426\Scripts\Logon\0\0]
"Script"=nettime.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe"
"igfxtray"=c:\windows\system32\igfxtray.exe
"MMTray"=c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
"Synchronization Manager"=%SystemRoot%\system32\mobsync.exe /logon
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"6074:TCP"= 6074:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9050:TCP"= 9050:TCP:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 MSSQL\$SAGECRE;SQL Server (SAGECRE);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [9/6/2009 3:19 AM 29180768]
R2 Sage.LS1.ServiceHost.1.0;Sage Service Host (v1.0);c:\program files\Common Files\Sage\LS1\ServiceHost\1.0\Sage.LS1.ServiceHost.exe [7/11/2008 12:44 AM 99624]
R2 Sage.ServiceHost.Host;Sage Service Host;c:\program files\Common Files\Sage\ServiceHost\Sage.ServiceHost.Host.exe [5/30/2007 11:55 AM 86016]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [4/27/2007 12:00 AM 316992]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\tmxpflt.sys [3/1/2007 10:54 AM 225808]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [3/1/2007 10:54 AM 36368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-26 16:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Trend Micro\Client Server Security Agent\ntrtscan.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Trend Micro\Client Server Security Agent\tmlisten.exe
c:\windows\system32\fxssvc.exe
c:\program files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
c:\windows\system32\dllhost.exe
c:\windows\TEMP\CNEC48.EXE
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2010-02-26 16:43:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 22:43
ComboFix2.txt 2010-02-24 14:13
ComboFix3.txt 2010-02-22 14:43

Pre-Run: 41,762,050,048 bytes free
Post-Run: 41,733,410,816 bytes free

- - End Of File - - 5E667B041FACF1D7C7BC842516F29A51

#15 DocSatan


Bleepin' Wanna-Be

• Members
• 2,156 posts
• OFFLINE
• Gender:Male
• Location:Boston, Ma.
• Local time:07:20 AM

Posted 27 February 2010 - 07:12 AM

Hi djnaughtynick,

QUOTE
Remote desktop is used for remote administration purposes on this system.
• Thank you. I ask because there is a nasty Rootkit out that uses the Remote Desktop. But if you have it enabled on purpose, then you are fine.

QUOTE
I attached the log files in an attempt to keep the thread clean. I will however paste requested logs in future replies.
• Some logs are easier to access for me if they are pasted into the Reply box, others are better if they are attached.
• I usually include direction on Paste vs. Attach in my instructions.

QUOTE
Currently installed Anti-virus client information:
Trend Micro Client/Server Security Agent for Windows 2003/XP/2000/NT
• Yes, that's showing up in your logs as a Firewall.
• Apparently this is a Firewall/Antivirus program for Businesses, which brings me to my next question...

Is this a business/work computer that you are asking me to help "clean"?

Doc.
