"Digital Protection" Rogue Antivirus


  • This topic is locked
3 replies to this topic

#1 curchunk

  • Members
  • 3 posts

Posted 16 April 2010 - 05:09 PM

My boss installed this nasty rogue antivirus on his computer. I managed to get it semi-controlled by cleaning it with ComboFix and Malwarebytes. I initially had to boot into Safe Mode with Command Prompt to get ComboFix to run. An additional scan by Norton quarantined Trojan.FakeAV!gen25, Trojan.Vundo, Packed.Mystic!gen3, ave.exe.vir, Trojan.Gen, and CoreGuardAntivirus2009. The annoying popups are now gone.

However, Norton 360 continues to report blocking intrusion attempts. They are listed as "HTTPS Tidserv Request 2" from \DEVICE\HARDDISKVOLUME2\SYSTEM32\SVCHOST.EXE and \DEVICE\HARDDISKVOLUME2\PROGRAMFILES\INTERNET EXPLORER\IEXPLORE.EXE. I ran TDSSKiller, and it reported that iastor.sys and one memory process were infected. However, it didn't succeed in fixing them after rebooting. I booted into the Recovery Console off of an XP disk and replaced the infected iastor.sys with a clean one from a different computer. Unfortunately, I'm still seeing the same intrusion attempts in Norton.

GMER crashed the computer. Here's the DDS log and attachment:


DDS (Ver_10-03-17.01) - NTFSx86
Run by sysadmin at 16:26:19.70 on Fri 04/16/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3037.2463 [GMT -5:00]

AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\RamSoft\PowerReader4\CacheServers\LocalCache20071206986\prcacheservice.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\RamSoft\PowerReader4\UpdateService\RSUpdateServiceApplication.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\sysadmin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uURLSearchHooks: Synapse UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll
mURLSearchHooks: Synapse UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Synapse URLSearchHook Configuration] RUNDLL32.EXE c:\progra~1\fujime~1\synapse\workst~1\FujiFld.dll,ConfigureSynapseUrlSearchHook
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office 2000\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxps://magellan-w.ausrad.com/osd/SynapseWorkstationInf.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9554D93D-C653-4AFD-854C-AF61F7BF7F42} - hxxps://magellan-w.ausrad.com/osd/synapseWorkstationInf.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CD372BF2-87E4-4291-9F49-E0A09A9FDF11} - hxxps://pacs.capitalimg.com/powerreader4/PRInstall.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F88E6FA9-579E-4AE9-8DDA-C48BB36B0A32} - hxxps://magellan-w.ausrad.com/osd/x86/win95/FujiInst.cab
TCP: {E20881A4-EDA4-4CBD-8AA6-41D68DDC8DF9} = 24.93.41.125,24.93.41.126
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-14 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-14 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-14 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-14 116784]
R2 LocalCache20071206986;RamSoft PACS 4 Cache (LocalCache20071206986);c:\program files\ramsoft\powerreader4\cacheservers\localcache20071206986\prcacheservice.exe localcache20071206986 --> c:\program files\ramsoft\powerreader4\cacheservers\localcache20071206986\prcacheservice.exe LocalCache20071206986 [?]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-14 126392]
R2 RSUpdateService;RamSoft PACS4 Update Service;c:\program files\ramsoft\powerreader4\updateservice\RSUpdateServiceApplication.exe [2009-12-10 564960]
R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\fuji medical system\synapse\workstation\SynapseUpdateManager.exe [2009-5-21 167424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-15 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100409.001\IDSXpx86.sys [2010-4-14 329592]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-18 110080]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100416.003\NAVENG.SYS [2010-4-16 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100416.003\NAVEX15.SYS [2010-4-16 1324720]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys --> c:\windows\system32\drivers\Diag69xp.sys [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

=============== Created Last 30 ================

2010-04-16 20:19:38 324120 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-04-16 20:12:03 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-15 13:52:16 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-15 01:35:45 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-15 01:35:45 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-15 01:35:45 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-04-15 01:35:45 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-15 01:35:22 0 d-----w- c:\windows\system32\drivers\N360
2010-04-15 01:35:21 0 d-----w- c:\program files\Norton 360
2010-04-15 01:32:15 0 d-----w- c:\program files\NortonInstaller
2010-04-15 01:32:15 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-04-15 01:25:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-04-15 00:41:45 0 d-----w- C:\cfz
2010-04-14 22:24:12 262144 ---ha-w- c:\documents and settings\sysadmin\ntuser.dat.LOG1
2010-04-14 22:24:12 0 ---ha-w- c:\documents and settings\sysadmin\ntuser.dat.LOG2
2010-04-13 16:29:26 0 d-----w- c:\docume~1\sysadmin\applic~1\Malwarebytes
2010-04-13 16:09:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-13 16:09:14 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 16:09:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-13 16:09:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-13 15:21:45 98816 ----a-w- c:\windows\sed.exe
2010-04-13 15:21:45 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 15:21:45 261632 ----a-w- c:\windows\PEV.exe
2010-04-13 15:21:45 161792 ----a-w- c:\windows\SWREG.exe
2010-04-13 14:55:56 0 d-----w- C:\spoolerlogs
2010-04-05 17:10:14 0 d-----w- c:\program files\iPod
2010-04-05 17:10:08 0 d-----w- c:\program files\iTunes
2010-04-05 17:10:08 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-05 17:04:47 0 d-----w- c:\program files\Bonjour
2010-03-18 02:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 02:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-04-16 20:03:42 329752 ----a-w- c:\windows\system32\drivers\iastor.old
2010-04-14 05:17:06 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-03-11 12:38:54 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-10-28 18:11:02 28868320 ----a-w- c:\program files\FileFormatConverters.exe
2009-09-07 18:22:17 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe

============= FINISH: 16:27:18.51 ===============
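As an added example that is not part of the original thread, here is a small Python triage helper for DDS logs like the one posted above. It lists the two things a responder would check first in this log: driver files written in the days around the scan (iaStor.sys together with its tsk4.tmp and iastor.old copies) and service entries DDS could not verify on disk (the `[?]` tag). The sample lines are excerpted from the log above; the parsing functions, the two-day window and the `[?]` check are my own and are not part of DDS.

```python
import re
from datetime import date

# Lines excerpted from the DDS log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""============= SERVICES / DRIVERS ===============
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys --> c:\windows\system32\drivers\Diag69xp.sys [?]
S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]
=============== Created Last 30 ================
2010-04-16 20:19:38 324120 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-04-16 20:12:03 324120 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-04-15 13:52:16 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-04-13 16:09:14 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
2010-04-16 20:03:42 329752 ----a-w- c:\windows\system32\drivers\iastor.old
============= FINISH: 16:27:18.51 ===============
"""
HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")                       # "==== Section name ===="
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);")                        # "R0 Name;Display name;Path"

def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} using its '====' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections

def recent_driver_changes(sections, as_of, window_days=2):
    """(timestamp, path) for files in the system32 drivers directory written within window_days before as_of ('YYYY-MM-DD'). Review list: legitimate tools (mbam.sys, Norton) appear too."""
    as_of = date.fromisoformat(as_of)
    hits = []
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            m = FILE_RE.match(line)
            if (m and "\\drivers\\" in m.group(5).lower()
                    and 0 <= (as_of - date.fromisoformat(m.group(1))).days <= window_days):
                hits.append((m.group(1) + " " + m.group(2), m.group(5)))
    return hits

def unresolved_services(sections):
    """Service/driver names DDS tagged '[?]': the registered image path could not be verified on disk."""
    return [SERVICE_RE.match(l).group(1) for l in sections.get("SERVICES / DRIVERS", [])
            if l.endswith("[?]") and SERVICE_RE.match(l)]
```

A `[?]` entry is not proof of malware (a registered driver whose file was deleted looks the same); it marks an entry to resolve by hand, as does a driver rewritten minutes before the scan.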



#2 curchunk

  • Topic Starter
  • Members
  • 3 posts

Posted 19 April 2010 - 12:16 PM

I should have named this topic TDL4 Rootkit. This is a lot more serious than the regular Digital Protection Rogue. Unless I get a response soon, I'm going to nuke the hard drive and reinstall everything.

Edited by curchunk, 19 April 2010 - 01:03 PM.


#3 curchunk

  • Topic Starter
  • Members
  • 3 posts

Posted 21 April 2010 - 10:45 AM

Alright, thanks for being no help at all. I fixed it myself.

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location: London, UK

Posted 21 April 2010 - 07:05 PM

Thanks for letting us know.

---------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



