
SMTP SPAM by Services.exe


  • This topic is locked
3 replies to this topic

#1 creatorul

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:10 PM

Posted 16 May 2010 - 05:51 AM

Hello,

I posted here because I can't find any solution for the virus I have any more. I have tried all possible ways:
- nod32 scan
- malware bytes scan
- SUPERantiSpyware scan
- Panda ActiveScan2 Online scan
- used WhatsRunning to stop suspect services and loaded modules/drivers
- HijackThis, where I removed unknown file entries
and finally
- ComboFix, which seems to have found a rootkit with its Stealth Gmer scanner. The spam stopped for the moment, but after restarting the machine it came back.

I found this virus by accident while I was playing with the Ethereal network analyzer and saw how emails were flying out of my machine via SMTP. I receive daily NOD32 warnings from the network, and it is possible that I got the virus from the local network.
I have attached the HijackThis log created 30 minutes ago as well as the ComboFix log I did last night, which found that rootkit.


CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:40 PM, on 5/16/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ethereal\ethereal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=374
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: CreatorRSS.exe.lnk = C:\Documents and Settings\Creator\My Documents\Visual Studio 2005\Projects\CreatorRSS\CreatorRSS\bin\Debug\CreatorRSS.exe
O4 - Startup: µTorrent (2).lnk = C:\Program Files\uTorrent\uTorrent.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {25336921-03F9-11CF-8FD0-00AA00686F13} (Microsoft HTML Document 6.0) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - https://vpn.dal01.softlayer.com/prx/000/http/localhost/arr_x.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED303DA-F69D-43F6-8401-E3B3122C64F0}: NameServer = 192.168.0.3,193.231.100.130
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - D:\mySQL\bin\mysqld (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\PostgreSql\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Apache Tomcat (Tomcat6) - Apache Software Foundation - C:\Program Files\Tomcat 6.0\bin\tomcat6.exe

--
End of file - 8456 bytes



Combofix yesterday log

CODE
ComboFix 10-05-15.01 - Creator 05/16/2010   3:54.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1250.40.1033.18.2047.1584 [GMT 3:00]
Running from: c:\documents and settings\Creator\Desktop\ComboFix.exe
AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Creator\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Creator\g2mdlhlpx.exe
c:\documents and settings\Creator\Local Settings\Temporary Internet Files\RawFile.htm
C:\LOGEE4.tmp
c:\windows\system32\AdmDll.dll
c:\windows\system32\Cache
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\gotomon.log
c:\windows\system32\raddrv.dll
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NPF
-------\Legacy_RUNDLL32
-------\Legacy_R_SERVER
-------\Service_Iprip
-------\Service_r_server


(((((((((((((((((((((((((   Files Created from 2010-04-16 to 2010-05-16  )))))))))))))))))))))))))))))))
.

2010-05-15 19:21 . 2009-06-30 06:37    28552    ----a-w-    c:\windows\system32\drivers\pavboot.sys
2010-05-15 19:20 . 2010-05-15 19:20    --------    d-----w-    c:\program files\Panda Security
2010-05-15 18:34 . 2010-05-15 18:34    --------    d-----w-    c:\program files\Trend Micro
2010-05-15 15:01 . 2010-05-15 15:01    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-15 13:52 . 2010-05-15 14:16    --------    d-----w-    c:\program files\WhatsRunning
2010-04-29 13:03 . 2010-04-29 13:03    --------    d-----w-    c:\program files\Common Files\Java
2010-04-29 13:02 . 2010-04-29 13:02    411368    ----a-w-    c:\windows\system32\deployJava1.dll
2010-04-20 20:28 . 2010-04-20 20:28    --------    d-----w-    c:\program files\FaceWizardCom

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 01:15 . 2009-12-24 17:20    802304    ----a-w-    c:\windows\system32\drivers\twiiqv.sys
2010-05-16 01:12 . 2007-10-22 21:12    --------    d-----w-    c:\documents and settings\Creator\Application Data\uTorrent
2010-05-16 00:07 . 2009-07-11 23:00    --------    d-----w-    c:\program files\Citrix
2010-05-15 20:33 . 2010-03-17 09:53    --------    d-----w-    c:\documents and settings\Creator\Application Data\Vidalia
2010-05-15 20:33 . 2010-03-17 09:54    --------    d-----w-    c:\documents and settings\Creator\Application Data\tor
2010-05-15 19:09 . 2006-10-29 11:02    --------    d-----w-    c:\program files\Common Files\InstallShield
2010-05-15 19:08 . 2006-10-29 11:37    --------    d--h--w-    c:\program files\InstallShield Installation Information
2010-05-15 19:05 . 2007-03-25 17:15    --------    d-----w-    c:\documents and settings\Creator\Application Data\Dev-Cpp
2010-05-15 17:59 . 2007-08-09 11:09    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2010-05-15 14:42 . 2009-12-25 11:16    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2010-05-13 22:31 . 2009-11-06 18:17    --------    d-----w-    c:\documents and settings\Creator\Application Data\MySQL
2010-04-30 07:17 . 2007-05-22 14:08    --------    d-----w-    c:\documents and settings\Creator\Application Data\Image Zone Express
2010-04-29 13:02 . 2006-10-29 19:14    --------    d-----w-    c:\program files\Java
2010-04-29 12:39 . 2009-12-25 11:16    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 12:39 . 2009-12-25 11:16    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2010-04-27 11:12 . 2006-10-30 22:37    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-20 21:29 . 2010-03-24 11:22    --------    d-----w-    c:\documents and settings\Creator\Application Data\FaceWizard
2010-04-20 12:01 . 2007-12-25 16:01    --------    d-----w-    c:\documents and settings\Creator\Application Data\CreatorCo
2010-04-18 23:12 . 2006-10-31 13:38    --------    d-----w-    c:\documents and settings\Creator\Application Data\Skype
2010-04-18 22:35 . 2008-05-22 14:06    --------    d-----w-    c:\documents and settings\Creator\Application Data\skypePM
2010-04-12 21:25 . 2008-08-09 21:44    9910    ----a-w-    c:\windows\hh.dat
2010-04-07 21:10 . 2009-09-19 08:34    --------    d-----w-    c:\documents and settings\Creator\Application Data\vlc
2010-04-03 13:48 . 2006-10-29 10:31    64264    ----a-w-    c:\documents and settings\Creator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-17 09:54 . 2010-03-17 09:53    --------    d-----w-    c:\program files\Vidalia Bundle
2007-06-21 10:19 . 2007-06-21 10:19    0    ----a-w-    c:\program files\izWrTe32846.tmp
2008-03-24 14:09 . 2007-08-09 11:09    80    --sh--r-    c:\windows\system32\2BD4C87FAC.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2006-10-29 917504]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 77824]
"MsmqIntCert"="mqrt.dll" [2004-08-04 177152]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2004-11-22 180224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 18:35    87352    ----a-w-    c:\windows\system32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=c:\windows\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Continue Setup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Continue Setup.lnk
backup=c:\windows\pss\Continue Setup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Creator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Creator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Creator^Start Menu^Programs^Startup^siszyd32.exe]
path=c:\documents and settings\Creator\Start Menu\Programs\Startup\siszyd32.exe
backup=c:\windows\pss\siszyd32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 00:06    40048    ----a-w-    c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 05:58    611712    ----a-w-    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22    3739648    ----a-w-    c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 21:12    49152    ----a-w-    c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 13:40    155648    ----a-w-    c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-03-15 16:41    385024    ----a-w-    c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 08:43    248040    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2004-11-22 07:16    180224    ----a-w-    c:\program files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rundll32"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\Program Files\Yahoo!\Messenger\YServer.exe"=
"c:\WINDOWS\system32\mqsvc.exe"=
"c:\Program Files\uTorrent\uTorrent.exe"=
"c:\Program Files\Google\Google Talk\googletalk.exe"=
"c:\Program Files\IEPro\MiniDM.exe"=
"c:\Program Files\Windows Live\Messenger\wlcsdk.exe"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Program Files\Autodesk\Backburner\manager.exe"=
"c:\Program Files\Autodesk\Backburner\monitor.exe"=
"c:\Program Files\Autodesk\Backburner\server.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hposid01.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"=
"c:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"=
"c:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"=
"c:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"5353:TCP"= 5353:TCP:Adobe CSI CS4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [10/29/2006 2:26 PM 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [10/29/2006 2:26 PM 5248]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/15/2010 10:21 PM 28552]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [6/9/2007 4:18 PM 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [6/9/2007 4:18 PM 4608]
R2 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [2/18/2007 4:27 PM 208851]
R2 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [2/18/2007 4:27 PM 10324]
R2 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [2/18/2007 4:27 PM 34789]
R3 WFIOCTL;WFIOCTL;c:\program files\WinFast\WFTVFM\WFIOCTL.sys [2/18/2007 4:33 PM 9510]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S3 ATP;ArrayNetworks SSL VPN Miniport Driver;c:\windows\system32\DRIVERS\atpdrvr.sys --> c:\windows\system32\DRIVERS\atpdrvr.sys [?]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 4:45 AM 199384]
S3 pgsql-8.3;PostgreSQL Database Server 8.3;d:\postgresql\bin\pg_ctl.exe runservice -w -N "pgsql-8.3" -D "d:\postgresql\data" --> d:\postgresql\bin\pg_ctl.exe runservice -w -N pgsql-8.3 [?]
S3 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe [10/14/2005 4:44 AM 14552]
S3 Tomcat6;Apache Tomcat;c:\program files\Tomcat 6.0\bin\tomcat6.exe [5/5/2007 4:42 AM 57344]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]

--- Other Services/Drivers In Memory ---

*Deregistered* - twiiqv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc    REG_MULTI_SZ       p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-16 c:\windows\Tasks\User_Feed_Synchronization-{DA6BC4FA-D8FD-4DAE-A46F-95CB739E0389}.job
- c:\windows\system32\msfeedssync.exe [2006-10-29 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
LSP: imon.dll
TCP: {BED303DA-F69D-43F6-8401-E3B3122C64F0} = 192.168.0.3,193.231.100.130
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://vpn.dal01.softlayer.com/prx/000/http/localhost/arr_x.cab
FF - ProfilePath - c:\documents and settings\Creator\Application Data\Mozilla\Firefox\Profiles\uj1o3f5y.default
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft Silverlight\3.0.40624.0\npctrl.1.0.20816.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AdvancedVirtualComPortBoot - c:\program files\Advanced Virtual COM Port\Avcp.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-explorer - c:\windows\system32\explorer.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-Norton Ghost 10 - c:\program files\Norton Ghost\Agent\GhostTray.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-sysgif32 - c:\windows\TEMP\~TME.tmp
MSConfigStartUp-WinampAgent - c:\program files\Winamp5\winampa.exe
ActiveSetup-{E5940400-6BA4-A3DF-9337-2F8AE684AE0D} - c:\program files\messenger\server2.exe
AddRemove-HTML Help Workshop - c:\program files\HTML Help Workshop\setup.exe
AddRemove-PacSteamT - c:\games\PacSteamT\PacSteamT-Uninstall.exe
AddRemove-Steam App 10 - c:\games\PacSteamT\steam.exe
AddRemove-V - c:\documents and settings\Creator\Desktop\v8v.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89D53008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3
\Driver\ACPI -> ACPI.sys @ 0xf7588cb8
\Driver\atapi -> 0x89d53008
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a1afe
ParseProcedure -> ntoskrnl.exe @ 0x80570a6e
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xbad73bc3
PacketIndicateHandler -> NDIS.sys @ 0xbad7fb21
SendHandler -> NDIS.sys @ 0xbad73d33
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"d:\mysql\bin\mysqld\" --defaults-file=\"d:\mysql\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\twiiqv]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC13CBAD-65F7-89B7-208D-44E6A7B2C43D}\InProcServer32*]
"pajlpodbnlnacfmdfpbnjdkenmgnaajd"=hex:6b,61,69,65,64,6e,70,70,6c,63,6b,70,6c,
   6d,6b,6d,61,67,64,6d,64,6b,00,00
"oajlfofdpjbkdncimnklcmcpdngagn"=hex:69,61,62,65,70,6e,66,6c,64,67,67,62,69,6f,
   6f,70,6a,67,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\msi.dll
c:\windows\system32\imon.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\msdtc.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\System32\snmp.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\mqsvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Vidalia Bundle\Privoxy\privoxy.exe
c:\program files\uTorrent\uTorrent.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\WinFast\WFTVFM\WFTV.exe
.
**************************************************************************
.
Completion time: 2010-05-16  04:22:57 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-16 01:22

Pre-Run: 7,750,479,872 bytes free
Post-Run: 7,886,061,568 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 47B4C24BFB39010430FB02A3412DC586


I'm going to scan again with ComboFix and see if the same rootkit is detected, which would mean it gets installed again on restart.

Any help is appreciated
Thanks

It seems that this is a new version of the Rustock botnet rootkit:

http://www.m86security.com/labs/i/Rustock-...trace.1243~.asp

Similar issue:

http://forums.malwarebytes.org/index.php?showtopic=45150

It gets its settings from a site like muza-flowers.biz (I got that from the Ethereal analyzer).

Do you know any good remover for this new version of botnet (http://www.rootkit.com/blog.php?newsid=994)?

Thanks

Edited by boopme, 16 May 2010 - 09:18 AM.
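Two checks a defender would make on the evidence in this thread, as an added example that is not part of the original post and not code from any tool named here: a triage pass over HijackThis-style lines like the log above (unknown Winsock LSPs, services with no owner or a missing binary, autostarts from temp or Startup folders, hard-coded name servers), and a detector for the symptom the poster saw in Ethereal, one process opening SMTP connections to many distinct hosts in a short time. The connection-log format, the documentation-range IP addresses, and the thresholds are assumptions; the HijackThis sample lines are copied from the log above, plus one constructed O4 entry built from the orphaned sysgif32 item that ComboFix removed.

```python
"""Two triage checks for the kind of evidence in this thread (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. HijackThis log triage ---------------------------------------------
# A path component that is a temp or Startup folder (case-insensitive).
SUSPICIOUS_PATH = re.compile(r"\\(temp|tmp|startup)\\", re.IGNORECASE)


def triage_hijackthis(lines):
    """Return (line, reason) pairs for HijackThis entries that merit a second look.

    The heuristics are deliberately simple: they do not decide what is
    malicious, they only order the analyst's attention.
    """
    hits = []
    for line in lines:
        line = line.strip()
        reason = None
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            reason = "unknown Winsock LSP (sits in the path of every socket)"
        elif line.startswith("O23 - Service:") and "Unknown owner" in line:
            reason = "service without a publisher"
        elif "(file missing)" in line:
            reason = "entry points to a file that no longer exists"
        elif line.startswith("O4 - ") and SUSPICIOUS_PATH.search(line):
            reason = "autostart from a temp or Startup folder"
        elif line.startswith("O17 - ") and "NameServer" in line:
            reason = "hard-coded DNS servers (confirm they belong to your network)"
        if reason:
            hits.append((line, reason))
    return hits


# ---- 2. Outbound SMTP fan-out ---------------------------------------------
# Hypothetical connection-log format: "<date> <time> <process> -> <ip>:<port>".
CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def smtp_fanout(conn_lines, window=timedelta(minutes=1), threshold=5,
                allowed=("outlook.exe", "thunderbird.exe")):
    """Flag processes that reach >= threshold distinct hosts on TCP/25 within
    `window`. A mail client talks to one or two relays; a spam bot talks to
    many MX hosts directly. Returns {process: max distinct hosts in a window}.
    """
    by_proc = defaultdict(list)
    for line in conn_lines:
        m = CONN_RE.match(line.strip())
        if not m or m["port"] != "25" or m["proc"].lower() in allowed:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        by_proc[m["proc"]].append((ts, m["dst"]))
    flagged = {}
    for proc, events in by_proc.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # sliding window
            hosts = {dst for t, dst in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[proc] = max(flagged.get(proc, 0), len(hosts))
    return flagged


# ---- Constructed sample input: HijackThis lines are from the thread's log
# (the sysgif32 O4 line is built from ComboFix's orphan entry); the
# connection log is invented and uses documentation IP ranges. ------------
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [sysgif32] c:\windows\TEMP\~TME.tmp
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED303DA-F69D-43F6-8401-E3B3122C64F0}: NameServer = 192.168.0.3,193.231.100.130
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MySQL - Unknown owner - D:\mySQL\bin\mysqld (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
""".strip().splitlines()

SAMPLE_CONNS = """
2010-05-16 01:10:01 services.exe -> 203.0.113.10:25
2010-05-16 01:10:02 services.exe -> 203.0.113.22:25
2010-05-16 01:10:04 services.exe -> 198.51.100.7:25
2010-05-16 01:10:05 services.exe -> 198.51.100.9:25
2010-05-16 01:10:09 services.exe -> 192.0.2.44:25
2010-05-16 01:10:12 services.exe -> 192.0.2.45:25
2010-05-16 01:10:15 outlook.exe -> 192.0.2.1:25
2010-05-16 01:10:20 iexplore.exe -> 192.0.2.80:80
2010-05-16 01:11:30 services.exe -> 192.0.2.46:25
""".strip().splitlines()

if __name__ == "__main__":
    for line, why in triage_hijackthis(SAMPLE_HJT):
        print(f"[check] {why}\n        {line}")
    for proc, n in smtp_fanout(SAMPLE_CONNS).items():
        print(f"[alert] {proc} reached {n} distinct SMTP hosts inside one minute")
```

Run as a script it prints the five flagged log entries and one alert for services.exe. The fan-out threshold of five distinct hosts per minute is a starting point, not a tuned value. The point of the second check is that a workstation has no business talking to many mail exchangers directly: blocking outbound TCP/25 at the gateway for everything except the organisation's mail relay both stops this class of spam and turns the next infection into a firewall log entry.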



#2 creatorul

  • Topic Starter
  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:10 PM

Posted 17 May 2010 - 05:57 AM

Any solution to the Rustock malware?

Thx

#3 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:10 PM

Posted 17 May 2010 - 08:29 PM

Hi creatorul,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please don't put the logs in the code box; just copy and paste them, it reads easier.
Since you have already run ComboFix, let's try it once more:


Close any open browsers. Make sure your antivirus is disabled and will not run after reboot. On the previous run of ComboFix it was enabled.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
TDL::
c:\windows\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#4 Farbar

    Just Curious

  • Security Developer
  • 21,706 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:10 PM

Posted 22 May 2010 - 06:58 PM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
