
Reoccurring Torpig Infection


  • This topic is locked
8 replies to this topic

#1 tauran

tauran

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:49 PM

Posted 10 November 2010 - 08:35 AM

Hello,

we have a small network of Windows Computers (XP & 7) and had an infection with Torpig. We ran several security programs, which found and cleaned infected executables.
However today we got an email from our ISP ...
All computers are reported clean.

So I just ran ComboFix on an unimportant machine which I know was (or is) infected.
Log file:

ComboFix 10-11-09.02 - slave 11/10/2010 13:50:33.1.2 - x86

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.1838 [GMT 1:00]

Running from: c:\users\slave\Desktop\ComboFix.exe

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif



----- File Replicators -----



c:\program files\Git\libexec\git-core\git-add.exe

c:\program files\Git\libexec\git-core\git-annotate.exe

c:\program files\Git\libexec\git-core\git-apply.exe

c:\program files\Git\libexec\git-core\git-archive.exe

c:\program files\Git\libexec\git-core\git-bisect--helper.exe

c:\program files\Git\libexec\git-core\git-blame.exe

c:\program files\Git\libexec\git-core\git-branch.exe

c:\program files\Git\libexec\git-core\git-bundle.exe

c:\program files\Git\libexec\git-core\git-cat-file.exe

c:\program files\Git\libexec\git-core\git-check-attr.exe

c:\program files\Git\libexec\git-core\git-check-ref-format.exe

c:\program files\Git\libexec\git-core\git-checkout-index.exe

c:\program files\Git\libexec\git-core\git-checkout.exe

c:\program files\Git\libexec\git-core\git-cherry-pick.exe

c:\program files\Git\libexec\git-core\git-cherry.exe

c:\program files\Git\libexec\git-core\git-clean.exe

c:\program files\Git\libexec\git-core\git-clone.exe

c:\program files\Git\libexec\git-core\git-commit-tree.exe

c:\program files\Git\libexec\git-core\git-commit.exe

c:\program files\Git\libexec\git-core\git-config.exe

c:\program files\Git\libexec\git-core\git-count-objects.exe

c:\program files\Git\libexec\git-core\git-describe.exe

c:\program files\Git\libexec\git-core\git-diff-files.exe

c:\program files\Git\libexec\git-core\git-diff-index.exe

c:\program files\Git\libexec\git-core\git-diff-tree.exe

c:\program files\Git\libexec\git-core\git-diff.exe

c:\program files\Git\libexec\git-core\git-fast-export.exe

c:\program files\Git\libexec\git-core\git-fetch-pack.exe

c:\program files\Git\libexec\git-core\git-fetch.exe

c:\program files\Git\libexec\git-core\git-fmt-merge-msg.exe

c:\program files\Git\libexec\git-core\git-for-each-ref.exe

c:\program files\Git\libexec\git-core\git-format-patch.exe

c:\program files\Git\libexec\git-core\git-fsck-objects.exe

c:\program files\Git\libexec\git-core\git-fsck.exe

c:\program files\Git\libexec\git-core\git-gc.exe

c:\program files\Git\libexec\git-core\git-get-tar-commit-id.exe

c:\program files\Git\libexec\git-core\git-grep.exe

c:\program files\Git\libexec\git-core\git-hash-object.exe

c:\program files\Git\libexec\git-core\git-help.exe

c:\program files\Git\libexec\git-core\git-index-pack.exe

c:\program files\Git\libexec\git-core\git-init-db.exe

c:\program files\Git\libexec\git-core\git-init.exe

c:\program files\Git\libexec\git-core\git-log.exe

c:\program files\Git\libexec\git-core\git-ls-files.exe

c:\program files\Git\libexec\git-core\git-ls-remote.exe

c:\program files\Git\libexec\git-core\git-ls-tree.exe

c:\program files\Git\libexec\git-core\git-mailinfo.exe

c:\program files\Git\libexec\git-core\git-mailsplit.exe

c:\program files\Git\libexec\git-core\git-merge-base.exe

c:\program files\Git\libexec\git-core\git-merge-file.exe

c:\program files\Git\libexec\git-core\git-merge-index.exe

c:\program files\Git\libexec\git-core\git-merge-ours.exe

c:\program files\Git\libexec\git-core\git-merge-recursive.exe

c:\program files\Git\libexec\git-core\git-merge-subtree.exe

c:\program files\Git\libexec\git-core\git-merge-tree.exe

c:\program files\Git\libexec\git-core\git-merge.exe

c:\program files\Git\libexec\git-core\git-mktag.exe

c:\program files\Git\libexec\git-core\git-mktree.exe

c:\program files\Git\libexec\git-core\git-mv.exe

c:\program files\Git\libexec\git-core\git-name-rev.exe

c:\program files\Git\libexec\git-core\git-notes.exe

c:\program files\Git\libexec\git-core\git-pack-objects.exe

c:\program files\Git\libexec\git-core\git-pack-redundant.exe

c:\program files\Git\libexec\git-core\git-pack-refs.exe

c:\program files\Git\libexec\git-core\git-patch-id.exe

c:\program files\Git\libexec\git-core\git-peek-remote.exe

c:\program files\Git\libexec\git-core\git-prune-packed.exe

c:\program files\Git\libexec\git-core\git-prune.exe

c:\program files\Git\libexec\git-core\git-push.exe

c:\program files\Git\libexec\git-core\git-read-tree.exe

c:\program files\Git\libexec\git-core\git-receive-pack.exe

c:\program files\Git\libexec\git-core\git-reflog.exe

c:\program files\Git\libexec\git-core\git-remote.exe

c:\program files\Git\libexec\git-core\git-replace.exe

c:\program files\Git\libexec\git-core\git-repo-config.exe

c:\program files\Git\libexec\git-core\git-rerere.exe

c:\program files\Git\libexec\git-core\git-reset.exe

c:\program files\Git\libexec\git-core\git-rev-list.exe

c:\program files\Git\libexec\git-core\git-rev-parse.exe

c:\program files\Git\libexec\git-core\git-revert.exe

c:\program files\Git\libexec\git-core\git-rm.exe

c:\program files\Git\libexec\git-core\git-send-pack.exe

c:\program files\Git\libexec\git-core\git-shortlog.exe

c:\program files\Git\libexec\git-core\git-show-branch.exe

c:\program files\Git\libexec\git-core\git-show-ref.exe

c:\program files\Git\libexec\git-core\git-show.exe

c:\program files\Git\libexec\git-core\git-stage.exe

c:\program files\Git\libexec\git-core\git-status.exe

c:\program files\Git\libexec\git-core\git-stripspace.exe

c:\program files\Git\libexec\git-core\git-symbolic-ref.exe

c:\program files\Git\libexec\git-core\git-tag.exe

c:\program files\Git\libexec\git-core\git-tar-tree.exe

c:\program files\Git\libexec\git-core\git-unpack-file.exe

c:\program files\Git\libexec\git-core\git-unpack-objects.exe

c:\program files\Git\libexec\git-core\git-update-index.exe

c:\program files\Git\libexec\git-core\git-update-ref.exe

c:\program files\Git\libexec\git-core\git-update-server-info.exe

c:\program files\Git\libexec\git-core\git-upload-archive.exe

c:\program files\Git\libexec\git-core\git-var.exe

c:\program files\Git\libexec\git-core\git-verify-pack.exe

c:\program files\Git\libexec\git-core\git-verify-tag.exe

c:\program files\Git\libexec\git-core\git-whatchanged.exe

c:\program files\Git\libexec\git-core\git-write-tree.exe

c:\program files\Git\libexec\git-core\git.exe

.

.

((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))

.



2010-11-09 14:11 . 2010-11-09 14:11 -------- d-----w- c:\users\slave\AppData\Local\Milestone_Systems

2010-11-09 13:30 . 2010-10-07 15:21 6146896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CB8CCEC9-9B50-4F4B-88D9-43697B0B7B55}\mpengine.dll

2010-11-05 11:34 . 2010-11-05 12:08 -------- d-----w- C:\Python26

2010-11-05 08:48 . 2010-11-05 08:48 65024 ----a-w- c:\windows\CabArc.Exe

2010-11-04 17:42 . 2010-11-04 17:42 2266112 ----a-w- c:\windows\system32\python26.dll

2010-11-04 17:42 . 2010-11-04 17:42 3128320 ----a-w- c:\windows\system32\python26_d.dll

2010-11-04 17:10 . 2010-11-04 17:18 -------- d-----w- c:\program files\nasm

2010-11-04 16:58 . 2010-11-04 17:00 -------- d-----w- C:\Perl

2010-11-04 16:26 . 2010-11-04 16:26 -------- d-----w- c:\users\slave\AppData\Roaming\Python

2010-11-04 16:16 . 2010-11-04 16:06 353280 ----a-w- c:\windows\system32\pythoncom26.dll

2010-11-04 16:16 . 2010-11-04 16:05 109568 ----a-w- c:\windows\system32\pywintypes26.dll

2010-11-04 15:44 . 2010-11-04 15:44 -------- d-----w- c:\users\slave\AppData\Roaming\Subversion

2010-11-04 15:42 . 2010-11-04 15:42 -------- d-----w- c:\program files\Subversion

2010-11-04 13:43 . 2009-07-23 03:08 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll

2010-11-04 13:42 . 2009-07-23 03:08 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll

2010-11-04 13:42 . 2010-11-04 13:42 -------- d-----w- c:\windows\system32\RsFx

2010-11-04 13:37 . 2010-11-04 13:37 112832 ----a-w- c:\programdata\Microsoft\VCExpress\10.0\1033\ResourceCache.dll

2010-11-04 13:35 . 2010-11-04 14:55 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0

2010-11-04 13:35 . 2010-11-04 13:35 -------- d-----w- c:\program files\Microsoft Help Viewer

2010-11-04 09:45 . 2010-11-04 09:45 -------- d-----w- c:\programdata\Office Genuine Advantage

2010-11-04 09:42 . 2010-11-04 09:42 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU

2010-11-04 09:40 . 2010-11-04 09:40 -------- d-----w- c:\windows\SQL9_KB970892_ENU

2010-11-04 09:39 . 2010-10-07 15:21 6146896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2010-11-03 13:44 . 2010-11-03 13:45 -------- d-----w- c:\users\slave\AppData\Roaming\gtk-2.0

2010-11-03 13:40 . 2010-11-03 13:40 -------- d--h--w- c:\programdata\CanonIJScan

2010-11-03 13:40 . 2010-11-03 13:40 -------- d-----w- c:\users\slave\AppData\Roaming\Canon

2010-11-03 13:38 . 2010-11-03 14:27 -------- d-----w- c:\users\slave\.gimp-2.6

2010-11-03 13:38 . 2010-11-03 13:38 -------- d-----w- c:\program files\GIMP-2.0

2010-11-03 13:35 . 2010-11-03 13:35 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information

2010-11-03 13:35 . 2010-03-29 16:31 438272 ----a-w- c:\windows\system32\CNQ4809L.dll

2010-11-03 13:35 . 2010-03-18 16:12 1335296 ----a-w- c:\windows\system32\CNQ4809C.dll

2010-11-03 13:35 . 2010-03-18 16:12 114688 ----a-w- c:\windows\system32\CNQ4809I.dll

2010-11-03 13:35 . 2010-03-18 16:11 106496 ----a-w- c:\windows\system32\CNQ4809U.dll

2010-11-03 13:35 . 2008-08-25 17:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll

2010-11-03 11:19 . 2010-11-03 11:19 -------- d-----w- c:\windows\en

2010-11-03 11:19 . 2010-11-03 11:19 -------- dc----w- c:\windows\system32\DRVSTORE

2010-11-03 11:19 . 2010-09-22 23:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys

2010-11-03 11:17 . 2010-11-03 11:20 -------- d-----w- c:\program files\Windows Live

2010-11-03 11:17 . 2010-11-09 14:29 -------- d-----w- c:\program files\Microsoft

2010-11-03 11:17 . 2009-09-04 16:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll

2010-11-03 11:17 . 2009-09-04 16:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll

2010-11-03 11:17 . 2009-09-04 16:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

2010-11-03 11:17 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll

2010-11-03 11:16 . 2010-11-04 09:44 -------- d-----w- c:\program files\Microsoft Silverlight

2010-11-03 11:12 . 2010-11-09 14:26 -------- d-----w- c:\users\slave\AppData\Local\Windows Live

2010-11-03 11:12 . 2010-11-03 11:12 -------- d-----w- c:\program files\Common Files\Windows Live

2010-11-03 11:11 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL

2010-11-03 11:11 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll

2010-11-03 11:11 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll

2010-11-03 11:07 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll

2010-11-03 11:07 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll

2010-11-03 11:07 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax

2010-11-03 11:07 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax

2010-11-03 11:07 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys

2010-11-03 10:31 . 2010-11-03 10:31 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-11-02 13:48 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{848BBEAF-6761-4FAC-981C-E7642F320F6E}\mpengine.dll

2010-10-21 06:15 . 2010-03-04 04:04 146304 ----a-w- c:\windows\system32\drivers\usbvideo.sys

2010-10-21 06:15 . 2010-03-04 03:57 190976 ----a-w- c:\windows\system32\drivers\ks.sys

2010-10-21 06:15 . 2010-08-27 05:30 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll

2010-10-20 10:43 . 2010-10-20 10:43 -------- d-----w- c:\program files\Common Files\Adobe

2010-10-20 10:27 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll

2010-10-12 13:05 . 2010-10-12 13:05 -------- d-----w- c:\users\slave\.idlerc



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-04 09:34 . 2010-10-06 09:14 729464 ----a-w- c:\windows\autoruns.exe

2010-11-04 09:34 . 2010-10-06 09:13 594296 ----a-w- c:\windows\autorunsc.exe

2010-10-19 20:51 . 2010-09-13 13:05 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-23 13:41 . 2010-09-23 13:41 26861 ----a-w- c:\windows\system32\tmp8FD5.tmp

2010-09-23 13:40 . 2010-09-23 13:40 27802 ----a-w- c:\windows\system32\tmp5B6C.tmp

2010-09-23 13:39 . 2010-09-23 13:39 34183 ----a-w- c:\windows\system32\tmpBB46.tmp

2010-09-23 12:30 . 2010-09-23 12:30 6908 ----a-w- c:\windows\system32\tmpDA96.tmp

2010-09-23 12:29 . 2010-09-23 12:29 26479 ----a-w- c:\windows\system32\tmpAE09.tmp

2010-09-23 12:29 . 2010-09-23 12:29 27562 ----a-w- c:\windows\system32\tmpA0C.tmp

2010-09-23 12:13 . 2010-09-23 12:13 25903 ----a-w- c:\windows\system32\tmpC9E0.tmp

2010-09-23 07:54 . 2010-09-23 07:54 36905 ----a-w- c:\windows\system32\tmpC44F.tmp

2010-09-23 07:54 . 2010-09-23 07:54 22838 ----a-w- c:\windows\system32\tmp7BAA.tmp

2010-09-23 07:13 . 2010-09-23 07:13 18144 ----a-w- c:\windows\system32\tmpAB9E.tmp

2010-09-23 07:12 . 2010-09-23 07:12 25337 ----a-w- c:\windows\system32\tmp3D9F.tmp

2010-09-23 07:04 . 2010-09-23 07:04 24782 ----a-w- c:\windows\system32\tmpE3FA.tmp

2010-09-23 07:03 . 2010-09-23 07:03 26000 ----a-w- c:\windows\system32\tmp25E8.tmp

2010-09-23 06:37 . 2010-09-23 06:37 25524 ----a-w- c:\windows\system32\tmp2AE.tmp

2010-09-22 23:47 . 2010-09-22 23:47 49016 ----a-w- c:\windows\system32\sirenacm.dll

2010-09-22 23:32 . 2010-09-22 23:32 301936 ----a-w- c:\windows\WLXPGSS.SCR

2010-09-22 17:09 . 2010-09-22 17:09 26189 ----a-w- c:\windows\system32\tmpD087.tmp

2010-09-22 17:07 . 2010-09-22 17:07 27025 ----a-w- c:\windows\system32\tmp3A6.tmp

2010-09-22 16:41 . 2010-09-22 16:41 26218 ----a-w- c:\windows\system32\tmpC78F.tmp

2010-09-22 14:39 . 2010-09-22 14:39 25625 ----a-w- c:\windows\system32\tmpC7C2.tmp

2010-09-22 14:36 . 2010-09-22 14:36 19503 ----a-w- c:\windows\system32\tmp5292.tmp

2010-09-22 14:36 . 2010-09-22 14:36 20956 ----a-w- c:\windows\system32\tmp1FCE.tmp

2010-09-22 14:23 . 2010-09-22 14:23 19794 ----a-w- c:\windows\system32\tmpB23C.tmp

2010-09-22 14:22 . 2010-09-22 14:22 19797 ----a-w- c:\windows\system32\tmp337B.tmp

2010-09-22 14:20 . 2010-09-22 14:20 19447 ----a-w- c:\windows\system32\tmpB4C9.tmp

2010-09-22 14:19 . 2010-09-22 14:19 21215 ----a-w- c:\windows\system32\tmpB313.tmp

2010-09-22 14:16 . 2010-09-22 14:16 19779 ----a-w- c:\windows\system32\tmp4830.tmp

2010-09-22 14:15 . 2010-09-22 14:15 20854 ----a-w- c:\windows\system32\tmp2341.tmp

2010-09-22 14:10 . 2010-09-22 14:10 17398 ----a-w- c:\windows\system32\tmpA78C.tmp

2010-09-22 14:09 . 2010-09-22 14:09 17374 ----a-w- c:\windows\system32\tmp62CE.tmp

2010-09-22 13:41 . 2010-09-22 13:41 13387 ----a-w- c:\windows\system32\tmpD434.tmp

2010-09-22 13:11 . 2010-09-22 13:11 15899 ----a-w- c:\windows\system32\tmp5276.tmp

2010-09-22 12:33 . 2010-09-22 12:33 19528 ----a-w- c:\windows\system32\tmp4200.tmp

2010-09-22 12:31 . 2010-09-22 12:31 17317 ----a-w- c:\windows\system32\tmp2194.tmp

2010-09-22 11:49 . 2010-09-22 11:49 22711 ----a-w- c:\windows\system32\tmp169A.tmp

2010-09-22 11:49 . 2010-09-22 11:49 21883 ----a-w- c:\windows\system32\tmp11F7.tmp

2010-09-22 11:46 . 2010-09-22 11:46 25835 ----a-w- c:\windows\system32\tmp4045.tmp

2010-09-22 11:41 . 2010-09-22 11:41 19417 ----a-w- c:\windows\system32\tmp95D.tmp

2010-09-22 11:40 . 2010-09-22 11:40 19673 ----a-w- c:\windows\system32\tmp24A.tmp

2010-09-22 11:40 . 2010-09-22 11:40 19632 ----a-w- c:\windows\system32\tmpF7DC.tmp

2010-09-22 11:35 . 2010-09-22 11:35 23202 ----a-w- c:\windows\system32\tmp792B.tmp

2010-09-22 11:31 . 2010-09-22 11:31 26755 ----a-w- c:\windows\system32\tmp716.tmp

2010-09-22 11:31 . 2010-09-22 11:31 24944 ----a-w- c:\windows\system32\tmpA0A6.tmp

2010-09-22 11:22 . 2010-09-22 11:22 28175 ----a-w- c:\windows\system32\tmp5FCE.tmp

2010-09-22 11:21 . 2010-09-22 11:21 27017 ----a-w- c:\windows\system32\tmpDA59.tmp

2010-09-22 11:00 . 2010-09-22 11:00 25029 ----a-w- c:\windows\system32\tmp4FE4.tmp

2010-09-22 11:00 . 2010-09-22 11:00 22541 ----a-w- c:\windows\system32\tmpFF6.tmp

2010-09-22 10:49 . 2010-09-22 10:49 26614 ----a-w- c:\windows\system32\tmp7904.tmp

2010-09-22 10:46 . 2010-09-22 10:46 26035 ----a-w- c:\windows\system32\tmpF62D.tmp

2010-09-22 10:45 . 2010-09-22 10:45 21554 ----a-w- c:\windows\system32\tmp6EF5.tmp

2010-09-22 10:45 . 2010-09-22 10:45 20909 ----a-w- c:\windows\system32\tmp4026.tmp

2010-09-22 10:44 . 2010-09-22 10:44 20750 ----a-w- c:\windows\system32\tmp151F.tmp

2010-09-22 10:44 . 2010-09-22 10:44 20634 ----a-w- c:\windows\system32\tmpE642.tmp

2010-09-22 10:44 . 2010-09-22 10:44 21124 ----a-w- c:\windows\system32\tmpBB4B.tmp

2010-09-22 10:44 . 2010-09-22 10:44 21246 ----a-w- c:\windows\system32\tmp8C6D.tmp

2010-09-22 10:44 . 2010-09-22 10:44 20650 ----a-w- c:\windows\system32\tmp5D90.tmp

2010-09-22 10:43 . 2010-09-22 10:43 21051 ----a-w- c:\windows\system32\tmp3289.tmp

2010-09-22 10:43 . 2010-09-22 10:43 20949 ----a-w- c:\windows\system32\tmp3AB.tmp

2010-09-22 10:43 . 2010-09-22 10:43 21179 ----a-w- c:\windows\system32\tmpD4CE.tmp

2010-09-22 10:43 . 2010-09-22 10:43 21032 ----a-w- c:\windows\system32\tmpA9D7.tmp

2010-09-22 10:43 . 2010-09-22 10:43 21031 ----a-w- c:\windows\system32\tmp7AF9.tmp

2010-09-22 10:42 . 2010-09-22 10:42 21088 ----a-w- c:\windows\system32\tmp4C2C.tmp

2010-09-22 10:42 . 2010-09-22 10:42 21171 ----a-w- c:\windows\system32\tmp1D3E.tmp

2010-09-22 10:42 . 2010-09-22 10:42 21154 ----a-w- c:\windows\system32\tmpF238.tmp

2010-09-22 10:42 . 2010-09-22 10:42 20829 ----a-w- c:\windows\system32\tmpC35A.tmp

2010-09-22 10:42 . 2010-09-22 10:42 21167 ----a-w- c:\windows\system32\tmp947D.tmp

2010-09-22 10:41 . 2010-09-22 10:41 20980 ----a-w- c:\windows\system32\tmp65AF.tmp

2010-09-22 10:41 . 2010-09-22 10:41 22048 ----a-w- c:\windows\system32\tmp3AA8.tmp

2010-09-22 10:41 . 2010-09-22 10:41 20899 ----a-w- c:\windows\system32\tmpFB1.tmp

2010-09-22 10:41 . 2010-09-22 10:41 21030 ----a-w- c:\windows\system32\tmpE0D4.tmp

2010-09-22 10:41 . 2010-09-22 10:41 20998 ----a-w- c:\windows\system32\tmpB1F6.tmp

2010-09-22 10:40 . 2010-09-22 10:40 21006 ----a-w- c:\windows\system32\tmp7F32.tmp

2010-09-22 10:40 . 2010-09-22 10:40 20831 ----a-w- c:\windows\system32\tmp542C.tmp

2010-09-22 10:40 . 2010-09-22 10:40 20771 ----a-w- c:\windows\system32\tmp254E.tmp

2010-09-22 10:40 . 2010-09-22 10:40 21031 ----a-w- c:\windows\system32\tmpF671.tmp

2010-09-22 10:40 . 2010-09-22 10:40 21013 ----a-w- c:\windows\system32\tmpC793.tmp

2010-09-22 10:39 . 2010-09-22 10:39 21014 ----a-w- c:\windows\system32\tmp98B6.tmp

2010-09-22 10:39 . 2010-09-22 10:39 20647 ----a-w- c:\windows\system32\tmp6DBF.tmp

2010-09-22 10:39 . 2010-09-22 10:39 22429 ----a-w- c:\windows\system32\tmp4373.tmp

2010-09-22 10:39 . 2010-09-22 10:39 22429 ----a-w- c:\windows\system32\tmp42B6.tmp

2010-09-22 10:39 . 2010-09-22 10:39 22073 ----a-w- c:\windows\system32\tmp17BF.tmp

2010-09-22 10:39 . 2010-09-22 10:39 21564 ----a-w- c:\windows\system32\tmpE8E2.tmp

2010-09-22 10:39 . 2010-09-22 10:39 22032 ----a-w- c:\windows\system32\tmpBA04.tmp

2010-09-22 10:38 . 2010-09-22 10:38 21788 ----a-w- c:\windows\system32\tmp8B36.tmp

2010-09-22 10:38 . 2010-09-22 10:38 21929 ----a-w- c:\windows\system32\tmp5C49.tmp

2010-09-22 10:38 . 2010-09-22 10:38 22109 ----a-w- c:\windows\system32\tmp2D6C.tmp

2010-09-22 10:38 . 2010-09-22 10:38 21465 ----a-w- c:\windows\system32\tmp265.tmp

2010-09-22 10:38 . 2010-09-22 10:38 21672 ----a-w- c:\windows\system32\tmpD397.tmp

2010-09-22 10:37 . 2010-09-22 10:37 22131 ----a-w- c:\windows\system32\tmpA4BA.tmp

2010-09-22 10:37 . 2010-09-22 10:37 22242 ----a-w- c:\windows\system32\tmp79B3.tmp

2010-09-22 10:37 . 2010-09-22 10:37 21819 ----a-w- c:\windows\system32\tmp4AD5.tmp

2010-09-22 10:37 . 2010-09-22 10:37 21527 ----a-w- c:\windows\system32\tmp1812.tmp

2010-09-22 10:37 . 2010-09-22 10:37 22028 ----a-w- c:\windows\system32\tmpE934.tmp

2010-09-22 10:36 . 2010-09-22 10:36 21940 ----a-w- c:\windows\system32\tmpBA57.tmp

2010-09-22 10:36 . 2010-09-22 10:36 21899 ----a-w- c:\windows\system32\tmp8F50.tmp

2010-09-22 10:36 . 2010-09-22 10:36 21966 ----a-w- c:\windows\system32\tmp6072.tmp

2010-09-22 10:36 . 2010-09-22 10:36 21903 ----a-w- c:\windows\system32\tmp357B.tmp

.



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\users\slave\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-09-13 136176]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-09 36864]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2010-07-09 261736]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]



c:\users\slave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

start bitten slave.lnk - c:\users\slave\Desktop\bitten\run.bat [2010-9-13 119]



c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Recording Server Manager.lnk - c:\program files\Milestone\Milestone Surveillance\RecordingServerManager.exe [2010-1-28 193960]

XProtect Transact Tray Manager.lnk - c:\windows\Installer\{B56D8EEA-13C9-4B7C-80E1-ECFFE09A7A3F}\_2E9132426D3EB2EF522CCA.exe [2010-11-8 32038]



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv



[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"



R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 EventProxyService;VideoOS Event Proxy Service;c:\program files\Milestone\XProtect Analytics\VideoOS.EventProxy.EventProxyService.exe [2010-07-12 15288]

R2 Milestone Image Import Service;Milestone Image Import Service;c:\program files\Milestone\Milestone Surveillance\ImageImportService.exe [2010-01-28 6336512]

R2 Milestone Log Check Service;Milestone Log Check Service;c:\program files\Milestone\Milestone Surveillance\ELFFLogCheckerService.exe [2010-01-28 364544]

R2 Milestone Recording Server;Milestone Recording Server;c:\program files\Milestone\Milestone Surveillance\RecordingServer.exe [2010-01-28 7155712]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-13 1343400]

R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]

R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-30 239336]

R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-30 366936]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]

S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-09-13 691696]

S2 Milestone Image Server;Milestone Image Server;c:\program files\Milestone\Milestone Surveillance\ImageServer.exe [2010-01-28 7446528]

S2 Milestone Service Control;Milestone Service Control;c:\program files\Milestone\Milestone Surveillance\VideoOS.ServiceControl.Service.exe [2010-01-28 14336]

S2 MSSQL$VIDEOOS_TRANSACT;SQL Server (VIDEOOS_TRANSACT);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]

S2 VideoOSTransactService;Milestone XProtect Transact Service;c:\program files\Milestone\XProtect Transact\VideoOS.Transact.TransactService.exe [2010-05-05 75224]

S2 XProtect Generic VA Server;XProtect Generic VA Server;c:\program files\Milestone\XProtect Analytics\xpahost.exe [2010-07-12 980424]

S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-13 45736]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]

S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]

S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]



.

Contents of the 'Scheduled Tasks' folder



2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405215052-172305981-3784324679-1000Core.job

- c:\users\slave\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 12:53]



2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2405215052-172305981-3784324679-1000UA.job

- c:\users\slave\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-13 12:53]

.

.

------- Supplementary Scan -------

.

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.1.110/activex/AMC.cab

.



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_USERS\S-1-5-21-2405215052-172305981-3784324679-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.Email.1"



[HKEY_USERS\S-1-5-21-2405215052-172305981-3784324679-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]

@Denied: (2) (LocalSystem)

"Progid"="WindowsLiveMail.VCard.1"



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2010-11-10 14:01:14

ComboFix-quarantined-files.txt 2010-11-10 13:01



Pre-Run: 202,016,448,512 bytes free

Post-Run: 202,663,260,160 bytes free



- - End Of File - - A1254F832BCC5654304D47C268A94133


Please help :)
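As an added example, not part of this thread and not ComboFix's own code: a small Python triage script that walks a log in the format posted above and pulls out the items a responder would look at first. The sample log embedded in it is constructed from a handful of lines copied from the log above (not the whole log); the regular expressions and the `parse` and `findings` names are this example's own and assume nothing about ComboFix beyond the line shapes visible in the post.

```python
"""Triage helper for ComboFix-style log text.

Added example, not ComboFix's own code. It walks a log in the format posted
above and pulls out the items a responder would want to look at first: UAC
policy values set to their weakened value, entries under the Run keys,
Downloaded Program Files (DPF) entries, and *.tmp files written straight
into system32. Every output line is a review item, not a verdict: a Run
entry or a .tmp file is not malicious just for being listed, it is listed
so a human checks its origin.
"""
import ipaddress
import re

POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"

# What a value of 0 means for these policy names (Microsoft's documented
# semantics); 0 is the weakened setting for all three.
WEAK_UAC = {
    "EnableLUA": "UAC disabled entirely",
    "ConsentPromptBehaviorAdmin": "administrators elevate without any prompt",
    "PromptOnSecureDesktop": "elevation prompts are not shown on the secure desktop",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[[\d-]+\s+\d+\]')
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")
HOST_RE = re.compile(r"^hxxps?://(?P<host>[^/:]+)", re.IGNORECASE)

# Constructed sample in the same shape as the log above: a few lines copied
# from it, not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\slave\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-09-13 136176]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
2010-09-23 13:41 . 2010-09-23 13:41 26861 ----a-w- c:\windows\system32\tmp8FD5.tmp
2010-09-23 13:40 . 2010-09-23 13:40 27802 ----a-w- c:\windows\system32\tmp5B6C.tmp
2010-11-05 11:34 . 2010-11-05 12:08 -------- d-----w- C:\Python26
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://192.168.1.110/activex/AMC.cab
"""


def parse(text):
    """Single pass over the log, tracking which registry key is current."""
    out = {"uac": {}, "run": [], "tmp_in_system32": [], "dpf": []}
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and key.endswith(POLICY_KEY):
            out["uac"][m.group("name")] = int(m.group("val"))
            continue
        m = RUN_RE.match(line)
        if m and key.endswith(r"\currentversion\run"):
            out["run"].append((m.group("name"), m.group("path")))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            low = path.lower()
            if low.startswith(r"c:\windows\system32\tmp") and low.endswith(".tmp"):
                out["tmp_in_system32"].append(path)
            continue
        m = DPF_RE.match(line)
        if m:
            out["dpf"].append((m.group("clsid"), m.group("url")))
    return out


def findings(parsed):
    """Review items, roughly in the order a responder would take them."""
    items = []
    for name, meaning in WEAK_UAC.items():
        if parsed["uac"].get(name) == 0:
            items.append(f"UAC: {name}=0 ({meaning})")
    for clsid, url in parsed["dpf"]:
        note = "ActiveX control source; confirm it is expected"
        m = HOST_RE.match(url)
        if m:
            try:
                if ipaddress.ip_address(m.group("host")).is_private:
                    note = "ActiveX control served from a private (LAN) address; confirm which internal host"
            except ValueError:
                pass  # a hostname rather than a literal IP address
        items.append(f"DPF: {clsid} from {url} ({note})")
    tmp = parsed["tmp_in_system32"]
    if tmp:
        items.append(f"{len(tmp)} *.tmp file(s) written directly into system32; check what created them")
    for name, path in parsed["run"]:
        items.append(f"Run entry: {name} -> {path}")
    return items


if __name__ == "__main__":
    for item in findings(parse(SAMPLE_LOG)):
        print(item)
```

Run against the full log above this would report the three UAC policies set to 0 (UAC off, silent elevation for administrators, no secure desktop), the ActiveX package fetched from 192.168.1.110, and the long run of tmp*.tmp files in system32 from 22 and 23 September. None of that is proof of a Torpig infection on its own; it is the list of things to check and to tighten before the machine is trusted again, which is the kind of reliable, repeatable check the question in this thread asks for.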



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:49 PM

Posted 10 November 2010 - 12:38 PM

Hello tauran ,


A few things here......first, Torpig is a backdoor infection. Any of the machines with this indicated should be reformatted, especially since they are business computers likely to have sensitive information on them. I cannot promise you totally secure machines.

ComboFix is not a toy and should not be run on your own....most especially with W7. I hope you didn't damage any of the W7 systems you might have.

Lastly, are you the IT person? Is there an IT department for this business?

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 tauran

tauran
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:49 PM

Posted 10 November 2010 - 01:47 PM

Thanks for the welcome.

Hello tauran ,


A few things here......first, Torpig is a backdoor infection. Any of the machines with this indicated should be reformatted, especially since they are business computers likely to have sensitive information on them. I cannot promise you totally secure machines.

I feared so.

> ComboFix is not a toy and should not be run on your own... most especially with W7. I hope you didn't damage any of the W7 systems you might have.

Well that's why I only ran it on a test machine, which gets reformatted from time to time and doesn't have any important data on it.

> Lastly, are you the IT person? Is there an IT department for this business?

We don't have either of them - very small company... :)
So is there no reliable way of infection detection?

#4 teacup61 (Malware Response Team)

Posted 10 November 2010 - 01:56 PM

> So is there no reliable way of infection detection?

Sure there is... or you would not have found it to begin with, right? The trick is knowing what you can and can't get rid of completely once a system is compromised like that. What that infection does is steal information. So even when the infection itself is gone, the information on the system is still compromised, especially passwords, account numbers, etc. See what I mean?

#5 tauran (Topic Starter)

Posted 10 November 2010 - 02:29 PM

Well, the test machine has no valuable information. If I could clean it I wouldn't have to reinstall it.
@infection detection: All our computers were tested clean by different security programs, yet our ISP reported Torpig/Mebroot activity from our network :(
So I don't know how to detect the infection reliably. If I reinstall and the infection comes back through some careless user, the whole game starts anew.
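The situation tauran describes, every machine scanning clean while the ISP still sees Torpig/Mebroot traffic, is what an MBR rootkit produces. Mebroot replaces the master boot record and loads before Windows, so a file-based scanner running inside the infected OS has nothing on disk to flag, and the running rootkit can return the original sector to tools that read the MBR from within that OS. The following is an added example, not code from this thread or from any tool named in it: a Python parser for a 512-byte MBR that checks the 0x55AA signature, decodes the partition table, and compares the SHA-256 of the bootstrap code region (bytes 0 to 439, excluding the per-disk signature that follows it) against a baseline hash. The baseline, the sample sectors and the device paths are constructed or assumed. Read sector 0 from outside the suspect OS (boot from clean media), and take the baseline from a trusted machine installed the same way, since the bootstrap code matches across such installs while the disk signature and partition table do not.

```python
"""Parse a 512-byte master boot record and compare its bootstrap code
against a known-good baseline.

Added example for this thread, not code from BleepingComputer or from any
tool mentioned in it. The sample MBRs below are constructed; BASELINE_HASH
stands in for one taken from a trusted, freshly installed machine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def read_mbr(device_path):
    """Read sector 0 from a raw device.
    Assumed paths: r"\\.\PhysicalDrive0" on Windows (administrator) or
    "/dev/sda" on Linux (root). Do this from clean boot media, not from
    inside the suspect OS, or an active rootkit can hide the real sector."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_partitions(mbr):
    """Decode the four partition table entries (type 0 = unused slot)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_hash(mbr):
    """SHA-256 of the bootstrap code only; the 4-byte disk signature at
    offset 440 differs per disk and is deliberately excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means the sector looks as expected."""
    if len(mbr) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR_SIZE)]
    findings = []
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable, expected 1" % len(bootable))
    for p in parts:
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append("entry %d is type 0 but has a non-zero extent" % p["index"])
    return findings


def make_mbr(bootcode, partitions):
    """Build a constructed 512-byte MBR for the demo: bootcode padded to 440
    bytes, a dummy disk signature, up to four (status, type, lba, count)
    entries, then the 0x55AA signature."""
    code = bootcode.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", s, t, l, n) for s, t, l, n in partitions)
    return code + b"\x12\x34\x56\x78\x00\x00" + table.ljust(64, b"\x00") + MBR_SIGNATURE


# Constructed stand-in for a sector dumped from a trusted, freshly installed machine.
CLEAN_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 100000000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c constructed clean bootstrap", CLEAN_PARTS)
BASELINE_HASH = bootcode_hash(CLEAN_MBR)

# Constructed tampered sector: same partition table, different bootstrap code,
# which is the shape of an MBR rootkit infection.
TAMPERED_MBR = make_mbr(b"\xeb\x3c constructed rootkit loader stub", CLEAN_PARTS)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(mbr, BASELINE_HASH)
        print("%s: %s" % (name, "OK" if not findings else "; ".join(findings)))
```

Run check_mbr() on the sector from each machine against the one baseline. A non-empty findings list on a machine that every scanner passed is the signal that the scanners were looking in the wrong place, and that machine is one to wipe rather than clean, which is the advice tea gives above.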

#6 teacup61 (Malware Response Team)

Posted 10 November 2010 - 02:46 PM

Let's have a look to be sure then so you can either confirm or refute the ISP info :

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

You can run this on ANY of the systems, no problem :)

Thanks,
tea

#7 tauran (Topic Starter)

Posted 15 November 2010 - 06:51 AM

Ok. So far we found one infected computer.
Otherwise everything seems fine at the moment ...

#8 teacup61 (Malware Response Team)

Posted 15 November 2010 - 11:54 AM

Hello there,

What is the ISP saying today after cleaning them? Have you done all of them? Also, don't forget you cannot run ComboFix on your W7 or 64 bit systems. :wink: After this long, ComboFix should really be uninstalled since it's updated so often, and a fresh one IF we need it. :)

Uninstall ComboFix by doing the following :

Click Start>Run>Type in, or copy and paste ComboFix /Uninstall > click OK

tea

#9 teacup61 (Malware Response Team)

Posted 19 November 2010 - 11:25 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.