
infected by Torpig ?


  • This topic is locked
21 replies to this topic

#1 nicoco

  • Members
  • 11 posts

Posted 31 May 2011 - 10:39 PM

Hello,

I found out that my network has been blocked by the CBL ( http://cbl.abuseat.org/lookup.cgi?ip=61.9.245.10&.submit=Lookup ).
According to them, one of my computers is hosting Torpig.
I have run several tools including AVG Pro, Malwarebytes and Spybot, and decided to request to be unlisted, but I got relisted this morning.

In the past few days I have looked at the info given by the CBL, especially the precise times when the infection was detected. At these times there are usually only a couple of computers turned on, and it appears that the problem is coming from one of my new Windows 7 x64 computers, which have the same installed programs etc.
I have run some tools (DDS and HJT) on one of them; here they are.

If you have any information on how to detect/remove Torpig, I would LOVE to hear it...
I am planning on implementing a scan on my network, just waiting for some hardware to be delivered and installed...

Thank you for your help

Nic


.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.7601.17514
Run by admin2 at 11:23:05 on 2011-06-01
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.8055.6150 [GMT 8:00]
.
AV: AVG Internet Security Business Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security Business Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\ATService.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\OEM\USBDECTION\USBS3S4Detection.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\AVG\AVG10\avgam.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\TrustedNet Connect 2.1\TNCTray.exe
C:\Program Files (x86)\TrustedNet Connect 2.1\tncservice.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\Java\jre7\bin\jusched.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\icelive\Copyshop.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
\\tls-server\Company\Staff Folders\Nick\Malicious software removal tool\dds.scr
C:\Windows\SysWOW64\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com.au/
uDefault_Page_URL = hxxp://companyweb
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [TrustedNet Connect 2.x] "C:\Program Files (x86)\TrustedNet Connect 2.1\TNCTray.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [OOTag] C:\Program Files (x86)\Acer\OOBEOffer\OOTag.exe
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
mRun: [gemstrmw] C:\Windows\system32\gemstrmw.exe /r
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre7\bin\jusched.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: telstra.com
Trusted Zone: telstra.com.au
DPF: {02B7146F-723A-4B80-A597-F0AA74B40520} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_UInbox.cab
DPF: {150C4895-B693-4FB4-9D3D-09A39066957C} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Marketing_Calendar.cab
DPF: {276BD137-696E-4276-843A-1EEE3C661469} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Configurator.cab
DPF: {4387A5D0-6276-4603-AA29-6EBD09BCEED1} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Prodselection.cab
DPF: {6BACBCAB-3332-4CE6-9BCB-F7808E820F15} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Test_Automation.cab
DPF: {70695156-30ED-4E39-BDEC-CFA9017373FA} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Container_Control.cab
DPF: {72A59E9E-4475-4343-B82E-93EF73F2A104} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Marketing_HTML_Editor.cab
DPF: {79006115-9A97-459D-B7F3-0D07308122BD} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Gantt_Chart.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Desktop_Integration.cab
DPF: {91BBD15D-A065-4BC6-967C-244B6D1EBA2C} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Catalog_Navigator.cab
DPF: {97D6A566-D701-467F-A7B5-19B1F1C35896} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_CTI_Toolbar.cab
DPF: {A351F0E7-DB33-4506-BF0A-622BCF5633E8} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Smartscript.cab
DPF: {B2F2E66A-242C-446C-B20D-A52B54CACF3A} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Marketing_Allocation.cab
DPF: {C1FC96DA-81BE-4836-B3A5-958F55E56E8E} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_OutBound_mail.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {D113F990-B556-4930-8B9D-7A45A8C5DED1} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Microsite_Layout.cab
DPF: {D142D7F2-200E-461D-BBC2-D97AE3632FFF} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_iHelp.cab
DPF: {D1CAF963-A066-4814-9AA7-AC80B0916BF6} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Calendar.cab
DPF: {E709FE80-04E4-4CF9-84AD-7999D449675D} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_HI_Client.cab
DPF: {EFB7D763-97A3-11CF-AE19-00608CEADE00} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\iTools.cab
DPF: {FD83D8B6-1C5A-441D-9FC1-B0E3804B5394} - file://D:\Siebel CRM AND PRM COMPONENTS SOURCE FILES\19251\applets\SiebelAx_Hospitality_Gantt.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssiea.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
mRun-x64: [WavXMgr] "C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe"
mRun-x64: [EmbassySecurityCheck] ";C:\Program Files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe"
mRun-x64: [OOTag] C:\Program Files (x86)\Acer\OOBEOffer\ootag.exe
mRun-x64: [IgfxTray] C:\Windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
mRun-x64: [Persistence] C:\Windows\system32\igfxpers.exe
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 ATService;AuthenTec Fingerprint Service;C:\Program Files\Fingerprint Sensor\ATService.exe [2009-5-16 2682616]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-1-17 13336]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-10-17 369256]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-9-17 2320920]
R2 USBS3S4Detection;USBS3S4Detection;C:\OEM\USBDECTION\USBS3S4Detection.exe [2010-9-17 76320]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\system32\DRIVERS\e1k62x64.sys --> C:\Windows\system32\DRIVERS\e1k62x64.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
R3 TrustedNet Connect 2;TrustedNet Connect 2;C:\Program Files (x86)\TrustedNet Connect 2.1\TNCService.exe [2011-4-12 320408]
S3 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
S3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
S3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 md.WS.Service;SharperLight Service;C:\Program Files (x86)\phiLight\SharperLight\bin\md.WS.Service.exe [2010-8-11 19312]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 SNXPPAMD;SUNIX Parallel Port Driver;C:\Windows\system32\DRIVERS\snxppamd.sys --> C:\Windows\system32\DRIVERS\snxppamd.sys [?]
S3 SNXPSAMD;SUNIX Serial Port Driver;C:\Windows\system32\DRIVERS\snxpsamd.sys --> C:\Windows\system32\DRIVERS\snxpsamd.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
.
=============== Created Last 30 ================
.
2011-06-01 02:53:48 388096 ----a-r- C:\Users\admin2.TLSALB\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-01 02:53:48 -------- d-----w- C:\Program Files (x86)\Trend Micro
2011-05-31 07:16:38 -------- d-----w- C:\Users\admin2.TLSALB\AppData\Roaming\Malwarebytes
2011-05-31 07:16:36 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-31 07:16:36 -------- d-----w- C:\ProgramData\Malwarebytes
2011-05-31 07:16:33 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-31 07:16:33 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-05-30 09:06:32 -------- d-----w- C:\x64
2011-05-25 01:41:53 -------- d-----w- C:\Users\admin2.TLSALB\AppData\Local\CutePDF Writer
2011-05-25 01:41:27 -------- d-----w- C:\Program Files (x86)\GPLGS
2011-05-25 01:41:15 85504 ----a-w- C:\Windows\System32\cpwmon64.dll
2011-05-25 01:41:15 -------- d-----w- C:\Program Files (x86)\Acro Software
2011-05-13 00:52:28 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-05-13 00:52:28 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2011-05-12 08:33:12 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-05-12 08:33:11 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-05-12 08:33:11 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-05-10 09:35:23 -------- d-----w- C:\Program Files (x86)\EASEUS
2011-05-03 03:22:42 -------- d-----w- C:\Users\admin2.TLSALB\AppData\Local\Diagnostics
2011-05-02 08:43:29 -------- d-----w- C:\Users\admin2.TLSALB\AppData\Local\Adobe
.
==================== Find3M ====================
.
2011-04-14 13:28:24 118864 ----a-w- C:\Windows\System32\drivers\AVGIDSDriver.sys
2011-04-12 05:28:06 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-04-12 05:28:06 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-04-12 04:43:24 411368 ----a-w- C:\Windows\SysWow64\deploytk.dll
2011-04-04 16:59:54 377936 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2011-03-16 08:03:18 37456 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2011-03-11 06:34:51 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2011-03-11 06:34:50 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2011-03-11 05:33:59 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2011-03-11 05:33:59 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2011-03-08 06:29:32 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-03-08 05:28:29 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-03-07 06:31:44 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-03-07 05:33:13 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-03-07 04:24:34 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-03-07 03:52:25 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-03-03 06:24:16 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll
2011-03-03 06:21:57 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2011-03-03 05:36:16 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2011-03-03 03:52:08 3135488 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 11:23:18.16 ===============

Attached Files
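A defender-side triage helper for a DDS log like the one posted above, added here as an example (it is not part of the thread, nor DDS's or the poster's code). It parses the 'Running Processes' and 'Pseudo HJT Report' sections and flags the entries a responder would check by hand: binaries outside the Windows/Program Files trees, UNC or user-writable paths, autorun commands with broken quoting, and registered components with no backing file. The sample lines are constructed in DDS's format and the trusted-root list is an assumption, not a DDS setting.

```python
"""Triage helper for the two DDS sections posted above ('Running Processes' and
'Pseudo HJT Report').  Added example; not part of the thread or of DDS itself.
Every hit means 'review this entry by hand', not 'this is malware'."""
import re

# Constructed sample in the DDS layout (a subset, not the poster's full log).
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\icelive\Copyshop.exe
\\tls-server\Company\Staff Folders\Nick\dds.scr
C:\Users\admin2\AppData\Roaming\updater.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com.au/
mRun: [gemstrmw] C:\Windows\system32\gemstrmw.exe /r
mRun-x64: [EmbassySecurityCheck] ";C:\Program Files\Wave\Check.exe"
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[[^\]]*\]\s*(.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|scr|com|dll|bat|cmd))\b", re.I)
# Assumed roots where an installed program normally lives (DDS also prints 8.3 names).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                 "c:\\progra~1\\", "c:\\progra~2\\")
# Folders an unprivileged user, and therefore a dropper, can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")

def parse_sections(text):
    """Split a DDS log into {section name: [lines]}, dropping the '.' spacers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def classify_path(path):
    """Return a review reason for an executable path, or None if it looks ordinary."""
    p = path.strip().strip('"').lower()
    if p.startswith("\\\\"):
        return "runs from a UNC share"
    if any(tag in p for tag in USER_WRITABLE):
        return "runs from a user-writable folder"
    if p.startswith(TRUSTED_ROOTS):
        return None
    if re.match(r"^[a-z]:\\", p):
        return "runs outside Windows/Program Files"
    return "unrecognised path form"

def check_hjt_line(line):
    """Path-check autorun entries; flag orphaned and oddly quoted ones."""
    if line.endswith("- No File"):
        return "registered component with no backing file"
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group(1)
    if cmd.startswith('"'):
        inner = cmd[1:].split('"', 1)[0]
        # A quoted command should begin with a drive letter or a UNC prefix.
        if not re.match(r"^(?:[A-Za-z]:\\|\\\\)", inner):
            return "autorun command with malformed quoting"
        return classify_path(inner)
    exe = EXE_RE.match(cmd)
    return classify_path(exe.group(1) if exe else cmd)

def triage(text):
    """Return (section, line, reason) for every entry worth a second look."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Running Processes", []):
        reason = classify_path(line)
        if reason:
            findings.append(("Running Processes", line, reason))
    for line in sections.get("Pseudo HJT Report", []):
        reason = check_hjt_line(line)
        if reason:
            findings.append(("Pseudo HJT Report", line, reason))
    return findings
```

A flag is only a prompt to look, as the thread's own log shows: dds.scr launched from a share is the scan tool itself, not the infection.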




#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 09 June 2011 - 05:36 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 09 June 2011 - 09:11 PM

Hi m0le,

Thanks for your answer.
I'm happy to listen to your instructions.
I have a new router that should give me better logs, I'm currently configuring it and will install when possible.

Cheers

nicoco

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 10 June 2011 - 01:51 PM

Let's take a look for the rootkit which Torpig employs.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


And then

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#5 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 12 June 2011 - 11:12 PM

Hi m0le,

Thanks for the instructions.
I ran the tools on all the computers on the network.

Almost all the computers came clean (including the ones I suspected the most).

However, 2 computers (called POS1 and BILLPAY) came up with infections in TDSSKiller (which have been repaired after reboot), and 1 of those (BILLPAY) also came up with an infection in aswMBR.exe (which I suppose needs fixing).

I'm attaching the logs for those 2, I assume you don't need the others?

Thanks

nicoco

Attached Files



#6 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 13 June 2011 - 05:22 PM

The TDSSKiller report for BILLPAY shows a successful rootkit clean. The other TDSSKiller report shows a false positive which is related to emulation software.

Both aswMBR logs are clean too.

We can now concentrate on BILLPAY. Please now run Combofix on the system

Please download ComboFix from one of these locations:
IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 13 June 2011 - 08:50 PM

Thanks m0le,

I will run combofix on Billpay asap.

Just to confirm... you say that the logs for aswMBR are clean... I found this line in the one for Billpay:
11:10:55.640 Disk 0 malicious Win32:MBRoot code @ sector 156280323 !
Is this normal?

I'll let you know as soon as I'm done with combofix

Thanks again

nicoco

#8 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 13 June 2011 - 09:30 PM

Hi,

I ran comfix.exe on Billpay.
I had to uninstall AVG Pro before launching it, then re-installed it afterwards...

Anyway, here's the log

Cheers

nicoco

Attached Files



#9 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 14 June 2011 - 02:53 PM

I think I got confused with the chronology of the tools and PCs...

Can you run TDSSKiller on BILLPAY? The log you posted was back on 7th June, so I need to see if it's seeing the infection that is showing on aswMBR. We will come back to Combofix later.

#10 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 14 June 2011 - 10:02 PM

Hi,

Sorry, I probably made it confusing... the first logs I posted in my first message (DDS and HJT) were from a computer I suspected more than the others; however, this one came out clean with both TDSSKiller and aswMBR.

Later, I ran TDSSKiller and aswMBR on ALL computers, and the ones that came up with infections were POS1 and BILLPAY, so I sent logs for those on the 13th...

Anyway, I've run TDSSKiller again today on Billpay, and it came clean again.
I've also run aswMBR again, and it came up with the same warning as last time (so ComboFix didn't get rid of it).

I'm attaching the new logs. Are you happy with logs being attached or would you rather have them pasted in the message?

Thanks again for your time

Nic

Attached Files



#11 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 15 June 2011 - 05:14 PM

I think with only one suspect PC we should be okay from now on. Attaching is fine providing you don't run out of your allocated memory.

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.


#12 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 15 June 2011 - 11:06 PM

Hi,

I have run aswMBR and selected the Fix option; it apparently went well.
After that I've run an HJT scan (with AVG disabled) and saved the report.

The files are attached to my post.

Thanks again

Attached Files



#13 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 16 June 2011 - 05:16 PM

Thanks for the log but HJT won't detect rootkits. Please run aswMBR again and let's see if it did fix it

#14 nicoco

  • Topic Starter
  • Members
  • 11 posts

Posted 16 June 2011 - 09:00 PM

Hi m0le, it looks like it's been cleaned out

Attached Files



#15 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 17 June 2011 - 04:17 PM

Yes, that's gone, and I've returned to the Combofix log: that's cleaned out a possible BITS infection and removed the .dat files, which means that won't be returning. The log is effectively clean.

How are things running now?



