Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Boaxxe & Suspicious.Pythia infections


  • This topic is locked This topic is locked
21 replies to this topic

#1 bur75

bur75

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 17 June 2011 - 02:38 PM

I have an HP desktop running XP Pro SP3. Computer is symptom free, but Symantec Endpoint started picking up Suspicious.Pythia infections a couple weeks ago. 18 infections on 6/6, 21 infections on 6/10 & 22 on 6/13. Each scan shows the risk as being cleaned successfully, but it keeps coming back. Running Malwarebytes produced 24 Trojan.Boaxxe infections. The file names and locations are the same for both Symantec and MBAM, sot hey are finding the same risk, just identifying it differently. I am concerned that the infection keeps returning, so I need to explore more robust cleaning methods. DDS log below and attach log attached.
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 12:31:27 on 2011-06-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1454 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239756022328
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paychex.webex.com/client/T27L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110614.001\NAVENG.SYS [2011-6-14 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110614.001\NAVEX15.SYS [2011-6-14 1542392]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-3-24 39984]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:32:06.29 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:09 PM

Posted 26 June 2011 - 09:10 AM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.



Posted Image

#3 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 29 June 2011 - 05:04 PM

Computer status has not changed since original post, it has been shelved until it can be thoroughly cleaned. Fresh DDS, attach and GMER logs below and attached:

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:01:07 on 2011-06-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1440 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239756022328
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paychex.webex.com/client/T27L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110620.004\NAVENG.SYS [2011-6-20 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110620.004\NAVEX15.SYS [2011-6-20 1542392]
.
=============== Created Last 30 ================
.
2011-06-20 17:58:08 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 13:01:47.12 ===============


GMER:
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:01:07 on 2011-06-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.1440 [GMT -7:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239756022328
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://paychex.webex.com/client/T27L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2006\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-2-1 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-4-4 2234296]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110620.004\NAVENG.SYS [2011-6-20 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110620.004\NAVEX15.SYS [2011-6-20 1542392]
.
=============== Created Last 30 ================
.
2011-06-20 17:58:08 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ------w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 13:01:47.12 ===============

Attached Files



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 04 July 2011 - 03:57 AM

Hi,

Seems that you accidentally posted dds.txt contents as gmer log. Please post correct one + MBAM log of your earlier run.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 05 July 2011 - 04:51 PM

Sorry about that. Below is the GMER log as well as the MBAM log that shows the infection:

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-29 14:41:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250823AS rev.3.03
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 89CA1AE0 ZwAlertResumeThread
SSDT 89D36240 ZwAlertThread
SSDT 89B0B230 ZwAllocateVirtualMemory
SSDT 89B5F0B0 ZwConnectPort
SSDT 89AF02B8 ZwCreateMutant
SSDT 89AABE80 ZwCreateThread
SSDT 89B07DB8 ZwFreeVirtualMemory
SSDT 89CA7998 ZwImpersonateAnonymousToken
SSDT 89D53B28 ZwImpersonateThread
SSDT 89C93450 ZwMapViewOfSection
SSDT 89C9E5A0 ZwOpenEvent
SSDT 89C9CE20 ZwOpenProcessToken
SSDT 89AF2170 ZwOpenThreadToken
SSDT 89D30270 ZwResumeThread
SSDT 89D3EFD0 ZwSetContextThread
SSDT 89D20B80 ZwSetInformationProcess
SSDT 89BC4118 ZwSetInformationThread
SSDT 89B23DC0 ZwSuspendProcess
SSDT 89D37E40 ZwSuspendThread
SSDT 89D30B60 ZwTerminateProcess
SSDT 89D35620 ZwTerminateThread
SSDT 89C9DFD0 ZwUnmapViewOfSection
SSDT 89C8C2D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2011 5:33:54 PM
mbam-log-2011-06-14 (17-33-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 245859
Time elapsed: 44 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd1c811.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd29f81.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd3f0d6.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd54255.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd693ca.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd7e564.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dd936ce.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4ddb2a1f.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4ddc7b46.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dddccc0.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4ddf1e46.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4de5b5d1.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4de7075a.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4de858dc.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4de998cf.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4deae9e9.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4dec3b63.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4ded8ce3.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4deede79.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4df02fe9.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4df1816b.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4df63c5c.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer\4df78e06.tmp (Trojan.Boaxxe) -> Quarantined and deleted successfully.
c:\system volume information\_restore{5933c8e4-d00f-4b2a-bd5b-a831012f60a7}\RP3\A0001478.scr (PUP.FunWebProducts) -> Not selected for removal.

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 06 July 2011 - 12:59 AM

Hi,

MBAM made its findings in Symantec folder - maybe items Symantec Endpoint had quarantined. Where does Symantec Endpoint Protection see infected items in?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 06 July 2011 - 12:04 PM

Symantec made its findings in the same folder, in addition to the system restore folder. My concern is that the infections kept returning and they might be some kind of backdoor trojan that require more thorough cleaning procedures than Symantec or MBAM can provide.

#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 06 July 2011 - 04:08 PM

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /A/S c:\documents and settings\all users\application data\Symantec >%USERPROFILE%\Desktop\Log.txt
DEL %0

Double-click on fixes.bat file to execute it. Log.txt file should appear on your desktop. Zip it up, if big, and attach to your post.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#9 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 06 July 2011 - 04:56 PM

fixes.bat was ran, however, no log file appeared on the desktop. I tried running it 3 times just to be sure, but no log file appeared.

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 07 July 2011 - 04:42 AM

Please navigate to c:\documents and settings\all users\application data folder and see if there is any Symantec named there.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 07 July 2011 - 08:20 PM

There is a Symantec folder in the directory you referenced. It contains 7 folders, Cashed Installs, LiveUpdate, SPBBC, Symantec Antivirus Coporate Edition, Common Client, SavSubEng, and SRTSP. The folder where all previous infections were found can be found in here (c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition\7.5\xfer) and in this folder was another tmp file that was identified by MBAM as Trojan.Boaxxe and cleaned successfully. However, this has happened many times, and the trojan keeps returning.

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 08 July 2011 - 12:07 PM

Hi,

I find it odd that detected items are in Symantec's subfolder. Would it be too much trouble to uninstall Symantec Endpoint Protection, delete c:\documents and settings\all users\application data\Symantec\symantec antivirus corporate edition folder if it still exists and after that reinstall the protection?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#13 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 08 July 2011 - 03:25 PM

Done. Usually it takes a few days for the trojan to reappear. I will repost on Monday and give you an updated status.

#14 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:07:09 PM

Posted 08 July 2011 - 04:30 PM

:thumbup2:

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#15 bur75

bur75
  • Topic Starter

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Local time:08:09 AM

Posted 11 July 2011 - 08:25 PM

After reinstalling Symantec, it did not replicate those same folders, as it was a newer version. Instead of the Symantec Antivirus Corporate Edition folder, there is now one for Symantec Endpoint Protection. It does contain the same "xfer" folder, however no suspicious files have turned up in it yet. However, this computer has been disconnected from the web and not in use due to the issue. Should I start using it again and see if the trojan reappears?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users