Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Personal Security + Unknown


  • This topic is locked This topic is locked
4 replies to this topic

#1 SommerNyte

SommerNyte

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 09 August 2011 - 06:17 PM

Windows XP Pro SP3 on a small office network. Started as Personal Security infection. Killed all processes and started Malwarebytes. Had 10+ infections found when I had to leave the office. When I returned, it was back to the network login screen and said:

The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.


Logged back in and tried to run Malwarebytes. It will run 3 seconds then get shut down. Then the .exe file is unusable (says "not found") and not removable ("access denied" upon trying to delete). Renaming does not help.

Checked AVG and it reports that "there are no active components".

GMER will do the initial scan but then shuts itself down when I try to run the full scan.

HijackThis also crashes when trying to run.

I followed the preparation guide and as such, here is DDS.txt, with attatch.txt attached. I will also attach all I could get from GMER:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by sommerc at 15:56:14 on 2011-08-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2266 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\3953351133:581327892.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\CRDTCH25652487470269\AgentMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k termfsc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://companyweb
uDefault_Page_URL = hxxp://companyweb
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: OpenLastClosedTab.LastClosedTab: {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: PicLens plug-in for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\PicLens.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AdobeBridge]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Ufiwatebiwelohaw] rundll32.exe "c:\windows\sprapi.dll",Startup
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Wjiwotizic] rundll32.exe "c:\windows\odoxafujahozazoh.dll",Startup
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [772278201] c:\documents and settings\networkservice\local settings\application data\enr.exe
StartupFolder: c:\docume~1\sommerc\startm~1\programs\startup\ccc.lnk - c:\program files\ati technologies\ati.ace\core-static\CCC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\PicLens.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - {e05e75e9-a653-42a3-8d05-f2f7e309bdca} - mscoree.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: temsvw32 - temsvw32.dll
Notify: termfsvses - temsvw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sommerc\application data\mozilla\firefox\profiles\crkdgqfo.default\
FF - prefs.js: browser.startup.homepage - hxxp://player.radio.com/player/RadioPlayer.php|http://www.bellingham.org|http://search.swagbucks.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\adobe\acrobat 9.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-8-12 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-12 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-12 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-12 243152]
R2 KACRDTCH25652487470269;Kaseya Agent #2;c:\program files\kaseya\crdtch25652487470269\AgentMon.exe [2010-6-4 839680]
R2 TermServices;Remote Desktop Services;c:\windows\system32\svchost.exe -k termfsc [2006-4-29 14336]
R3 e1qexpress;Intel® PCI Express Network Connection Driver Q;c:\windows\system32\drivers\e1q5132.sys [2010-7-8 170152]
R3 KAPFA;KAPFA;c:\windows\system32\drivers\KaPFA.sys [2008-7-1 17920]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2007-5-22 30336]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-27 41272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 136176]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-3 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-4-29 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-09 22:14:25 -------- d-s---w- C:\ComboFix
2011-08-09 21:50:50 98816 ----a-w- c:\windows\sed.exe
2011-08-09 21:50:50 518144 ----a-w- c:\windows\SWREG.exe
2011-08-09 21:50:50 256000 ----a-w- c:\windows\PEV.exe
2011-08-09 21:50:50 208896 ----a-w- c:\windows\MBR.exe
2011-08-09 19:58:17 -------- d--h--w- c:\windows\PIF
2011-08-09 16:06:55 169848 ----a-w- c:\windows\system32\PsService.exe
2011-08-09 15:53:53 621944 ----a-w- c:\windows\system32\pskill.exe
2011-08-09 11:12:44 35840 ----a-w- c:\windows\system32\temsvw32.dll
2011-08-09 11:12:44 218624 ----a-w- c:\windows\system32\terdsw32.dll
2011-08-08 22:15:07 -------- d-----w- c:\documents and settings\sommerc\application data\Malwarebytes
2011-08-08 21:23:50 0 ----a-w- c:\windows\Qrorep.bin
2011-08-08 21:23:48 -------- d-----w- c:\documents and settings\sommerc\local settings\application data\{713622DA-F8E9-4D31-8FAB-154414AF0612}
2011-08-08 21:22:00 57856 ---ha-w- c:\windows\system32\dllhetup.dll
2011-08-08 21:21:34 -------- d-----w- c:\documents and settings\all users\application data\lA01603HhDhO01603
2011-08-08 18:31:23 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-08-01 18:10:57 270536 ----a-w- c:\windows\system32\PROUnstl.exe
2011-07-20 17:54:11 -------- d-----w- C:\OutputFolder
.
==================== Find3M ====================
.
2011-08-09 19:31:52 241664 ----a-w- c:\windows\odoxafujahozazoh.dll.DEL
2011-07-07 02:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 02:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-17 21:13:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-08 16:46:57 49319 ----a-w- C:\crlog_.tot.tmp
2008-06-06 23:04:45 774144 ------w- c:\program files\RngInterstitial.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250820AS rev.3.CQD -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AEFFAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ACFDF08]
\Driver\00000975[0x8AAC4F38] -> IRP_MJ_CREATE -> 0xB1FEF660
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { JMP 0x10; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AED231B
user & kernel MBR OK
.
============= FINISH: 15:56:36.78 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:34 PM

Posted 10 August 2011 - 03:26 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button and a new window will open - you may need to maximise it.
  • Click the Run ESET Online Scanner button in the new window.
  • If you are using any other browser than IE, you will be prompted to download and run esetsmartinstaller_enu.exe and the scan will run from within the window that the executable opens.
  • Regardless of which browser you are using, you will be shown some terms and conditions and you will need to accept these to continue.
  • If you are running IE for this scan you will then be prompted to allow an ActiveX component to be downloaded, unless you already have it installed, and the scan will run inside IE.
  • When you see the Computer Scan Settings window, you will need to make the following changes:

    • UNCHECK Remove found threats - this is important.
    • Check Scan archives
    • Click on Advanced settings
    • Check Scan for potentially unsafe applications
  • Once ready, click Start to begin - not a surprise really!
  • The anti-virus definitions will now be downloaded, so don't forget to allow them through your firewall if prompted.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

Also, do you have a flashdrive of at least 128 Mb that you can wipe clean for a little tool to play with?

So long, and thanks for all the fish.

 

 


#3 SommerNyte

SommerNyte
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:34 AM

Posted 10 August 2011 - 04:28 PM

I can't access the Internet on the infected machine.

#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:34 PM

Posted 10 August 2011 - 05:02 PM

Download CKScanner by askey127 from here and save it to your Desktop.

  • Double click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • Please copy and paste the contents of CKFiles.txt into your next reply.

So long, and thanks for all the fish.

 

 


#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Numpty HQ
  • Local time:06:34 PM

Posted 15 August 2011 - 03:03 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.

 

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users