24x7 Help/PC Fix Speed 1.2.0.24 Virus on Networked PC


  • This topic is locked
2 replies to this topic

#1 tempjobacount

  • Members
  • 2 posts

Posted 30 January 2013 - 12:38 PM

I work at a medium-sized business, and this HP Compaq Windows 7 SP1 32-bit machine is, as far as I know, the only office machine infected with this. I have taken it off the network for the time being, but should I be concerned about this spreading to other machines or share drives on the network? The user failed to tell me about the infection for WEEKS, so I will be having a "conversation" with him about this shortly. I don't really know what type of damage was done, and the only thing he told me was that he's getting pop-ups saying he has "800+ infections, click here to remove them" etc. I have witnessed the pop-ups now first hand after taking a quick look at his PC; he also has a small icon of a woman with a headset on all windows to the left of the minimize button, thanks to the 24x7 program that PC Fix Speed must have installed.

We use Symantec Endpoint Protection 12.1 (latest revision and nightly updates) here at the office, and I noticed that his PC is showing fine in the console; however, when looking at the license information on his client it says that his license has expired, and so updates from LiveUpdate have been blocked. I attempted to re-import the SEP server's SyLink file to see if that fixed it, but no luck. I then sent an "update and full scan" command from the management console, and SEP now shows all green, the main screen now says "your computer is protected", and the LiveUpdate button is now selectable and appears to properly download and update definitions. BUT under the client management it still says "content updates: Blocked [Expired License]". So I don't know if this is the infection's doing or if this is a problem on our end that is unrelated to the infection's actions.

Below is the DDS report and attached is the attach.txt.


Thanks for all your help,

Josh



DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457
Run by laptop at 12:13:56 on 2013-01-30
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3242.1852 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
C:\Program Files\24x7Help\App24x7Svc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\Intel\Services\IPT\jhi_service.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Program Files\Sendori\sndappv2.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sendori\SendoriSvc.exe
C:\Program Files\Sendori\Sendori.Service.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\Smc.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Drive Encryption\EpePcMonitor.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sendori\SendoriTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\SymCorpUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.1101.401.105\Bin\SmcGui.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\symantec\symantec endpoint protection\12.1.1101.401.105\bin\ips\IPSBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Wajam: {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - c:\program files\wajam\ie\priam_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [MfeEpePcMonitor] "c:\program files\hewlett-packard\drive encryption\EpePcMonitor.exe"
mRun: [File Sanitizer] c:\program files\hewlett-packard\file sanitizer\CoreShredder.exe
mRun: [Symantec Backup Exec System Recovery 2010] "c:\program files\symantec\backup exec system recovery\agent\VProTray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Sendori Tray] "c:\program files\sendori\SendoriTray.exe"
mRun: [PCFixSpeed] "c:\program files\pcfixspeed\PCFixTray.exe" /startup
mRun: [24x7HELP] "c:\program files\24x7help\App24x7Help.exe" /STARTUP
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mPolicies-Explorer: NoWelcomeScreen = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\Sendori.dll
TCP: NameServer = 192.168.0.2 192.168.0.8
TCP: Interfaces\{C9D8E2F1-A5C5-4CD3-BD3D-456A481BB1E7} : NameServer = 216.146.35.240,216.146.36.240,192.168.0.2,192.168.0.8
TCP: Interfaces\{C9D8E2F1-A5C5-4CD3-BD3D-456A481BB1E7} : DHCPNameServer = 192.168.0.2 192.168.0.8
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: DeviceNP - DeviceNP.dll
Notify: igfxcui - igfxdev.dll
Notify: SEP - c:\program files\symantec\symantec endpoint protection\12.1.1101.401.105\bin\WinLogoutNotifier.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages = EpePcNp32 DPPassFilter scecli
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 MfeEpePc;MfeEpePc;c:\windows\system32\drivers\MfeEpePc.sys [2011-2-9 118472]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\sep\0c01044d\0191.105\x86\SymDS.sys [2012-4-19 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\sep\0c01044d\0191.105\x86\SymEFA.sys [2012-4-19 759416]
R1 BHDrvx86;BHDrvx86;c:\programdata\symantec\symantec endpoint protection\12.1.1101.401.105\data\definitions\bashdefs\20130116.011\BHDrvx86.sys [2013-1-30 997464]
R1 IDSVix86;IDSVix86;c:\programdata\symantec\symantec endpoint protection\12.1.1101.401.105\data\definitions\ipsdefs\20130129.001\IDSvix86.sys [2013-1-30 386720]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\sep\0c01044d\0191.105\x86\Ironx86.sys [2012-4-19 137336]
R1 SYMNETS;Symantec Network Security WFP Driver;c:\windows\system32\drivers\sep\0c01044d\0191.105\x86\symnets.sys [2012-4-19 299640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-10-1 106656]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2011-1-14 57840]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-5-5 269824]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-21 20464]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-5-5 41088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2011-2-7 51048]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
S3 IFCoEMP;IFCoEMP;c:\windows\system32\drivers\ifM52x32.sys [2011-5-5 264464]
S3 IFCoEVB;IFCoEVB;c:\windows\system32\drivers\ifP52x32.sys [2011-5-5 57616]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2011-5-5 132480]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
.
=============== Created Last 30 ================
.
2013-01-30 16:43:00 -------- d-----w- c:\users\laptop\appdata\local\Apple
2013-01-30 16:37:29 -------- d-----w- c:\users\laptop\appdata\roaming\24x7 Help
2013-01-16 15:06:37 -------- d-----w- C:\Xobni
2013-01-14 20:09:02 -------- d-----w- c:\program files\iPod
2013-01-14 20:09:01 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-01-14 20:09:01 -------- d-----w- c:\program files\iTunes
2013-01-14 20:08:18 -------- d-----w- c:\users\laptop\appdata\local\Apple Computer
2013-01-09 13:38:39 46592 ----a-w- c:\windows\system32\fpb.rs
.
==================== Find3M ====================
.
2012-12-16 14:13:28 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:13:20 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-10 23:01:54 321384 ----a-w- c:\windows\system32\Sendori.dll
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 04:53:34 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:56:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-23 02:48:41 49152 ----a-w- c:\windows\system32\taskhost.exe
2012-11-22 04:45:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-20 04:51:09 220160 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-09 04:43:04 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-11-09 04:42:49 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 05:11:31 376832 ----a-w- c:\windows\system32\dpnet.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Rapid Storage Technology driver
1 ntkrnlpa!IofCallDriver[0x82C70BC5] -> \Device\Harddisk0\DR0[0x87F72550]
3 CLASSPNP[0x833D059E] -> ntkrnlpa!IofCallDriver[0x82C70BC5] -> [0x864832F8]
5 ACPI[0x83CB33D4] -> ntkrnlpa!IofCallDriver[0x82C70BC5] -> \Device\Ide\IAAStorageDevice-1[0x86426028]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!
copy of MBR has been found in sector 2 !
.
============= FINISH: 12:14:56.43 ===============

Edited by tempjobacount, 30 January 2013 - 12:39 PM.
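As an added triage example (not part of the original thread and not code from the DDS tool), the following Python script parses a handful of the "Pseudo HJT Report" and rootkit lines copied from the log above and flags the entries a responder would verify first: the Winsock LSP DLL, interface-level DNS servers that DHCP did not hand out, autorun and BHO entries whose names match a watch list, and the user/kernel MBR mismatch. The watch list is an assumption built from the product names the poster mentioned; the script reads only the embedded sample and touches no live system.

```python
"""Triage of a DDS 'Pseudo HJT Report' / rootkit section (added example).

Not part of the original thread or of the DDS tool. Flags the entries a
responder would verify first. WATCH_LIST is an assumption built from the
product names the poster mentioned; the sample lines are copied from the
log in the post and nothing here touches a live system.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the report lines shown in the post above.
SAMPLE_REPORT = r"""
mRun: [PCFixSpeed] "c:\program files\pcfixspeed\PCFixTray.exe" /startup
mRun: [24x7HELP] "c:\program files\24x7help\App24x7Help.exe" /STARTUP
mRun: [Sendori Tray] "c:\program files\sendori\SendoriTray.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
BHO: Wajam: {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - c:\program files\wajam\ie\priam_bho.dll
LSP: c:\windows\system32\Sendori.dll
TCP: NameServer = 192.168.0.2 192.168.0.8
TCP: Interfaces\{C9D8E2F1-A5C5-4CD3-BD3D-456A481BB1E7} : NameServer = 216.146.35.240,216.146.36.240,192.168.0.2,192.168.0.8
TCP: Interfaces\{C9D8E2F1-A5C5-4CD3-BD3D-456A481BB1E7} : DHCPNameServer = 192.168.0.2 192.168.0.8
user != kernel MBR !!!
"""

# Assumption: names of the unwanted programs the poster described.
WATCH_LIST = ("pcfixspeed", "24x7help", "sendori", "wajam")

AUTORUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>[^:]+): \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
LSP_RE = re.compile(r"^LSP: (?P<path>.*)$")
NS_RE = re.compile(
    r"^TCP: Interfaces\\\{(?P<iface>[^}]+)\} : "
    r"(?P<kind>DHCPNameServer|NameServer) = (?P<servers>.*)$"
)


@dataclass
class Findings:
    autoruns: list = field(default_factory=list)   # autorun names on the watch list
    bhos: list = field(default_factory=list)       # browser helper objects on the watch list
    lsp: list = field(default_factory=list)        # every Winsock LSP DLL (always review)
    dns_overrides: dict = field(default_factory=dict)  # iface -> servers not from DHCP
    mbr_mismatch: bool = False                     # DDS reported user != kernel MBR


def split_servers(text: str) -> list:
    """DDS separates servers by spaces or commas depending on the key."""
    return [s for s in re.split(r"[,\s]+", text.strip()) if s]


def triage(report: str) -> Findings:
    f = Findings()
    static, dhcp = {}, {}
    for raw in report.splitlines():
        line = raw.strip()
        if m := AUTORUN_RE.match(line):
            if any(w in (m["name"] + " " + m["cmd"]).lower() for w in WATCH_LIST):
                f.autoruns.append(m["name"])
        elif m := BHO_RE.match(line):
            if any(w in m["path"].lower() for w in WATCH_LIST):
                f.bhos.append(m["name"])
        elif m := LSP_RE.match(line):
            f.lsp.append(m["path"])
        elif m := NS_RE.match(line):
            bucket = dhcp if m["kind"] == "DHCPNameServer" else static
            bucket[m["iface"]] = split_servers(m["servers"])
        elif line.startswith("user != kernel MBR"):
            f.mbr_mismatch = True
    # Static resolver entries that DHCP did not hand out deserve a closer look.
    for iface, servers in static.items():
        extra = [s for s in servers if s not in dhcp.get(iface, [])]
        if extra:
            f.dns_overrides[iface] = extra
    return f


def summarize(f: Findings) -> list:
    """Human-readable lines, one per finding, for pasting into a ticket."""
    out = [f"autorun on watch list: {n}" for n in f.autoruns]
    out += [f"BHO on watch list: {n}" for n in f.bhos]
    out += [f"Winsock LSP DLL present: {p}" for p in f.lsp]
    out += [f"DNS servers not from DHCP on {i}: {', '.join(s)}"
            for i, s in f.dns_overrides.items()]
    if f.mbr_mismatch:
        out.append("user-mode and kernel-mode MBR differ: confirm against the "
                   "disk-encryption pre-boot loader before calling it a bootkit")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_REPORT)):
        print(line)
```

Two of the findings matter beyond this one machine: the LSP DLL sits in the Winsock stack of every network connection, and the two interface-level DNS servers that are absent from the DHCP-assigned list mean name resolution on this host was not under the office's control. Both are worth checking on any other machine that ran the same software, and, since the poster reformatted, worth confirming on the rebuilt system's network configuration. The MBR mismatch line is flagged but not treated as conclusive: the process list shows HP Drive Encryption (the MfeEpePc driver), and full-disk-encryption products install their own pre-boot loader in the MBR, so that line needs a comparison against a known-good encrypted-disk image before it is read as a bootkit.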

#2 tempjobacount

  • Topic Starter
  • Members
  • 2 posts

Posted 30 January 2013 - 03:36 PM

Please close this thread. We have opted to reformat the PC due to time constraints. I apologize for the confusion.

#3 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 31 January 2013 - 12:05 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-
