
Unknown Infection - Malicious outgoing IP requests,pop-ups,search redirects


This topic is locked
4 replies to this topic

#1 Troutinthemilk

Troutinthemilk

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 09 July 2013 - 12:20 PM

Our office has an ASUS netbook that gets passed around to whoever needs it (read as "no accountability!").

Sort of the red-headed stepchild.

 

This morning, it landed on my desk with the suggestion that something might be not-ok with it....

Seems our little orphan has managed to contract the equivalent of an IT STD, with many partners, and no one 'fessing up to being the one responsible.

 

Regardless of who caused the problem, at this point, I'd have to very much agree we have one.

The netbook boots and runs slowly (even for its usual low speeds).
Searches in Internet Explorer and Chrome on google and bing are redirected to unrelated sites.

The SEARCH RESULTS themselves show up on the search engine page - it's what comes up when you click through that's the problem.

 

In the course of locking things down and trying to figure out what's going on, I installed malwarebytes and Avast. Neither detected any malware or problem in complete scans. However, both are picking up repeated malicious outgoing website connection requests.

MWB gives a pop-up with the IP address (which has included 68.57.188.235, 195.3.145.57 and 89.28.7.139, if they mean anything to anyone).

 

Avast flags the connection via its network shield notification, with a very long url, and ID'ing the process as C/Windows/system32/svchost.exe

 

The netbook is running Windows XP sp3, and in checking the Security Center, the firewall and auto updating have been turned off. When I try to click on the Windows Firewall in the Control Panel, I get a message that the service is not available. No luck restarting from Services.

 

I started simple, and ran the basic scans and then some - with no results, detections or remedies.

These have included 

Microsoft Security Essentials, SuperAntiSpyware, CCleaner, Avast, Malwarebytes, and Spybot S&D.

All have come back as clean scans. :o(

So at this point, it's clear there's a problem, but I'm not at all sure how to fix it.

Figured it was time to check with the experts.

Also - if this is relevant to resolution - due to the limited memory of the netbook, we have an SD card with several of the applications I mentioned running from there as "portable apps" which is why they do not appear on the log below.
None are system apps, and the netbook can run without that card.

 

Here is the DDS File:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by XXX LAW at 12:44:10 on 2013-07-09
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1015.666 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Elantech\ETDDect.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kerkia\Minimem\minimem.exe
C:\Program Files\ASUS\EeePC\Asus Power Management Utility\Asus Power Management Utility.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://eeepc.asus.com/global
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Minimem] c:\program files\kerkia\minimem\minimem.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuspo~1.lnk - c:\program files\asus\eeepc\asus power management utility\Asus Power Management Utility.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1.lnk - c:\program files\asus\asus os cleaner\AsOSCleaner.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1373382128046
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352948346000
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1F06B4A8-BAD8-425B-A00C-5C9802CD4EA6} : DHCPNameServer = 8.8.4.4 8.8.8.8 4.2.2.2 4.2.2.1
TCP: Interfaces\{CB92CC4B-E238-4740-9151-E5DD3E501680} : DHCPNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-7-9 175176]
R0 DummyDisk;DummyDisk;c:\windows\system32\drivers\dummydsk.sys [2012-11-15 3073]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-7-9 369584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-7-9 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-7-9 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-7-9 46808]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-7-9 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-7-9 701512]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-7-9 22856]
S0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-7-9 49376]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-7-9 770344]
S3 NAVENG;NAVENG;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\naveng.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\navex15.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20080829.024\NAVEX15.SYS [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
.
=============== Created Last 30 ================
.
2013-07-09 14:55:59 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-07-09 14:55:59 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-07-09 14:55:59 175176 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-07-09 14:55:57 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-07-09 14:52:39 41664 ----a-w- c:\windows\avastSS.scr
2013-07-09 14:50:34 -------- d-----w- c:\program files\AVAST Software
2013-07-09 14:49:37 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2013-07-09 13:25:08 -------- d-----w- c:\documents and settings\XXXlaw\local settings\application data\VS Revo Group
2013-07-09 13:24:54 -------- d-----w- c:\documents and settings\all users\application data\VS Revo Group
2013-07-09 12:11:23 -------- d-----w- c:\documents and settings\XXXlaw\application data\Malwarebytes
2013-07-09 12:09:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-07-09 12:09:39 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-07-09 12:09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-07-09 11:00:41 -------- d-----w- c:\documents and settings\XXXlaw\local settings\application data\Google
2013-07-09 02:36:42 60872 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8e2375f1-7492-4e4a-abc3-4234753a7679}\offreg.dll
2013-07-09 02:29:59 7068072 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8e2375f1-7492-4e4a-abc3-4234753a7679}\mpengine.dll
2013-07-08 22:40:44 7068072 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M  ====================
.
2013-05-02 06:06:08 238872 ------w- c:\windows\system32\MpSigStub.exe
2008-05-07 14:34:00 15523560 -c--a-w- c:\program files\U1 Setup.exe
.
============= FINISH: 12:44:59.70 ===============

Edited by Troutinthemilk, 09 July 2013 - 04:15 PM.
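The DDS report and the alert pop-ups in the post above lend themselves to a quick scripted triage before anyone decides between cleaning and rebuilding. The script below is an added example, not code from this thread or from DDS, Malwarebytes or Avast. It parses the DDS sections the poster included (an excerpt, with one constructed `Temp\svchost.exe` line added so the check has something to flag; that line is not in the poster's log) together with constructed alert lines written in the style of the Malwarebytes pop-ups described above (the three public IPs are the ones quoted in the post, the private one is made up). It flags svchost.exe instances that are not launched from System32 with a `-k <group>` argument, configured DNS servers that are not on an assumed office allow-list, and blocked outbound destinations that are public addresses. The allow-list and the alert line format are assumptions.

```python
"""Triage helper for a DDS report plus AV outbound-connection alerts.

Added example, not part of the thread. Flags three things a responder
checks first on a box like this:
  * svchost.exe started outside %SystemRoot%\\System32 or without "-k <group>"
    (a common way malware hides behind a trusted process name),
  * configured DNS servers that are not on the office allow-list,
  * blocked outbound destinations that are public (non-RFC1918) addresses.
"""
import ipaddress
import re

# Excerpt of the DDS log posted above. The Temp\svchost.exe line is
# CONSTRUCTED for the demo; it is not in the poster's log.
DDS_LOG = r"""
============== Running Processes ================
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Documents and Settings\XXXlaw\Local Settings\Temp\svchost.exe
============== Pseudo HJT Report ===============
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{1F06B4A8-BAD8-425B-A00C-5C9802CD4EA6} : DHCPNameServer = 8.8.4.4 8.8.8.8 4.2.2.2 4.2.2.1
TCP: Interfaces\{CB92CC4B-E238-4740-9151-E5DD3E501680} : DHCPNameServer = 192.168.1.1
============= FINISH: 12:44:59.70 ===============
"""

# CONSTRUCTED alert lines in the style of the Malwarebytes pop-ups the
# poster describes; the first three IPs are the ones quoted in the post.
MBAM_ALERTS = """\
Malicious Website Blocked  IP: 68.57.188.235  Port: 80   Process: svchost.exe
Malicious Website Blocked  IP: 195.3.145.57   Port: 80   Process: svchost.exe
Malicious Website Blocked  IP: 89.28.7.139    Port: 443  Process: svchost.exe
Malicious Website Blocked  IP: 192.168.1.50   Port: 445  Process: explorer.exe
"""

# ASSUMED office allow-list: the LAN router plus Google public DNS.
ALLOWED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SVCHOST_RE = re.compile(r"^(?P<path>.*?\\svchost\.exe)(?P<args>.*)$", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$")
ALERT_IP_RE = re.compile(r"\bIP:\s*(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sections(text):
    """Split a DDS report into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and line != ".":  # DDS uses "." as a spacer
            sections[current].append(line)
    return sections


def suspicious_svchost(process_lines):
    """Return svchost.exe entries not in System32 or lacking a -k group."""
    flagged = []
    for line in process_lines:
        m = SVCHOST_RE.match(line)
        if not m:
            continue
        path = m.group("path").lower()
        args = m.group("args").strip().lower()
        if not path.startswith("c:\\windows\\system32\\") or not args.startswith("-k "):
            flagged.append(line)
    return flagged


def unexpected_dns(hjt_lines, allowed):
    """Return configured name servers (in order, deduplicated) not in allowed."""
    found = []
    for line in hjt_lines:
        m = NAMESERVER_RE.search(line)
        if m:
            found.extend(m.group(1).split())
    return [ip for ip in dict.fromkeys(found) if ip not in allowed]


def public_alert_ips(alert_text):
    """Return the distinct public (non-private) destination IPs in alert lines."""
    ips = []
    for ip in ALERT_IP_RE.findall(alert_text):
        if not ipaddress.ip_address(ip).is_private and ip not in ips:
            ips.append(ip)
    return ips


def triage(dds_text, alert_text, allowed_dns=ALLOWED_DNS):
    """Run all three checks and return the findings keyed by check name."""
    sections = parse_sections(dds_text)
    return {
        "svchost": suspicious_svchost(sections.get("Running Processes", [])),
        "dns": unexpected_dns(sections.get("Pseudo HJT Report", []), allowed_dns),
        "alert_ips": public_alert_ips(alert_text),
    }


if __name__ == "__main__":
    for key, value in triage(DDS_LOG, MBAM_ALERTS).items():
        print(f"{key}: {value}")
```

On the real machine you would feed it the full DDS output and the Malwarebytes protection log rather than the inline samples. Note what the svchost check can and cannot tell you: a legitimately placed `System32\svchost.exe -k netsvcs`, which is what the poster's log shows, still passes even when a malicious DLL has been loaded into that service group, so a clean result here does not contradict the Avast alerts; it only rules out the cruder masquerade of a copy dropped elsewhere. The DNS check is policy, not detection: the 4.2.2.x resolvers it lists are simply not on the assumed allow-list and need to be confirmed against what the office router is expected to hand out.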




#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:30 PM

Posted 09 July 2013 - 03:40 PM

Good evening. :)

Given what you have posted my best advice to you is to reformat and reinstall Windows and then put in place some better PC security for the future - it's what I would do. There are various reasons for this:

 

Given the lack of ownership of the machine there is unlikely to have been any serious concern about security - not my machine, not my problem. I don't know what anti-virus program(s) have been on the machine in the past, but I'd be surprised if they were kept up to date and regular scans run.

Added to that is one of the browsers that is being used - IE8. It is a touch out of date by about two and a quarter years and is likely to have enough security holes that can be exploited to keep malware writers happy until Christmas next year, at least.

The ease with which malware can get onboard, both in terms of ways on and lack of effective blocking, makes diagnosis and resolution difficult and there are no guarantees that all will be well at the end of the process. A fresh start is quicker and more reliable.

 

Next, the "phone home" contacts that you have listed are a major concern. You can check the locations associated with the IP addresses here. For example, 195.3.145.57 resolves to Latvia, which isn't what you want to see, unless you have relatives there!

The worry here is that there is some sort of backdoor on your machine which could have allowed someone on the other end of that connection to download any files that they chose as effectively as if they had been sat in front of the system themselves. System files could have been patched or replaced and identifying and replacing them is not an easy thing to do, particularly if you need any real guarantee, which is the final reason for my "doom and gloom" advice...

 

 

Run by ****** at 12:44:10 on 2013-07-09

***** suggests that your office is a legal one and while I don't know exactly how this machine is used, any potential breach of confidentiality would be serious. It doesn't actually matter if I made one and one equal seventeen here, and your business isn't in the legal field, as any business should be concerned about data loss and your PC is trying to contact Latvia, which isn't what you want at all.

 

If you have any questions about the above, please ask and I will answer as best I can.


Edited by Noviciate, 09 July 2013 - 05:10 PM.

So long, and thanks for all the fish.

 

 


#3 Troutinthemilk

Troutinthemilk
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:07:30 PM

Posted 09 July 2013 - 05:02 PM

Not that its good news...

but after I posted earlier, I left the lil' netbook running ESET Scanner for giggles to see if it picked up anything.

It did.

Still waiting for it to finish, but it seems at least one of my problems is Win32\downloadadmin.e 

:deadhorse:

Any chance this is somehow an improvement?

 

Sent private message earlier.



#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:30 PM

Posted 09 July 2013 - 05:30 PM

Any chance this is somehow an improvement?

Yes, you now have an infection name to put to one malicious file on your system - it's a small victory but not sufficient to warrant any other advice.

 

Imagine that somebody broke a window and got into your house while you were out. Would you:

 

a) Get the window repaired and put it down to experience, or

b) Search the house from top to bottom to ensure that it was empty, then change all the locks in case they had copied your spare keys and finally check that there weren't any windows left ajar that could provide access should the miscreant return?

 

Your PC has been infected to an unknown extent and could either remain infected after trying to clean it or have access points created that would allow reinfection after cleaning. In cases such as this the potential risks, coupled with the time that cleaning takes, make a reformat and reinstall the quickest and safest method here.


So long, and thanks for all the fish.

 

 


#5 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • OFFLINE
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:30 PM

Posted 13 July 2013 - 03:54 PM

As this issue appears to have been resolved, this thread is now closed.
 


So long, and thanks for all the fish.

 

 




