
Infected With Spywarequake

This topic is locked
2 replies to this topic

#1 Robsta (Members, 6 posts)

Posted 26 April 2006 - 08:41 AM

I have followed many guides as to how to remove this little blighter and seem to have removed all the files listed. However, I still have the little icon (g/wheelchair, r/stop sign) in my task bar.

I have looked through the task manager to no avail as to how it still runs, and through msconfig with no luck. Have I missed something? I think I have checked that all process names correlate to something I know should be on the system (I think?).

I've tried using AVG (latest update), ewido (without update due to lack of Interweb connection), Cleanup, Xoftspy, eTrust (without update), Ad-Aware (updated), Spybot S&D (updated).

I remember before from being a coder that there are ways of hiding applications from the task manager. I also downloaded a couple of applications to try and find the b**tard.

My first tool was a Hwnd finder... It revealed the following responses:

Taskbar Icon
parent: 65632 [0x10060]
topparent: 262204 [0x4003c]
processid: 0x0000030x (explorer.exe again)
thread: 0x00000324

Popup window:
parent: 65680 [0x10090]
topparent: 65680 [0x10090]
process id: 0x0000030c (c:\windows\explorer.exe)
thread id: 0x000001b8

I then used a tool called SysTree++ to compare the process IDs to those of running processes, as the tool seems to show a much larger list. This was to no avail!
Through frustration I started closing running processes until one of the final 3 blue-screened me, as expected.

I have included the HIJACK-THIS log followed by the ROOTKIT-REVEAL log but can't figure out for the life of me how this little f**ker is still hiding.

Please let me know of my next plan of action, and also if anything else abnormal is running?

Thanx in advance,

Robsta


******PLEASE NOTE MSN MESSENGER DIRECTORY CHANGE******
I have manually moved MSN Messenger as we aren't supposed to have it on computers at work. It's now inside C:\WINDOWS\ime\chsime\msmger\ so this abnormality may be ignored!





O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpB4F6.tmp (file missing)
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\System32\TpScrLk.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://192.168.2.35/iNotes6.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141217865813
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141217858092
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://neocol.webex.com/client/v_mywebex-t...bex/ieatgpc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\WINDOWS\ime\chsime\msmger\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll
O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\System32\LMabcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe




******ROOTKIT REVEAL LOG******



HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 26/04/2006 10:00 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 25/04/2006 22:16 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 20/03/2006 17:14 0 bytes Access is denied.
C:\System Volume Information\catalog.wci\00010002.ci 26/04/2006 10:11 108.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010002.dir 26/04/2006 10:11 898 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010003.ci 26/04/2006 10:11 96.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010003.dir 26/04/2006 10:11 829 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.ci 26/04/2006 10:12 92.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010004.dir 26/04/2006 10:12 810 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.ci 26/04/2006 10:12 96.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010005.dir 26/04/2006 10:12 819 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.ci 26/04/2006 10:13 96.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010006.dir 26/04/2006 10:13 857 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.ci 26/04/2006 10:13 92.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010007.dir 26/04/2006 10:13 844 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.ci 26/04/2006 10:14 92.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010008.dir 26/04/2006 10:14 818 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.ci 26/04/2006 10:15 80.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010009.dir 26/04/2006 10:15 767 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001000A.ci 25/04/2006 20:01 80.00 KB Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000A.dir 25/04/2006 20:01 773 bytes Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000B.ci 25/04/2006 20:01 4.00 KB Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000B.dir 25/04/2006 20:01 320 bytes Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000C.ci 25/04/2006 20:01 4.00 KB Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000C.dir 25/04/2006 20:01 324 bytes Visible in Windows API, directory index, but not in MFT.
C:\System Volume Information\catalog.wci\0001000D.ci 25/04/2006 20:01 76.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000D.dir 25/04/2006 20:01 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.ci 25/04/2006 20:02 76.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\0001000E.dir 25/04/2006 20:02 748 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.ci 25/04/2006 20:07 84.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010010.dir 25/04/2006 20:07 772 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\00010013.ci 26/04/2006 10:04 528.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010013.dir 26/04/2006 10:04 3.13 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010014.ci 26/04/2006 10:04 524.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010014.dir 26/04/2006 10:04 3.43 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001001B.ci 26/04/2006 10:07 368.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\0001001B.dir 26/04/2006 10:07 2.24 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 26/04/2006 10:07 240 bytes Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 26/04/2006 10:07 960.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 26/04/2006 10:07 960.00 KB Visible in Windows API, MFT, but not in directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 26/04/2006 10:16 240 bytes Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\CiFLfffd.001 26/04/2006 10:16 960.00 KB Visible in directory index, but not Windows API or MFT.
C:\System Volume Information\catalog.wci\CiFLfffd.002 26/04/2006 10:16 960.00 KB Visible in directory index, but not Windows API or MFT.
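The two logs above are long enough that a reader can miss the handful of entries that matter. The following triage helper is an added example written for this thread; it is not Robsta's tooling and not a BleepingComputer or Sysinternals utility. It assumes only the two line formats visible in the post: HijackThis entries of the form `Onn - ...` and RootkitRevealer entries of the form `path date size description`. The sample lines are constructed from the post (a few entries, not the full logs), and `PLACEHOLDER.sys` is an invented entry included only to show what a hidden executable would look like in the output. The list of noisy locations (Indexing Service catalog.wci files, registry values that Windows rewrites constantly) and the priority rules are my own triage assumptions, not verdicts about this machine.

```python
import re
from collections import Counter

# Constructed sample modelled on the HijackThis log above (a subset, not the full log).
HJT_SAMPLE = r"""
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hpB4F6.tmp (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\betsp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe -k runservice (file missing)
"""

# Constructed sample modelled on the RootkitRevealer log above.
# PLACEHOLDER.sys is an invented entry, not something from the post.
RKR_SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 26/04/2006 10:00 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 20/03/2006 17:14 0 bytes Access is denied.
C:\System Volume Information\catalog.wci\00010002.ci 26/04/2006 10:11 108.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.000 26/04/2006 10:16 240 bytes Visible in directory index, but not Windows API or MFT.
C:\WINDOWS\system32\drivers\PLACEHOLDER.sys 26/04/2006 10:20 12.00 KB Hidden from Windows API.
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RKR_LINE = re.compile(
    r"^(?P<path>.+?) (?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2}) "
    r"(?P<size>\S+ (?:bytes|KB|MB)) (?P<desc>.+)$"
)

# Assumption: these locations churn constantly and produce expected discrepancies.
NOISY_PREFIXES = (
    r"c:\system volume information\catalog.wci",           # Indexing Service catalog
    r"hklm\software\microsoft\cryptography\rng\seed",        # reseeded continuously
    r"hklm\software\microsoft\schedulingagent\lasttaskrun",  # rewritten by the scheduler
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys")


def triage_hijackthis(text):
    """Return one record per HijackThis entry that deserves a second look.

    Heuristics: target file missing, unnamed BHO, a .tmp file registered as a
    loadable module, and unknown Winsock LSP modules (reported once even when
    the log repeats the same module for each protocol entry).
    """
    findings = []
    lsp_seen = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("target file missing")
        if section == "O2" and body.startswith("BHO: Nothing"):
            reasons.append("BHO with no name")
        if re.search(r"\.tmp\b", body, re.IGNORECASE):
            reasons.append(".tmp file registered as a module")
        if section == "O10":
            module = body.split(":", 1)[-1].strip().lower()
            if module not in lsp_seen:
                lsp_seen.add(module)
                reasons.append("unknown Winsock LSP module")
        if reasons:
            findings.append({"section": section, "line": line.strip(), "reasons": reasons})
    return findings


def parse_rootkitrevealer(text):
    """Split each RootkitRevealer line into path / timestamp / size / discrepancy."""
    return [m.groupdict() for m in (RKR_LINE.match(l.strip()) for l in text.splitlines()) if m]


def summarize_rootkitrevealer(text):
    """Count discrepancies by type so bulk churn is visible at a glance."""
    return Counter(e["desc"] for e in parse_rootkitrevealer(text))


def prioritize_rootkitrevealer(text):
    """Drop known-noisy locations; rank hidden executables/drivers highest."""
    out = []
    for e in parse_rootkitrevealer(text):
        p = e["path"].lower()
        if p.startswith(NOISY_PREFIXES):
            continue
        hidden_binary = p.endswith(EXECUTABLE_EXT) and e["desc"].startswith("Hidden")
        out.append((e["path"], e["desc"], "high" if hidden_binary else "review"))
    return out


if __name__ == "__main__":
    for f in triage_hijackthis(HJT_SAMPLE):
        print(f["section"], "|", ", ".join(f["reasons"]), "|", f["line"])
    print(dict(summarize_rootkitrevealer(RKR_SAMPLE)))
    for path, desc, prio in prioritize_rootkitrevealer(RKR_SAMPLE):
        print(prio, "|", path, "|", desc)
```

Run it against a saved log by replacing the sample strings with the file contents. The point of the RootkitRevealer half is that dozens of `catalog.wci` discrepancies are expected from a directory being rewritten during the scan, so the useful signal is whatever survives the noise filter: an executable or driver that is hidden from the Windows API, or a registry key that denies access and does not correspond to software you know is installed.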

#2 Robsta, Topic Starter (Members, 6 posts)

Posted 27 April 2006 - 06:20 AM

FIXED

#3 KoanYorel, Bleepin' Conundrum (Staff Emeritus, 19,461 posts)

Posted 27 April 2006 - 12:06 PM

Nice work Robsta! Thanks for telling us.

For others, this is the thread that details what Robsta did to accomplish the fix.

This topic is now closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
