
Trojan Horse: Wareout Rootkit Infection



#1 BoneDigger


  • Members
  • 4 posts

Posted 16 August 2006 - 12:03 AM

I am running Windows 2000 on a Dell Latitude laptop. I'm using IE 6, SP1. I was recently infected with a Trojan Horse Virus. I tried Norton virus scan and it gets halfway through the scan then says "Scan aborted by user" and stops. Ad-Aware is really slow and finds a couple of issues, but it can't fix them. I tried to run Hijackthis and it won't allow me to click the "scan" button. When I click scan it just sits there and does nothing. Every 5-10 minutes or so my antivirus flashes this message:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\WINNT\system32\{D69D1FC6-693C-423D-ACF6-DBA09A979993}.exe
Location: Quarantine
Computer: SP-TMCMAKIN2KLT
User: tmcmakin
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, August 15, 2006 12:14:14 AM

My Hijackthis log looks like this:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\GPS Pathfinder Office 2.90\conmgr.exe
C:\PROGRA~1\COMMON~1\Trimble\REMOTE~1\TRDMU.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\wuauclt.exe
C:\unzipped\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.hughes.net/cp/ps/Main/login/Login
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {ABBFC25C-573E-4C74-6648-7F123615F1B5} - SetupExeDll.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
O4 - HKLM\..\Run: [abrek] runload32.exe
O4 - HKLM\..\Run: [ftbar] mozilla-text.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [qpihd.exe] C:\WINNT\system32\qpihd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [msag] TorontoMail.exe
O4 - HKCU\..\Run: [sbin] install2.exe
O4 - HKCU\..\Run: [MONITER] ___.exe
O4 - Global Startup: GPS Pathfinder Office Connection Manager.lnk = C:\Program Files\GPS Pathfinder Office 2.90\conmgr.exe
O4 - Global Startup: GPS Pathfinder Office Project Changer.lnk = C:\Program Files\GPS Pathfinder Office 2.90\PfPjChgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: myPrintMileage.lnk = C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tpwd.state.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76BB730-1BFE-4064-9057-9CA98067FF76}: NameServer = 85.255.116.57,85.255.112.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tpwd.state.tx.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tpwd.state.tx.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TPWD_VNC - Unknown owner - C:\WINNT\system32\rc\winvnc.exe" -service (file missing)




Todd


#2 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 16 August 2006 - 03:47 AM

Hey there BoneDigger,
I will be helping you with your log today, my name is David.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

First off I see two leftover services still present in the registry which need to be deleted.
The files have already been removed so the service is therefore useless.
Click on start > run and type the following, then hit enter:

sc delete "Network Monitor"

Repeat the above for the following command:

sc delete "TPWD_VNC"

Right, let's get down to business and remove this rootkit.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - {ABBFC25C-573E-4C74-6648-7F123615F1B5} - SetupExeDll.dll (file missing)
O4 - HKLM\..\Run: [PFO Check Settings] pfochk.exe
O4 - HKLM\..\Run: [abrek] runload32.exe
O4 - HKLM\..\Run: [ftbar] mozilla-text.exe
O4 - HKLM\..\Run: [qpihd.exe] C:\WINNT\system32\qpihd.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [msag] TorontoMail.exe
O4 - HKCU\..\Run: [sbin] install2.exe
O4 - HKCU\..\Run: [MONITER] ___.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76BB730-1BFE-4064-9057-9CA98067FF76}: NameServer = 85.255.116.57,85.255.112.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
  • Double-click the Network Connections icon
  • Right-click the Local Area Connection icon and select Properties.
  • Highlight Internet Protocol (TCP/IP) and click the Properties button.
  • Be sure Obtain DNS server address automatically is selected.
  • OK your way out.
Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter
Exit the command window

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

Good luck,
David
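As an added example (not code from the thread, from BleepingComputer or from HijackThis), the following Python script applies the same three checks David performs by eye to the log BoneDigger posted: it pulls the O17 NameServer values and flags any that sit outside the networks the machine should be using (the 85.255.x.x resolvers in the log are the Wareout DNS hijack), it lists O23 services whose binary HijackThis reports as "(file missing)" and generates the matching sc delete commands, and it flags O4 Run entries that launch a bare filename with no path (a heuristic that catches most of the entries David ticks, not a HijackThis rule). The trusted-network list, the Run allow-list and the sample log are constructed assumptions; the sample log is a subset of the lines from the thread.

```python
"""Triage helper for HijackThis logs (illustrative; not a BleepingComputer tool)."""
import re
from ipaddress import ip_address, ip_network

# Assumed (not from the thread): resolvers a laptop on this network is expected to use.
TRUSTED_DNS_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allow-list of path-less Run values that are legitimate on this box
# (the two bare names in the log that David did not ask to remove).
KNOWN_GOOD_RUN = {"ctfmon.exe", "mobsync.exe"}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [abrek] runload32.exe
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MONITER] ___.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tpwd.state.tx.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{B76BB730-1BFE-4064-9057-9CA98067FF76}: NameServer = 85.255.116.57,85.255.112.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.57 85.255.112.156
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: TPWD_VNC - Unknown owner - C:\WINNT\system32\rc\winvnc.exe" -service (file missing)
"""

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - ")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")


def parse_nameservers(line):
    """NameServer values of one O17 line; HijackThis separates them with ',' or ' '."""
    m = O17_RE.match(line)
    if not m:
        return []
    return [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]


def rogue_nameservers(lines):
    """Every NameServer value outside the trusted networks (or not an IP address at all)."""
    rogue = set()
    for line in lines:
        for s in parse_nameservers(line):
            try:
                ip = ip_address(s)
            except ValueError:
                rogue.add(s)  # not parseable as an address: worth a look anyway
                continue
            if not any(ip in net for net in TRUSTED_DNS_NETWORKS):
                rogue.add(s)
    return sorted(rogue)


def orphaned_services(lines):
    """Service names of O23 entries whose binary HijackThis reports as missing."""
    names = []
    for line in lines:
        m = O23_RE.match(line)
        if m and line.rstrip().endswith("(file missing)"):
            names.append(m.group("name"))
    return names


def sc_delete_commands(service_names):
    """The 'sc delete' commands from David's first step, one per orphaned service."""
    return ['sc delete "%s"' % n for n in service_names]


def _executable(cmd):
    """First token of a Run value: a quoted path, or the text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def suspicious_run_entries(lines):
    """O4 Run values launching a path-less executable not on the allow-list (heuristic)."""
    hits = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        exe = _executable(m.group("cmd"))
        if "\\" not in exe and exe.lower() not in KNOWN_GOOD_RUN:
            hits.append((m.group("hive"), m.group("key"), exe))
    return hits


def triage(log_text):
    """Run all three checks over a log and return the findings by category."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {
        "rogue_dns": rogue_nameservers(lines),
        "orphaned_services": orphaned_services(lines),
        "suspicious_run": suspicious_run_entries(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, findings in result.items():
        print(category, findings)
    for cmd in sc_delete_commands(result["orphaned_services"]):
        print(cmd)
```

The DNS check is the one that matters most for this infection: a rogue NameServer survives a reboot and silently redirects every lookup, which is why David has the DNS settings reset and the resolver cache flushed with ipconfig /flushdns before FixWareout runs. The bare-filename heuristic is only a prompt for a closer look; a full path is no guarantee of legitimacy (qpihd.exe in the log has one) and a bare name is sometimes normal (ctfmon.exe).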



