
Infected With Trojan.spam-multisite/gen


10 replies to this topic

#1 JimK907


Posted 13 April 2007 - 09:56 PM

Having already started in the "Am I Infected" thread, I move here after two passes by SuperAntispyware and BitDefender. The referenced trojan is very clever and I have manually attempted to understand how it works and can pretty well describe how it installs itself and protects itself from being deleted. It continuously refreshes its references in the registry and deletes any attempts to rename, move or delete it which are placed in the registry for action on reboot by such programs as HJT and Killbox. I think if a program can be run prior to XP services being run, it may be possible to delete this .DLL. After the services start up, it attaches to CSRSS and then forget it, you're screwed because the operating system is gonna protect it. The beast has chosen the totally random name of mfbimfb.dll. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:41:13 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\OpcEnum.exe
C:\ORANT_9i\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://republicweb/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=GATEWAY:80;http=GATEWAY:80;https=GATEWAY:88; socks=GATEWAY:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;170.4.*;192.1.5.*;ftp.nai.com;download.nai.com;*.conxion.com;*windowsupdate*;download.microsoft.com;msdownload.microsoft.com;*cooltick.com;finance*.vip.dcx.yahoo.com;download.adobe.com;ftp.adobe.com;ardownload.adobe.com;<local>
O1 - Hosts: 212.239.63.197 daftp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E} - c:\windows\system32\mfbimfb.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://cbcfapp2/tsweb/msrdp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = republic.bz
O17 - HKLM\Software\..\Telephony: DomainName = republic.bz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = republic.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = republic.bz
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fkfzjkwh - C:\WINDOWS\SYSTEM32\mfbimfb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OracleDEFAULT_HOME9iClientCache - Unknown owner - C:\ORANT_9i\BIN\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORANT_9i\bin\omtsreco.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

btw- I really have no idea what this thing is doing when it is fully expanded and running in memory. Anybody have any idea? I'm really curious to know why it needs to be so persistent.

Edited by JimK907, 13 April 2007 - 09:59 PM.



#2 Daemon

    Security Expert



Posted 13 April 2007 - 11:55 PM

Do this for me. Download The Avenger by Swandog46, and save it to your Desktop. Extract avenger.exe from the Zip file and save it to your desktop.

Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below (don't copy the word "CODE" in the box header, just the box contents starting at Files to delete) and paste it in the box that opens:

WARNING: This script is not a general fix. If you are not this user, running this script could damage your system

Files to delete:
C:\WINDOWS\SYSTEM32\mfbimfb.dll

Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it manually.

Please post a new HijackThis log and the log file from Avenger at C:\avenger.txt

#3 JimK907


Posted 14 April 2007 - 01:02 PM

btw For what it's worth, this trojan Multisite/Gen is called ConHook.O by BitDefender.

Avenger failed and had this to say:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gofdplwv

*******************

Script file located at: \??\C:\Documents and Settings\dfqgaaeq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\SYSTEM32\mfbimfb.dll for deletion
Deletion of file C:\WINDOWS\SYSTEM32\mfbimfb.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\mfbimfb.dll
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

#4 Daemon


    Security Expert



Posted 14 April 2007 - 01:14 PM

Has it renamed? If so, obtain the latest name from HJT and repeat the instructions with the new name.

#5 JimK907


Posted 14 April 2007 - 01:20 PM

For what it's worth, I would like to include my investigation of this trojan which may be of benefit to the techies. HijackThis does not tell the whole story when it comes to Services since many service routines are 'hidden' in the SvcHost processes...

********************************************
* Following is a listing from TaskList:
********************************************

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings>tasklist /svc

Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 488 N/A
csrss.exe 536 N/A
winlogon.exe 560 N/A
services.exe 604 Eventlog, PlugPlay
lsass.exe 616 Netlogon, PolicyAgent, ProtectedStorage,
SamSs
svchost.exe 780 DcomLaunch, TermService
svchost.exe 848 RpcSs
svchost.exe 884 AudioSrv, azuvyfqa, CryptSvc, Dhcp, ERSvc,
EventSystem, helpsvc, lanmanserver,
lanmanworkstation, Netman, Nla, RasMan,
Schedule, seclogon, SENS, ShellHWDetection,
srservice, TapiSrv, Themes, TrkWks, W32Time,
winmgmt, wuauserv, WZCSVC
Smc.exe 920 SmcService
svchost.exe 996 Dnscache
svchost.exe 1040 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe 1244 Spooler
scardsvr.exe 1292 SCardSvr
LogWatNT.exe 1580 LogWatch
FrameworkService.exe 1600 McAfeeFramework
Mcshield.exe 1648 McShield
VsTskMgr.exe 1696 McTaskManager
naPrdMgr.exe 1744 N/A
mdm.exe 1856 MDM
OpcEnum.exe 1924 OpcEnum
omtsreco.exe 1948 OracleMTSRecoveryService
svchost.exe 1992 stisvc
WLTRYSVC.EXE 188 WLTRYSVC
BCMWLTRY.EXE 232 N/A
wmiprvse.exe 912 N/A
ssonsvr.exe 1404 N/A
explorer.exe 3128 N/A
shstat.exe 3472 N/A
UpdaterUI.exe 3480 N/A
hkcmd.exe 3524 N/A
Directcd.exe 3536 N/A
qttask.exe 3648 N/A
ctfmon.exe 3704 N/A
SUPERAntiSpyware.exe 3812 N/A
Ymsgr_tray.exe 1384 N/A
WZQKPICK.EXE 2148 N/A
iexplore.exe 3348 N/A
iexplore.exe 2832 N/A
HijackThis.exe 512 N/A
cmd.exe 2176 N/A
tasklist.exe 3404 N/A
wmiprvse.exe 2712 N/A

************************************************
* Notice SvcHost PID 884 is hiding a service called
* azuvyfqa. It is a non-executing proxy which launches
* the trojan. Here are the registry entries for the service
************************************************
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost netsvcs
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_AZUVYFQA
NextInstance = 1
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_AZUVYFQA\0000
Class = LegacyDriver
ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags = 0
DeviceDesc = Microcode Update Helper
Legacy = 1
Service = azuvyfqa
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_AZUVYFQA\0000\Control
ActiveService = azuvyfqa
HKLM\SYSTEM\ControlSet001\Services\azuvyfqa
Description = Helper for Microcode Update
DisplayName = Microcode Update Helper
ErrorControl = 1
ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Start = 2
Type = 32 (decimal)
HKLM\SYSTEM\ControlSet001\Services\azuvyfqa\Enum
0 = Root\LEGACY_AZUVYFQA\0000
Count = 1
NextInstance = 1
HKLM\SYSTEM\ControlSet001\Services\azuvyfqa\Parameters
ServiceDLL = c:\windows\system32\mfbimfb.dll

****************************************
* The gui class listed above is generic and is used
* by many services which have no gui
****************************************

****************************************
* Pretty much the same for ControlSet002
****************************************
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_AZUVYFQA
NextInstance = 1
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_AZUVYFQA\0000
Class = LegacyDriver
ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags = 0
DeviceDesc = Microcode Update Helper
Legacy = 1
Service = azuvyfqa
HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_AZUVYFQA\0000\Control
ActiveService = azuvyfqa
HKLM\SYSTEM\ControlSet002\Services\azuvyfqa
Description = Helper for Microcode Update
DisplayName = Microcode Update Helper
ErrorControl = 1
ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Start = 2
Type = 32 (decimal)
HKLM\SYSTEM\ControlSet002\Services\azuvyfqa\Enum
0 = Root\LEGACY_AZUVYFQA\0000
Count = 1
NextInstance = 1

**************************************************
* And the same for the CurrentControlSet
**************************************************
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AZUVYFQA
NextInstance = 1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AZUVYFQA\0000
Class = LegacyDriver
ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags = 0
DeviceDesc = Microcode Update Helper
Legacy = 1
Service = azuvyfqa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AZUVYFQA\0000\Control
ActiveService = azuvyfqa
HKLM\SYSTEM\CurrentControlSet\Services\azuvyfqa
Description = Helper for Microcode Update
DisplayName = Microcode Update Helper
ErrorControl = 1
ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Start = 2
Type = 32 (decimal)
HKLM\SYSTEM\CurrentControlSet\Services\azuvyfqa\Enum
0 = Root\LEGACY_AZUVYFQA\0000
Count = 1
NextInstance = 1
HKLM\SYSTEM\CurrentControlSet\Services\azuvyfqa\Parameters
ServiceDLL = c:\windows\system32\mfbimfb.dll

******************************************************
* The ServiceDLL for this 'dummy' service is our trojan:
* mfbimfb.dll. He used to have a duplicate but somewhere
* along the line the dup named mfbimfb.dll.BAK got killed and
* blown out
******************************************************
******************************************************
* These are the registry entries for the 'bad boy'
* First the DLL registration
******************************************************
HKCR\CLSID\{215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E}
Flags = 1
Version = 6
HKCR\CLSID\{215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E}\InProcServer32
(Default) = c:\windows\system32\mfbimfb.dll
ThreadingModel = Apartment
HKLM\Software\Classes\CLSID\{215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E}
Flags = 1
Version = 6
HKLM\Software\Classes\CLSID\{215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E}\InProcServer32
(Default) = c:\windows\system32\mfbimfb.dll
ThreadingModel = Apartment

********************************************************
* Next, another hook just to make sure he gets run
* one way or another
********************************************************
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fkfzjkwh
Asynchronous = 0
DLLName = mfbimfb.dll
Impersonate = 0
Logoff = WLEventStop
Logon = WLEventStart

*******************************************************
* It appears to me, and I'm no expert, he will start as a service
* or upon logon whichever occurs first. And once he runs he is
* protected by the operating system
* I am not sure if he is overwriting the registry if you delete one
* of his hooks or if the OS is doing it. Either way, this is no
* amateur bug.
*******************************************************
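The three hooks dumped above (the svchost-hosted service's ServiceDLL, the Winlogon Notify DLLName, and the CLSID InProcServer32 entry) all resolve to the same file, and that redundancy is exactly what a cleanup has to catch in full. The following Python script is an added example, not code from this thread or from HijackThis/Avenger/VundoFix: it parses a registry dump in the text form posted above (an assumed format) and reports every DLL reached through two or more hooks. The DHCP client and SUPERAntiSpyware entries in the sample are constructed benign negatives.

```python
r"""Correlate persistence hooks that point at the same DLL, from a text
registry dump in the format used in this thread (a key path line such as
HKLM\... followed by "Name = value" lines).  Hooks recognised:
  * svchost-hosted service (ImagePath runs svchost.exe -k) via its
    Parameters\ServiceDLL value, which HijackThis O23 does not show
  * Winlogon\Notify\<name> DLLName (HijackThis O20)
  * CLSID\{...}\InProcServer32 default value (HijackThis O2 for a BHO)
"""
import ntpath
import re
from collections import defaultdict

KEY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)$", re.I)
NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\([^\\]+)$", re.I)
INPROC_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})\\InProcServer32$", re.I)

# Constructed sample: the azuvyfqa / fkfzjkwh / CLSID entries from the post,
# plus two benign entries (DHCP client, SUPERAntiSpyware) as negatives.
SAMPLE_DUMP = r"""
HKLM\SYSTEM\CurrentControlSet\Services\azuvyfqa
DisplayName = Microcode Update Helper
ImagePath = %SystemRoot%\System32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\azuvyfqa\Parameters
ServiceDLL = c:\windows\system32\mfbimfb.dll
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp
DisplayName = DHCP Client
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters
ServiceDll = %SystemRoot%\System32\dhcpcsvc.dll
HKCR\CLSID\{215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E}\InProcServer32
(Default) = c:\windows\system32\mfbimfb.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\fkfzjkwh
DLLName = mfbimfb.dll
Logon = WLEventStart
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon
DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

def parse_dump(text):
    """Return {key_path: {value_name: value}} from the dump text."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(KEY_PREFIXES):
            current = keys.setdefault(line, {})
        elif current is not None and " = " in line:
            name, _, value = line.partition(" = ")
            current[name.strip()] = value.strip()
    return keys

def dll_id(value):
    """Lower-case basename of a DLL reference, so a bare 'mfbimfb.dll' in a
    Notify entry matches the full path in a ServiceDLL or InProcServer32."""
    return ntpath.basename(value.strip('"')).lower()

def collect_hooks(keys):
    """Map DLL basename -> list of (hook_kind, hook_name)."""
    hooks = defaultdict(list)
    for path, values in keys.items():
        m = SERVICE_RE.search(path)
        if m and "svchost.exe -k" in values.get("ImagePath", "").lower():
            params = keys.get(path + "\\Parameters", {})
            dll = next((v for k, v in params.items() if k.lower() == "servicedll"), None)
            if dll:
                hooks[dll_id(dll)].append(("svchost service", m.group(1)))
            continue
        m = NOTIFY_RE.search(path)
        if m and "DLLName" in values:
            hooks[dll_id(values["DLLName"])].append(("winlogon notify", m.group(1)))
            continue
        m = INPROC_RE.search(path)
        if m and "(Default)" in values:
            hooks[dll_id(values["(Default)"])].append(("com inproc server", m.group(1).upper()))
    return hooks

def multi_hooked(text):
    """DLLs reached through two or more hooks: {dll: sorted hook list}.
    Redundant hooks are the pattern the post above describes; each one is a
    separate place an incomplete cleanup can leave behind."""
    hooks = collect_hooks(parse_dump(text))
    return {dll: sorted(h) for dll, h in hooks.items() if len(h) >= 2}

if __name__ == "__main__":
    for dll, hooks in multi_hooked(SAMPLE_DUMP).items():
        print(f"{dll}: {len(hooks)} persistence hooks")
        for kind, name in hooks:
            print(f"  {kind:18} {name}")
```

Run against the sample it reports mfbimfb.dll with all three hooks and stays silent on the two benign DLLs; feeding it a fuller dump (every ControlSet, HKCR and HKLM\Software\Classes) is the same call.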

#6 JimK907


Posted 14 April 2007 - 01:23 PM

For completeness and at your request, here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:19:41 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\OpcEnum.exe
C:\ORANT_9i\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://republicweb/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=GATEWAY:80;http=GATEWAY:80;https=GATEWAY:88; socks=GATEWAY:1080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.repsteel.com;10.*;170.4.*;192.1.5.*;ftp.nai.com;download.nai.com;*.conxion.com;*windowsupdate*;download.microsoft.com;msdownload.microsoft.com;*cooltick.com;finance*.vip.dcx.yahoo.com;download.adobe.com;ftp.adobe.com;ardownload.adobe.com;<local>
O1 - Hosts: 212.239.63.197 daftp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {215F8ABE-9AC1-46C8-BB20-07BCDD63DE7E} - c:\windows\system32\mfbimfb.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Netscape Internet Service\Netscape Web Accelerator\pbhelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://cbcfapp2/tsweb/msrdp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = republic.bz
O17 - HKLM\Software\..\Telephony: DomainName = republic.bz
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = republic.bz
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = republic.bz
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fkfzjkwh - C:\WINDOWS\SYSTEM32\mfbimfb.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCommon\RSOBSERV.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: OracleDEFAULT_HOME9iClientCache - Unknown owner - C:\ORANT_9i\BIN\ONRSD.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ORANT_9i\bin\omtsreco.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#7 JimK907


Posted 14 April 2007 - 01:26 PM

Has it renamed? If so, obtain the latest name from HJT and repeat the instructions with the new name.


No it has not renamed - I am pointing out that it is known by two different names (or types of trojans) depending on who scans it.

#8 Daemon


    Security Expert



Posted 14 April 2007 - 04:57 PM

Well it looks like Vundo. Do this. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

#9 JimK907


Posted 14 April 2007 - 07:42 PM

Hi Daemon

Vundo log:

VundoFix V6.3.19

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:15:52 PM 4/14/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

**************************
It exited clean with no reboot.

#10 Daemon


    Security Expert



Posted 15 April 2007 - 01:55 AM

OK, let's see if we can clear it this way. Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, right-click inside the listbox (white box) and click add more files.
  • Copy & paste the 2 entries below into the top 2 boxes (one in each).
C:\WINDOWS\SYSTEM32\mfbimfb.dll
C:\WINDOWS\system32\bfmibfm.*

  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


#11 Daemon


    Security Expert



Posted 20 April 2007 - 01:33 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a Moderator. This applies only to the original topic starter. Everyone else please begin a New Topic.