Redirected searches and new tabs and windows; started with Protection Center Malware
SHORT VERSION
The short summary is that I managed to get the Protection Center malware installed on my machine. I believe I have gotten it mostly gone, but I still have some issues with new windows or tabs coming up after Google or Bing searches. It also hijacks Google search links to malware removal sites.
LONG VERSION
Now for the long version....
History
This malware installed itself on Tuesday. I stupidly clicked on a link I shouldn't have and it started installing. I killed power midway through the install, but it still got on there. I was able to boot to safe mode and remove the files. I have Norton AV installed. It detected a Trojan Horse in fjhdyfhsn.bat. I also deleted that file. While the malware was there, it stopped the Norton realtime service. Before I realized it was just a stopped service, at the recommendation of my IT guy, I installed Microsoft Security Essentials. I ran a quick scan and it found:
VirTool:WinNT/Cutwail.L
driver:NDIS
file:C:\WINDOWS\system32\drivers\ndis.sys
regkey:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
safeboot:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
service:NDIS
Trojan:Win32/Alureon
file:C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0ZG5C5QT\396-direct[1].ex
Trojan:Win32/FakeCog
containerfile:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe
file:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe
file:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe->[Obfuscator.EW]
I removed those and rebooted and then had no network connection. It looks like something attempted to install some WAN driver and corrupted all of my network drivers, so I had no network access. I went back to a previous restore point. This restored my network and put Protection Center back on my machine. It also put some porn and spam icons on my desktop. I was able to easily remove all of those, although I'm sure that all of my previous restore points are infected.
Over the last 3 days, I've run MSE a few more times and it has occasionally found something. Here is the list, in order:
Trojan:Win32/FakeCog
containerfile:C:\Program Files\Protection Center\cntext.dll
containerfile:C:\Program Files\Protection Center\cnthook.dll
containerfile:C:\Program Files\Protection Center\Uninstall.exe
file:c:\documents and settings\akotmel\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.lnk
file:C:\Program Files\Protection Center\about.ico
file:C:\Program Files\Protection Center\activate.ico
file:C:\Program Files\Protection Center\buy.ico
file:C:\Program Files\Protection Center\cntext.dll
file:C:\Program Files\Protection Center\cntext.dll->[Obfuscator.EW]
file:C:\Program Files\Protection Center\cnthook.dll
file:C:\Program Files\Protection Center\cnthook.dll->[Obfuscator.EW]
file:c:\Program Files\Protection Center\cntprot.exe
file:C:\Program Files\Protection Center\help.ico
file:C:\Program Files\Protection Center\scan.ico
file:C:\Program Files\Protection Center\settings.ico
file:C:\Program Files\Protection Center\Uninstall.exe
file:C:\Program Files\Protection Center\Uninstall.exe->[Obfuscator.EW]
file:C:\Program Files\Protection Center\update.ico
folder:C:\Program Files\Protection Center\
Trojan:BAT/Killfiles.J
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0298722.bat
Trojan:Win32/Alureon.DN
file:C:\WINDOWS\PRAGMAxpbvpesmqx\pragmabbr.dll
file:C:\WINDOWS\PRAGMAxpbvpesmqx\pragmaserf.dll
Trojan:Win32/FakeCog
containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\asd48D.tmp.exe
containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\asd97C.tmp.exe
containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\kernel64xp.dll
file:C:\Documents and Settings\akotmel\Local Settings\Temp\65a7.tmp
file:C:\Documents and Settings\akotmel\Local Settings\Temp\asd48D.tmp.exe->[Obfuscator.EW]
file:C:\Documents and Settings\akotmel\Local Settings\Temp\asd97C.tmp.exe->[Obfuscator.EW]
file:C:\Documents and Settings\akotmel\Local Settings\Temp\kernel64xp.dll->[Obfuscator.EW]
Trojan:Win32/FakeCog
containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\mscdexnt.exe
file:C:\Documents and Settings\akotmel\Local Settings\Temp\mscdexnt.exe->[Obfuscator.EW]->(VFS:kernel64xp.dll#1)->[Obfuscator.EW]
Trojan:Win32/FakeCog
containerfile:C:\WINDOWS\Temp\kernel64xp.dll
containerfile:C:\WINDOWS\Temp\mscdexnt.exe
file:C:\WINDOWS\Temp\kernel64xp.dll->[Obfuscator.EW]
file:C:\WINDOWS\Temp\mscdexnt.exe->[Obfuscator.EW]->(VFS:kernel64xp.dll#1)->[Obfuscator.EW]
Trojan:Win32/Alureon
file:C:\Documents and Settings\akotmel\Local Settings\Temporary Internet Files\Content.IE5\33T7MOAF\396-direct[1].ex
Trojan:Win32/Alureon.DK
file:C:\WINDOWS\Temp\PRAGMAa3b4.tmp
Trojan:Win32/Alureon.DK
file:C:\WINDOWS\Temp\PRAGMAa3b4.tmp
Trojan:Win32/Alureon.gen!U
file:C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAc.dll
Trojan:Win32/FakeCog
containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299290.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299290.dll->[Obfuscator.EW]
Trojan:Win32/FakeCog
containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299291.dll
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299291.dll->[Obfuscator.EW]
Trojan:Win32/FakeCog
containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299296.exe
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299296.exe->[Obfuscator.EW]
Trojan:Win32/Alureon.DN
file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301110.dll
Norton Realtime scan has also found the following since being restarted:
Trojan.FakeAV (C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQE5.tmp)
Trojan.FakeAV (C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301179.dll)
Trojan.FakeAV (C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301111.dll)
I have not been able to run a full system scan with Norton, because every time I do, it says "Scan stopped by user". I do not believe this is new with this infection, though.
I have also run Malwarebytes. Malwarebytes found and removed the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Trojan.DNSChanger C:\WINDOWS\PRAGMAxpbvpesmqx
Rootkit.TDSS.Gen C:\WINDOWS\Temp\5D.tmp
Trojan.DNSChanger C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAc.dll
Trojan.DNSChanger C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAcfg.ini
Trojan.DNSChanger C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAsrcr.dat
Malware.Trace C:\Documents and Settings\akotmel\Application Data\avdrn.dat
Rootkit.TDSS C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
Trojan.DNSChanger C:\WINDOWS\Temp\PRAGMAa3b4.tmp
Rootkit.TDSS C:\WINDOWS\Temp\pragmamainqt.dll
Current Issue
So, the above covers everything I've cleaned up. The issue I am left with now is that sometimes when I do Google searches (I also tried and saw it in Bing), I will see another window or tab pop up going to some other site. The other sites look like generic ad sites, like someone is just trying to generate click-through money. Typically, these searches go through c.php, go.php, search.php or click.php. I have also noticed that some Google links to malware removal sites will immediately skip the malware site page and go straight to an ad page. However, the site still shows up in my history, so I can get to it that way or by pasting it into my browser.
I hope I have covered everything here. I am also pasting in a HijackThis log.
If you have any questions, please ask. If you can help, please do.
Thanks!
Allan
HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:01 AM, on 6/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Evoluent\VMouse\EvoMouExec.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HoeKey\HoeKey.exe
C:\WINDOWS\qmc.exe
C:\Documents and Settings\akotmel\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\tmp\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: HoeKey.lnk = C:\Program Files\HoeKey\HoeKey.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Evoluent Mouse Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\Software\..\Telephony: DomainName = biap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = biap.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 14289 bytes
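The Malwarebytes "Hijack.Userinit" finding above is the most instructive line in this log: Windows runs every comma-separated program listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit at each logon, so appending a second executable (here C:\WINDOWS\sorry.exe) to the legitimate userinit.exe gives the malware persistence that survives removal of the visible program files. The Python below is an added example, not code from the thread or from Malwarebytes: it parses a Malwarebytes hijack line of the shape posted above and checks each component of the Userinit value against the stock entry. The regex, function names and the assumption that only userinit.exe belongs there (bare name or full path under %SystemRoot%\system32) are mine.

```python
r"""Check a Winlogon Userinit value for appended executables.

Added example (not from the forum thread). The Userinit value is a
comma-separated list; the stock Windows XP value is
"C:\WINDOWS\system32\userinit.exe," and anything else in the list is a
program Windows will start at every logon.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# The only program expected in Userinit on a stock install (assumption).
EXPECTED_USERINIT = "userinit.exe"

# Shape of the Malwarebytes registry-hijack line posted in the thread.
MBAM_HIJACK_RE = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<family>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)

# Sample taken from the Malwarebytes output quoted in the original post.
SAMPLE_MBAM_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe) "
    r"Good: (Userinit.exe) -> Quarantined and deleted successfully."
)


def unexpected_userinit_entries(value: str, system_root: str = r"C:\WINDOWS") -> list[str]:
    """Return every component of a Userinit value that is not the stock userinit.exe.

    Both the bare file name and the full %SystemRoot%\system32 path are
    accepted as legitimate; comparison is case-insensitive because NTFS
    paths are. The trailing empty slot Windows itself writes is ignored.
    """
    legitimate = {
        EXPECTED_USERINIT,
        str(PureWindowsPath(system_root, "system32", EXPECTED_USERINIT)).lower(),
    }
    unexpected: list[str] = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue
        if entry.lower() not in legitimate:
            unexpected.append(entry)
    return unexpected


def parse_mbam_hijack(line: str) -> dict[str, str]:
    """Split a Malwarebytes 'Hijack.*' line into key, family, bad and good values."""
    match = MBAM_HIJACK_RE.match(line.strip())
    if match is None:
        raise ValueError("not a Malwarebytes registry-hijack line")
    return match.groupdict()


def suspicious_entries_from_mbam(line: str) -> list[str]:
    """Parse the hijack line and report the programs that were appended to Userinit."""
    record = parse_mbam_hijack(line)
    return unexpected_userinit_entries(record["bad"])


if __name__ == "__main__":
    record = parse_mbam_hijack(SAMPLE_MBAM_LINE)
    print("key:     ", record["key"])
    print("good:    ", record["good"])
    print("appended:", suspicious_entries_from_mbam(SAMPLE_MBAM_LINE))
```

Run against the quoted line, the only appended program is C:\WINDOWS\sorry.exe; a clean value such as "C:\WINDOWS\system32\userinit.exe," or the bare "Userinit.exe" that Malwarebytes restored yields an empty list. The same check is worth repeating after any cleanup, since a Userinit entry is what brings a removed program back at the next logon.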
kevin27_b3d29f
June 24th, 2010 13:00
Hi,
Sorry for the delay in replying.
Please go to VirSCAN where you will see a browse button at the top of the screen.
C:\WINDOWS\qmc.exe
C:\bin\M.EXE
Note: you may need to show hidden files to locate the files requested:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Remember to hide hidden files/folders by reversing the action when you have finished
There are some entries in the log that look suspicious; maybe you can shed some light before we take them out. Please let me know if you recognize the Domain biap.local. All Google brings up is things related to Baghdad Airport.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\Software\..\Telephony: DomainName = biap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = biap.local
Please post back the VirScan reports, whether you set the Domain, and a status report on how the system is running.
Thanks.
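The review above shows how a helper reads a HijackThis log: running processes from unusual locations (C:\WINDOWS\qmc.exe) and O17 domain entries are put to the user as questions before anything is removed. The Python below is an added example, not code from the thread or from HijackThis: it parses the HJT log format posted earlier and lists the entries a reviewer would ask about. The location heuristics, the entry regex and the sample excerpt (taken from the log in the first post) are my own choices; a flagged line is a question, not a verdict, and in this thread both qmc.exe and biap.local turned out to be legitimate.

```python
r"""Triage a HijackThis log for entries worth asking the user about.

Added example, not part of the thread. Parses the "Running processes:"
section and the typed entries (R0/R1, O4, O17, O20, O23, ...) of a
HijackThis v2 log and flags processes outside the usual install
locations, O17 domain/DNS settings and O20 Winlogon Notify DLLs.
"""
from __future__ import annotations

import re

# HJT entry lines look like "O17 - HKLM\System\CCS\...: Domain = biap.local".
ENTRY_RE = re.compile(r"^(?P<type>[RFON]\d+) - (?P<body>.+)$")

# Where stock Windows XP and normally installed software live (assumption).
STANDARD_PREFIXES = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")
# Explorer is the one stock process that runs from the Windows root itself.
KNOWN_ROOT_PROCESSES = {r"c:\windows\explorer.exe"}

# Constructed excerpt of the HijackThis log quoted in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HoeKey\HoeKey.exe
C:\WINDOWS\qmc.exe
C:\Documents and Settings\akotmel\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\tmp\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\Software\..\Telephony: DomainName = biap.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


def parse_hjt_log(text: str) -> tuple[list[str], list[dict[str, str]]]:
    """Return (running process paths, typed entries) from HijackThis log text."""
    processes: list[str] = []
    entries: list[dict[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the process list ends where typed entries begin
            entries.append({"type": match["type"], "body": match["body"]})
        elif in_processes:
            processes.append(line)
    return processes, entries


def outside_standard_locations(path: str) -> bool:
    """True when a process path is not under a standard install location."""
    lowered = path.lower()
    if lowered in KNOWN_ROOT_PROCESSES:
        return False
    return not any(lowered.startswith(prefix) for prefix in STANDARD_PREFIXES)


def triage(processes: list[str], entries: list[dict[str, str]]) -> list[tuple[str, str]]:
    """List (reason, line) pairs a reviewer would put to the user."""
    findings: list[tuple[str, str]] = []
    for path in processes:
        if outside_standard_locations(path):
            findings.append(("process outside standard locations; ask what it is", path))
    for entry in entries:
        if entry["type"] == "O17":
            findings.append(("domain/DNS setting; confirm it is the user's own network", entry["body"]))
        elif entry["type"] == "O20":
            findings.append(("DLL loaded by Winlogon; confirm the vendor", entry["body"]))
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt_log(SAMPLE_LOG)
    for reason, line in triage(procs, ents):
        print(f"{reason}\n    {line}")
```

On the excerpt this lists qmc.exe, the SansaDispatch updater in the user profile and HijackThis itself in C:\tmp, plus the two O17 lines and the GemSafe Winlogon Notify DLL, which is close to the set of questions asked above. The user's answers (a calendar utility, the company's internal domain) are what turn each question into "leave it" or "remove it".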
mrbaseball
June 24th, 2010 15:00
No worries at all. I think everything you called out there should be fine. I know what both m.exe and qmc.exe are. m.exe is an emacs-like text editor I use. qmc.exe is something called quickmonth calendar. It lets me hover over the clock and see a calendar. I did run the scans anyway, though. It can't hurt.
BIAP is the old name for my company. biap.local is our internal domain name.
That's a handy web site.
Here are the scan logs:
qmc.exe scan
VirSCAN.org Scanned Report :
Scanned time : 2010/06/24 16:43:34 (EDT)
Scanner results: Scanners did not find malware!
File Name : qmc.exe
File Size : 429003 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 4b681dfd9a7eafbc39440c91c4e42d5c
SHA1 : 7165d40762e2484dc82dc98c1c121fbcfda6cf2f
Online report : http://virscan.org/report/debc3b349177fa396464a8af77741225.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100624063430 2010-06-24 5.37 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.17 -
AntiVir 8.2.4.2 7.10.8.185 2010-06-24 0.26 -
Antiy 2.0.18 20100620.4774407 2010-06-20 0.02 -
Arcavir 2009 201006241441 2010-06-24 0.13 -
Authentium 5.1.1 201006241456 2010-06-24 3.64 -
AVAST! 4.7.4 100624-1 2010-06-24 0.03 -
AVG 8.5.793 271.1.1/2960 2010-06-24 1.75 -
BitDefender 7.90123.6275712 7.32389 2010-06-25 4.43 -
ClamAV 0.96.1 11256 2010-06-24 0.08 -
Comodo 3.13.579 5206 2010-06-24 0.92 -
CP Secure 1.3.0.5 2010.06.25 2010-06-25 0.09 -
Dr.Web 5.0.2.3300 2010.06.25 2010-06-25 8.66 -
F-Prot 4.4.4.56 20100624 2010-06-24 3.02 -
F-Secure 7.02.73807 2010.06.24.05 2010-06-24 0.32 -
Fortinet 4.1.133 12.80 2010-06-23 0.15 -
GData 21.405/21.147 20100624 2010-06-24 7.11 -
ViRobot 20100624 2010.06.24 2010-06-24 0.37 -
Ikarus T3.1.01.84 2010.06.24.76133 2010-06-24 7.83 -
JiangMin 13.0.900 2010.06.24 2010-06-24 1.24 -
Kaspersky 5.5.10 2010.06.24 2010-06-24 0.17 -
KingSoft 2009.2.5.15 2010.6.24.18 2010-06-24 0.72 -
McAfee 5400.1158 6023 2010-06-24 16.45 -
Microsoft 1.5902 2010.06.24 2010-06-24 7.86 -
Norman 6.05.10 6.05.00 2010-06-24 6.01 -
Panda 9.05.01 2010.06.24 2010-06-24 1.93 -
Trend Micro 9.120-1004 7.264.13 2010-06-24 0.04 -
Quick Heal 10.00 2010.06.24 2010-06-24 1.63 -
Rising 20.0 22.53.03.04 2010-06-24 1.27 -
Sophos 3.07.1 4.54 2010-06-25 3.67 -
Sunbelt 3.9.2426.2 6501 2010-06-24 15.80 -
Symantec 1.3.0.24 20100615.005 2010-06-15 0.44 -
nProtect 20100624.01 8765388 2010-06-24 8.39 -
The Hacker 6.5.2.0 v00303 2010-06-24 0.32 -
VBA32 3.12.12.5 20100624.0925 2010-06-24 4.31 -
VirusBuster 4.5.11.10 10.126.101/2029345 2010-06-24 2.94 -
m.exe scan
VirSCAN.org Scanned Report :
Scanned time : 2010/06/24 16:55:37 (EDT)
Scanner results: Scanners did not find malware!
File Name : M.EXE
File Size : 266240 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 63887afec956a6eb4ce0c2b8833b8e5d
SHA1 : 5cc6381b0556e647990b508de7d39929bac408b2
Online report : http://virscan.org/report/4c0e41c541b2c83d7e2b6d68699fe77f.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100624063430 2010-06-24 5.02 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.34 -
AntiVir 8.2.4.2 7.10.8.185 2010-06-24 0.27 -
Antiy 2.0.18 20100620.4774407 2010-06-20 0.02 -
Arcavir 2009 201006241441 2010-06-24 0.11 -
Authentium 5.1.1 201006241456 2010-06-24 2.20 -
AVAST! 4.7.4 100624-1 2010-06-24 0.02 -
AVG 8.5.793 271.1.1/2960 2010-06-24 0.29 -
BitDefender 7.90123.6275712 7.32389 2010-06-25 5.72 -
ClamAV 0.96.1 11256 2010-06-24 0.08 -
Comodo 3.13.579 5206 2010-06-24 0.90 -
CP Secure 1.3.0.5 2010.06.25 2010-06-25 0.08 -
Dr.Web 5.0.2.3300 2010.06.25 2010-06-25 8.50 -
F-Prot 4.4.4.56 20100624 2010-06-24 2.14 -
F-Secure 7.02.73807 2010.06.24.05 2010-06-24 0.21 -
Fortinet 4.1.133 12.80 2010-06-23 0.18 -
GData 21.405/21.147 20100624 2010-06-24 7.02 -
ViRobot 20100624 2010.06.24 2010-06-24 0.36 -
Ikarus T3.1.01.84 2010.06.24.76133 2010-06-24 7.04 -
JiangMin 13.0.900 2010.06.24 2010-06-24 1.23 -
Kaspersky 5.5.10 2010.06.24 2010-06-24 0.15 -
KingSoft 2009.2.5.15 2010.6.24.18 2010-06-24 0.62 -
McAfee 5400.1158 6023 2010-06-24 16.37 -
Microsoft 1.5902 2010.06.24 2010-06-24 6.72 -
Norman 6.05.10 6.05.00 2010-06-24 4.01 -
Panda 9.05.01 2010.06.24 2010-06-24 1.95 -
Trend Micro 9.120-1004 7.264.13 2010-06-24 0.04 -
Quick Heal 10.00 2010.06.24 2010-06-24 1.60 -
Rising 20.0 22.53.03.04 2010-06-24 1.24 -
Sophos 3.07.1 4.54 2010-06-25 3.65 -
Sunbelt 3.9.2426.2 6501 2010-06-24 7.68 -
Symantec 1.3.0.24 20100615.005 2010-06-15 0.06 -
nProtect 20100624.01 8765388 2010-06-24 7.96 -
The Hacker 6.5.2.0 v00303 2010-06-24 0.32 -
VBA32 3.12.12.5 20100624.0925 2010-06-24 3.19 -
VirusBuster 4.5.11.10 10.126.101/2029345 2010-06-24 2.77 -
kevin27_b3d29f
June 25th, 2010 06:00
Ok,
If you're happy then I'm happy.
Please run another online scan with ESET and post the log results back to me.
Please let me know how the system is running <---Important.
Thanks.
mrbaseball
June 25th, 2010 13:00
Good news! No threats found on this run.
As for how the system is running, it seems fine. I have not seen the issue that I was originally having since we removed the rootkit. So, things are looking very good right now.
What else would you like me to do?
kevin27_b3d29f
June 25th, 2010 15:00
Hi,
Your system is now clean from infection; all that is left to do is to remove the tools we used, do some general housekeeping, and then give some prevention advice for the future. Please proceed as follows.
The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /uninstall
Note the space between Combofix and /
Please uninstall the other programs we used, as without proper guidance they can seriously harm the workings of Windows and your PC.
Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
In the Applications Tab:
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.
Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.
To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:
Adobe Acrobat/Reader is out of date; please update to the latest version from HERE
Now some advice on how to surf safe in the future.
ALWAYS keep all programs on your PC up to date and this especially means your Anti-Virus/Anti-Spyware/Firewall/Java and Adobe programs.
They can all be found via the "All Programs" feature in the start menu and if opened will 100% have an update feature somewhere.
NEVER use more than ONE Anti-Virus,
NEVER use more than ONE Anti-Spyware,
NEVER use more than ONE Software Firewall (and never use the Windows built-in Firewall as it will not keep you protected),
as more than one of each of these will conflict with each other and leave you just as vulnerable as not having them.
You can get some VERY GOOD FREE ones from HERE
It's always a good idea to back these up with SpywareBlaster as this will run in the background and not conflict with any of your other Security.
Also give WinPatrol a try as it is a very good program that will inform you of any changes being made to your system in the same way that User Account Control does but better, (DO NOT switch off UAC if you install WinPatrol, it is still very much needed)
Research and consider using a HARDWARE Firewall as this will provide a very good extra layer of protection.
Scan with each piece of your security Daily and at the very least two daily.
Always keep a few on-demand scanners on your machine and use them every other day, such as,
If you use IE then consider using a more secure browser such as Firefox or Opera
Install all the latest Windows updates from HERE
or by clicking Start > All Programs > Windows Update, and keep going back and doing these until you have all the available updates and none are showing.
It's a good idea to set Windows Update to automatic so as not to miss any Important updates.
Always use a site advisor such as WOT to confirm the sites you are using are really the sites they say they are.
There is a version of WOT available for both IE and Firefox.
And please read these links for advice on Computer Security:
So how did I get infected in the first place by Tony Klein
Do's and Don'ts of Security Programs
Anti-Virus Programs Explained
If you have any other questions then please feel free to post back,
I will mark this thread as solved tomorrow,
Safe Surfing,
K27.
kevin27_b3d29f
June 26th, 2010 12:00
This topic is Resolved.....
The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)
If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.
All other users, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the button.
Regards
K27
mrbaseball
June 29th, 2010 08:00
Thanks very much for all of your help and your quick response time, K27. You've been great and I'm very happy to have things up and running cleanly now. I really can't thank you enough.
kevin27_b3d29f
June 29th, 2010 12:00
You're welcome.