June 11th, 2010 09:00

Redirected searches and new tabs and windows; started with Protection Center Malware

SHORT VERSION

The short summary is that I managed to get the Protection Center malware installed on my machine.  I believe I have gotten it mostly gone, but I still have some issues with new windows or tabs coming up after Google or Bing searches.  It also hijacks Google search links to malware removal sites.

LONG VERSION

Now for the long version....

History

This malware installed itself on Tuesday.  I stupidly clicked on a link I shouldn't have and it started installing.  I killed power midway through the install, but it still got on there.  I was able to boot to safe mode and remove the files.  I have Norton AV installed.  It detected a Trojan Horse in fjhdyfhsn.bat.  I also deleted that file.  While the malware was there, it stopped the Norton realtime service.  Before I realized it was just a stopped service, at the recommendation of my IT guy, I installed Microsoft Security Essentials.  I ran a quick scan and it found:

    VirTool:WinNT/Cutwail.L
        driver:NDIS
        file:C:\WINDOWS\system32\drivers\ndis.sys
        regkey:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
        safeboot:HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
        service:NDIS
    Trojan:Win32/Alureon
        file:C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0ZG5C5QT\396-direct[1].ex
    Trojan:Win32/FakeCog
        containerfile:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe
        file:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe
        file:c:\documents and settings\akotmel\Local Settings\Temp\wscsvc32.exe->[Obfuscator.EW]

I removed those and rebooted and then had no network connection.  It looks like something attempted to install some WAN driver and corrupted all of my network drivers, so I had no network access.  I went back to a previous restore point.  This restored my network and put Protection Center back on my machine.  It also put some porn and spam icons on my desktop.  I was able to easily remove all of those, although I'm sure that all of my previous restore points are infected.

Over the last 3 days, I've run MSE a few more times and it has occasionally found something.  Here is the list, in order:

    Trojan:Win32/FakeCog
        containerfile:C:\Program Files\Protection Center\cntext.dll
        containerfile:C:\Program Files\Protection Center\cnthook.dll
        containerfile:C:\Program Files\Protection Center\Uninstall.exe
        file:c:\documents and settings\akotmel\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.lnk
        file:C:\Program Files\Protection Center\about.ico
        file:C:\Program Files\Protection Center\activate.ico
        file:C:\Program Files\Protection Center\buy.ico
        file:C:\Program Files\Protection Center\cntext.dll
        file:C:\Program Files\Protection Center\cntext.dll->[Obfuscator.EW]
        file:C:\Program Files\Protection Center\cnthook.dll
        file:C:\Program Files\Protection Center\cnthook.dll->[Obfuscator.EW]
        file:c:\Program Files\Protection Center\cntprot.exe
        file:C:\Program Files\Protection Center\help.ico
        file:C:\Program Files\Protection Center\scan.ico
        file:C:\Program Files\Protection Center\settings.ico
        file:C:\Program Files\Protection Center\Uninstall.exe
        file:C:\Program Files\Protection Center\Uninstall.exe->[Obfuscator.EW]
        file:C:\Program Files\Protection Center\update.ico
        folder:C:\Program Files\Protection Center\
    Trojan:BAT/Killfiles.J
        file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0298722.bat
    Trojan:Win32/Alureon.DN
        file:C:\WINDOWS\PRAGMAxpbvpesmqx\pragmabbr.dll
        file:C:\WINDOWS\PRAGMAxpbvpesmqx\pragmaserf.dll
    Trojan:Win32/FakeCog
        containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\asd48D.tmp.exe
        containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\asd97C.tmp.exe
        containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\kernel64xp.dll
        file:C:\Documents and Settings\akotmel\Local Settings\Temp\65a7.tmp
        file:C:\Documents and Settings\akotmel\Local Settings\Temp\asd48D.tmp.exe->[Obfuscator.EW]
        file:C:\Documents and Settings\akotmel\Local Settings\Temp\asd97C.tmp.exe->[Obfuscator.EW]
        file:C:\Documents and Settings\akotmel\Local Settings\Temp\kernel64xp.dll->[Obfuscator.EW]
    Trojan:Win32/FakeCog
        containerfile:C:\Documents and Settings\akotmel\Local Settings\Temp\mscdexnt.exe
        file:C:\Documents and Settings\akotmel\Local Settings\Temp\mscdexnt.exe->[Obfuscator.EW]->(VFS:kernel64xp.dll#1)->[Obfuscator.EW]
    Trojan:Win32/FakeCog
        containerfile:C:\WINDOWS\Temp\kernel64xp.dll
        containerfile:C:\WINDOWS\Temp\mscdexnt.exe
        file:C:\WINDOWS\Temp\kernel64xp.dll->[Obfuscator.EW]
        file:C:\WINDOWS\Temp\mscdexnt.exe->[Obfuscator.EW]->(VFS:kernel64xp.dll#1)->[Obfuscator.EW]
    Trojan:Win32/Alureon
        file:C:\Documents and Settings\akotmel\Local Settings\Temporary Internet Files\Content.IE5\33T7MOAF\396-direct[1].ex
    Trojan:Win32/Alureon.DK
        file:C:\WINDOWS\Temp\PRAGMAa3b4.tmp
    Trojan:Win32/Alureon.DK
        file:C:\WINDOWS\Temp\PRAGMAa3b4.tmp
    Trojan:Win32/Alureon.gen!U
        file:C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAc.dll
    Trojan:Win32/FakeCog
        containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299290.dll
        file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299290.dll->[Obfuscator.EW]
    Trojan:Win32/FakeCog
        containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299291.dll
        file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299291.dll->[Obfuscator.EW]
    Trojan:Win32/FakeCog
        containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299296.exe
        file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP499\A0299296.exe->[Obfuscator.EW]
    Trojan:Win32/Alureon.DN
        file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301110.dll

Norton Realtime scan has also found the following since being restarted:

    Trojan.FakeAV  (C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\APQE5.tmp)
    Trojan.FakeAV  (C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301179.dll)
    Trojan.FakeAV  (C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP515\A0301111.dll)

I have not been able to run a full system scan with Norton, because every time I do, it says "Scan stopped by user".  This is not new from this infection, though, I do not believe.

I have also run Malwarebytes.  Malwarebytes found and removed the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Trojan.DNSChanger    C:\WINDOWS\PRAGMAxpbvpesmqx
    Rootkit.TDSS.Gen    C:\WINDOWS\Temp\5D.tmp
    Trojan.DNSChanger    C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAc.dll
    Trojan.DNSChanger    C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAcfg.ini
    Trojan.DNSChanger    C:\WINDOWS\PRAGMAxpbvpesmqx\PRAGMAsrcr.dat
    Malware.Trace        C:\Documents and Settings\akotmel\Application Data\avdrn.dat
    Rootkit.TDSS        C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
    Trojan.DNSChanger    C:\WINDOWS\Temp\PRAGMAa3b4.tmp
    Rootkit.TDSS        C:\WINDOWS\Temp\pragmamainqt.dll

Current Issue

So, the above covers everything I've cleaned up.  The issue I am left with now is that sometimes when I do Google searches (I also tried and saw it in Bing), I will see another window or tab pop up going to some other site.  The other sites look like generic ad sites, like someone is just trying to generate click-through money.  Typically, these searches go through c.php, go.php, search.php or click.php.  I have also noticed that some Google links to malware removal sites will immediately skip the malware site page and go straight to an ad page.  However, the site still shows up in my history, so I can get to it that way or by pasting it into my browser.

I hope I have covered everything here.  I am also pasting in a HijackThis log.

If you have any questions, please ask.  If you can help, please do.

Thanks!

Allan

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:01 AM, on 6/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Evoluent\VMouse\EvoMouExec.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HoeKey\HoeKey.exe
C:\WINDOWS\qmc.exe
C:\Documents and Settings\akotmel\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\tmp\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=2080614
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: HoeKey.lnk = C:\Program Files\HoeKey\HoeKey.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Evoluent Mouse Manager.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\Software\..\Telephony: DomainName = biap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = biap.local
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 14289 bytes
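As an added example (not code from this thread, from HijackThis, or from any other tool named in it), the following Python script does a first-pass triage of the two hijack patterns the thread turns up: a Winlogon Userinit value that chains a second program after userinit.exe (the Hijack.Userinit entry Malwarebytes removed, checked here on the raw registry value as Malwarebytes reported it) and O17 domain entries that are not on an allowlist (the biap.local question the helper raises later). The O4/O17 line formats follow the HijackThis log above; the allowlist, the temp-folder heuristic for Run entries, the sample log lines, the `user` profile name and the `example.invalid` domain are all constructed for the example.

```python
import re
from ntpath import basename  # Windows-style path splitting, works on any host

# Constructed allowlist: the thread confirms biap.local is the poster's own
# company domain, so it is the one expected value here.
KNOWN_DOMAINS = {"biap.local"}

# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit must
# launch only userinit.exe; anything chained after the comma is a logon
# hijack like the sorry.exe entry Malwarebytes removed in this thread.
EXPECTED_USERINIT = {"userinit.exe"}

# Directories from which a legitimate Run entry almost never starts
# (constructed heuristic; the thread's droppers lived in these folders).
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temp\\")

# Line formats taken from the HijackThis log posted above.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?:Domain|DomainName) = (?P<domain>\S+)$")


def userinit_extras(value):
    """Return every program in a Userinit value other than userinit.exe.

    A clean value is "C:\\WINDOWS\\system32\\userinit.exe," (the trailing
    comma is normal); an empty result means nothing extra runs at logon.
    """
    parts = [p.strip().strip('"') for p in value.split(",") if p.strip()]
    return [p for p in parts if basename(p).lower() not in EXPECTED_USERINIT]


def suspect_run_entry(cmd):
    """True if an O4 Run command launches something from a temp directory."""
    return any(d in cmd.lower() for d in SUSPECT_DIRS)


def triage(lines, known_domains=KNOWN_DOMAINS):
    """Scan HijackThis-style lines; return (line_no, reason) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            domain = m.group("domain")
            if domain.lower() not in known_domains:
                findings.append((n, "unknown domain " + domain))
            continue
        m = O4_RE.match(line)
        if m and suspect_run_entry(m.group("cmd")):
            findings.append((n, "Run entry from temp dir: " + m.group("name")))
    return findings


# Constructed sample: one clean Run entry, one dropper-style entry in the
# user's Temp folder, the legitimate domain and a placeholder unknown one.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [wscsvc32] C:\Documents and Settings\user\Local Settings\Temp\wscsvc32.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = example.invalid
""".strip().splitlines()

# The Userinit value exactly as Malwarebytes reported it in this thread.
HIJACKED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe"

if __name__ == "__main__":
    for extra in userinit_extras(HIJACKED_USERINIT):
        print("Userinit chains an extra program:", extra)
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A hit from this script is a prompt to ask the machine's owner, not a verdict: exactly as in the thread, the unknown-domain flag on biap.local was resolved by the poster confirming it as the company's internal domain, and any new domain or temp-folder entry should be checked the same way before it is removed.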

1.5K Posts

June 24th, 2010 13:00

Hi,

Sorry for the delay in replying.

Please go to VirSCAN where you will see a browse button at the top of the screen.

  • Click the Browse button
  • Locate the following file(s) (Note: you can only upload one file at a time)

C:\WINDOWS\qmc.exe
C:\bin\M.EXE

  • Click Upload button
  • Once the scan has finished, click the Save to Clipboard button at the bottom of the page
  • Open Notepad and right click and then click paste
  • Post Report(s) back to this thread

 

Note: you may need to show hidden files to locate the files requested:

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:

  • Search System folders
  • Search Hidden Files and folders
  • Search SubFolders

Remember to hide hidden files/folders by reversing the action when you have finished

 

There are some entries in the log that look suspicious; maybe you can shed some light before we take them out. Please let me know if you recognize the domain biap.local. All Google brings up are things related to Baghdad Airport.


O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\Software\..\Telephony: DomainName = biap.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = biap.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = biap.local

 

Please post back the VirScan reports, whether you set the Domain, and a status report on how the system is running.

Thanks.

13 Posts

June 24th, 2010 15:00

No worries at all.  I think everything you called out there should be fine.  I know what both m.exe and qmc.exe are.  m.exe is an emacs-like text editor I use.  qmc.exe is something called quickmonth calendar.  It lets me hover over the clock and see a calendar.  I did run the scans anyway, though.  It can't hurt.

BIAP is the old name for my company.  biap.local is our internal domain name.

That's a handy web site. 

Here are the scan logs:

 

qmc.exe scan

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/24 16:43:34 (EDT)
Scanner results: Scanners did not find malware!
File Name      : qmc.exe
File Size      : 429003 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 4b681dfd9a7eafbc39440c91c4e42d5c
SHA1           : 7165d40762e2484dc82dc98c1c121fbcfda6cf2f
Online report  : http://virscan.org/report/debc3b349177fa396464a8af77741225.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100624063430    2010-06-24  5.37   -
AhnLab V3      2010.06.18.01   2010.06.18        2010-06-18  1.17   -
AntiVir        8.2.4.2         7.10.8.185        2010-06-24  0.26   -
Antiy          2.0.18          20100620.4774407  2010-06-20  0.02   -
Arcavir        2009            201006241441      2010-06-24  0.13   -
Authentium     5.1.1           201006241456      2010-06-24  3.64   -
AVAST!         4.7.4           100624-1          2010-06-24  0.03   -
AVG            8.5.793         271.1.1/2960      2010-06-24  1.75   -
BitDefender    7.90123.6275712 7.32389           2010-06-25  4.43   -
ClamAV         0.96.1          11256             2010-06-24  0.08   -
Comodo         3.13.579        5206              2010-06-24  0.92   -
CP Secure      1.3.0.5         2010.06.25        2010-06-25  0.09   -
Dr.Web         5.0.2.3300      2010.06.25        2010-06-25  8.66   -
F-Prot         4.4.4.56        20100624          2010-06-24  3.02   -
F-Secure       7.02.73807      2010.06.24.05     2010-06-24  0.32   -
Fortinet       4.1.133         12.80             2010-06-23  0.15   -
GData          21.405/21.147   20100624          2010-06-24  7.11   -
ViRobot        20100624        2010.06.24        2010-06-24  0.37   -
Ikarus         T3.1.01.84      2010.06.24.76133  2010-06-24  7.83   -
JiangMin       13.0.900        2010.06.24        2010-06-24  1.24   -
Kaspersky      5.5.10          2010.06.24        2010-06-24  0.17   -
KingSoft       2009.2.5.15     2010.6.24.18      2010-06-24  0.72   -
McAfee         5400.1158       6023              2010-06-24  16.45  -
Microsoft      1.5902          2010.06.24        2010-06-24  7.86   -
Norman         6.05.10         6.05.00           2010-06-24  6.01   -
Panda          9.05.01         2010.06.24        2010-06-24  1.93   -
Trend Micro    9.120-1004      7.264.13          2010-06-24  0.04   -
Quick Heal     10.00           2010.06.24        2010-06-24  1.63   -
Rising         20.0            22.53.03.04       2010-06-24  1.27   -
Sophos         3.07.1          4.54              2010-06-25  3.67   -
Sunbelt        3.9.2426.2      6501              2010-06-24  15.80  -
Symantec       1.3.0.24        20100615.005      2010-06-15  0.44   -
nProtect       20100624.01     8765388           2010-06-24  8.39   -
The Hacker     6.5.2.0         v00303            2010-06-24  0.32   -
VBA32          3.12.12.5       20100624.0925     2010-06-24  4.31   -
VirusBuster    4.5.11.10       10.126.101/2029345 2010-06-24  2.94   -

m.exe scan

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/24 16:55:37 (EDT)
Scanner results: Scanners did not find malware!
File Name      : M.EXE
File Size      : 266240 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : 63887afec956a6eb4ce0c2b8833b8e5d
SHA1           : 5cc6381b0556e647990b508de7d39929bac408b2
Online report  : http://virscan.org/report/4c0e41c541b2c83d7e2b6d68699fe77f.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100624063430    2010-06-24  5.02   -
AhnLab V3      2010.06.18.01   2010.06.18        2010-06-18  1.34   -
AntiVir        8.2.4.2         7.10.8.185        2010-06-24  0.27   -
Antiy          2.0.18          20100620.4774407  2010-06-20  0.02   -
Arcavir        2009            201006241441      2010-06-24  0.11   -
Authentium     5.1.1           201006241456      2010-06-24  2.20   -
AVAST!         4.7.4           100624-1          2010-06-24  0.02   -
AVG            8.5.793         271.1.1/2960      2010-06-24  0.29   -
BitDefender    7.90123.6275712 7.32389           2010-06-25  5.72   -
ClamAV         0.96.1          11256             2010-06-24  0.08   -
Comodo         3.13.579        5206              2010-06-24  0.90   -
CP Secure      1.3.0.5         2010.06.25        2010-06-25  0.08   -
Dr.Web         5.0.2.3300      2010.06.25        2010-06-25  8.50   -
F-Prot         4.4.4.56        20100624          2010-06-24  2.14   -
F-Secure       7.02.73807      2010.06.24.05     2010-06-24  0.21   -
Fortinet       4.1.133         12.80             2010-06-23  0.18   -
GData          21.405/21.147   20100624          2010-06-24  7.02   -
ViRobot        20100624        2010.06.24        2010-06-24  0.36   -
Ikarus         T3.1.01.84      2010.06.24.76133  2010-06-24  7.04   -
JiangMin       13.0.900        2010.06.24        2010-06-24  1.23   -
Kaspersky      5.5.10          2010.06.24        2010-06-24  0.15   -
KingSoft       2009.2.5.15     2010.6.24.18      2010-06-24  0.62   -
McAfee         5400.1158       6023              2010-06-24  16.37  -
Microsoft      1.5902          2010.06.24        2010-06-24  6.72   -
Norman         6.05.10         6.05.00           2010-06-24  4.01   -
Panda          9.05.01         2010.06.24        2010-06-24  1.95   -
Trend Micro    9.120-1004      7.264.13          2010-06-24  0.04   -
Quick Heal     10.00           2010.06.24        2010-06-24  1.60   -
Rising         20.0            22.53.03.04       2010-06-24  1.24   -
Sophos         3.07.1          4.54              2010-06-25  3.65   -
Sunbelt        3.9.2426.2      6501              2010-06-24  7.68   -
Symantec       1.3.0.24        20100615.005      2010-06-15  0.06   -
nProtect       20100624.01     8765388           2010-06-24  7.96   -
The Hacker     6.5.2.0         v00303            2010-06-24  0.32   -
VBA32          3.12.12.5       20100624.0925     2010-06-24  3.19   -
VirusBuster    4.5.11.10       10.126.101/2029345 2010-06-24  2.77   -

1.5K Posts

June 25th, 2010 06:00

Ok,

If you're happy then I'm happy.

Please run another online scan with ESET and post the log results back to me.

Please let me know how the system is running <---Important.

 

Thanks.

13 Posts

June 25th, 2010 13:00

Good news!  No threats found on this run.

 

As for how the system is running, it seems fine.  I have not seen the issue that I was originally having since we removed the rootkit.  So, things are looking very good right now.

 

What else would you like me to do?

 

1.5K Posts

June 25th, 2010 15:00

Hi,

Your system is now clean from infection; all that is left to do is to remove the tools we used, some general housekeeping and then some prevention advice for the future. Please proceed as follows.


The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall
Note the space between Combofix and /

Please uninstall the other programs we used, as without proper guidance they can seriously harm the workings of Windows and your PC:

  • HiJackThis via Add/Remove Programs in Control Panel
  • DDS and the two (2) logs you saved from it, by right clicking their Desktop icons and clicking Delete
  • The ARK tool we used by right clicking the folder you created to run the ARK tool from and then clicking delete
  • TDSS Killer


.
Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

.
Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to "JDK 6 Update 20 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


.
Adobe Acrobat/Reader is out of date; please update to the latest version from HERE

Now some advice on how to surf safe in the future.

ALWAYS keep all programs on your PC up to date and this especially means your Anti-Virus/Anti-Spyware/Firewall/Java and Adobe programs.
They can all be found via the "All Programs" feature in the Start menu, and if opened will 100% have an update feature somewhere.
NEVER use more than ONE Anti-Virus,
NEVER use more than ONE Anti-Spyware,
NEVER use more than ONE Software Firewall (and never use the Windows built-in Firewall as it will not keep you protected),

as more than one of each of these will conflict with each other and leave you just as vulnerable as not having them.
You can get some VERY GOOD FREE ones from HERE

It's always a good idea to back these up with SpywareBlaster, as this will run in the background and not conflict with any of your other security.

Also give WinPatrol a try as it is a very good program that will inform you of any changes being made to your system in the same way that User Account Control does but better, (DO NOT switch off UAC if you install WinPatrol, it is still very much needed)

Research and consider using a HARDWARE Firewall as this will provide a very good extra layer of protection.

Scan with each piece of your security daily and at the very least two daily.
Always keep a few on-demand scanners on your machine and use them every other day, such as:

  • Malwarebytes Anti-Malware (consider purchasing the paid version for £25 for a lifetime's use; a very good piece of kit to have running on your machine)
  • Spybot Search&Destroy (DO NOT install the Tea Timer function)
  • Ad-Aware (again, DO NOT install the resident scanner)


If you use IE then consider using a more secure browser such as Firefox or Opera.

Install all the latest Windows updates from HERE
or by clicking Start > All Programs > Windows Update, and keep going back and doing these until you have all the available updates and none are showing.
It's a good idea to set Windows Update to automatic so as not to miss any important updates.

Always use a site advisor such as WOT to confirm the sites you are using are really the sites they say they are.
There is a version of WOT available for both IE and Firefox.

And please read these links for advice on computer security:
So how did I get infected in the first place by Tony Klein
Do's and Don't's of Security Programs
Anti-Virus Programs Explained

If you have any other questions then please feel free to post back.
I will mark this thread as solved tomorrow,

Safe Surfing,
K27.
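Two of the manual steps in the post above are easy to get wrong on a machine that has accumulated several Java builds: finding every old JRE/J2SE entry in Add/Remove Programs, and taking a fresh restore point before anything else is changed. The PowerShell below is an added example and is not part of K27's instructions or of any tool used in this thread. It assumes Windows Vista or later with PowerShell 2.0 (for Checkpoint-Computer and Get-ComputerRestorePoint; Windows XP does not have these, so the System Restore wizard steps above still apply there) and an elevated prompt. The minimum version string 6.0.200 is assumed to be the DisplayVersion the JRE 6 Update 20 installer recommended above registers; the -Uninstall switch, the registry inventory and the version normaliser are this example's own additions.

```powershell
# Added example, not from the thread: inventory installed Java builds, flag those
# older than the recommended JRE 6 Update 20, and take a restore point first.
# Assumes Windows Vista/7 with PowerShell 2.0, run from an elevated prompt.
# Dry run by default; pass -Uninstall to actually remove the outdated MSI builds.
param(
    [version]$MinimumJava = '6.0.200',   # assumed DisplayVersion registered by JRE 6u20
    [switch]$Uninstall
)

# Both the native and the 32-bit-on-64-bit uninstall hives; the JREs of this era are 32-bit.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-JavaInstall {
    # One object per Add/Remove Programs entry whose name looks like a JRE/J2SE build.
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -match 'Java|J2SE|JRE') {
                New-Object PSObject -Property @{
                    Name        = $p.DisplayName
                    Version     = [string]$p.DisplayVersion
                    ProductCode = $key.PSChildName      # MSI GUID for Sun-packaged builds
                }
            }
        }
    }
}

function ConvertTo-JavaVersion([string]$s) {
    # Old builds register strings such as "1.4.2_05"; normalise to dotted digits so
    # [version] can compare them. Anything unparseable is treated as outdated.
    $clean = (($s -replace '[^0-9.]', '.') -replace '\.+', '.').Trim('.')
    try { [version]$clean } catch { $null }
}

# 1. Fresh restore point before changing anything (the "set a new restore point" step).
Checkpoint-Computer -Description 'Post-malware-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# 2. Report every Java entry and, on request, uninstall the outdated MSI-based ones.
foreach ($j in Get-JavaInstall) {
    $v = ConvertTo-JavaVersion $j.Version
    $outdated = ($v -eq $null) -or ($v -lt $MinimumJava)
    '{0,-45} {1,-12} {2}' -f $j.Name, $j.Version, $(if ($outdated) { 'OUTDATED' } else { 'current' })
    if ($outdated -and $Uninstall -and $j.ProductCode -match '^\{[0-9A-Fa-f-]+\}$') {
        # Quiet MSI uninstall; reboot once at the end rather than after each version.
        Start-Process msiexec.exe -ArgumentList "/x $($j.ProductCode) /qn /norestart" -Wait
    }
}

# 3. Show the newest restore points so the new baseline can be noted down, as advised above.
Get-ComputerRestorePoint | Sort-Object SequenceNumber |
    Select-Object -Last 3 -Property SequenceNumber, Description, CreationTime
```

Run it once without -Uninstall to review the list, reboot after a real run, and then install the fresh JRE offline package. Entries whose uninstall key is not an MSI product code (some very old bundled builds) are only reported, and still have to be removed from Add/Remove Programs by hand. On Windows 8 and later Checkpoint-Computer refuses to create more than one restore point per 24 hours unless the registry throttle is changed, so check its warning output rather than assuming a point was taken.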

1.5K Posts

June 26th, 2010 12:00

This topic is Resolved.....

The fixes in this topic were written specifically for this user, following them may cause harm to your machine and render it a brick (useless)

If you are the original poster and would like further assistance please post a fresh HJT log and details of the problems you are having.

All other users, please read THIS page and then please start a New Topic at the top of the Malware Removal Forum by clicking the New Post button.

Regards
K27

13 Posts

June 29th, 2010 08:00

Thanks very much for all of your help and your quick response time, K27.  You've been great and I'm very happy to have things up and running cleanly now.  I really can't thank you enough.


1.5K Posts

June 29th, 2010 12:00

You're welcome.
