Full Version: Need help identifying problem
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
tchas57
Hello,

I have a problem that has spread throughout my small home LAN. Seems my wife brought a file home on a USB Flash drive and now all of the machines on the network (2 desktops and a laptop) are having similar problems. The machines won't see the internet and when Windows is loaded there are several services that are enabled. Along with this there is a services.exe file that is running and there are several new user profiles and groups that are added to the Windows system configuration. It almost seems like I'm not even looking at my original copy of Windows, but at another "fake" version of Windows altogether.

I've reformatted the laptop drive (no big loss) but the problem keeps coming back after a new version of Windows is installed. Not sure where it's hiding, but a low-level format might be in order. Unfortunately I'd like to avoid that fate for the desktop machines if possible.

Can someone please take a look at the logs and help me see what I'm missing!? - Thanks!

From Desktop 1 - Running WinXP SP2

Logfile of HijackThis v1.99.1
Scan saved at 8:39:45 AM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\StartUp Organizer\so.exe
C:\program files\powerstrip\pstrip.exe
C:\WINDOWS\system32\SISTRAY.EXE
C:\PROGRAM FILES\PROCESS EXPLORER\PROCEXP.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\WINDOWS\soundman.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\UberIcon\UberIcon Manager.exe
C:\lockit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?p=1153260468
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DiigoToolbar - {09197FFB-C236-4153-B268-31051E4F3B6C} - C:\Program Files\Diigo\DiigoToolbar-2006061201.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DiigoBHO Class - {84053DA7-03DE-4FB6-80AE-202C04691D8A} - C:\Program Files\Diigo\DiigoToolbar-2006061201.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DiigoToolbar - {09197FFB-C236-4153-B268-31051E4F3B6C} - C:\Program Files\Diigo\DiigoToolbar-2006061201.dll
O4 - HKLM\..\Run: [StartUp Organizer] C:\Program Files\StartUp Organizer\so.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\SISTRAY.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S88.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Add to EverNote - res://C:\Program Files\EverNote\EverNote\enbar.dll/2000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://ww2.aaa.com
O15 - Trusted Zone: http://chat.adultfriendfinder.com
O15 - Trusted IP range: http://66.159.200.93
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121233276687
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1120264468875
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C780F9D-90B7-4283-A9F0-A92D3FC25D05}: NameServer = 4.2.2.1,4.2.2.2,67.21.13.2
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Network Service Of Diigo (DiigoNetworkService) - Unknown owner - C:\Program Files\Diigo\DiigoNetwork.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wireless LAN Utility\tiwlnsvc.exe

After scanning some posts, I thought it might be a rootkit, so I ran Rootkit Revealer as well... here are the results:

HKU\S-1-5-21-1343024091-926492609-682003330-1003\Software\GPSoftware\Directory Opus\Paths\Formats\System\[+000214001f50e04fd020ea3a6910a2d808002b30309d74012e004e012603150301000000480000007b00360042004400440031004600430036002d0038003100300046002d0031003100 2/16/2007 7:45 AM 128 bytes Hidden from Windows API.
HKU\S-1-5-21-1343024091-926492609-682003330-1003\Software\GPSoftware\Directory Opus\Paths\Formats\System\[+000214001f58602c8d20ea3a6910a2d708002b30309d1400470002456e74697265204e6574776f726b0033004600824d6963726f736f66742057696e646f7773204e6574776f726b004d 2/16/2007 7:45 AM 152 bytes Hidden from Windows API.
HKU\S-1-5-21-1343024091-926492609-682003330-1003\Software\GPSoftware\Directory Opus\Paths\Formats\System\[+000214001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000008f34f19e1000444f43554d457e310000440003 2/16/2007 7:45 AM 162 bytes Hidden from Windows API.
HKU\S-1-5-21-1343024091-926492609-682003330-1003\Software\GPSoftware\Directory Opus\Paths\Formats\System\[+000214001f50e04fd020ea3a6910a2d808002b30309d7a012e0054012603150301000000480000007b00360042004400440031004600430036002d0038003100300046002d0031003100 2/16/2007 7:45 AM 172 bytes Hidden from Windows API.
HKU\S-1-5-21-1343024091-926492609-682003330-1003\Software\GPSoftware\Directory Opus\Paths\Formats\System\[+000214001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c000000000000000000000000000000000000005c003100000000002e351d551000444f43554d457e310000440003 2/16/2007 7:45 AM 162 bytes Hidden from Windows API.
HKLM\SECURITY\Policy\Secrets\SAC* 11/21/2004 12:29 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 11/21/2004 12:29 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{32B7E16F-061D-4769-A507-9402E8C020AC}* 4/13/2006 8:41 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{4ABABDDF-B4AA-40fb-B0F3-DE3021506472}* 4/13/2006 8:41 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\PROCEXP\ImagePath 2/16/2007 8:22 AM 43 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet003\Services\PROCEXP\ImagePath 2/16/2007 8:22 AM 43 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet004\Services\PROCEXP\ImagePath 10/9/2006 12:49 PM 43 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\Troy\Cookies\troyc@hddguru[1].txt 2/16/2007 8:56 AM 377 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\av-2879[1].jpg 2/16/2007 8:53 AM 2.56 KB Hidden from Windows API.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\button32x32b[1].gif 2/16/2007 8:56 AM 894 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\button88x31a[1].gif 2/16/2007 8:56 AM 1.16 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\files[1].gif 2/16/2007 8:56 AM 43 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\gavadmin[1].gif 2/16/2007 8:53 AM 2.20 KB Hidden from Windows API.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\index[2].htm 2/16/2007 8:53 AM 120.16 KB Hidden from Windows API.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\78LZ3NWI\menu_bg[1].gif 2/16/2007 8:56 AM 214 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\7IVTUWNM\arrow[1].png 2/16/2007 8:56 AM 169 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\7IVTUWNM\css_img_quot

Seems to have been cut off by an error when trying to save. Not a tool I use regularly, so I'm sure it'll need to be reposted; any suggestions?

Thanks again
LoPhatPhuud
What you posted of the RootKit Revealer log did not show any rootkit nor anything else to be concerned with.

There are some entries that need removing, but other than these, the log was clean. Use HJT to remove these entries:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O15 - Trusted Zone: http://ww2.aaa.com
O15 - Trusted Zone: http://chat.adultfriendfinder.com
O15 - Trusted IP range: http://66.159.200.93


Then we'll look deeper...

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip

Unzip it to the desktop and double-click on it.
Silent Runners will ask if you want to skip the supplementary search.
Please select 'No' to include them.

The program will take longer to run, but will give us more information.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.
The logfile is named 'Startup Programs' by default and will be located where the program is.

Please post the entire contents of this logfile for me to see.
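Added example, not from the thread, from HijackThis or from either poster: a small Python triage script for the HJT 1.99.1 log format posted above. It encodes the helper's verdicts (O6 IE policy restrictions and O15 Trusted Zone entries go, O17 DNS servers and O23 services with "(file missing)" get a manual look) and extracts the O17 name servers so they can be checked against the ISP's. The sample lines are copied from the log in this thread; the verdict table is this example's own assumption, not HijackThis output.

```python
"""Triage a HijackThis 1.99 log: parse each "Sxx - ..." line, attach a
verdict to the entry types worth acting on, and pull out O17 DNS servers."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://ww2.aaa.com
O15 - Trusted IP range: http://66.159.200.93
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C780F9D-90B7-4283-A9F0-A92D3FC25D05}: NameServer = 4.2.2.1,4.2.2.2,67.21.13.2
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# HJT lines start with a section tag (R0, R1, F0, N1, O1..O23) then " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Verdict table (this example's assumption, mirroring the helper's advice).
VERDICTS = {
    "O6": ("remove", "IE policy restriction: locks the user out of IE settings"),
    "O15": ("remove", "host/IP placed in the IE Trusted Zone (relaxed security)"),
    "O17": ("review", "DNS NameServer override: confirm each server is the ISP's"),
}


@dataclass
class Entry:
    section: str
    body: str
    verdict: str   # "remove", "review" or "ok"
    reason: str


def parse_hjt(text):
    """Return one Entry per recognised HJT line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        verdict, reason = VERDICTS.get(sec, ("ok", ""))
        if sec == "O23" and "(file missing)" in body:
            verdict, reason = "review", "service registered but its binary is missing"
        entries.append(Entry(sec, body, verdict, reason))
    return entries


def flagged(entries):
    """Entries that need action, in log order."""
    return [e for e in entries if e.verdict != "ok"]


def o17_nameservers(entries):
    """DNS servers named by O17 lines, split on the comma-separated list."""
    servers = []
    for e in entries:
        if e.section == "O17" and "NameServer = " in e.body:
            value = e.body.partition("NameServer = ")[2]
            servers.extend(s.strip() for s in value.split(",") if s.strip())
    return servers


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{e.verdict:6} {e.section:4} {e.reason}\n       {e.body}")
```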
tchas57
Thanks,

I've made the adjustments in HJT, downloaded SilentRunners, but when I ran the script this is the message I received:

Cannot use WMI to Identify the operating system.
This is caused by corruption of the WMI installation.

WMI is complex and it is recommended that you use a Microsoft
tool, "WMIDiag.vbs," to diagnose WMI on your system.

Press "OK" to direct your browser to the WMIDiag downlload site or "Cancel" to quit.


I've downloaded the WMIDiag.exe file from the MS site... let me know if I should run it or if there is another tool that I should use.

Thanks for the help!

TC
tchas57
Hello, I went ahead and ran WMIDiag script and it produced the attached text file.

I've added it as a zip since it was around 2.5 MB and would have taken a couple of replies to post...

TC

- After posting the attached log file, I ran the "NET Helpmsg 1722" command that is at the end of the log, with the following value returned:

The RPC Server is Unavailable

I had to stop the RPC and DCOM as soon as I saw the malicious program starting to work on the computer's services. If I had let it go, then this machine would have ended up like the other two, I'm assuming, with the user unable to log on and Windows saying that it is unregistered and needs to be re-registered to work. Basically the accounts are locked out, or if you do get to log in, then there are no network connections, etc., and the Services / Admin Settings are not available to the user.

Looking back, I'm not sure if I mentioned that, but I've been staring at this thing for a day or so now and my eyes are a bit crossed.

Thanks again for the help!

TC
LoPhatPhuud
I'll take a look at that log and do some checking while you take a break. I'll post back later this weekend unless I find an answer quick.