
View Full Version : Am I being paranoid?



kelsor
2007-02-18, 21:54
This week my anti virus PCGuard detected the following:

Drive C:\
C:\DRIVERS\eTrust\English\Bin\License\Lang\EN\LIC98\lic98rmt.exe

File infected with "W32/NewMalware-Rootkit-I-based!Maximus" virus and was successfully deleted.
C:\DRIVERS\eTrust\English\Bin\License\Lang\EN\LIC98\lic98rmtd.exe

File infected with "W32/NewMalware-Rootkit-I-based!Maximus" virus and was successfully deleted.

I also got a message saying that it had detected an infection in the system restore file that would be removed at next restart.

I have since scanned with Spybot and Ad-Aware, which I also use, as well as PCguard again, and I seem to be clean. Can I depend on these having removed any associated trojans, or should I take any additional steps to protect my system?

Note windows asked me to reactivate my system today as my hardware had significantly changed. Was this because I started up in safe mode or because of the infection?

I also encountered a freeze in explorer when trying to create the hijackthis directory in C:\

I ran HijackThis and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 18:23:48, on 18/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\JGsoft\EditPadLite\EditPad.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robert/My%20Documents/Webpages/Blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Kelso Internet Services
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [PCguard] C:\Program Files\blueyonder\PCguard\Rps.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk.disabled
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115588676203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Any advice on resolving this would be appreciated.

kelsor
2007-02-18, 21:58
When looking at the post in the top level before posting this I tried to go to the link http://forums.spybot.info/showpost.p...44&postcount=2 but it wouldn't give me access?

I also did the online scan at panda and it returned the following:

Incident Status Location
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Robert\Cookies\robert@2o7[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Robert\Cookies\robert@adtech[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robert\Cookies\robert@bs.serving-sys[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Robert\Cookies\robert@microsoftwga.112.2o7[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Robert\Cookies\robert@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robert\Cookies\robert@serving-sys[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Robert\Cookies\robert@xiti[1].txt

Hope that helps.

pskelley
2007-02-19, 20:42
Welcome to the forum, this one: C:\DRIVERS\eTrust\English\Bin\License\Lang\EN\LIC98\lic98rmt.exe
Looks valid: http://www.liutilities.com/products/wintaskspro/processlibrary/lic98rmt/
Google has this to say about it, if you copied it exactly:
W32/NewMalware-Rootkit-I-based!Maximus >>>
Your search - W32/NewMalware-Rootkit-I-based!Maximus - did not match any documents.

I've never heard of it. The junk does come out fast, but it is rare that Google would have no information. I am also not familiar with PC Guard.

Note windows asked me to reactivate my system today as my hardware had significantly changed. Was this because I started up in safe mode or because of the infection?
I would need that exact message. If you were downloading updates you might be asked to prove you have a valid OS, that's the only time I can think this would happen.

C:\DRIVERS\eTrust\ <<< PC Guard was finding this stuff in eTrust. It seems they are both antivirus programs, and it is not unusual for one AV to report false positives in another AV program; this is one of the reasons we only run one. Was eTrust left from an old installation?

This is what I see in this HJT log:

1) C:\Program Files\Java\jre1.5.0_01 <<< out of date Java program, install the newest version and uninstall all old versions in Add Remove Programs.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robert/My%20Documents/Webpages/Blank.htm
If you don't know what that's about have HJT remove it.

I do not believe you have anything to worry about, if you wish, follow the instructions in this link:
http://forums.security-central.us/showthread.php?t=3165
for a second opinion. If you run it, make sure you delete or at least quarantine anything located and post the scan results along with a new HJT log.

If you are satisfied this is not necessary, then take this information with you:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
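The checks pskelley walks through above (a start page pointing at a local file, an out-of-date Java install under Program Files, entries whose target file no longer exists) can be applied mechanically to a HijackThis log. The following is an added example, not code from the forum or from HijackThis; the log lines are copied from the post above and the "current Java" baseline is an assumed parameter to substitute with whatever release is current.

```python
import re

# Constructed sample: a handful of entry lines in HijackThis v1.99 format,
# taken from the log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robert/My%20Documents/Webpages/Blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT entry starts with a section code (R0, R1, O2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Java's install directory carries its version, e.g. \Java\jre1.5.0_01\ .
JAVA_DIR_RE = re.compile(r"\\Java\\jre(?P<ver>\d+\.\d+\.\d+_\d+)", re.IGNORECASE)


def version_key(v):
    """Turn '1.5.0_01' into a comparable tuple (1, 5, 0, 1)."""
    return tuple(int(p) for p in re.split(r"[._]", v))


def parse_hjt(text):
    """Return (section, body) pairs for each entry line; headers and process
    listings do not match the entry pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text, current_java="1.6.0_00"):
    """Return (section, reason) findings for a human reviewer.
    current_java is an assumed baseline, not a value from the thread."""
    findings = []
    for section, body in parse_hjt(text):
        # R0/R1: a start page that is a local file:// URL is unusual enough to confirm with the owner.
        if section.startswith("R") and "Start Page" in body and "= file:///" in body:
            findings.append((section, "start page is a local file; confirm it is yours"))
        # Any entry referencing a Java directory older than the baseline.
        m = JAVA_DIR_RE.search(body)
        if m and version_key(m.group("ver")) < version_key(current_java):
            findings.append((section, f"Java {m.group('ver')} is out of date"))
        # HJT appends "(file missing)" when the referenced file is gone; these are dead entries.
        if body.endswith("(file missing)"):
            findings.append((section, "entry points at a missing file"))
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```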

kelsor
2007-02-20, 01:39
C:\DRIVERS\eTrust\ <<< PC Guard was finding this stuff in eTrust, Seems they are both antivirus programs and it is not unusual for one AV to report false positives in another AV program, this is one of the reasons we only run one. Was eTrust left from an old installment?

Not aware of having a Computer Associates anti virus, so perhaps this was being added.


I would need that exact message. If you were downloading updates you might be asked to prove you have a valid OS, that's the only time I can think this would happen.
Unfortunately didn't keep that, however there were a number of security updates that had just been downloaded so perhaps that explains that.

Will update the java


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Robert/My%20Documents/Webpages/Blank.htm
This is my homepage with several links that I use all the time; it doesn't look like it has been tampered with.

I have both PCguard and AVG antivirus on the machine with no problems so far, will have a think about uninstalling AVG.

I am somewhat reassured by your comments but will keep a close eye on stuff over the next week. Will have a look at the information references on security and delete the old system restore files.

Once again thanks
Robert

pskelley
2007-02-20, 02:15
OK Robert, sounds good, that would have been the next thing I would have suggested if we did not need to use AVG Anti-Spyware assuming it is a trial version. AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Safe surfing...Phil