Bifrose.LA



bethran
2007-06-25, 19:39
I seem to have stumbled across the Bifrose.LA trojan on my machine (identified by Spybot 1.4, up to date as of now). The machine tries to access the network roughly once a minute through IE6 and Firefox processes it launches (221.201.45.28 and 76.23.53.79 are the targeted IP addresses at the moment).

The registry keys are appearing as Bifrost on
HKLM\SOFTWARE\Bifrost [binary value named 'nck']
HKU\S-1-5-21-1801674531-1957994488-725345543-1004\Software\Bifrost [binary value, 'klg' = 01]

Online virus scans (and the local Avast install) fail to find anything.

I can't see anything obvious in the startup (msconfig); however, there must be something hidden in there somewhere, as the registry keys keep reappearing. There are no 'Wget' entries, which seem to be the other common expression of the Bifrose family.

Cheers for any help!

Nick


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:25:13, on 25/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\BOINC\projects\biology.polytechnique.fr_proteinsathome\pah_xplor_7.30_windows_intelx86.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\InstallFiles\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [BCWipeTM Startup] "e:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download all by Net Transport - e:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - e:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097007064812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130175308031
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371050.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Plug-in 1.4.2_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - e:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache2 - Apache Software Foundation - E:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cerberus FTP Server - Grant Averett - E:\Program Files\Cerberus\Cerberus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows Network Log (Windows Network Log Manage) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Netlog.exe

--
End of file - 8029 bytes
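The HijackThis log above is long, and most of it is normal. As an added example (not part of the original post, and not code from HijackThis itself), here is a small Python triage pass over a constructed subset of its lines. It surfaces the kinds of entries the rest of this thread ends up acting on: an O23 service with no publisher (the Netlog.exe service), O16 ActiveX entries left with no download URL, autorun commands given as bare filenames, and the R1 browser proxy setting, which only needs confirming against whatever local program listens on that port. The rules and their wording are my own, not something the log format defines.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# first post, enough to exercise each rule once. Not the full log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:12080
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} -
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Windows Network Log (Windows Network Log Manage) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\Netlog.exe
"""

# "R1 - ...", "O4 - ...": a section tag, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 Run entries: hive path, [value name], then the command that gets executed.
RUN_RE = re.compile(r"^HK.*?\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# A command is "qualified" when it starts with a drive letter or an environment variable;
# anything else is resolved through the PATH search order at logon.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%)')


def triage_hijackthis(log_text):
    """Return (section, reason, line) for the entries a reviewer should look at first."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Running processes:" block, blank lines, etc.
        section, body = m.group("section"), m.group("body")
        if section == "R1" and "ProxyServer" in body:
            findings.append((section, "browser proxy configured; confirm which local program owns this port", line))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and not QUALIFIED_RE.match(run.group("cmd")):
                findings.append((section, "autorun command is a bare filename; resolve it through PATH before trusting it", line))
        elif section == "O16" and body.rstrip().endswith(" -"):
            findings.append((section, "ActiveX (DPF) entry with no download URL left behind", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service binary has no publisher; verify the file and its hash", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Everything this flags still needs a human decision; the avast! service and autorun in the sample pass untouched, while the Netlog.exe service and the orphaned O16 entries come out on top, which matches what the thread goes on to fix.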

Mr_JAk3
2007-07-02, 21:17
Hello bethran and sorry for the delay :)

Let's do some research...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

bethran
2007-07-03, 19:58
Thanks for looking into this.

The log from ComboFix is attached below.

Looking down the list of entries:

I have Avast4, BCWipe, Adobe Reader 8, GetRight and Spybot installed, and have an NVidia graphics card with the 93.71 driver bundle.
Steam is installed, but not setup to autostart.

The H:\NetLog.exe "Reg Loading Point" is questionable - H: is one of the USB drives - but I think that's probably a sign of a different trojan altogether.

Cheers,

__


"Nick" - 2007-07-03 18:38:28 - ComboFix 07-07-03.9 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\TEMP


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-03 18:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 22:05 <DIR> d-------- C:\DOCUME~1\Nick\.housecall6.6
2007-06-23 01:15 <DIR> d--h----- C:\WINDOWS\Servcrypt
2007-06-08 22:05 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\KiwiDevelopment


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-03 17:42:35 -------- d-----w C:\Program Files\BOINC
2007-06-23 00:24:36 -------- d-----w C:\DOCUME~1\Nick\APPLIC~1\uTorrent
2007-06-22 23:01:52 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 18:00:41 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-25 18:50:08 -------- d-----w C:\DOCUME~1\Nick\APPLIC~1\VMware
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 17:12:22 -------- d-----w C:\DOCUME~1\Nick\APPLIC~1\Azureus
2007-05-08 17:15:37 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 20:42:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-06 20:40:58 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-06 19:19:10 94,080 ----a-w C:\DOCUME~1\Nick\APPLIC~1\ezplay.sys
2007-05-06 19:19:10 87,608 ----a-w C:\DOCUME~1\Nick\APPLIC~1\ezpinst.exe
2007-05-06 19:19:09 47,360 ----a-w C:\DOCUME~1\Nick\APPLIC~1\pcouffin.sys
2007-05-06 19:11:24 94,080 ----a-w C:\WINDOWS\system32\drivers\ezplay.sys
2007-05-06 19:11:13 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-05-04 21:38:49 18,112 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 21:36:23 699 ----a-w C:\WINDOWS\eReg.dat
2007-04-12 19:05:04 5,120 ----a-r C:\WINDOWS\system32\vnetinst.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2005-02-14 12:08 233472 --a------ E:\Program Files\GetRight\xx2gr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"POINTER"="point32.exe" []
"BCWipeTM Startup"="e:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2005-03-04 07:59]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"ASUS Probe"="C:\Program Files\ASUS\Probe\AsusProb.exe" [2002-12-06 17:07]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Steam"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{697f5a72-b86a-11db-81f1-0026540be015}]
AutoRun\command- H:\Netlog.exe


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6225563D-07E1-7DDA-064D-60DB26537706}
C:\WINDOWS\Servcrypt\servcrypt.exe s

**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 18:41:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 18:43:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 18:43

--- E O F ---

Mr_JAk3
2007-07-04, 20:21
Hello :)

We'll continue :)

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\Servcrypt\servcrypt.exe
Click on Send
Wait for the scan to end.

Scan this too:
H:\Netlog.exe

Copy & Paste the scan results to here.

bethran
2007-07-05, 19:08
Below are the two scans.
The netlog.exe file is written when any USB flash device is mounted as H:\.

Cheers,


==========================================
C:\WINDOWS\Servcrypt\servcrypt.exe
==========================================
Complete scanning result of "servcrypt.exe", received in VirusTotal at 07.05.2007, 18:51:23 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007 no virus found
AntiVir 7.4.0.39 07.05.2007 BDS/Bifrose.NU
Authentium 4.93.8 07.04.2007 no virus found
Avast 4.7.997.0 07.04.2007 no virus found
AVG 7.5.0.476 07.05.2007 BackDoor.Generic7.JAV
BitDefender 7.2 07.05.2007 no virus found
CAT-QuickHeal 9.00 07.05.2007 no virus found
ClamAV devel-20070416 07.05.2007 Trojan.Pakes-248
DrWeb 4.33 07.05.2007 no virus found
eSafe 7.0.15.0 07.05.2007 no virus found
eTrust-Vet 30.8.3765 07.05.2007 no virus found
Ewido 4.0 07.05.2007 no virus found
FileAdvisor 1 07.05.2007 no virus found
Fortinet 2.91.0.0 07.05.2007 BDoor.CEP!tr.bdr
F-Prot 4.3.2.48 07.04.2007 no virus found
F-Secure 6.70.13260.0 07.05.2007 no virus found
Ikarus T3.1.1.8 07.05.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 07.05.2007 no virus found
McAfee 5068 07.05.2007 BackDoor-CEP.svr
Microsoft 1.2701 07.05.2007 no virus found
NOD32v2 2379 07.04.2007 no virus found
Norman 5.80.02 07.05.2007 no virus found
Panda 9.0.0.4 07.05.2007 no virus found
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 07.04.2007 VIPRE.Suspicious
Symantec 10 07.05.2007 no virus found
TheHacker 6.1.6.142 07.04.2007 no virus found
VBA32 3.12.0.2 07.05.2007 no virus found
VirusBuster 4.3.23:9 07.05.2007 no virus found
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Bifrose.NU

Aditional Information
File size: 1239933 bytes
MD5: c7e3388134ff389422ef4edfaaf6dc0a
SHA1: e846bf638bc7bd4c267586ba85efe8c3a380e369
packers: Themida
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


==========================================
H:\Netlog.exe
==========================================
Complete scanning result of "netlog.exe", received in VirusTotal at 07.05.2007, 18:56:47 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007 no virus found
AntiVir 7.4.0.39 07.05.2007 TR/Crypt.CFI.Gen
Authentium 4.93.8 07.04.2007 no virus found
Avast 4.7.997.0 07.04.2007 no virus found
AVG 7.5.0.476 07.05.2007 no virus found
BitDefender 7.2 07.05.2007 no virus found
CAT-QuickHeal 9.00 07.05.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.05.2007 no virus found
DrWeb 4.33 07.05.2007 no virus found
eSafe 7.0.15.0 07.05.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3765 07.05.2007 no virus found
Ewido 4.0 07.05.2007 no virus found
FileAdvisor 1 07.05.2007 no virus found
Fortinet 2.91.0.0 07.05.2007 no virus found
F-Prot 4.3.2.48 07.04.2007 no virus found
F-Secure 6.70.13260.0 07.05.2007 Possibly malicious
Ikarus T3.1.1.8 07.05.2007 not-a-virus:Monitor.Win32.007SpySoft.308
Kaspersky 4.0.2.24 07.05.2007 no virus found
McAfee 5068 07.05.2007 no virus found
Microsoft 1.2701 07.05.2007 no virus found
NOD32v2 2379 07.04.2007 no virus found
Norman 5.80.02 07.05.2007 no virus found
Panda 9.0.0.4 07.05.2007 Suspicious file
Sophos 4.19.0 06.28.2007 no virus found
Sunbelt 2.2.907.0 07.04.2007 VIPRE.Suspicious
Symantec 10 07.05.2007 no virus found
TheHacker 6.1.6.142 07.04.2007 no virus found
VBA32 3.12.0.2 07.05.2007 no virus found
VirusBuster 4.3.23:9 07.05.2007 no virus found
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Crypt.CFI.Gen

Aditional Information
File size: 487424 bytes
MD5: 821a4e515410478059b647b21bd2ffdb
SHA1: 35274344ea6e33ebe0dfa97e9a0aa3d72c6bf2ba
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

bethran
2007-07-06, 00:42
I've tracked the source of the Netlog.exe problems back to:
*C:\Program Files\Common Files\Microsoft Shares\MSInfo\Netlog.exe*

Scanning this with VirusTotal gives the following logs:
Complete scanning result of "Netlog.exe", received in VirusTotal at 07.06.2007, 00:34:41 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.7.5.0 07.05.2007 no virus found
AntiVir 7.4.0.39 07.05.2007 TR/Crypt.CFI.Gen
Authentium 4.93.8 07.06.2007 no virus found
Avast 4.7.997.0 07.05.2007 no virus found
AVG 7.5.0.476 07.05.2007 no virus found
BitDefender 7.2 07.05.2007 no virus found
CAT-QuickHeal 9.00 07.05.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 07.05.2007 no virus found
DrWeb 4.33 07.05.2007 no virus found
eSafe 7.0.15.0 07.05.2007 Suspicious Trojan/Worm
eTrust-Vet 30.8.3766 07.05.2007 no virus found
Ewido 4.0 07.05.2007 no virus found
FileAdvisor 1 07.06.2007 no virus found
Fortinet 2.91.0.0 07.05.2007 no virus found
F-Prot 4.3.2.48 07.04.2007 no virus found
F-Secure 6.70.13260.0 07.05.2007 Possibly malicious
Ikarus T3.1.1.8 07.05.2007 not-a-virus:Monitor.Win32.007SpySoft.308
Kaspersky 4.0.2.24 07.06.2007 no virus found
McAfee 5068 07.05.2007 no virus found
Microsoft 1.2701 07.05.2007 no virus found
NOD32v2 2380 07.06.2007 no virus found
Norman 5.80.02 07.05.2007 no virus found
Panda 9.0.0.4 07.05.2007 Suspicious file
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 07.06.2007 VIPRE.Suspicious
Symantec 10 07.06.2007 no virus found
TheHacker 6.1.6.143 07.05.2007 no virus found
VBA32 3.12.0.2 07.05.2007 no virus found
VirusBuster 4.3.23:9 07.05.2007 no virus found
Webwasher-Gateway 6.0.1 07.05.2007 Trojan.Crypt.CFI.Gen

Aditional Information
File size: 487424 bytes
MD5: 821a4e515410478059b647b21bd2ffdb
SHA1: 35274344ea6e33ebe0dfa97e9a0aa3d72c6bf2ba
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
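The three VirusTotal pastes above carry two facts worth pulling out mechanically: how many engines agreed on each file, and that the H:\Netlog.exe scan and the Common Files\...\MSInfo\Netlog.exe scan report identical MD5 and SHA1 values, so the file on the USB stick is a byte-for-byte copy of the one under Program Files. The following Python is an added example, not part of the original posts and not VirusTotal's own code; it parses the plain-text report layout as pasted here (engine, version, update date, verdict per line, then the hash and size lines) over abbreviated, constructed copies of the three reports with the hashes and sizes exactly as reported.

```python
import re

# Constructed samples: abbreviated copies (six engines each) of the three VirusTotal
# reports pasted in this thread; hashes, sizes and verdict strings are as reported there.
VT_SERVCRYPT = """\
Complete scanning result of "servcrypt.exe", received in VirusTotal at 07.05.2007, 18:51:23 (CET).
Antivirus Version Update Result
AntiVir 7.4.0.39 07.05.2007 BDS/Bifrose.NU
Avast 4.7.997.0 07.04.2007 no virus found
AVG 7.5.0.476 07.05.2007 BackDoor.Generic7.JAV
ClamAV devel-20070416 07.05.2007 Trojan.Pakes-248
McAfee 5068 07.05.2007 BackDoor-CEP.svr
Symantec 10 07.05.2007 no virus found
File size: 1239933 bytes
MD5: c7e3388134ff389422ef4edfaaf6dc0a
SHA1: e846bf638bc7bd4c267586ba85efe8c3a380e369
packers: Themida
"""
VT_NETLOG_H = """\
Complete scanning result of "netlog.exe", received in VirusTotal at 07.05.2007, 18:56:47 (CET).
Antivirus Version Update Result
AntiVir 7.4.0.39 07.05.2007 TR/Crypt.CFI.Gen
Avast 4.7.997.0 07.04.2007 no virus found
CAT-QuickHeal 9.00 07.05.2007 (Suspicious) - DNAScan
F-Secure 6.70.13260.0 07.05.2007 Possibly malicious
Ikarus T3.1.1.8 07.05.2007 not-a-virus:Monitor.Win32.007SpySoft.308
Symantec 10 07.05.2007 no virus found
File size: 487424 bytes
MD5: 821a4e515410478059b647b21bd2ffdb
SHA1: 35274344ea6e33ebe0dfa97e9a0aa3d72c6bf2ba
"""
VT_NETLOG_MSINFO = """\
Complete scanning result of "Netlog.exe", received in VirusTotal at 07.06.2007, 00:34:41 (CET).
Antivirus Version Update Result
AntiVir 7.4.0.39 07.05.2007 TR/Crypt.CFI.Gen
Avast 4.7.997.0 07.05.2007 no virus found
CAT-QuickHeal 9.00 07.05.2007 (Suspicious) - DNAScan
F-Secure 6.70.13260.0 07.05.2007 Possibly malicious
Ikarus T3.1.1.8 07.05.2007 not-a-virus:Monitor.Win32.007SpySoft.308
Symantec 10 07.06.2007 no virus found
File size: 487424 bytes
MD5: 821a4e515410478059b647b21bd2ffdb
SHA1: 35274344ea6e33ebe0dfa97e9a0aa3d72c6bf2ba
"""

# One engine per line: name, version, update date, then the verdict (which may contain spaces).
RESULT_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$")
FIELD_RES = {
    "md5": re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$"),
    "sha1": re.compile(r"^SHA1:\s*([0-9a-fA-F]{40})$"),
    "size": re.compile(r"^File size:\s*(\d+)\s*bytes$"),
    "packers": re.compile(r"^packers:\s*(.+)$"),
}
CLEAN = "no virus found"


def parse_vt_report(text):
    """One pasted report -> dict of hashes, size, packers, and engine -> verdict (None means clean)."""
    report = {"md5": None, "sha1": None, "size": None, "packers": [], "results": {}}
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RE.match(line)
        if m:  # header and info lines never have a date token in third position, so only verdicts match
            verdict = m.group("result").strip()
            report["results"][m.group("engine")] = None if verdict == CLEAN else verdict
            continue
        for field, rx in FIELD_RES.items():
            f = rx.match(line)
            if not f:
                continue
            if field == "size":
                report[field] = int(f.group(1))
            elif field == "packers":
                report[field] = [p.strip() for p in f.group(1).split(",")]
            else:
                report[field] = f.group(1).lower()
    return report


def detections(report):
    return {engine: v for engine, v in report["results"].items() if v is not None}


def detection_ratio(report):
    return len(detections(report)), len(report["results"])


def same_file(a, b):
    """Two reports describe the same bytes iff both hashes agree; size is a cheap check on the paste."""
    return (a["md5"], a["sha1"], a["size"]) == (b["md5"], b["sha1"], b["size"])


if __name__ == "__main__":
    for name, text in (("servcrypt.exe", VT_SERVCRYPT), ("H:\\Netlog.exe", VT_NETLOG_H),
                       ("MSInfo\\Netlog.exe", VT_NETLOG_MSINFO)):
        r = parse_vt_report(text)
        hits, total = detection_ratio(r)
        print(f"{name}: {hits}/{total} engines flagged it, packers={r['packers']}, sha1={r['sha1']}")
    print("H:\\Netlog.exe is the MSInfo copy:",
          same_file(parse_vt_report(VT_NETLOG_H), parse_vt_report(VT_NETLOG_MSINFO)))
```

The hash comparison is the useful part for the thread: a removable-drive copy with the same SHA1 as a file under Common Files is evidence of the same binary being planted on every stick mounted as H:, which is what the next post confirms. The "packers: Themida" line is also worth keeping, since a commercial packer on a file claiming to be a Windows log service is itself a reason for suspicion, independent of any single engine's verdict.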

Mr_JAk3
2007-07-06, 21:18
Hello :)

OK good work. The results are quite awful...

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:

bethran
2007-07-07, 10:32
I'm happy to just clean the machine rather than a full re-install.

There's nothing too compromising on the machine, I am behind two firewalls and Bifrose has only been operating for about a week.

I take your point about passwords though and will change them from a separate location.

What next?

Mr_JAk3
2007-07-07, 12:49
Hi again, I'll be happy to help you with the cleaning....


Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\Program Files\Common Files\Microsoft Shares\MSInfo\Netlog.exe
C:\WINDOWS\Servcrypt\servcrypt.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum (http://www.thespykiller.co.uk)
There's no need to register. Just start a new topic to the Uploads section, titled "Request by Mr_JAk3".
Copy the link of this topic to the message.

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself), as they only show to the authorised users who can download them.

Thank you :bigthumb:
You should print these instructions or save these to a text file. Follow these instructions carefully.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe


Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================


Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{697f5a72-b86a-11db-81f1-0026540be015}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6225563D-07E1-7DDA-064D-60DB26537706}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Disable the bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to Windows Network Log (Windows Network Log Manage)
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; Windows Network Log Manage
Answer Yes
Close HijackThis

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} -
O16 - DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} (Java Plug-in 1.4.2_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.5.0) -
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
H:\Netlog.exe

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Common Files\Microsoft Shared\MSINFO
C:\WINDOWS\Servcrypt

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt. Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look whether you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

Also, have you installed this Cerberus FTP Server?
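The Fix.reg step above depends on two formatting rules that are easy to get wrong in Notepad: REGEDIT4 must be the very first line, and the file must end with exactly one blank line, or regedit silently ignores part of it. As an added example that is not part of the original instructions and is not code from Safer-Networking or any tool named in this thread, here is a Python check that validates a fix file against those rules before it is merged, and lists what it would do. The `[-key]` syntax meaning "delete this key" is the standard REGEDIT4 convention; the refusal to delete anything fewer than three levels below a hive root is my own guard rail, not something the instructions require.

```python
import re

# Constructed sample: the Fix.reg text from the instructions above, exactly as it should be
# saved (REGEDIT4 on the first line, one blank line at the end). Keys are the ones named in the thread.
FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{697f5a72-b86a-11db-81f1-0026540be015}]\n"
    "\n"
    "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{6225563D-07E1-7DDA-064D-60DB26537706}]\n"
    "\n"
)

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")
# "[key]" creates/selects a key, "[-key]" deletes it (REGEDIT4 convention).
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
MIN_DEPTH_FOR_DELETE = 2  # number of backslashes required below the hive before a delete is accepted


def parse_reg_fix(text):
    """Validate a REGEDIT4 fix file and return the list of actions it would apply.

    Actions are ("delete", key), ("create", key) or ("set", key, value_line).
    Raises ValueError on any formatting problem instead of guessing.
    """
    if not text.startswith("REGEDIT4\n"):
        raise ValueError("file must begin with REGEDIT4 on the first line, with no blank lines before it")
    if not text.endswith("\n\n"):
        raise ValueError("file must end with exactly one blank line")
    actions = []
    current_key = None
    for lineno, raw in enumerate(text.splitlines()[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            hive, _, path = key.partition("\\")
            if hive not in HIVES:
                raise ValueError(f"line {lineno}: unknown hive {hive!r}")
            if m.group("delete"):
                if path.count("\\") < MIN_DEPTH_FOR_DELETE:
                    raise ValueError(f"line {lineno}: refusing to delete a key this close to the hive root: {key!r}")
                actions.append(("delete", key))
            else:
                actions.append(("create", key))
            current_key = key
        elif line.startswith('"') or line.startswith("@"):
            if current_key is None:
                raise ValueError(f"line {lineno}: value line before any [key] header")
            actions.append(("set", current_key, line))
        else:
            raise ValueError(f"line {lineno}: unexpected content: {line!r}")
    return actions


if __name__ == "__main__":
    for action in parse_reg_fix(FIX_REG):
        print(action)
```

Run against the Fix.reg above it reports two deletes: the mountpoints2 entry that ran H:\Netlog.exe from the USB drive, and the Active Setup "Installed Components" entry that ran servcrypt.exe at logon. A leading blank line, a missing trailing blank line, or a stray `[-HKEY_LOCAL_MACHINE\SOFTWARE]` all come back as errors rather than being merged.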

bethran
2007-07-08, 11:15
Many thanks for your help.

I've run through those fix actions. Dr Web didn't find any problems during the scan, so there's no log for that.

The cab file containing the two infected files didn't seem to pick up NetLog.exe - even when I tried in safe mode or with a single file selection. Sorry. I've put the servcrypt file on the forum you requested.
The re-run HijackThis log is below.

CerberusFTP was a service I had installed, but have now uninstalled as I've moved my FTP server from this box.

I've left the machine up and running for a few hours now and it appears the active elements of the trojan have been removed:
- I've detected no attempts to broadcast to host site(s)
- No browser processes have been started
- No new ...\bifrose or ...\bifrost registry keys have been created.
- USB devices mounted as drive 'H' are not collecting an instance of the NetLog.exe file

The ComboFix run created a couple of backup files in c:\QooBox for entries under HKLM\system\currentcontrolset\services\nm and HKLM\system\currentcontrolset\enum\root\legacy_nm.
Am I safe in assuming these weren't terribly necessary and are now safe to delete?

I am quite concerned that the Avast virus scanner I have running failed to find any trace of either problem -- is this just a case of no virus scanner being infallible, or is Avast a particularly poor system?

N.


----------------------------------------------------------------
# HijackThis log after clean
----------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:13, on 2007-07-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\boinc.bakerlab.org_rosetta\rosetta_beta_5.70_windows_intelx86.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\ProcessExplorer\procexp.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Nick\Desktop\Cleanup\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "e:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: Download all by Net Transport - e:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - e:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097007064812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130175308031
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371050.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - e:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Apache2 - Apache Software Foundation - E:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6907 bytes
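An added re-check script (my own, not from the thread or from either poster) that tests the same indicators bethran monitored by hand after the cleanup: the Bifrost registry keys, the nm service remnants ComboFix backed up, NetLog.exe on removable drives, and browser processes running without a window. It only reports; it removes nothing.

```powershell
# Added example, not code from the thread: re-check the Bifrost indicators named in the
# posts above. Indicator names (Bifrost keys, service 'nm', NetLog.exe) are taken from the thread.
$findings = @()

# 1. Bifrost registry keys under HKLM and under every loaded user hive (HKU\<SID>\Software\Bifrost).
$regPaths = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost')
Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
    $regPaths += "Registry::$($_.Name)\Software\Bifrost"
}
foreach ($p in $regPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "Registry key present: $p" }
}

# 2. The 'nm' service and its legacy enum entry that ComboFix quarantined into c:\QooBox.
foreach ($p in @('HKLM:\SYSTEM\CurrentControlSet\Services\nm',
                 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NM')) {
    if (Test-Path -LiteralPath $p) { $findings += "Service remnant present: $p" }
}

# 3. NetLog.exe in the root of any removable drive (DriveType 2), as seen on drive H: in the thread.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $candidate = Join-Path $_.DeviceID 'NetLog.exe'
    if (Test-Path -LiteralPath $candidate) { $findings += "Dropped file present: $candidate" }
}

# 4. IE or Firefox processes with no main window: the thread saw the trojan launching
#    browsers roughly once a minute to reach its hosts. A legitimate user-started browser
#    normally has a window, so a windowless instance is worth a look (a heuristic, not proof).
Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings += "Windowless browser process: $($_.Name) (PID $($_.Id))" }

if ($findings.Count -eq 0) { 'No Bifrost indicators from the thread were found.' }
else { $findings }
```

Run it from an elevated Windows PowerShell prompt so the HKU hives and Services key are readable; check 4 needs the browsers to be actually running at the moment of the check, so repeating it a few times over several minutes mirrors the once-a-minute beaconing the thread describes.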

Mr_JAk3
2007-07-08, 16:38
Hello :)

Looks much better but we'll run one more scan...
Yes the QooBox is related to ComboFix's quarantine...

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh ComboFix log

bethran
2007-07-08, 20:48
What is being quarantined there?

That all looks promising.
A bit of a monster post this with the two logs, but there you go ;0)

IE, Firefox, Thunderbird, Sygate Firewall, Avast and BOINC were all running during the scan which would explain some (or more) of the file locks.
The three "MountPointManagerRemoteDatabase" locks on drive C:\, D:\ and I:\ correspond to three NTFS drives (two physical drives). E:\ is a FAT32 drive.


========================================================
# Kaspersky Log #
========================================================


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-07-08 19:22
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/07/2007
Kaspersky Anti-Virus database records: 359668
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 135861
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:35:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\history.dat Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\key3.db Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\dc9ws5vt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Nick\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\History\History.IE5\MSHist012007070820070709\index.dat Object is locked skipped
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat Object is locked skipped
C:\Documents and Settings\Nick\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nick\UserData\index.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\BOINC\slots\1\boinc_lockfile Object is locked skipped
C:\Program Files\BOINC\slots\1\stderr.txt Object is locked skipped
C:\Program Files\BOINC\slots\1\stdout.txt Object is locked skipped
C:\Program Files\BOINC\stderrdae.txt Object is locked skipped
C:\Program Files\BOINC\stderrgui.txt Object is locked skipped
C:\Program Files\BOINC\stdoutdae.txt Object is locked skipped
C:\Program Files\BOINC\stdoutgui.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E49D13F4-E66B-446D-9534-33C9C8331FC0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7cc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Program Files\Sygate\SPF\debug.log Object is locked skipped
E:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
E:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
E:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
E:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\abook.mab Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\cert8.db Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\key3.db Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\panacea.dat Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\storage.sdb Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\urlclassifier2.sqlite Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\pop.freeserve.co.uk\Trash.msf Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\mail.plus.net\filterlog.html Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\mail.plus.net\Inbox.msf Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\mail.plus.net\Trash.msf Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\Local Folders\Inbox.msf Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\Mail\Local Folders\Trash.msf Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\parent.lock Object is locked skipped
E:\MyThunderbird\is8mh5o0.default\junklog.html Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


========================================================
# ComboFix Log #
========================================================

"Nick" - 2007-07-08 19:37:46 - ComboFix 07-07-03.9 - Service Pack 2


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-08 16:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-08 16:35 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-07 17:05 <DIR> d-------- C:\DOCUME~1\Nick\DoctorWeb
2007-07-07 16:38 98,494,664 --a------ C:\regbackup.reg
2007-07-04 18:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SongbirdVLC
2007-07-04 18:01 <DIR> d-------- C:\DOCUME~1\Nick\APPLIC~1\Songbird
2007-07-03 18:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 22:05 <DIR> d-------- C:\DOCUME~1\Nick\.housecall6.6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-08 18:20:42 -------- d-----w C:\Program Files\BOINC
2007-07-07 15:55:30 -------- d-----w C:\Program Files\QuickTime
2007-06-23 00:24:36 -------- d-----w C:\DOCUME~1\Nick\APPLIC~1\uTorrent
2007-06-22 23:01:52 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 18:00:41 -------- d-----w C:\Program Files\Mozilla Thunderbird
2007-05-25 18:50:08 -------- d-----w C:\DOCUME~1\Nick\APPLIC~1\VMware
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 17:15:37 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 20:42:48 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-05-06 19:19:10 94,080 ----a-w C:\DOCUME~1\Nick\APPLIC~1\ezplay.sys
2007-05-06 19:19:10 87,608 ----a-w C:\DOCUME~1\Nick\APPLIC~1\ezpinst.exe
2007-05-06 19:19:09 47,360 ----a-w C:\DOCUME~1\Nick\APPLIC~1\pcouffin.sys
2007-05-04 21:38:49 18,112 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 21:36:23 699 ----a-w C:\WINDOWS\eReg.dat
2007-04-12 19:05:04 5,120 ----a-r C:\WINDOWS\system32\vnetinst.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
2005-02-14 12:08 233472 --a------ E:\Program Files\GetRight\xx2gr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 02:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"POINTER"="point32.exe" []
"BCWipeTM Startup"="e:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2005-03-04 07:59]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 13:22 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"SmcService"="E:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Steam"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 02:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 19:39:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-08 19:40:25
C:\ComboFix-quarantined-files.txt ... 2007-07-08 19:40

Mr_JAk3
2007-07-09, 21:44
Hello :)

Looks good now :)

You can fix these leftovers with HijackThis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

You can delete this quarantine folder:
c:\QooBox

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

bethran
2007-07-10, 00:05
Many thanks for all your help; it has been much appreciated.
I'm not sure I could have got out of that mess on my own.

N.

Mr_JAk3
2007-07-10, 18:58
You're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: