PDA

View Full Version : Mailbot infection, blacklisted, no internet



dvanwagnen
2007-12-22, 18:20
Hello very gratious and wonderful volunteers!!

Here's my dilemma - I manage a small company IT. One of my off-site users (they dial-up from a different ISP) started having "trouble" with their system. XP SP1. I brought it to my office, removed Norton AV (old, not updated) and installed Trendmicro officescan, client managed copy and ran it - it found a couple things, nothing major.

So....I put it on my network so I could download the XP SP2 updates, etc - whilst I was doing this - a nasty little, yet unknown mailbot started sending out email from the machine from behind my router. This got me blacklisted on the variety of blacklisting sites and all hell started to break loose as our regular Exchange mail started coming back at us. My crack team of experts offsite (my "guys") proceeded to tell me they did get a notice of my blacklist, etc but all I could do was pull the system off the network, wait 24 hours and clean it up. (actually, I did find I could get delisted, shows what they know).

So, I was able to download Adaware to pen drive and install/run it - again, cleaned a few, but I keep getting win32.trojan.agent malware message even if I clean/quarantine.

So, I tired to download?install spybot to pen drive, but when I try to intall it, it needs internet access? Is there a non-internet version? I do not want to put this machine back online until I know I've gotten the bots.

Then, I downloaded the following:
Stinger
rustbfix
Smithfraudfix
vundofix
hijackthis

I ran them, below are the Smithfraud and Hijack logs - Vundo, rustbfix, stinger did not seem to find anything.

Any holiday cheer :angel: that can be brought my way is appreciated. I normally wipe the systems and start over when I get this deep into a problem, but lots of good info on the system and I can't risk backing-up an infection and can't afford to wipe it all.

Dan VW

Rapport.txt
SmitFraudFix v2.274

Scan done at 10:41:17.42, 12/22/2007
Run from C:\smithfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\update293.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TEMP\uewzcuwe.exe
C:\WINDOWS\TEMP\winlogan.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\User\LOCALS~1\Temp\winsto.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\User\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"="sklfc94krteetj"

[HKEY_CLASSES_ROOT\CLSID\{B5AC49A2-94F2-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\System32\Lfj95jg.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B5AC49A2-94F2-42BD-F434-2604812C897D}\InProcServer32]
@="C:\WINDOWS\System32\Lfj95jg.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"="JGhsdk393ktrfggh9dtj"

[HKEY_CLASSES_ROOT\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\System32\Frjkfl4g.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\System32\Frjkfl4g.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(1):24,ef,12,00,b8,f0,12,00,18,ee,90,7c,38,07,91,7c,ff,ff,ff,\


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com OfficeConnect 10/100 Network Interface Card (3CSOHO100B-TX) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.4

HKLM\SYSTEM\CCS\Services\Tcpip\..\{774E7EB0-3895-4F63-8909-4966CEDE6ABD}: NameServer=192.168.0.4
HKLM\SYSTEM\CS1\Services\Tcpip\..\{774E7EB0-3895-4F63-8909-4966CEDE6ABD}: NameServer=192.168.0.4
HKLM\SYSTEM\CS2\Services\Tcpip\..\{774E7EB0-3895-4F63-8909-4966CEDE6ABD}: NameServer=192.168.0.4


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Hijackthis.txt

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:54:03 AM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\update293.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\_svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\TEMP\uewzcuwe.exe
C:\WINDOWS\TEMP\winlogan.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\User\LOCALS~1\Temp\winsto.exe
C:\hijackthis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.accnorwalk.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\System32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Lfj95jg.dll
O2 - BHO: C:\WINDOWS\System32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Frjkfl4g.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [AvRack] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Microsoft Visual Studio] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKCU\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\User\LOCALS~1\Temp\winsto.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Rescue System] C:\WINDOWS\TEMP\winsto.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] C:\WINDOWS\System32\update290.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\old c\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.accnorwalk.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198099533218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198095933593
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = egc.local
O17 - HKLM\Software\..\Telephony: DomainName = egc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{774E7EB0-3895-4F63-8909-4966CEDE6ABD}: NameServer = 192.168.0.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = egc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = egc.local
O20 - AppInit_DLLs: ?????????????? ?????????????? ???
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Frjkfl4g.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\System32\update293.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 7106 bytes


This all means little to me, I'd love to know though!
Dan :present:

Shaba
2007-12-24, 12:07
Hi dvanwagnen and welcome to Safer Networking Forums

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

dvanwagnen
2007-12-24, 15:31
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
...
once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

...We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Bummer, that's what I was afraid of!

Questions:
1. Are data files compromised? (IE: .doc, .xls, etc) or am I safe to back them up via CDrom or copy to pen drive?

2. The system was on my companies network for about a day before I pulled the plug - I have not seen any other indications for infection? How can I check? We run Trendmicro officescan and mailscan from the server.

3. I know the procedure for wiping drive (format) and reinstall. Without a sure-fire way to remove trojan, that's the only way I can sleep at night.

4. How can I prevent this type of infection in the future? This particular machine is using dial-up through an ISP normally, so all the protection I can have at the workstation is all there is? I will reinstall trend-micro officescan, client managed, but what else? Too many other options, noone has 1 stop solution?

Being as you are in the home of Santa Clause, make sure Santa gets a head start tonight! Thank you for your help and Merry Christmas to you!
Dan

Shaba
2007-12-24, 15:39
Hi

1. They should be fine to backup.

2. I suggest running some online scan like below:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Also if you see entries like these in HjT log of those computers, they have also same bots/backdoors/proxys (if they don't, it doesn't mean that they are clean!):

O4 - HKLM\..\Run: [AvRack] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [Microsoft Visual Studio] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKCU\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\User\LOCALS~1\Temp\winsto.exe
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Rescue System] C:\WINDOWS\TEMP\winsto.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] C:\WINDOWS\System32\update290.exe (User 'SYSTEM')
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Frjkfl4g.dll
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\System32\update293.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe

3. Yes, better be safe than sorry.

4. Below are some suggestions:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

dvanwagnen
2007-12-24, 16:19
2. I suggest running some online scan like below:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Also if you see entries like these in HjT log of those computers, they have also same bots/backdoors/proxys (if they don't, it doesn't mean that they are clean!):

O4 - HKLM\..\Run: [AvRack] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [Microsoft Visual Studio] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\TEMP\uewzcuwe.exe
O4 - HKCU\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\User\LOCALS~1\Temp\winsto.exe
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Rescue System] C:\WINDOWS\TEMP\winsto.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [WintelUpdate] C:\WINDOWS\System32\update290.exe (User 'SYSTEM')
O20 - Winlogon Notify: csfdll - C:\WINDOWS\Media\smartwarxyu.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\System32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\System32\Frjkfl4g.dll
O23 - Service: Local Security Manager (LocalAgent) - Unknown owner - C:\WINDOWS\System32\update293.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe




I take this to mean on the existing computers on the network?




4. Below are some suggestions:

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

Instructions for Spybot S & D (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

This assumes each individual user will stay current with these items if I update/install them? This Malware/virus industry sure does put a burden on the IT of this world!

Thanks again!

Shaba
2007-12-24, 16:26
Hi

"I take this to mean on the existing computers on the network?"

Yes.

"This assumes each individual user will stay current with these items if I update/install them? This Malware/virus industry sure does put a burden on the IT of this world!
"

Nothing can guarantee that, but following those makes chance to get infected much less.

Shaba
2007-12-31, 12:21
Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.