
win32 trojan/worm



sky11
2009-12-20, 03:25
Hi, I was recently infected with the win32.downloader.dequ

Can anyone tell me if this trojan can take off private information from my computer? Or is it more of a computer destroyer? What type of trojan is it?

Spybot detected it even after reformatting (deleting and reinstalling xp).
Is there any way to stop it returning after reformatting?

I would appreciate any advice.

thanks
sky

my system is xp

shelf life
2009-12-23, 22:55
Hi,

Your log is a few days old. If you still need help do this;

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.

Double click dds.scr to run the tool. When done, DDS.txt will open.

Save both reports to your desktop.

Copy/paste both logs in your reply.

sky11
2009-12-24, 10:09
Below is the DDS and I have attached the second list in a compressed folder. Originally Spybot detected Win32. I deleted Windows XP Pro and reinstalled it with the disk. When I downloaded Spybot and opened it, it immediately detected win32.downloader.dequ. I'm wondering if this is the same infection? Is this spyware?

Thanks


DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 7:47:04.23 on 24/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.254.29 [GMT 0:00]

AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\osk.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 4 for RootkitRevealer.zip\RootkitRevealer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HUYFIV.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\7il91260.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 142832]

=============== Created Last 30 ================

2009-12-24 07:19:51 3989504 ----a-w- c:\windows\system32\PGIVUD
2009-12-24 04:55:21 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-12-24 04:55:18 17992 ----a-w- c:\windows\system32\bcm42rly.sys
2009-12-24 04:54:51 0 d-----w- c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster
2009-12-24 04:54:46 609 ----a-w- c:\windows\system32\WLAN.INI
2009-12-22 07:58:58 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-22 07:58:58 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-22 07:58:58 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-18 03:30:18 6400 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2009-12-18 03:30:18 6400 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-12-18 03:30:11 82944 -c--a-w- c:\windows\system32\dllcache\wdmaud.sys
2009-12-18 03:30:11 82944 ----a-w- c:\windows\system32\drivers\wdmaud.sys
2009-12-18 03:30:06 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
2009-12-18 03:30:06 52864 ----a-w- c:\windows\system32\drivers\DMusic.sys
2009-12-18 03:29:57 54272 -c--a-w- c:\windows\system32\dllcache\swmidi.sys
2009-12-18 03:29:57 54272 ----a-w- c:\windows\system32\drivers\swmidi.sys
2009-12-18 03:29:47 142464 -c--a-w- c:\windows\system32\dllcache\aec.sys
2009-12-18 03:29:47 142464 ----a-w- c:\windows\system32\drivers\aec.sys
2009-12-18 03:29:37 171776 -c--a-w- c:\windows\system32\dllcache\kmixer.sys
2009-12-18 03:29:37 171776 ----a-w- c:\windows\system32\drivers\kmixer.sys
2009-12-18 03:29:26 2944 -c--a-w- c:\windows\system32\dllcache\drmkaud.sys
2009-12-18 03:29:26 2944 ----a-w- c:\windows\system32\drivers\drmkaud.sys
2009-12-18 03:29:18 60800 -c--a-w- c:\windows\system32\dllcache\sysaudio.sys
2009-12-18 03:29:18 60800 ----a-w- c:\windows\system32\drivers\sysaudio.sys
2009-12-18 03:29:01 7552 -c--a-w- c:\windows\system32\dllcache\mskssrv.sys
2009-12-18 03:29:01 7552 ----a-w- c:\windows\system32\drivers\MSKSSRV.sys
2009-12-18 03:28:45 4992 -c--a-w- c:\windows\system32\dllcache\mspqm.sys
2009-12-18 03:28:45 4992 ----a-w- c:\windows\system32\drivers\MSPQM.sys
2009-12-18 03:27:52 5376 -c--a-w- c:\windows\system32\dllcache\mspclock.sys
2009-12-18 03:27:52 5376 ----a-w- c:\windows\system32\drivers\MSPCLOCK.sys
2009-12-18 03:26:04 145792 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2009-12-18 03:26:04 145792 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-12-18 03:26:02 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-12-18 03:26:02 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-12-18 03:26:01 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-12-18 03:26:01 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-12-18 03:25:53 130048 -c--a-w- c:\windows\system32\dllcache\ksproxy.ax
2009-12-18 03:25:53 130048 ----a-w- c:\windows\system32\ksproxy.ax
2009-12-18 03:24:54 4816 ----a-w- c:\windows\system32\drivers\aeaudio.sys
2009-12-18 03:24:53 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2009-12-18 03:24:40 765952 ----a-w- c:\windows\system\crlds3d.dll
2009-12-18 03:24:37 0 d-----w- c:\windows\VirtualEar
2009-12-18 03:24:36 720896 ----a-w- c:\windows\system32\Audio3d.dll
2009-12-18 03:24:31 991232 ----a-w- c:\windows\system32\virtear.dll
2009-12-18 03:24:17 612352 ----a-w- c:\windows\system32\drivers\smwdm.sys
2009-12-18 03:24:15 720896 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2009-12-18 03:24:15 720896 ----a-w- c:\windows\system32\a3d.dll
2009-12-18 03:23:55 0 d-----w- c:\program files\Analog Devices
2009-12-18 03:23:38 45056 ----a-w- c:\windows\system32\CleanUp.exe
2009-12-18 03:22:45 49152 ----a-w- c:\windows\system32\DSndUp.exe
2009-12-18 03:20:30 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-18 03:04:59 0 d-----w- C:\dell
2009-12-18 02:27:26 0 d-----w- c:\program files\Trend Micro
2009-12-18 01:03:30 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-18 00:56:26 0 d-s---w- c:\documents and settings\administrator\UserData
2009-12-18 00:55:44 0 d-----w- c:\program files\Microsoft Security Essentials
2009-12-18 00:51:47 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-18 00:51:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-18 00:38:20 0 d-----w- c:\docume~1\admini~1\applic~1\AVG8
2009-12-18 00:36:43 0 d-----w- c:\windows\system32\PreInstall
2009-12-18 00:34:35 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2009-12-18 00:32:02 0 d--h--w- c:\windows\$hf_mig$
2009-12-18 00:32:00 332288 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-12-18 00:30:41 0 d-----w- c:\windows\system32\SoftwareDistribution
2009-12-15 23:11:52 0 d-----w- c:\windows\system32\wbem\AutoRecover
2009-12-15 22:17:21 0 d-sh--w- c:\documents and settings\all users\DRM
2009-12-15 22:15:56 0 d-----w- c:\program files\common files\MSSoap
2009-12-15 22:14:42 0 d--h--w- c:\program files\WindowsUpdate
2009-12-15 22:14:42 0 d-----w- c:\program files\Online Services
2009-12-15 22:14:32 0 d-----w- c:\program files\Messenger
2009-12-15 22:14:27 0 d-----w- c:\program files\MSN Gaming Zone
2009-12-15 22:13:53 0 d-----w- c:\program files\Windows NT
2009-12-15 22:06:13 0 d-----w- c:\program files\common files\ODBC
2009-12-15 22:06:09 0 d-----w- c:\program files\common files\SpeechEngines
2009-12-15 22:05:46 0 d-----r- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-12-15 22:15:03 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 7:49:07.56 ===============

sky11
2009-12-24, 10:28
Below is also a rootkitrevealer scan.

HKLM\SECURITY\Policy\Secrets\SAC* 15/12/2009 22:36 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 15/12/2009 22:36 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\7il91260.default\urlclassifierkey3.txt 24/12/2009 07:39 154 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Desktop\Attach.txt 24/12/2009 07:50 5.71 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Desktop\DDS.txt 24/12/2009 07:50 8.42 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Desktop\New Compressed (zipped) Folder.zip 24/12/2009 07:57 2.11 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\031D7A1Bd01 24/12/2009 07:41 50.36 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\131DB99Cd01 24/12/2009 07:44 123.18 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\1713D29Ed01 24/12/2009 07:44 38.71 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\1FD5F091d01 24/12/2009 07:41 16.40 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\21551AB8d01 24/12/2009 07:41 16.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\2B47097Ed01 24/12/2009 07:44 18.03 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\2CE7FC17d01 24/12/2009 07:44 19.76 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\2E11CFF9d01 24/12/2009 07:41 25.02 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\2E11DFF9d01 24/12/2009 07:41 22.28 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\61DCDAF9d01 24/12/2009 07:41 83.08 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\6BF41AB8d01 24/12/2009 07:41 42.62 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\830B4D02d01 24/12/2009 07:52 53.78 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\86CD53FCd01 24/12/2009 07:41 17.17 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\BF1E1DD0d01 24/12/2009 07:41 30.90 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\C0305210d01 24/12/2009 07:41 16.17 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\C1AE0834d01 24/12/2009 07:40 23.32 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\C7784FACd01 24/12/2009 07:44 29.94 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7il91260.default\Cache\CED3E256d01 24/12/2009 07:44 38.07 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\

shelf life
2009-12-24, 17:26
hi,

Well, if you reformatted and reinstalled Windows then any previous malware wouldn't show up. A reformat wipes the hard drive. Spybot is finding it on a scan? On a side note, have you been to Windows Updates lately?

sky11
2009-12-28, 04:47
Spybot detected win32.downloader.dequ after the first time I deleted Windows and reinstalled it, which I thought was strange. I also thought the hard drive would be wiped, but I think it came back because it's a worm?

I then downloaded the Windows updates for Win32/Conficker, which I didn't know would work.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

I installed the bulletin and autorun updates and then deleted Windows and reinstalled. So far Spybot has not detected anything.

I think the Microsoft updates stopped the trojan/worm from resurrecting on my reinstall of Windows? What do u think?

Thanks 4 your advice.

sky11
2009-12-28, 06:00
Would u also be able to tell me what win32.downloader.dequ does? Could my desktop information have been exposed like spyware?

thanks.

shelf life
2009-12-28, 21:52
but i think it came back because it's a worm?
Hard to say, may have been a false positive. I suppose it could have reinfected your machine after the reinstall of Windows. One way worms can spread is by exploiting vulnerabilities in Windows. You are running IE 6.0. Do you visit Windows Updates on occasion to get critical patches, or have auto-updates turned on? They can also spread to USB flash drives and across networks etc. They can have different capabilities based on the worm. Once malware comes out it can 'morph' into many different forms with varying capabilities.


Could my desktop information have been exposed like spyware?
I would suppose so. Worms can have trojan components. Couldn't tell you if any personal information was compromised.
Visit Windows Update and get any critical 'patches', update your AV and do a full scan. Might do an online scan also:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only

check "YES" to accept terms

click start button

allow the ActiveX component to install

click the start button. the Scanner will update.

check both "Remove found threats" and "Scan unwanted applications"

click scan

when done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

sky11
2010-01-05, 12:08
The ESET scan is below. I am also downloading the latest 'patches' from Windows and I have updated my AV. I also have Microsoft automatic updates turned on.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=cd2e0d21c0186040a695224bba32e05b
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-05 09:10:06
# local_time=2010-01-05 09:10:06 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1580360 1580360 0 0
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776533 100 100 434528 17329122 0 0
# compatibility_mode=8192 67108863 100 0 72337 72337 0 0
# scanned=25021
# found=0
# cleaned=0
# scan_time=2605

sky11
2010-01-05, 12:42
I would also like to just confirm the following with you:

Originally Spybot detected Win32 after I downloaded a programme, so I know up to this point I had a real infection. But then I deleted Windows XP Pro and reinstalled it with the disk. After this, when I downloaded Spybot and opened it, it immediately detected win32.downloader.dequ. I'm wondering if this is the same infection that morphed because of different detection? This could imply this second detection was not a false positive, or Spybot just wasn't specific on first detection? What do u think?

I then downloaded the following updates from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=96ca61f6-8b16-4157-9635-8cfc0bbf4c35&displaylang=en

I found the updates on this Microsoft page: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

I then reformatted again. There has been no detection since.

In your opinion, do you think the second detection, win32.downloader.dequ, was still a false positive, because many forums suggest that detecting a win32 infection after a reformat is usually a false positive? I'm trying to figure out if the infection is really gone.
Thanks 4 your advice.

shelf life
2010-01-06, 01:10
One way worms can spread and infect is by taking advantage of vulnerabilities in Windows. No vulnerability present, then no worm. Having Windows Update on is good. They can be pretty frequent updates. In fact there is a name for it: "Patch Tuesday", the 2nd Tuesday in each month when patches can be released.

If you reformatted and reinstalled Windows then I find it hard to believe you got a worm, even though you may have heard stories about how, without this, that and the other installed, your computer will be hit in ____ (fill in the blank) seconds. As long as you make it a point to install MS updates and get AV and an antimalware installed without delay, all should be ok.

I am also wondering if you really reformatted your hard drive. Some disks may be a re-install or recovery disk. If you saw anything on your computer that was there before, like software you installed, text documents, photos etc., any content you created, then it wasn't a clean install of Windows.
The computer vendors web site would have more info about the disk they supplied you and its capabilities.

sky11
2010-01-06, 18:18
Thanks 4 your advice. I did delete Windows completely and then installed the Windows disk again. Spybot's detection after this must have been a false positive.

You also mentioned USBs. I have a USB that allows me to use wireless broadband. It is a Cisco Systems Linksys. Could this have been affected on the initial infection?

shelf life
2010-01-07, 01:08
I am talking about a USB flash drive that would be used to transfer files between computers. If one is inserted into a computer that has malware then it's possible that the drive itself becomes infected; then when you plug it into another machine you can infect that computer. Not all malware can spread that way though.

Your USB wireless adapter cannot get infected with malware.
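The two defensive points made in this thread (a worm needs an unpatched vulnerability, and some malware spreads through removable media) can both be checked from a script. The PowerShell below is an added example, not something posted in the thread or shipped by Spybot, Microsoft or ESET. It assumes PowerShell 2.0 or later with Get-HotFix available, that it runs in an elevated shell when it writes to the registry, and it takes the KB number of the update to check as a parameter; KB958644 is the article I know of for the MS08-067 bulletin linked above, but confirm that against the bulletin before relying on it. Autorun is controlled by the NoDriveTypeAutoRun policy bitmask; 0xFF sets the bit for every drive type, which is the setting that stops autorun.inf on a flash drive from launching anything.

```powershell
# Added example (not from the thread). Defender-side checks for the two
# conditions the thread discusses:
#   1. Is a given security update installed?  (no vulnerability, no worm)
#   2. Is Autorun disabled for every drive type?  (removable-media spread)
# Assumptions: PowerShell 2.0+, Get-HotFix available, elevated shell for writes.

$AutorunPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-HotFixInstalled {
    param([Parameter(Mandatory = $true)][string]$KbId)   # e.g. 'KB958644'
    # Get-HotFix wraps Win32_QuickFixEngineering. SilentlyContinue turns
    # "no such hotfix" into $null instead of a terminating error.
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Get-AutorunPolicy {
    # Returns the NoDriveTypeAutoRun bitmask, or $null when no policy is set.
    $item = Get-ItemProperty -Path $AutorunPolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    # Autorun is fully off only when all eight drive-type bits (0xFF) are set.
    $mask = Get-AutorunPolicy
    return ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)
}

function Disable-Autorun {
    # Creates the policy key if it does not exist yet, then sets the mask.
    if (-not (Test-Path $AutorunPolicyKey)) {
        New-Item -Path $AutorunPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $AutorunPolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# --- Report, and remediate the Autorun setting when it is weak ---
$kb = 'KB958644'   # assumption: the KB article for MS08-067; adjust as needed
if (Test-HotFixInstalled -KbId $kb) {
    "$kb installed: yes"
} else {
    "$kb installed: NO - run Windows Update"
}

if (Test-AutorunDisabled) {
    'Autorun: disabled for all drive types'
} else {
    "Autorun: NOT fully disabled (NoDriveTypeAutoRun = $(Get-AutorunPolicy)); setting 0xFF"
    Disable-Autorun
}
```

The hotfix check only tells you whether that one update is present; Windows Update with automatic updates on, as the poster already has, is what keeps the rest of the patch set current. The Autorun change takes effect for Explorer at the next logon.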