Infected with Antispyware Soft

capulinflicker
2010-06-03, 07:30
Hello,

This evening my computer was infected with Antivirus Soft. It was exhibiting all the signs: fake security warnings, fake system scan screen, all programs disabled, IE redirects to Antivirus Soft webpage, etc etc.

I was able to open Task Manager and kill the .exe file. After which I went to msconfig and disabled it from the start-up list. I then went to %Documents and Settings%\user\Local Settings\Application Data\[random string] and deleted the exe. (It was named some gibberish, [random string].exe.)

Sadly, this is my work computer which puts me in even more of a bind. I would take this to our IT department, however we no longer have IT support in-house and now have to wait for a remote technician to make a visit. (I had to wait over a month for them just to send someone out to switch the extension on my phone when I moved desks). I would greatly appreciate it if someone could help. Thanks in advance!

As instructed here's the DDS log and the Attach.txt in a .zip.


DDS (Ver_10-03-17.01) - NTFSx86
Run by user at 22:09:32.13 on Wed 06/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.119 [GMT -6:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {860E5DC2-3A32-441D-AEED-A06D4F3C3FC0}
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {07526210-19C0-48AC-8EB0-B15A9C95859C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CATPC\CATSYS\CatSystemSvc.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBBS.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre1.6.0_17\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\OfficeScan NT\tmlisten.exe
C:\Program Files\OfficeScan NT\CNTAoSMgr.exe
C:\WINDOWS\TEMP\KVBA23.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Siemens\CAT Bulletin Board\CBB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Siemens\CardOS API\bin\siecacst.exe
C:\Program Files\OfficeScan NT\Pccntmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Documents and Settings\user\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Windows Internet Explorer provided by Siemens
uStart Page = https://intranet.industry.usa.siemens.com
uDefault_Page_URL = https://intranet.industry.usa.siemens.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=CatUInit
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - Java(tm) Plug-In SSV Helper
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre1.6.0_17\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre1.6.0_17\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CatUserRun] exec32 /wh /c chgreg5 /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [USM] c:\program files\siemens\usm\USM.exe
mRun: [SIECACST] c:\program files\siemens\cardos api\bin\siecacst.exe
mRun: [OfficeScanNT Monitor] "c:\program files\officescan nt\Pccntmon.exe" -HideWindow
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\firewa~1.lnk - c:\program files\microsoft firewall client\ISATRAY.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\multim~1.lnk - c:\program files\mmtaskbar\MultiMon.exe
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: StartRunNoHOMEPATH = 1 (0x1)
uPolicies-system: ConnectHomeDirToRoot = 0 (0x0)
uPolicies-system: HideLogonScripts = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: MaxGPOScriptWait = 1800 (0x708)
mPolicies-system: HideShutdownScripts = 0 (0x0)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client\wspwsp.dll
Trusted Zone: authoria.com
Trusted Zone: authoria.com\si-salplan
Trusted Zone: cexp.com\*.ib2b
Trusted Zone: extremelearning.com
Trusted Zone: hewitt.com\*.resources
Trusted Zone: learnatsiemens.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: netglearning.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siemenshealthservices.com
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: skillwsa.com
Trusted Zone: vinimaya.com\*.siemens
Trusted Zone: authoria.com
Trusted Zone: authoria.com\si-salplan
Trusted Zone: cexp.com\*.ib2b
Trusted Zone: extremelearning.com
Trusted Zone: hewitt.com\*.resources
Trusted Zone: learnatsiemens.com
Trusted Zone: microsoft.com
Trusted Zone: monsoon5.com
Trusted Zone: netglearning.com
Trusted Zone: sap-ag.de
Trusted Zone: sap.com
Trusted Zone: siemenshealthservices.com
Trusted Zone: skilldialogue.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: skillwsa.com
Trusted Zone: vinimaya.com\*.siemens
DPF: {41E6DDD6-FBD6-4718-80F7-9B160533C2F5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGToolbars50.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {B3014671-7872-4671-BE73-5D05EB5B2AF5} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGUltraGrid20.CAB
DPF: {B63EA811-FF25-4211-A6D2-58BF767432E1} - hxxp://inet16.sbt.siemens.com/esonline/cabs/pictureloader.cab
DPF: {CAFECAFE-0013-0001-0009-ABCDEFABCDEF}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC696B63-4159-11D0-BDCB-0020A90B183A} - hxxp://usbgresw01/esonline/cabs/PVDATECAL9.CAB
DPF: {F0D96671-A5CE-4854-AE49-6835742D232F} - hxxp://inet16.sbt.siemens.com/esonline/cabs/IGThreed40.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 CatSystemSvc;CatSystem;c:\windows\catpc\catsys\CatSystemSvc.exe [2009-1-27 607744]
R2 CBBS;CAT Bulletin Board;c:\program files\siemens\cat bulletin board\CBBS.exe [2002-6-20 65536]
R2 TmFilter;Trend Micro Filter;c:\program files\officescan nt\TmXPFlt.sys [2008-8-15 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\officescan nt\tmpreflt.sys [2008-8-15 36368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 AsyncSvc;Insight AsyncSvc;c:\commtool\system\asyncsvc.exe [2009-7-27 601344]
S3 BACnetClientSvc;Insight BACnetClientSvc;c:\commtool\system\bacin.exe [2009-7-27 306432]
S3 BACnetServerSvc;Insight BACnetServerSvc;c:\commtool\system\bnsvc.exe [2009-7-27 1015040]
S3 CrossTrunkService;Insight CrossTrunkService;c:\commtool\system\xtsvc.exe [2009-7-27 224512]
S3 EventLogSvc;Insight EventLogSvc;c:\commtool\Eventlog.exe [2009-7-27 150784]
S3 EventPrtSvc;Insight EventPrtSvc;c:\commtool\Eventptr.exe [2009-7-27 138496]
S3 GlobalTablesService;Insight GlobalTablesService;c:\commtool\system\gtsvc.exe [2009-7-27 437504]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-6-1 24576]
S3 Insight DBCSServer;Insight DBCSServer;c:\commtool\system\InsightDBCSServer.exe [2009-7-27 1838336]
S3 Insight MonitorSvc;Insight MonitorSvc;c:\commtool\system\monitor.exe [2009-7-27 81152]
S3 Insight RENOServer;Insight RENOServer;c:\commtool\system\InsightRENOServer.EXE [2009-7-27 494848]
S3 LoaderSvc;Insight LoaderSvc;c:\commtool\system\loader.exe [2009-7-27 740608]
S3 ooams-3;Objectivity AMS;c:\commtool\system\dbmanagr\ooams.exe [2007-10-15 24576]
S3 ools-13;Objectivity Lock Server;c:\commtool\system\dbmanagr\ools.exe [2007-10-15 98304]
S3 ResidentPointSvc;Insight ResidentPointSvc;c:\commtool\RPMonitor.exe [2009-7-27 195840]
S3 SchedulerSvc;Insight SchedulerSvc;c:\commtool\Schedsrv.exe [2009-7-27 97536]
S3 SoftControllerSvc;Insight Softcontroller Service;c:\commtool\system\vfpsvc.exe [2009-7-27 118080]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\officescan nt\TmProxy.exe [2008-7-2 652552]
S4 SentinelLM;SentinelLM;c:\program files\siemens\apogee\common\lservnt.exe [2006-7-12 577536]

============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2010-06-01 20:01:28 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ANDROIDUSB_01007.Wdf
2010-06-01 20:01:26 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-06-01 20:00:58 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-06-01 14:57:24 0 d-----w- c:\docume~1\user\applic~1\Teleca
2010-06-01 14:56:04 0 d-----w- c:\program files\common files\Teleca Shared
2010-06-01 14:53:42 24576 ----a-w- c:\windows\system32\drivers\ANDROIDUSB.sys
2010-06-01 14:53:42 1122664 ----a-w- c:\windows\system32\WdfCoInstaller01007.dll
2010-06-01 14:53:33 0 d-----w- c:\program files\Spirent Communications
2010-06-01 14:53:20 0 d-----w- c:\program files\HTC
2010-06-01 14:50:10 0 d-----w- c:\windows\Downloaded Installations
2010-05-12 16:18:08 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-12 16:18:08 424320 ----a-w- c:\windows\system32\drivers\BCMWL5.SYS
2010-05-12 16:17:54 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-12 16:17:54 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-12 16:17:54 253952 ----a-w- c:\windows\system32\bcmwlu00.exe
2010-05-12 16:17:54 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-12 16:17:47 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-05-12 16:17:46 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-12 16:17:46 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-12 16:17:46 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-12 16:17:46 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-12 16:17:45 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-12 16:17:45 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-12 16:16:20 0 d-----w- C:\DELL
2010-05-04 20:58:17 62196 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-05-28 20:59:56 17920 ----a-w- c:\documents and settings\user\KWDCACHE.DAT
2010-05-28 14:45:29 3584 -c--a-w- c:\documents and settings\user\netcache.dat
2010-05-06 22:17:51 3072 ----a-w- c:\documents and settings\user\cdcache.dat
2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 22:10:56.39 ===============
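
As an added example, not code from the original post or from the DDS tool, the script below triages a DDS log the way a responder would before deciding whether the kill/disable/delete routine in the first post was enough. It flags three things that the log above happens to contain: a process running from a temp or per-user directory (C:\WINDOWS\TEMP\KVBA23.EXE), a user-level IE proxy that points back at the local machine (uInternet Settings,ProxyServer = http=127.0.0.1:5555, the kind of setting that produces the redirects the poster describes; note the log was taken after the exe was deleted and the proxy setting is still there, so the browser would keep routing through a port nothing legitimate serves), and a Run entry with no name or no command (mRun: [<NO NAME>]). The embedded log excerpt is constructed from lines visible in the post, the directory and pattern lists are my own assumptions, and every hit is a lead to verify by hand, not a verdict.

```python
"""
Triage a DDS log for the indicators discussed in the post above.
Example code written for this page; it is not part of the original post
and not part of DDS. SAMPLE_LOG is constructed from lines visible in the
posted log; the pattern lists below are assumptions, not DDS rules.
"""
import re

SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\Program Files\\OfficeScan NT\\ntrtscan.exe
C:\\WINDOWS\\TEMP\\KVBA23.EXE
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\user\\Desktop\\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [<NO NAME>]
mRun: [MSConfig] c:\\windows\\pchealth\\helpctr\\binaries\\MSConfig.exe /auto

============= SERVICES / DRIVERS ===============
"""

# DDS section headers look like "===== Section name =====".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Directories from which a legitimate service or startup program rarely runs
# on XP (assumption: tune this list for the environment being triaged).
SUSPECT_DIRS = re.compile(
    r"\\(temp|local settings\\application data|application data|desktop)\\",
    re.IGNORECASE,
)
PROXY_RE = re.compile(r"^[ud]Internet Settings,ProxyServer\s*=\s*(.+)$")
RUN_RE = re.compile(r"^[udm]Run(?:Once)?: \[(.*?)\](.*)$")
LOOPBACK_RE = re.compile(
    r"(?:^|=)(?:127\.\d+\.\d+\.\d+|localhost):(\d+)", re.IGNORECASE
)


def split_sections(text):
    """Return {section name: [non-blank lines]} keyed by the ===== headers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return a list of (kind, detail) findings, in log order. Leads, not verdicts."""
    findings = []
    sections = split_sections(text)

    for proc in sections.get("Running Processes", []):
        # dds.com itself is launched from the desktop, so it is not a finding.
        if SUSPECT_DIRS.search(proc) and not proc.lower().endswith("dds.com"):
            findings.append(("process_in_user_or_temp_dir", proc))

    for line in sections.get("Pseudo HJT Report", []):
        m = PROXY_RE.match(line)
        if m:
            lb = LOOPBACK_RE.search(m.group(1))
            if lb:
                # A browser proxy on the local machine silently reroutes all
                # HTTP; the rogue's redirects survive deleting its exe.
                findings.append(("proxy_to_loopback", f"port {lb.group(1)}: {line}"))
            else:
                findings.append(("proxy_set", line))
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(1), m.group(2).strip()
            if name == "<NO NAME>" or not cmd:
                findings.append(("run_entry_without_name_or_path", line))

    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {detail}")
```

To run it against a real log, read the saved DDS.txt and pass its contents to `triage()` in place of SAMPLE_LOG. A loopback proxy hit is cleared by resetting ProxyEnable/ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (or in IE's Connections tab) after the process that installed it is gone; the `MSConfig /auto` Run entry is what msconfig leaves behind once startup items have been disabled through it, which matches the poster's own step rather than the infection.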

tashi
2010-06-03, 08:35
Hello capulinflicker, :)


Sadly, this is my work computer which puts me in even more of a bind. I would take this to our IT department, however we no longer have IT support in-house and now have to wait for a remote technician to make a visit. (I had to wait over a month for them just to send someone out to switch the extension on my phone when I moved desks). I would greatly appreciate it if someone could help. Thanks in advance!

I'm afraid our volunteers cannot take this on.

Note:
When the infected computer in question is a company machine in the workplace, or you are an employee.


The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

The majority of the tools used in this forum are only free for Home Users and only tested on Home machines, they may well change settings that are required for a Company network. Another consideration is that company information may show in the logs.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT Professional or Supervisor when a workplace computer has been infected, immediately.

It's not that we don't want to help, but there are too many issues that could arise from a networked company machine that malware forum volunteers are not experienced in dealing with.
http://forums.spybot.info/showpost.php?p=25712&postcount=5

Best regards,

capulinflicker
2010-06-03, 15:16
I thought this might be the case. Sigh. Oh well, thanks anyway.
Mods, you may delete this thread