PDA

View Full Version : Spyware files show up in SAR's scan but not Spybot's



mhack
2006-10-20, 07:16
Hi, I am wondering if my system is infected with a rootkit. The reason is because I have downloaded Spybot-S&D 1.4, got the latest updates, did a scan and it found some spyware that it cleaned up (Pipas.A among others). Subsequent scans showed nothing. However, my initial problem remained (I do development work with mingw and it's not working properly). So I've been downloading other software, including some rootkit detectors. The Sophos Antirootkit did a scan and reported a number of hidden registry entries and files that I cannot view with Windows Explorer or a DOS box (using the 'show all' option). I believe that some of these hidden files are definitely spyware. The three in my \windows\system32 dir are pppcgm.exe, howiper.exe and kilacln.exe.

At this point, I'm not concerned with removing these spyware programs. What I want to understand is what is preventing me from viewing these files. I suspect that it is a rootkit that is trying to 'protect' various spyware files by hiding them.

I tried another rootkit detector, 'rootkit revealer' from Sysinternals, but it found nothing. So far, only the Sophos Antirootkit ver 1.1 has revealed them.

Below is my HijackThis log. Note: I know that my Windows system files are not up-to-date. I have specifically disabled all Windows updates and will keep it that way, because I would rather learn how to patch the system on my own instead of being helpless and depending on Microsoft.

--------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:13:58 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\net\umt\vpnclient\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\os\sophos-antirootkit\sargui.exe
C:\net\firefox\firefox.exe
C:\install\virus\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\net\umt\vpnclient\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

mhack
2006-10-21, 00:08
I've been doing some more research on hidden files in NTFS and have learned about Alternate Data Streams (ADS), which are apparently metadata similar to the resource forks in the old Mac OS. An article mentioned an ADS scan option for HijackThis!, which I tried. The only results found were normal 'Thumbs.db' files with 'encryptable (0 bytes)' attributes, and a single 'Zone.Identifier (26 bytes)' attribute for a Firefox setup file. The scan did not report the hidden spyware files mentioned above, that are found with the Sophos Anti-Rootkit.

LonnyRJones
2006-10-21, 04:13
Welcome to the forum mhack.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

mhack
2006-10-22, 03:10
Thanks for the response Lonny. I will check out the Fixwareout program, but before I do, I have a few questions. I understand that you developed the program, and I'm just curious how it works. From what I've been able to find out so far (which isn't much), it fixes the 'Wareout' infection. Is Wareout just a trojan, or does it have 'rootkit' abilities? Could you tell specifically from my HijackThis! log that my system is infected with 'Wareout', or is this just standard operating procedure before trying other things?

Also, would it be possible to give just a brief explanation how malware is able to hide those three spyware files on my system? I verified that they really do exist by booting into GNU/Linux and could list them from there. Finally, what exactly will Fixwareout do when I run it? Are there any additional documents about it?

thanks,

William

LonnyRJones
2006-10-22, 04:09
Usualy an accompaning fake antispyware gets installed along with a rootkit
or to put it better files that can stealth themselves.
wareout, unspypc etc are the fake programs
Both of which will unkindly remove all my runs if i let it.

The stealth part of the infection normal runs from

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"
Its invisible and can rename the file at each PC restart
A run running from HKLM that also changes each time the pc is restarted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Usualy the two start points above are present but it is possible to have either and not the other.


These keys are also involved
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls

mhack
2006-10-22, 04:47
Ok, I ran Fixwareout and it completed ok. Even better, my original problem in mingw now appears to be gone. I also did another Sophos Anti-Rootkit scan and it now only reports a single hidden registry value:

--------------------------------------------
Area: Windows registry
Description: Hidden registry value
Location: \HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters\SymbolicLinkValue
Removable: No
Notes: (type 6, length 132) "\ R e g i s t r y \ M A C H I N E \ S y s t e m \ C u r r e n t C o n t " ... "t e r s "
---------------------------------------------

Don't know if that is 'normal' or not. Below are the results from Fixwareout and new HijackThis! log:

--------------- report.txt:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmtqr.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSXJG.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSXJG.EXE 51,249 2006-08-14

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

----------------------- hijackthis.log:
Logfile of HijackThis v1.99.1
Scan saved at 7:30:41 PM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\net\umt\vpnclient\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\TpShocks.exe
C:\install\virus\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\net\umt\vpnclient\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

LonnyRJones
2006-10-22, 04:55
C:\WINDOWS\System32\CSXJG.EXE < delete
Do a file search for dmtqr.exe if it is present i need a copy, was it ?

That Sophos Anti-Rootkit detection must be a false possitive

mhack
2006-10-22, 05:47
Deleted the csxjg.exe file. Searched for dmtqr.exe, not found.

mhack
2006-10-22, 08:31
Everything appears to be back to normal. One more thing: I will be writing up a report of this for the mingw msys wiki, to help others who might experience the same kind of problem. What would be the best description for the type of malware that infected my system? A 'Wareout' trojan?

Once again, thanks for all your help! You are providing a great service to the general public.

William Knight

LonnyRJones
2006-10-22, 08:58
Thats what we call it, SpyBot calls it Pipus.A
Other programs have differant names
You could search the major venders sites, here are a couple.
ive not see a complete report anywhere as yet although it has been around in several varient's for a long time.
http://www.avira.com/en/threats/section/fulldetails/id_vir/1423/tr_dldr.agent.tc.4.html

http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.flush.f.html

Ewidos wareoutunspypc tool:
http://blog.evilissimo.net/2006/08/07/how-to-remove-trojandownloaderuj/

LonnyRJones
2006-10-29, 01:20
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let one of us know via a PM (personal message).