win32/medbot.dc



swistak
2006-11-27, 23:54
Hi

My NOD32 is informing me of an infection with medbot.dc. The trojan creates setup.exe on all my hard drives.

I run Win XP x64 Edition.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:53:21, on 2006-11-27
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
D:\Program Files (x86)\Gadu-Gadu\gg.exe
D:\Program Files (x86)\GetRight\getright.exe
D:\WINDOWS\SysWOW64\ctfmon.exe
D:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe
D:\Program Files (x86)\Eset\nod32kui.exe
d:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files (x86)\Eset\nod32krn.exe
D:\Program Files (x86)\Mozilla Firefox\firefox.exe
D:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
D:\Documents and Settings\Administrator\Desktop\systemowe\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files (x86)\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files (x86)\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files (x86)\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: GetRight - Tray Icon.lnk = D:\Program Files (x86)\GetRight\getright.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj do istniejącego pliku PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do Adobe PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj miejsce docelowe łącza do istniejącego pliku PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Konwertuj wybrane łącza do Adobe PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Konwertuj wybrane łącza do istniejącego pliku PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konwertuj zaznaczenie do Adobe PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego pliku PDF - res://D:\Program Files (x86)\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files (x86)\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - d:\Program Files (x86)\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - D:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - D:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - D:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - D:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - D:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files (x86)\Eset\nod32krn.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - D:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Visibroker Activation Daemon (oad) - Unknown owner - D:\PROGRA~2\Borland\vbroker\bin\oad.exe
O23 - Service: VisiBroker Smart Agent (osagent) - Unknown owner - D:\PROGRA~2\Borland\vbroker\bin\osagent.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - D:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - D:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - D:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - D:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - D:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - D:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - D:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

LonnyRJones
2006-12-02, 15:41
Hi

Do you have more than one Windows installed on that PC?
I assume you have scanned with NOD32 while in safe mode?

swistak
2006-12-02, 17:04
I have only one OS on my PC. I performed a system scan in safe mode.

LonnyRJones
2006-12-02, 17:33
Is there also a setup.inf created next to the setup.exe?

Post at least one of these free online scan reports, please.

Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!

Follow the instructions here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, and try to cure/repair; if it cannot, choose delete. If it cannot delete, tell us the file names and locations.

swistak
2006-12-02, 20:10
F-Secure scan as requested

Scanning Report
Saturday, December 02, 2006 18:49:21 - 20:09:22

Computer name: SWISTAKOWY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 14 malware found
Exploit.HTML.Mht (virus)

* E:\SłAWEK\STARY\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\356D1B73.HTM (Renamed & Submitted)
* E:\SłAWEK\STARY\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\4900552E.HTM (Renamed & Submitted)
* E:\SłAWEK\STARY\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\541F7888.HTM (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System

Trojan-Downloader.JS.Small.d (virus)

* E:\SłAWEK\STARY\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\QUARANTINE\54361E6F.HTM (Renamed & Submitted)

W32/Smalldoor.HBW (virus)

* D:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\DESKTOP\SYSTEMOWE\KILLBOX.EXE (Submitted)
* E:\STARY D\DOCUMENTS AND SETTINGS\DESKTOP\SYSTEMOWE\KILLBOX.EXE (Submitted)
* E:\PEN BACKUP\SYSTEMOWE\KILLBOX.EXE (Submitted)

Statistics
Scanned:

* Files: 63331
* System: 4196
* Not scanned: 1

Actions:

* Disinfected: 1
* Renamed: 3
* Deleted: 0
* None: 10
* Submitted: 7

Files not scanned:

* C:\PAGEFILE.SYS

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2006-12-01
* F-Secure AVP: 7.0.171, 2006-12-01
* F-Secure Orion: 1.2.37, 2006-12-01
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Pegasus: 1.19.0, 2006-08-29

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

LonnyRJones
2006-12-03, 07:23
Is there also a setup.inf created next to the setup.exe?
You didn't see the question?

* System (Disinfected)
Hopefully that got it. Are you still seeing setup.exe when scanning with your AV program?

Is that PC networked, and are the other PCs also showing the same signs of that infection?
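Added example, not part of the thread and not a tool either poster used: a PowerShell triage check that answers the two questions above on each machine, listing setup.exe and setup.inf in every local drive root with timestamps and SHA256 hashes so the copies can be compared across drives and across PCs on the LAN. It assumes PowerShell 4.0 or later (for Get-FileHash); only the two file names come from the thread, everything else is constructed.

```powershell
# Added triage helper (not from the thread): look in the root of every local
# drive for the files the thread is asking about and report what is found.
# Assumes PowerShell 4.0+ (Get-FileHash). The file names are the ones named
# in the thread; the rest of this script is a constructed example.

$suspectNames = @('setup.exe', 'setup.inf')

# WMI DriveType 3 = local fixed disk, 2 = removable. The infection was reported
# on "all hard drives", so both kinds are checked.
$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3 }

$findings = foreach ($d in $drives) {
    foreach ($name in $suspectNames) {
        $path = Join-Path ($d.DeviceID + '\') $name
        if (Test-Path -LiteralPath $path) {
            # -Force so hidden/system files (common for droppers) are not skipped
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Path      = $item.FullName
                SizeBytes = $item.Length
                Created   = $item.CreationTimeUtc
                Modified  = $item.LastWriteTimeUtc
                Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

if (-not $findings) {
    'No setup.exe / setup.inf found in any drive root.'
} else {
    $findings | Format-Table -AutoSize
    # One hash shared by every drive is what a single self-copying dropper
    # produces; different hashes usually mean unrelated, legitimate installers.
    'Distinct files by SHA256:'
    $findings | Group-Object SHA256 | Select-Object Count, Name
}
```

Run it on the reporting PC and on another machine in the same LAN; matching hashes on both are the quickest way to confirm the spread LonnyRJones is asking about.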

swistak
2006-12-03, 11:05
No, the other PCs in the LAN are not infected;
no, there is no setup.ini; and
I still get the alert.

LonnyRJones
2006-12-03, 14:34
Try the Sophos tool SAV32CLI:
http://www.sophos.com/support/disinfection/trojan.html#q4

When finished, post the C:\LOGFILE.TXT.
There are other similar tools, so if there are problems with this one, let us know.

LonnyRJones
2006-12-11, 11:44
How's that PC, swistak?

tashi
2006-12-20, 08:21
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.