
Antivirus 2009 XP Rogue Yields Persistent Handful of Trojans - Logs Posted, Help Requested For Client's PC


Purple


Hello MAB Techs,

(I'm an IT guy).

Client's computer hit with Antivirus XP 2009 rogue.

Several steps later (thanks, Malwarebytes, for the tool!), I'm down to two rootkit leftovers which MAB tool won't remove:

Rootkit.Agent.H c:\windows\system32\drivers\mrxdavv.sys

Trojan.Agent c:\windows\system32\kwave.sys

and a "new" handful of Trojans which Kaspersky detected

===

Client's setup:

AMD PC

Windows XP Home 2002 SP2 (I'm not a big fan of SP3)

IE7

Plenty of RAM and available disk space

===

What I've done thus far:

Several rounds of Malwarebytes' Anti-Malware tool

Spybot Search & Destroy (several times)

Ad-Aware (several times)

Symantec Antivirus (several times)

CoolWebShredder (no problems)

Wise4Disk cleaner

Wise4 Registry Cleaner

Cleaned up MSCONFIG and startup items

ComboFix.exe (renamed as PURPLEComboFix.exe)

ATFCleaner

HijackThis

Uninstalled Symantec, installed AVG 8.0

Turned off automatic MS updates

Microsoft is failing on installing updates, but I believe that's a separate issue specific to MSOfc2003...

===

My logs are posted below:

Malwarebytes Anti-Malware [renamed to PURPLEmbam.exe]

HijackThis [renamed to PURPLEHijackThis.exe]

GMER (ran this because problem appears to be rootkit attack) [renamed to PURPLEGmerRootkitScanner.exe]

Kaspersky Online Virus Scanner

I performed these scans on a quiet system, after disabling AVG and Windows Firewall. (I am accessing the client's computer via LogMeIn).

I'd appreciate help on getting rid of this demon. Thank you so much!

Paul

===

Malwarebytes' Anti-Malware (v. 1801) Full Scan [renamed to PURPLEmbam.exe]:

Malwarebytes' Anti-Malware 1.34

Database version: 1801

Windows 5.1.2600 Service Pack 2

2/25/2009 6:56:23 AM

2009-02-25mbam-log-(06-55-29).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 134562

Time elapsed: 48 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.

(The above two items persistently remain, despite several attempts to remove them on startup).

Rootkit.Agent.H c:\windows\system32\drivers\mrxdavv.sys

Trojan.Agent c:\windows\system32\kwave.sys

===

HijackThis [renamed to PURPLEHijackThis.exe]:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:41:22 AM, on 2/25/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Malwarebytes' Anti-Malware\PURPLEmbam.exe

C:\Program Files\Trend Micro\HijackThis\PURPLEHijackThis.exe

C:\IT USE\SECURITY\PURPLEGmerRootkitScanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto

O4 - HKCU\..\Run: [Windows Loader] C:\WINDOWS\system32\config\systemprofile\Application Data\ptssvc.exe -lds

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1235485549750

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 5243 bytes

===

GMER [renamed to PURPLEGmerRootKitScanner.kit]

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2009-02-25 07:00:17

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

Code \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS IoCreateFile

---- Kernel code sections - GMER 1.0.14 ----

.text MREMP50a64.SYS F795A60D 5 Bytes [ 8B, FF, 55, 8B, EC ]

.text MREMP50a64.SYS F795A618 4 Bytes [ 1F, AD, 56, 80 ]

? C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS Access is denied.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1836] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- EOF - GMER 1.0.14 ----

===

Kaspersky Online Virus Scanner:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, February 25, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, February 25, 2009 06:01:16

Records in database: 1841906

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

X:\

Y:\

Scan statistics:

Files scanned: 45377

Threat name: 6

Infected objects: 7

Suspicious objects: 5

Duration of the scan: 03:12:10

File name / Threat name / Threats count

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Zbot.dqu 2

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.HTML.Agent.km 1

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 5

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Dropper.Win32.Agent.vac 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HN1YLDST\cm[1].exe Infected: Trojan-Downloader.Win32.Agent.bipp 1

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HN1YLDST\cm[1].exe Infected: Trojan-Dropper.Win32.Agent.ahud 2

The selected area was scanned.

(PLEASE NOTE: There are several Trojans detected by Kaspersky that were not detected by MAB and the other tools).

===
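Added example, not part of Paul's post or of any Malwarebytes, HijackThis or GMER tool: a small triage script for the O4 (Run key) and O23 (service) lines in a HijackThis log like the one above. It parses each entry, pulls the executable path out of the command line (honouring quoted paths and trailing switches such as the `-lds` above), and flags entries whose image lives under a user profile or temporary directory, or that are given as a bare filename and so depend on the PATH search order. The directory list and the high/low severity labels are assumptions chosen for this example; the sample input is a handful of lines copied from the log above, embedded as a constructed test string. The script does not decide what is malicious; it only ranks what the analyst should verify first (hash lookup, file properties, signature).

```python
"""Triage O4/O23 entries from a HijackThis log by where the image executes from."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: lines in the HijackThis format from the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Windows Loader] C:\WINDOWS\system32\config\systemprofile\Application Data\ptssvc.exe -lds
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$')

# Assumed list for this example: directories a legitimate autostart or service
# rarely executes from. Matched case-insensitively as substrings of the image path.
SUSPECT_DIRS = (
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\config\\systemprofile\\",
)


def extract_image_path(cmd: str) -> str:
    """Return the executable path from a command line, honouring quotes.

    Unquoted paths are cut at the first ' -x' or ' /x' style argument so that
    'C:\\dir\\a.exe -lds' yields 'C:\\dir\\a.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\s[-/]', cmd)
    return cmd[:m.start()] if m else cmd


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4 or O23 line; return None for every other line type."""
    m = O4_RE.match(line.strip())
    if m:
        return {"kind": "O4", "name": m["name"], "hive": m["hive"],
                "cmd": m["cmd"], "image": extract_image_path(m["cmd"])}
    m = O23_RE.match(line.strip())
    if m:
        return {"kind": "O23", "name": m["name"], "vendor": m["vendor"],
                "cmd": m["cmd"], "image": extract_image_path(m["cmd"])}
    return None


def assess(entry: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an entry worth a second look, else None."""
    image = entry["image"].lower()
    for d in SUSPECT_DIRS:
        if d in image:
            return ("high", f"executes from a profile/temp directory: {entry['image']}")
    if "\\" not in image:
        # A bare filename is resolved through the PATH search order at logon,
        # so a same-named file earlier in PATH would be run instead.
        return ("low", f"bare filename resolved via PATH: {entry['image']}")
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, entry name, reason) for every flagged O4/O23 line, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        verdict = assess(entry)
        if verdict:
            flagged.append((verdict[0], entry["name"], verdict[1]))
    return flagged


if __name__ == "__main__":
    for severity, name, reason in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {name}: {reason}")
```

Expect the `Windows Loader` entry to rank high (it runs from the system profile's Application Data folder, the same tree the Kaspersky report shows downloaders cached under) and `soundMan` to rank low (a bare filename; common for OEM audio tray utilities, so confirm rather than delete). On XP, updaters that run from `Local Settings\Application Data` will also trip the `\application data\` rule, so trim `SUSPECT_DIRS` to the environment before acting on a "high" result.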
