
Win32/Alman.NAB virus question



Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB virus. My antivirus showed that some executable files were infected; also, when I use Internet Explorer, Windows periodically pops up an error message called RUNDLL:

"Error loading C:\Windows\AppPatch\Jview.dll

The specified module could not be found."

(by default I use Firefox).

After running a whole-computer scan, NOD32 isolated the infected files in a Quarantine folder. I removed the Jview.dll.

As far as I know, Win32/Alman.NAD is an infector and downloader, and it has got its own driver. If it sits inside some legitimate process (IE), then it will add the new registry key again. Then removing it will be harder.

Then I downloaded and ran the DSS utility and got the following report. I browsed through the logfile, but I am not sure which processes and keys are legitimate.

Deckard's System Scanner v20071014.68

Run by User on 2008-06-26 12:28:36

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

51: 2008-06-26 09:28:42 UTC - RP650 - Deckard's System Scanner Restore Point

50: 2008-06-20 09:36:28 UTC - RP649 - Software Distribution Service 3.0

49: 2008-06-18 14:40:47 UTC - RP648 - System Checkpoint

48: 2008-06-16 14:22:43 UTC - RP647 - System Checkpoint

47: 2008-06-11 09:32:32 UTC - RP646 - Software Distribution Service 3.0

-- First Restore Point --

1: 2008-03-25 07:01:53 UTC - RP600 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:29:44, on 2008.06.26.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\User\Desktop\dss.exe

C:\PROGRA~1\HIJACK~1\User.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 84.252.140.138:3128

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 3553 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2008-05-26 and 2008-06-26 -----------------------------

2008-06-25 12:52:34 148 --a------ C:\WINDOWS\system32\unxxx.bat

2008-06-17 19:07:04 0 d-------- C:\Documents and Settings\User\Application Data\NCH Swift Sound

2008-06-02 12:19:01 0 d-------- C:\Program Files\xmplay342

-- Find3M Report ---------------------------------------------------------------

2008-06-19 14:57:39 0 d-------- C:\Documents and Settings\User\Application Data\Mozilla

2008-06-02 17:07:14 0 d-------- C:\Program Files\Star Downloader

2008-05-26 20:38:02 0 d-------- C:\Documents and Settings\User\Application Data\Orbit

2008-04-24 13:19:56 1160192 --a------ C:\WINDOWS\system32\Gareks.scr <Not Verified; Xara Group Ltd.; Xara3D Screen Saver>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Cmaudio"="cmicnfg.cpl" []

"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003.04.06. 19:19]

"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003.04.06. 19:07]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001.07.09. 10:50]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008.01.11. 23:16]

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008.03.13. 16:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004.08.04. 00:56]

"NetMeter"="C:\Program Files\HooTech\NetMeter\HooNetMeter.exe" [2006.10.09. 02:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007.03.28. 19:13:36]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"JavaView"= {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

-- End of Deckard's System Scanner: finished at 2008-06-26 12:30:30 ------------

Deckard's System Scanner v20071014.68

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

CPU 0: Intel
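One way to triage a HijackThis log like the one above, as an added example that is not from the original thread and not HijackThis's own logic: the script applies three rules (an Internet Settings proxy pointing at a public address, an unnamed BHO, and an SSODL entry whose DLL is missing or outside System32) to lines copied from the posted log. The rules, thresholds and the `classify_line`/`triage` names are my own assumptions.

```python
import ipaddress
import re

# Lines copied from the HijackThis log posted above; used here as constructed test input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 84.252.140.138:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

def classify_line(line):
    """Return (severity, reason) for one HijackThis line, or None. Hypothetical heuristics."""
    m = re.match(r"^(R1|O2|O4|O21|O23) - (.*)$", line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "R1" and "ProxyServer" in rest:
        # A system-wide proxy at a public address silently routes all IE traffic elsewhere.
        host = rest.split("=", 1)[1].strip().split(":")[0]
        try:
            if ipaddress.ip_address(host).is_global:
                return ("high", f"browser proxy points at an external address: {host}")
        except ValueError:
            return ("review", f"proxy is a host name, resolve and verify it: {host}")
    if kind == "O2" and "(no name)" in rest:
        return ("review", "unnamed BHO; identify the DLL before trusting it")
    if kind == "O21":
        # ShellServiceObjectDelayLoad DLLs are loaded by Explorer at every logon.
        if "(file missing)" in rest:
            return ("high", "SSODL DLL is gone but the key remains: stale persistence, this is what produces the RUNDLL error at logon")
        if "\\system32\\" not in rest.lower():
            return ("review", "SSODL DLL outside System32")
    return None

def triage(log_text):
    """Run classify_line over a whole log; returns [(severity, section, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            verdict = classify_line(line)
            if verdict:
                findings.append((verdict[0], line.split(" - ", 1)[0], verdict[1]))
    return findings

if __name__ == "__main__":
    for severity, section, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {reason}")
```

On the posted log this flags the external proxy, the unnamed BHO for review, and the dead JavaView SSODL key; the remaining Run and Service entries point at known vendor binaries and pass.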


I have NOD32 antivirus.

I already posted detailed HijackThis and Deckard's System Scanner logs. I consider that these logs contain enough information to determine the malware, and there is no need to install one new spyware remover after another; they all work the same way. In addition, I posted a list of my drivers.

Microsoft Windows XP [Version 5.1.2600]

© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User> drivers

Drivers - DiamondCS Freeware Console Tools (www.diamondcs.com.au)

---

ADDRESS: IMAGE PATH:

804D7000: \WINDOWS\system32\ntoskrnl.exe

806EC000: \WINDOWS\system32\hal.dll

F7AD6000: \WINDOWS\system32\KDCOM.DLL

F79E6000: \WINDOWS\system32\BOOTVID.dll

F7587000: ACPI.sys

F7AD8000: \WINDOWS\System32\DRIVERS\WMILIB.SYS

F7576000: pci.sys

F75D6000: isapnp.sys

F7B9E000: pciide.sys

F7856000: \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

F7ADA000: intelide.sys

F75E6000: MountMgr.sys

F7557000: ftdisk.sys

F785E000: PartMgr.sys

F75F6000: VolSnap.sys

F753F000: atapi.sys

F7606000: disk.sys

F7616000: \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

F751F000: fltmgr.sys

F750D000: sr.sys

F74F6000: KSecDD.sys

F7469000: Ntfs.sys

F743C000: NDIS.sys

F7421000: Mup.sys

F6BE3000: \SystemRoot\System32\DRIVERS\intelppm.sys

F6BAC000: \SystemRoot\System32\DRIVERS\ialmnt5.sys

F6B98000: \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS

F7926000: \SystemRoot\System32\DRIVERS\usbuhci.sys

F6B75000: \SystemRoot\System32\DRIVERS\USBPORT.SYS

F792E000: \SystemRoot\System32\DRIVERS\usbehci.sys

F7936000: \SystemRoot\System32\DRIVERS\RTL8139.SYS

F6BD3000: \SystemRoot\System32\DRIVERS\i8042prt.sys

F793E000: \SystemRoot\System32\DRIVERS\mouclass.sys

F7946000: \SystemRoot\System32\DRIVERS\kbdclass.sys

F6BC3000: \SystemRoot\System32\DRIVERS\imapi.sys

F7646000: \SystemRoot\System32\DRIVERS\cdrom.sys

F7656000: \SystemRoot\System32\DRIVERS\redbook.sys

F6B52000: \SystemRoot\System32\DRIVERS\ks.sys

F6A8B000: \SystemRoot\system32\drivers\cmuda.sys

F6A67000: \SystemRoot\system32\drivers\portcls.sys

F7666000: \SystemRoot\system32\drivers\drmk.sys

F794E000: \SystemRoot\System32\DRIVERS\fdc.sys

F7676000: \SystemRoot\System32\DRIVERS\serial.sys

F7AAE000: \SystemRoot\System32\DRIVERS\serenum.sys

F7956000: \SystemRoot\System32\DRIVERS\irsir.sys

F7AB2000: \SystemRoot\System32\DRIVERS\irenum.sys

F6A53000: \SystemRoot\System32\DRIVERS\parport.sys

F7ABA000: \SystemRoot\System32\DRIVERS\gameenum.sys

F7C58000: \SystemRoot\system32\drivers\msmpu401.sys

F7C59000: \SystemRoot\System32\DRIVERS\audstub.sys

F795E000: \SystemRoot\System32\DRIVERS\rasirda.sys

F7966000: \SystemRoot\System32\DRIVERS\TDI.SYS

F7686000: \SystemRoot\System32\DRIVERS\rasl2tp.sys

F7AC2000: \SystemRoot\System32\DRIVERS\ndistapi.sys

F6A3C000: \SystemRoot\System32\DRIVERS\ndiswan.sys

F7696000: \SystemRoot\System32\DRIVERS\raspppoe.sys

F76A6000: \SystemRoot\System32\DRIVERS\raspptp.sys

F6A2B000: \SystemRoot\System32\DRIVERS\psched.sys

F76B6000: \SystemRoot\System32\DRIVERS\msgpc.sys

F796E000: \SystemRoot\System32\DRIVERS\ptilink.sys

F7976000: \SystemRoot\System32\DRIVERS\raspti.sys

F76C6000: \SystemRoot\System32\DRIVERS\termdd.sys

F7B02000: \SystemRoot\System32\DRIVERS\swenum.sys

F6996000: \SystemRoot\System32\DRIVERS\update.sys

F7ACE000: \SystemRoot\System32\DRIVERS\mssmbios.sys

EE902000: \SystemRoot\system32\drivers\ialmkchw.sys

EE8E6000: \SystemRoot\system32\drivers\ialmsbw.sys

F76E6000: \SystemRoot\System32\Drivers\NDProxy.SYS

F7706000: \SystemRoot\System32\DRIVERS\usbhub.sys

F7B04000: \SystemRoot\System32\DRIVERS\USBD.SYS

F797E000: \SystemRoot\System32\DRIVERS\flpydisk.sys

F7B06000: \SystemRoot\System32\Drivers\Fs_Rec.SYS

F7CD7000: \SystemRoot\System32\Drivers\Null.SYS

F7B08000: \SystemRoot\System32\Drivers\Beep.SYS

F798E000: \SystemRoot\System32\drivers\vga.sys

F7B0A000: \SystemRoot\System32\Drivers\mnmdd.SYS

F7B0C000: \SystemRoot\System32\DRIVERS\RDPCDD.sys

F7996000: \SystemRoot\System32\Drivers\Msfs.SYS

F799E000: \SystemRoot\System32\Drivers\Npfs.SYS

F7A66000: \SystemRoot\System32\DRIVERS\rasacd.sys

EE863000: \SystemRoot\System32\DRIVERS\ipsec.sys

EE80B000: \SystemRoot\System32\DRIVERS\tcpip.sys

EE7E3000: \SystemRoot\System32\DRIVERS\netbt.sys

F7726000: \SystemRoot\system32\DRIVERS\epfwtdir.sys

EE7C1000: \SystemRoot\System32\drivers\afd.sys

F7736000: \SystemRoot\System32\DRIVERS\netbios.sys

EE796000: \SystemRoot\System32\DRIVERS\rdbss.sys

EE727000: \SystemRoot\System32\DRIVERS\mrxsmb.sys

F7756000: \SystemRoot\System32\Drivers\Fips.SYS

EE706000: \SystemRoot\System32\DRIVERS\ipnat.sys

F7766000: \SystemRoot\System32\DRIVERS\wanarp.sys

F7776000: \SystemRoot\system32\DRIVERS\easdrv.sys

F77C6000: \SystemRoot\System32\Drivers\Cdfs.SYS

EE6C6000: \SystemRoot\System32\Drivers\dump_atapi.sys

F7B14000: \SystemRoot\System32\Drivers\dump_WMILIB.SYS

BF800000: \SystemRoot\System32\win32k.sys

EE8D2000: \SystemRoot\System32\drivers\Dxapi.sys

F79CE000: \SystemRoot\System32\watchdog.sys

BF9C3000: \SystemRoot\System32\drivers\dxg.sys

F7BBC000: \SystemRoot\System32\drivers\dxgthk.sys

BF9E2000: \SystemRoot\System32\ialmdnt5.dll

BF9D5000: \SystemRoot\System32\ialmrnt5.dll

BFA04000: \SystemRoot\System32\ialmdev5.DLL

BFA32000: \SystemRoot\System32\ialmdd5.DLL

BFFA0000: \SystemRoot\System32\ATMFD.DLL

EE4A8000: \SystemRoot\System32\DRIVERS\irda.sys

EE5BE000: \SystemRoot\System32\DRIVERS\ndisuio.sys

EE19B000: \SystemRoot\system32\drivers\wdmaud.sys

EE2F0000: \SystemRoot\system32\drivers\sysaudio.sys

EDF67000: \SystemRoot\System32\DRIVERS\mrxdav.sys

F7B62000: \SystemRoot\System32\Drivers\ParVdm.SYS

EDEF2000: \SystemRoot\system32\DRIVERS\eamon.sys

EDE78000: \SystemRoot\System32\DRIVERS\srv.sys

EDB8F000: \SystemRoot\System32\Drivers\HTTP.sys

ED843000: \SystemRoot\System32\Drivers\Fastfat.SYS

F78E6000: \SystemRoot\system32\DRIVERS\usbccgp.sys

F78FE000: \SystemRoot\system32\DRIVERS\HPZius12.sys

EE592000: \SystemRoot\system32\drivers\hpfxbulk.sys

F7906000: \SystemRoot\system32\drivers\HPFXGEN.SYS

EE1E0000: \SystemRoot\system32\DRIVERS\HPZid412.sys

EDA04000: \SystemRoot\system32\DRIVERS\Dot4Scan.sys

EDA18000: \SystemRoot\system32\DRIVERS\HPZipr12.sys

ED818000: \SystemRoot\system32\drivers\kmixer.sys

7C900000: \WINDOWS\system32\ntdll.dll

124 drivers detected.

C:\Documents and Settings\User>

If this info is helpful, then OK; if not, then I will look for better solutions.
