CrniAngeo Posted June 7, 2010 ID:263460

Hello, recently I got this worm which disabled my latest Sophos. The user doesn't have admin rights; it seems it spreads and exploits some bug in the spooler service. I uploaded these files to virusscan.jotti.org; none of these AVs recognised it. I really don't know what to do - the worm has infected 7 computers right now. It is unable to start these programs:

- HijackThis
- SpybotSD
- ComboFix (BSOD)
- SDFix doesn't find anything
- Malwarebytes Anti-Malware is unable to start (intermittently killed)
- the process which always runs is wmpkpl.exe (it is possible to kill it, but it always starts up again)
- it infects all other drives like USB keys or similar
- the hosts file is always changed from the normal few KB to some 5 MegaBytes

Sophos log:

Process 'c:\WINDOWS\system32\nxts02.exe@' exhibiting suspicious behavior pattern 'HIPS/FileMod-001'. No action taken. Please send a sample to Sophos.
Process 'C:\WINDOWS\system32\svchost.exe' exhibiting suspicious behavior pattern 'Buffer Overflow'. No action taken. Please send a sample to Sophos.
Process 'C:\WINDOWS\system32\svchost.exe' exhibiting suspicious behavior pattern 'Buffer Overflow'. No action taken. Please send a sample to Sophos.
Process 'C:\WINDOWS\system32\svchost.exe' exhibiting suspicious behavior pattern 'Buffer Overflow'. No action taken. Please send a sample to Sophos.
Process 'C:\WINDOWS\system32\svchost.exe' exhibiting suspicious behavior pattern 'Buffer Overflow'. No action taken. Please send a sample to Sophos.
Process 'c:\WINDOWS\system32\wmpkpl.exe' exhibiting suspicious behavior pattern 'HIPS/RegMod-007'. No action taken. Please send a sample to Sophos.

Attach.txt log:

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&1117367&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&1117367&0
Service: i8042prt

==== System Restore Points ===================

x

==== Image File Execution Options =============

IFEO: Ad-Aware.exe - ntsd -d
IFEO: Ad-AwareAdmin.exe - ntsd -d
IFEO: AvastSvc.exe - ntsd -d
IFEO: avastUI.exe - ntsd -d
IFEO: avp.exe - ntsd -d
IFEO: bdagent.exe - ntsd -d
IFEO: ccSvcHst.exe - ntsd -d
IFEO: conime.exe - wmpkph.exe
IFEO: AutorunsDisabled - wmpkph.exe
IFEO: egui.exe - ntsd -d
IFEO: ekrn.exe - ntsd -d
IFEO: KAV32.exe - ntsd -d
IFEO: KAVSVC.exe - ntsd -d
IFEO: livesrv.exe - ntsd -d
IFEO: mbam.exe - ntsd -d
IFEO: mrt.exe - ntsd -d
IFEO: mrtstub.exe - ntsd -d
IFEO: msascui.exe - ntsd -d
IFEO: msmpeng.exe - ntsd -d
IFEO: PREVX.exe - ntsd -d
IFEO: seccenter.exe - ntsd -d
IFEO: symlcsvc.exe - ntsd -d
IFEO: vsserv.exe - ntsd -d

==== Installed Programs ======================

32 Bit HP BiDi Channel Components Installer
Acrobat.com
ActivCard SmartReader
ActivClient 6.1 x86
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 9
Broadcom Management Programs
Broadcom NetXtreme Ethernet Controller
BufferChm
Compatibility Pack for the 2007 Office system
CreaSignClientIE
CutePDF Writer 2.7
Destination Component
DeviceManagementQFolder
Diagnostics for Windows
DocProc
DocProcQFolder
Easy CD & DVD Creator 6
eSupportQFolder
getPlus® for Adobe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
HP Imaging Device Functions 9.0
hp L1730 INF and ICM software
HP OCR Software 9.0
HP Photosmart Essential
HP Scanjet 5530 9.0
HP Solution Center 9.0
HP Update
hpg5530
hpg5530QFolder
HPProductAssistant
Intel® Graphics Media Accelerator Driver
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_05
Java 6 Update 7
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
PanoStandAlone
PDFCreator
Previous Versions Client
Prevx
RegScrubXP 3.25
Remote Diagnostics Enabling Agent
Scan
ScannerCopy
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Skype

bla.zip
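Added example, not part of the original post or of any tool named in it: the Attach.txt log above shows the two host-side indicators a responder would want to check on every machine, namely Image File Execution Options (IFEO) "Debugger" values pointing security tools at `ntsd -d` (or at the worm binary itself, as for conime.exe), and a hosts file that has grown from a few KB to several MB. Setting a Debugger value under an image's IFEO key makes Windows launch that debugger instead of the image, which is exactly why mbam.exe, HijackThis and the others never start. The script below enumerates those hijacks, removes the Debugger value (with -WhatIf first) and reports the hosts file size and entry count. It assumes PowerShell 3 or newer on the target (the XP hosts in the thread may not have it, in which case the same keys can be inspected with regedit); the function names, the Wow6432Node path (only present on 64-bit Windows) and the 64 KB / 50-entry hosts thresholds are my assumptions, not values from the page.

```powershell
# Added triage script (not from the original thread). Run from an elevated prompt.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Only exists on 64-bit Windows; skipped if absent (assumption: worth checking there too).
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Returns one object per IFEO subkey that carries a Debugger value.
    # Legitimate systems normally have none, so every hit deserves a look;
    # 'ntsd -d' silently swallows the target program, and a Debugger that names
    # a worm binary (wmpkph.exe in the log above) runs it whenever the victim
    # starts the hijacked tool.
    foreach ($path in $IfeoPaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName
                    Debugger = $dbg
                    Key      = $_.PSPath
                }
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Deletes only the Debugger value, not the whole key (other IFEO values can be
    # legitimate, e.g. GlobalFlag set by application verifier). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($PSCmdlet.ShouldProcess($Entry.Image, "Remove IFEO Debugger '$($Entry.Debugger)'")) {
            Remove-ItemProperty -Path $Entry.Key -Name Debugger
        }
    }
}

function Test-HostsFile {
    # The post reports the hosts file growing to ~5 MB: a classic way to blackhole
    # AV update and vendor domains. Report size and the number of address lines.
    $hosts   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $info    = Get-Item $hosts
    $entries = @(Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
    [pscustomobject]@{
        Path       = $hosts
        SizeBytes  = $info.Length
        Entries    = $entries.Count
        # Thresholds are an assumption; a stock hosts file is under 1 KB with 0-2 entries.
        Suspicious = ($info.Length -gt 64KB) -or ($entries.Count -gt 50)
    }
}

# Usage:
Get-IfeoDebugger | Format-Table -AutoSize
# Preview the cleanup, then drop -WhatIf once the list looks right.
Get-IfeoDebugger | Where-Object { $_.Debugger -match 'ntsd|wmpkp' } | Remove-IfeoDebugger -WhatIf
Test-HostsFile
```

Removing the Debugger values is only useful after the process that re-creates them (wmpkpl.exe in this thread) has been stopped and its autostart removed; otherwise the keys come back, as the poster observed with the process itself. Run the script against the clean machines as well, since a hit there is an early sign of the spread the poster describes.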
Maurice Naggar Posted June 17, 2010 ID:269349

Hello, it's been just over 10 days since your post in this sub-forum. Please tell us if the issues have been resolved, or if you are still seeking guided help. If the latter, please run a new (fresh) DDS scan and reply with a copy of DDS.txt.

Maurice Naggar Posted June 22, 2010 ID:271933

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!