Jump to content

Recommended Posts

Hi, this is my 1st post...

I am MCSE/CCNP etc... so consider myself close to expert.... but this new thread has fooled me big time.

On June 2nd, 2010, I was on one of the torrent sites with FireFox 3.6.3 & Java Version 6 Update 20

One of the malware banner installed itself... I noticed it within 10 secs of it installing on my pc. Disconnected my internet & cleared cache & disabled Java plugin. For next few days everything went smooth, however I never rebooted my PC. I had also checked my msconfig, did not found any odd entries. No new processes or at least names were familiar. 3 days later rebooted PC...

Problem started, within few mins I started noticing lot of internet traffic. RUN TcpView from MS. I saw lot of SMTP connections from services.exe & Run Wireshark to see lot of Viagra etc emails been streamed out.

Over the years I have learned some tricks to counter attack this...

I changed default gateway to something else, so connection will be their not no internet traffic. I can still use local network.

I connected to my router & setup filter to block all in/out SMTP 25 port traffic for my home subnet.

Looked into Registry for Run/RunOnce in Current User & local machine.

Nothing.

I submitted sample of

Windows\explorer.exe

Windows\system32\alg.exe

Windows\system32\svchost.exe

Windows\system32\services.exe

came out clean.

I also went into registry for

I did not find any new dll or other files listed in system32 folder sorted by date [DIR /OD]

Only connections I am seeing is from during startup of PC is svchost.exe to internet & later non-stop services.exe connectiing & once a while explorer.exe connecting. I have also installed Zone Alarm free version to block these programs from connecting outside.

I have also scanned PC with Norton AV, Trend, Malwarebytes, Superspyware, spybot, PCtool Spyware doctor.

None of them able to detect this unknown virus so far. Since doing all this now I am only seeing port 80 connections from services.exe

Here is a attached Zone Alarm Log file. Please ignore PCtools & "google update" blocking in it.

Help Please

ZALog2010.06.04.txt

ZALog2010.06.05.txt

Link to post
Share on other sites

any help guys?

well, none of the AV & other scanners detecting anything yet... however I was able to find the file that is doing this.

file was located at C:\Windows\System32\drivers\dleanxk.sys

I was unable to rename, copy or delete it.

same in Safe mode & Windows recovery DOS mode.

I was finally able to rename it with booting from CD & going to Windows recovery DOS mode. No services.exe connection anymore... nothing in firewall logs so far.

However as I was trying to upload it to Virustotal, file got deleted, by some unknown process. Anyway, here is registry it creates.... it's partial list.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLEANXK]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLEANXK\0000]
"Service"="dleanxk"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="dleanxk"
"Capabilities"=dword:00000000
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\\0036"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLEANXK\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DLEANXK\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dleanxk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000000
"Group"="Boot Bus Extender"
"tW3ulj7"=hex:fb,d8,d9,85,0a,22,76,b9
"yNd7b4kG8"=hex:02,06,3c,ce,aa,bc,05,e3,0a,09,e8,79,03,02,b5,38,e8,ab,86,87,cb,\
2c,4f,ea,98,c3,09,dc,9d,c0,c4,b8,a7,06,1f,01,ba,72,19,c4,42,4b,eb,01,28,3e,\
ce,08,17,0d,25,00,fa,e0,a8,1d,45,72,f3,0e,34,fa,b5,2d,65,13,38,f8,75,dd,f3,\
7d,54,f3,57,13,43,52,96,ee,a2,ea,b1,8c,c5,f6,34,08,52,b8,7a,d9,58,6d,55,4d,\
fa,89,e9,28,ef,15,97,a4,4a,62,b7,d3,f4,7e,c4,ca
"ldM0n4w4"=hex:2c,2d,4e,49

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dleanxk\Enum]
"0"="Root\\LEGACY_DLEANXK\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

I hope someone can explain this.

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.