
lkckclckl1i1i.com communications



Our firewall picked up SpyEye C&C traffic from a PC. Ran Malwarebytes two days ago and deleted some trojan files, ran it a second time and deleted one more file. That resolved the SpyEye issue. In Websense we tracked massive web browsing from this PC that was not coming from the user. This website (http://lkckclckl1i1i.com) played a prominent, repeating role in the destinations. Google led me to a thread in this forum. Following the lead in the thread, I ran ComboFix on the PC and it would reboot partway through the scan. Decided to follow the instructions provided in the forum. Ran Malwarebytes again (no hits), DeFogger, DDS, and GMER (the PC restarted at least 3 times before we completed a scan and captured the log). Logs are attached. The DDS log follows. Thank you!

Craig

DDS (Ver_10-03-17.01) - NTFSx86

Run by RMILLHOLLIN at 11:48:10.49 on Thu 07/29/2010

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.981.505 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\AMT\atchksrv.exe

C:\WINDOWS\SYSTEM32\DWRCS.EXE

C:\Program Files\Intel\AMT\LMS.exe

C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Microsoft SQL Server\MSSQL$JJKA_KDS\Binn\sqlservr.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\TIREMOTE\TIRemoteService.exe

C:\Program Files\Intel\AMT\UNS.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\DWRCST.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Documents and Settings\rmillhollin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.cachecreek.com/

mDefault_Page_URL = hxxp://intranet.cachecreek.com/

uInternet Connection Wizard,ShellNext = hxxp://intranet.cachecreek.com/

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [xgukxzrvux.exe] c:\xgukxzrvux.exe\xgukxzrvux.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe

dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bginfo~1.lnk - c:\cachecreek\bginfo\bginfo.bat

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: cachecreek.com\intranet

Trusted Zone: cachecreek.com\mail

Trusted Zone: cccr-dw01

Trusted Zone: cccr.com\archivemanager

Trusted Zone: cccr.com\cccr-dw01

Trusted Zone: cccr.com\intranet2

Trusted Zone: cccr.com\utaapp01

Trusted Zone: cachecreek.com\intranet

Trusted Zone: cachecreek.com\mail

Trusted Zone: cccr-dw01

Trusted Zone: cccr.com\archivemanager

Trusted Zone: cccr.com\cccr-dw01

Trusted Zone: cccr.com\intranet2

Trusted Zone: cccr.com\utaapp01

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200366114062

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://eatec01/crystalreportviewers10/activeXcontrols/activexviewer.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-18 343664]

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\EngineServer.exe [2009-10-22 21256]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-10 103744]

R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-10-22 146448]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-10-22 66896]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-11-18 70728]

R2 MSSQL$JJKA_KDS;MSSQL$JJKA_KDS;c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlservr.exe -sjjka_kds --> c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlservr.exe -sJJKA_KDS [?]

R2 TIRmtSvc;Track-It! Workstation Manager;c:\windows\tiremote\TIRemoteService.exe [2009-11-28 210944]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2008-1-14 2521880]

R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-18 91672]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-18 43288]

S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]

S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2010-7-29 256512]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-11-18 65448]

S3 SQLAgent$JJKA_KDS;SQLAgent$JJKA_KDS;c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlagent.exe -i jjka_kds --> c:\program files\microsoft sql server\mssql$jjka_kds\binn\sqlagent.EXE -i JJKA_KDS [?]

=============== Created Last 30 ================

2010-07-29 18:43:01 0 ----a-w- c:\documents and settings\rmillhollin\defogger_reenable

2010-07-29 17:46:10 0 d-s---w- C:\ComboFix

2010-07-29 17:31:34 0 d-sha-r- C:\cmdcons

2010-07-29 17:29:53 77312 ----a-w- c:\windows\MBR.exe

2010-07-29 17:29:50 256512 ----a-w- c:\windows\PEV.exe

2010-07-29 17:29:50 161792 ----a-w- c:\windows\SWREG.exe

2010-07-29 17:29:49 98816 ----a-w- c:\windows\sed.exe

2010-07-27 16:28:29 0 d-----w- c:\docume~1\rmillh~1\applic~1\Malwarebytes

2010-07-27 16:23:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-27 16:23:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-27 16:23:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-27 16:23:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-07 15:26:32 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

============= FINISH: 11:48:45.49 ===============

Attach.zip

mbam_log_2010_07_27__10_21_29_.zip

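As an added example (not part of the original post, and not DDS, Malwarebytes or forum-staff code), here is a small triage script for the autostart section of a DDS log like the one above. It parses the uRun/mRun/dRun and StartupFolder lines, pulls the launch target out of each command line (quoted or unquoted, with or without arguments), and reports targets that start from outside the Windows and Program Files trees or that sit in a directory carrying the executable's own name. The trusted-prefix list and the "directory named like its executable" rule are heuristics chosen for this example, not rules from any tool; the sample input is copied from the log in the post.

```python
"""Triage DDS "Pseudo HJT Report" autostart entries.

Added example, not part of the original post and not DDS or Malwarebytes
code. It reads the uRun/mRun/dRun and StartupFolder lines that DDS prints,
extracts the launch target from each command line, and flags targets that a
triage analyst would want to look at first. The trusted-prefix list and the
"directory named like its own executable" rule are heuristics chosen for this
example, not rules from any tool.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the DDS log in the post above (constructed sample input).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [xgukxzrvux.exe] c:\xgukxzrvux.exe\xgukxzrvux.exe
mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bginfo~1.lnk - c:\cachecreek\bginfo\bginfo.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
"""

# Where installed software normally lives on an XP box (assumption for this
# example). Anything launched from elsewhere (drive root, user profile, a
# site-specific folder) gets a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

RUN_LINE = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_LINE = re.compile(r"^StartupFolder: (?P<lnk>\S+) - (?P<cmd>.+)$")
# Unquoted path: everything up to the first executable extension that is
# followed by whitespace or end of line (so "x.exe\x.exe" is not cut short).
UNQUOTED_TARGET = re.compile(r"(.+?\.(?:exe|bat|cmd|scr|dll|com))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # uRun / mRun / dRun / StartupFolder
    name: str     # value name or shortcut name
    target: str   # lower-cased launch path
    reason: str


def launch_target(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Quoted form:   "c:\\program files\\x\\y.exe" /flag
    Unquoted form: c:\\windows\\system32\\z.exe /flag
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end != -1 else cmd[1:]
    else:
        m = UNQUOTED_TARGET.match(cmd)
        path = m.group(1) if m else cmd.split()[0]
    return path.lower()


def classify(target: str) -> List[str]:
    """Return the reasons a target deserves review; an empty list means nothing odd."""
    reasons = []
    if not target.startswith(TRUSTED_PREFIXES):
        reasons.append("launch target outside the Windows / Program Files trees")
    parent = ntpath.basename(ntpath.dirname(target))
    if parent and parent == ntpath.basename(target):
        reasons.append("executable sits in a directory that shares its name")
    return reasons


def triage(dds_text: str) -> List[Finding]:
    """Parse the autostart lines of a DDS log and return the entries to review."""
    findings = []
    for line in dds_text.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line)
        if m:
            source, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        else:
            m = STARTUP_LINE.match(line)
            if not m:
                continue
            source, name, cmd = "StartupFolder", ntpath.basename(m.group("lnk")), m.group("cmd")
        target = launch_target(cmd)
        reasons = classify(target)
        if reasons:
            findings.append(Finding(source, name, target, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:13} {f.name:20} {f.target}\n{'':34} -> {f.reason}")
```

Run against the sample, the script reports two entries: `c:\xgukxzrvux.exe\xgukxzrvux.exe` on both rules (launched from the drive root, inside a directory named after the executable), and the site's own `c:\cachecreek\bginfo\bginfo.bat` on the location rule alone. The second hit is why the output is a review list rather than a verdict: a location heuristic cannot tell a site startup script from a dropper, so an analyst either allowlists known site paths or checks hashes and signatures on whatever is flagged. The first hit is the one entry in the log that nothing else on the page accounts for, and it is where a practitioner would start.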

This appears to be a corporate-owned machine. As a business computer you need to have a license for use of MBAM. Please send me a private message with your Cleverbridge order reference number and we can assist you from Corporate Support.

Thank you.

It very much is. Thanks for the clarification. I'll see what I can arrange.
