
Our corporate computers were running Kaspersky when we were hit by a virus from an infected web page located here: hxxp://www.simetric.co.uk/si_cc2hp.htm. Kaspersky did not stop it and it propagated to about 30 PCs across 2 subnets. Noticeable damage was an instant loss of remote desktop connectivity to or from the infected computers. If the infected computer is rebooted, it stops at the Windows loading screen and then cycles infinitely. Safe mode and last known good configuration do the same thing. Running MBAM on an infected test machine removed the malware files, but the reboot and remote desktop connectivity were still broken.

Then I test-infected another computer and followed the prep directions at the top of this forum. After following all the steps, the computers were rebootable and remote desktop functionality was restored.

My remaining problem is fixing the computers that were shut down and are no longer bootable. Here are the logs, including the Spybot S&D log (the check and fix logs together):

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

30.11.2008 15:14:19 - ##### check started #####

30.11.2008 15:14:19 - ### Version: 1.6.0

30.11.2008 15:14:19 - ### Date: 11/30/2008 3:14:19 PM

30.11.2008 15:14:22 - ##### checking bots #####

30.11.2008 15:18:05 - found: Win32.Agent.pz Settings

30.11.2008 15:18:05 - found: Win32.Agent.pz Settings

30.11.2008 15:18:05 - found: Win32.Agent.pz Settings

30.11.2008 15:22:06 - found: Win32.Agent.icb Settings

30.11.2008 15:32:46 - found: Win32.Agent.jg Program directory

30.11.2008 15:32:46 - found: Win32.Agent.jg File

30.11.2008 15:32:46 - found: Win32.Agent.jg File

30.11.2008 15:32:46 - found: Win32.Agent.jg File

30.11.2008 15:32:48 - found: Win32.TDSS.rtk Settings

30.11.2008 15:32:48 - found: Win32.TDSS.rtk Data

30.11.2008 15:34:00 - ##### check finished #####

Win32.Agent.pz: [sBI $7EC6899E] Settings (Registry value, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [sBI $8980C6CD] Settings (Registry value, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [sBI $0F1C75F7] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.icb: [sBI $1E3889AA] Settings (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\kfpInit_Dlls

Win32.Agent.jg: [sBI $AFA60660] Program directory (Directory, nothing done)

C:\WINDOWS\system32\twain_32\

Win32.Agent.jg: [sBI $D2B4E1D7] File (File, nothing done)

C:\WINDOWS\system32\twain_32\local.ds

Win32.Agent.jg: [sBI $48DFF879] File (File, nothing done)

C:\WINDOWS\system32\twain_32\user.ds

Win32.Agent.jg: [sBI $5E9C320C] File (File, nothing done)

C:\WINDOWS\system32\twext.exe

Win32.TDSS.rtk: [sBI $1C88479D] Settings (Directory, nothing done)

C:\Documents and Settings\LocalService\Application Data\twain_32\

Win32.TDSS.rtk: [sBI $5A2B8A3C] Data (File, nothing done)

C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds

2008-07-07 blindman.exe (1.0.0.8)

2008-07-07 SDFiles.exe (1.6.0.4)

2008-07-07 SDMain.exe (1.0.0.6)

2008-07-07 SDShred.exe (1.0.2.3)

2008-07-07 SDUpdate.exe (1.6.0.8)

2008-07-07 SDWinSec.exe (1.0.0.12)

2008-07-07 SpybotSD.exe (1.6.0.30)

2008-09-16 TeaTimer.exe (1.6.3.25)

2008-11-30 unins000.exe (51.49.0.0)

2008-07-07 Update.exe (1.6.0.7)

2008-10-22 advcheck.dll (1.6.2.13)

2007-04-02 aports.dll (2.1.0.0)

2008-06-14 DelZip179.dll (1.79.11.1)

2008-09-15 SDHelper.dll (1.6.2.14)

2008-06-19 sqlite3.dll

2008-10-22 Tools.dll (2.1.6.8)

2008-11-04 Includes\Adware.sbi (*)

2008-11-25 Includes\AdwareC.sbi (*)

2008-06-03 Includes\Cookies.sbi (*)

2008-09-02 Includes\Dialer.sbi (*)

2008-09-09 Includes\DialerC.sbi (*)

2008-07-23 Includes\HeavyDuty.sbi (*)

2008-11-18 Includes\Hijackers.sbi (*)

2008-11-18 Includes\HijackersC.sbi (*)

2008-09-09 Includes\Keyloggers.sbi (*)

2008-11-18 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2008-11-18 Includes\Malware.sbi (*)

2008-11-25 Includes\MalwareC.sbi (*)

2008-11-03 Includes\PUPS.sbi (*)

2008-11-25 Includes\PUPSC.sbi (*)

2007-11-07 Includes\Revision.sbi (*)

2008-06-18 Includes\Security.sbi (*)

2008-11-25 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2008-11-04 Includes\Spyware.sbi (*)

2008-11-11 Includes\SpywareC.sbi (*)

2008-06-03 Includes\Tracks.uti

2008-11-04 Includes\Trojans.sbi (*)

2008-11-26 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll


NOTE: I did not reboot between scans because of the reboot damage done by the virus.

-----------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.30

Database version: 1439

Windows 5.1.2600 Service Pack 3

11/30/2008 4:18:14 PM

mbam-log-2008-11-30 (16-18-10).txt

Scan type: Quick Scan

Objects scanned: 59328

Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 13

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\nvaux32.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb2648 (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd1281 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga1371 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc8469 (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb8026 (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd782 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga8521 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc3075 (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb8976 (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd253 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga7008 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc1065 (Backdoor.Bot) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:

C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> No action taken.

Files Infected:

C:\Documents and Settings\Administrator\Local Settings\Temp\1BA.tmp (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Temp\res.exe (Trojan.Agent) -> No action taken.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\85AZCDI3\res[1].exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\nvaux32.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> No action taken.

C:\WINDOWS\system32\aston.mt (Trojan.FakeAlert) -> No action taken.


PandaActive Scan Log

;*******************************************************************************

ANALYSIS: 2008-11-30 18:46:22

PROTECTIONS: 0

MALWARE: 5

SUSPECTS: 5

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.HEBRONBRICK\Cookies\administrator@statse.webtrendslive[2].txt

03491464 W32/Patched.D Virus Yes 0 Yes No C:\WINDOWS\system32\USER32.dll

03491464 W32/Patched.D Virus No 0 Yes No C:\WINDOWS\system32\dllcache\user32.dll

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\drivers\ucpfsvy.sys

04195277 Trj/Downloader.MDW Virus/Trojan Yes 2 Yes No C:\WINDOWS\system32\nvaux32.dll

04198074 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\Documents and Settings\Administrator\Local Settings\Temp\manun.exe

04198074 Trj/Downloader.MDW Virus/Trojan Yes 2 Yes No C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\manun.exe

;===============================================================================

SUSPECTS

Sent Location !1

;===============================================================================

No C:\Documents and Settings\Administrator\Desktop\a.exe !1

No C:\Documents and Settings\Administrator\Local Settings\Temp\wJQs.exe !1

No C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\STM3GH23\CA05S5WN.gif

No C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\STM3GH23\CANOTJHY.gif

No C:\WINDOWS\system32\paso.el !1

;===============================================================================

VULNERABILITIES

Id Severity Description !1

;===============================================================================

;===============================================================================


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:47:24 PM, on 11/30/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\astsrv.exe

C:\WINDOWS\system32\PMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\manun.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [EPA_EZ_GPO_Tool] C:\WINDOWS\system32\EZ_GPO_Tool.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [uIUCU] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\RunOnce: [spybotDeletingA1371] command /c del "C:\WINDOWS\system32\twain_32\local.ds"

O4 - HKLM\..\RunOnce: [spybotDeletingC8469] cmd /c del "C:\WINDOWS\system32\twain_32\local.ds"

O4 - HKLM\..\RunOnce: [spybotDeletingA8521] command /c del "C:\WINDOWS\system32\twain_32\user.ds"

O4 - HKLM\..\RunOnce: [spybotDeletingC3075] cmd /c del "C:\WINDOWS\system32\twain_32\user.ds"

O4 - HKLM\..\RunOnce: [spybotDeletingA7008] command /c del "C:\WINDOWS\system32\twext.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingC1065] cmd /c del "C:\WINDOWS\system32\twext.exe"

O4 - HKLM\..\RunOnce: [spybotDeletingA8805] command /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"

O4 - HKLM\..\RunOnce: [spybotDeletingC2634] cmd /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\RunOnce: [spybotDeletingB2648] command /c del "C:\WINDOWS\system32\twain_32\local.ds"

O4 - HKCU\..\RunOnce: [spybotDeletingD1281] cmd /c del "C:\WINDOWS\system32\twain_32\local.ds"

O4 - HKCU\..\RunOnce: [spybotDeletingB8026] command /c del "C:\WINDOWS\system32\twain_32\user.ds"

O4 - HKCU\..\RunOnce: [spybotDeletingD782] cmd /c del "C:\WINDOWS\system32\twain_32\user.ds"

O4 - HKCU\..\RunOnce: [spybotDeletingB8976] command /c del "C:\WINDOWS\system32\twext.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingD253] cmd /c del "C:\WINDOWS\system32\twext.exe"

O4 - HKCU\..\RunOnce: [spybotDeletingB4209] command /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"

O4 - HKCU\..\RunOnce: [spybotDeletingD3422] cmd /c del "C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds"

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1202915539203

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224695352881

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{10F61D57-37AB-43EE-8971-AAFFD4994307}: NameServer = 198.41.0.4,216.239.0.76

O17 - HKLM\System\CS1\Services\Tcpip\..\{10F61D57-37AB-43EE-8971-AAFFD4994307}: NameServer = 198.41.0.4,216.239.0.76

O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe

O23 - Service: Energy Star EZ GPO Power Management Configuration Tool (EPA_GPO_PMService) - TerraNovum - C:\WINDOWS\system32\PMService.exe

--

End of file - 6906 bytes

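The MBAM and HijackThis logs above both show the same persistence mechanism: the Winlogon Userinit value has been extended from the XP default (C:\WINDOWS\system32\userinit.exe,) to also launch C:\WINDOWS\system32\twext.exe, so winlogon starts the backdoor at every logon, whatever Run keys get cleaned. The following is an added example, not code from the original poster or from any of the tools whose logs appear in this thread. It parses a Userinit value into the entries winlogon would launch, flags anything that is not the genuine userinit.exe in system32, scans HijackThis F2 lines for the same, and rebuilds a clean value. It assumes %SystemRoot% is C:\WINDOWS (as in the posted logs), and the sample log lines are constructed, modelled on the HijackThis output above. One caveat the code enforces: the repaired value must still contain the real userinit.exe; a Userinit value with no working userinit.exe leaves winlogon unable to start a shell, which looks like a hang at logon.

```python
r"""Detect and repair a Winlogon\Userinit hijack of the kind shown in the logs above.

winlogon.exe launches every comma-separated entry of
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit at logon,
so an appended twext.exe runs with the user's rights on every logon.
Assumption: %SystemRoot% is C:\WINDOWS, as in the posted logs.
"""
from __future__ import annotations

import ntpath
import re

SYSTEM_ROOT = r"c:\windows"                              # assumption: matches the posted logs
EXPECTED_BASENAME = "userinit.exe"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"  # XP default, trailing comma included

# HijackThis only prints an F2 UserInit line when the value differs from the default.
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)


def parse_userinit(value: str) -> list[str]:
    """Split the Userinit data on commas and drop empty entries (the trailing comma)."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def is_genuine_userinit(entry: str) -> bool:
    """True only for userinit.exe in system32, written absolutely or relative to %SystemRoot%."""
    path = entry.strip().strip('"').lower().replace("%systemroot%", SYSTEM_ROOT)
    directory, base = ntpath.split(path)
    if base != EXPECTED_BASENAME:
        return False
    # Accept the three spellings Windows itself uses for the system32 copy.
    return directory in ("", "system32", ntpath.join(SYSTEM_ROOT, "system32"))


def userinit_extras(value: str) -> list[str]:
    """Entries winlogon would launch that are not the genuine userinit.exe."""
    return [e for e in parse_userinit(value) if not is_genuine_userinit(e)]


def clean_userinit(value: str) -> str:
    """Rebuild the value with only the genuine entry.

    The real userinit.exe must stay: without it winlogon never starts the shell.
    If the hijack replaced it outright, fall back to the XP default.
    """
    genuine = [e for e in parse_userinit(value) if is_genuine_userinit(e)]
    return (genuine[0] + ",") if genuine else DEFAULT_USERINIT


def scan_hijackthis(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, extra entries) for every F2 UserInit line carrying a hijack."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = F2_USERINIT.match(line.strip())
        if match:
            extras = userinit_extras(match.group(1))
            if extras:
                findings.append((number, extras))
    return findings


# Constructed sample, modelled on the HijackThis log posted above.
SAMPLE_HJT_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,",
    r"O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe",
]

if __name__ == "__main__":
    for number, extras in scan_hijackthis(SAMPLE_HJT_LOG):
        value = F2_USERINIT.match(SAMPLE_HJT_LOG[number - 1].strip()).group(1)
        print(f"line {number}: Userinit also launches {extras}")
        print(f"  repaired value: {clean_userinit(value)}")
```

Run against a saved HijackThis log, the scan reports line 2 with C:\WINDOWS\system32\twext.exe as the extra entry and proposes C:\WINDOWS\system32\userinit.exe, as the repaired value. Writing that value back is a registry edit the operator performs; this example only computes it, and it deliberately keeps the genuine entry rather than emptying the value.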

Then I test-infected another computer and followed the prep directions at the top of this forum. After following all the steps, the computers were rebootable and remote desktop functionality was restored.

I need to correct and clarify my statement above; the test computer that I infected and then applied these steps to will (re)boot. The computers that were infected by this outbreak in my office will not (re)boot if I run Spybot S&D and MBAM scan and fix. The difference is that Kaspersky took first swipe at them and removed *some* of the files and signatures. And, yes, I am pausing Kaspersky when I run SBS&D and MBAM on infected desktops.
