
Very Nasty Trojan at Work



I posted this in one of the other forums. A Trojan of some type has appeared on my machine after I attempted to watch a streaming video.

The trojan in question hijacks the Windows Automatic Updates alerts and sends constant messages that the firewall and update alerts are off. It also has rooted itself somewhere so that it can still activate when the computer is in safe mode. It is not possible to remove it with System Restore as no matter how far back one takes it, it insists that no changes are made to the system. It also refuses to allow a browser to open and rewrites the registry so that the computer will no longer recognise the file associations when you double click on them. The File Manager showed that a program known as owu.exe was in operation during the worst of these.

I have run every virus scan under the sun from Malwarebytes, Adaware, AVG, Iobit and SuperAntiSpyware. Some of these have picked up problems and removed them. They have cleaned various things up. The owu.exe is removed, the web accessible, the file associations restored and the worst of the numerous pop-ups about Windows alerts gone. However, there is still a persistent taskbar icon that says that Windows alerts are turned off and I cannot use System Restore.

I am at wits' end regarding trying to get rid of this. Can someone out there please help with some suggestions as to what else I might be able to do?

To this I would add a couple of things. People have suggested that the little red shield pop-up that keeps appearing at the bottom of the taskbar is simply Windows wanting me to turn back on the firewall and automatic updates. This is not the case as:-

1) this is the exact same error message that first appeared when the trojan did

2) no matter how many times I click to turn them on via Security Center under Control Panel, the firewall will not turn on, while the System under Control Panel insists that Automatic Updates are already turned on

3) It is still not possible to conduct a System Restore

I have followed the instructions given and the log is posted. HOWEVER, after conducting a GMER rootkit search twice, at the point when the scan was completed the program informed me that it was unable to complete the scan, all data had been lost and the computer then froze up.

The remaining virus is also causing problems with the browsers. It will not allow IE Explorer to open and Firefox now has a bad habit of intermittently crashing when you open tabs.

The Trojan also appears to be associated with wscntfy.exe in the Task Manager. Whenever one quits this particular process, the shield with the automatic updates warning does disappear but reappears a few seconds later. I have done a search on where wscntfy.exe is located in the system. There are several of these located at c:\1386 (two of them here), windows\$NTServicePackUninstall$ (three here), three under Windows/Prefetch, two under Windows/ERDNT/cache, Windows/ServicePack/Files/1386, three under Windows/System32, also two entitled WSCNTFY.EXE-0B14C27D.pf under Windows/Prefetch.

I have included the log files that I am able to, as requested, all except for the GMER rootkit scan.

Please somebody help with this!!

DDS.txt

Attach.txt

mbam-log-2011-08-01 (09-00-53).txt


  • Staff

Hi and welcome to Malwarebytes.

In the future, please post all logs directly into your reply instead of attaching them.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


I ran ComboFix first and this appears to have cleared everything up. Immediately after ComboFix finished its run, Windows started to automatically update.

There were also a number of error reports that kept popping up during the ComboFix run that said "16 Bit MSDOSSubsystem. The NTVDM CPU has encountered an illegal instruction. CS:06e IP:0147 OP:63 68 61 72 73". This appeared maybe 30 times or more during the ComboFix run. Don't know if this is significant.

Logs are as follows:-

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7384

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

05/08/2011 6:42:04 AM

mbam-log-2011-08-05 (06-42-04).txt

Scan type: Quick scan

Objects scanned: 201914

Time elapsed: 31 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\Winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

ComboFix 11-08-05.01 - Everyone Else 05/08/2011 5:16.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.502.120 [GMT -7:00]

Running from: c:\documents and settings\Everyone Else\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

/wow section - STAGE 6A

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

The process cannot access the file because it is being used by another process.

.

ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat

to: http://www.bleepingcomputer.com/submit-malware.php?channel=4

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Everyone Else\Application Data\PriceGong

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\1.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\a.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\b.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\c.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\d.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\e.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\f.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\g.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\h.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\i.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\j.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\k.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\l.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\m.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\n.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\o.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\p.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\q.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\r.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\s.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\t.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\u.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\v.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\w.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\wlu.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\x.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\y.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\z.txt

c:\documents and settings\Everyone Else\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Everyone Else\Local Settings\Application Data\aqnj.exe

c:\documents and settings\Everyone Else\Local Settings\Application Data\dlnq.exe

c:\documents and settings\Everyone Else\Local Settings\Application Data\pnaf.exe

c:\documents and settings\Everyone Else\Local Settings\Application Data\ycxq.exe

c:\windows\iun6002.exe

c:\windows\system32\system

.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\userinit.exe

.

Infected copy of c:\windows\system32\user32.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\user32.dll

.

Infected copy of c:\windows\system32\lsass.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\lsass.exe

.

Infected copy of c:\windows\system32\ws2help.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\ws2help.dll

.

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\ws2_32.dll

.

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\kbdclass.sys

.

c:\windows\system32\usp10.dll . . . is infected!!

.

Infected copy of c:\windows\system32\msimg32.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\msimg32.dll

.

Infected copy of c:\windows\Winlogon.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

.

c:\windows\explorer.exe . . . is infected!!

.

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe

.

Infected copy of c:\windows\system32\lpk.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\lpk.dll

.

Infected copy of c:\windows\system32\comres.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\comres.dll

.

Infected copy of c:\windows\system32\mfc40u.dll was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll

.

Infected copy of c:\windows\system32\svchost.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\svchost.exe

.

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\msgsvc.dll

.

Infected copy of c:\windows\system32\uxtheme.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\uxtheme.dll

.

Infected copy of c:\program files\internet explorer\iexplore.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\iexplore.exe

.

Infected copy of c:\windows\system32\midimap.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\midimap.dll

.

Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\wuauclt.exe

.

c:\windows\system32\comctl32.dll . . . is infected!!

.

c:\windows\system32\debug.exe . . . is infected!!

.

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\acpiec.sys

.

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\ndis.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_RKHIT

.

.

((((((((((((((((((((((((( Files Created from 2011-07-05 to 2011-08-05 )))))))))))))))))))))))))))))))

.

.

No new files created in this timespan

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\mswsock.dll ... is infected !!

.

c:\windows\system32\svchost.exe ... Infected -- Win32.Qhost !!

-c----w- 14,336 2004-08-04 10:00 c:\windows\$NtServicePackUninstall$\svchost.exe

----a-w- 14,336 2008-04-14 00:12 c:\windows\ERDNT\cache\svchost.exe

----a-w- 31,166 2011-08-05 07:13 c:\windows\Prefetch\SVCHOST.EXE-2D5FBD18.pf

------w- 14,336 2008-04-14 00:12 c:\windows\ServicePackFiles\i386\svchost.exe

----a-w- 14,336 2008-04-14 00:12 c:\windows\system32\svchost.exe

.

Entries: 5 (5)

Directories: 0 Files: 5

Bytes: 88,510 Blocks: 173

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-29 98304]

"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

.

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]

.

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]

.

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]

backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

.

.

------- Supplementary Scan -------

.

TCP: DhcpNameServer = 192.168.1.254 192.168.1.254

FF - ProfilePath - c:\documents and settings\Everyone Else\Application Data\Mozilla\Firefox\Profiles\se7t3lqv.default\

FF - prefs.js: browser.startup.homepage - www.google.com

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

HKLM-Run-AVG9_TRAY - Disable_By_c:\progra~1\AVG\AVG9\avgtray.exe

HKLM-Run-dellsupportcenter - Disable_By_c:\program files\Dell Support Center\bin\sprtcmd.exe

AddRemove-Eusing Free Registry Cleaner - c:\progra~1\EUSING~1\UNWISE.EXE

AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-08-05 05:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,7d,33,ea,23,7e,39,44,98,a7,7c,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2f,7d,33,ea,23,7e,39,44,98,a7,7c,\

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\brss01a.exe

c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe

c:\program files\IObit\Advanced SystemCare 4\ASCService.exe

c:\program files\AVG\AVG9\avgwdsvc.exe

c:\program files\AVG\AVG9\avgfws9.exe

c:\windows\system32\Brmfrmps.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-08-05 06:03:57 - machine was rebooted

ComboFix-quarantined-files.txt 2011-08-05 13:03

ComboFix2.txt 2010-03-29 07:46

.

Pre-Run: 5,011,218,432 bytes free

Post-Run: 6,990,737,408 bytes free

.

- - End Of File - - 2DA0D26EF1E3C0F69D2EB92A9AA09E04

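Reading a ComboFix report of this length by hand is error-prone. As an added example (not part of this thread and not ComboFix's own code), the Python script below pairs each "Infected copy ... was found and disinfected" line with the "Restored copy from" line that follows it, lists files flagged as infected with no restore recorded, and points out files that were restored and then flagged again later in the report, as svchost.exe is above. The report excerpt embedded in the script is a constructed sample in the same format.

```python
"""Triage a ComboFix report: which infected files were repaired and from which
backup store, and which remain flagged with no clean copy restored. Added
example for this thread, not ComboFix code; SAMPLE_REPORT is a constructed
excerpt in the report's own format."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "Infected copy of <path> was found and disinfected" + "Restored copy from - <backup>"
DISINFECTED = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED = re.compile(r"^Restored copy from - (?P<backup>.+)$")
# "<path> . . . is infected!!", "<path> ... is infected !!",
# "<path> ... Infected -- <family> !!": flagged, but no replacement recorded
FLAGGED = re.compile(
    r"^(?P<path>\S.*?) (?:\. \. \.|\.\.\.) (?:is infected|Infected -- (?P<family>.+?)) ?!!$"
)

SAMPLE_REPORT = r"""
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
c:\windows\system32\usp10.dll . . . is infected!!
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
Infected copy of c:\windows\system32\msimg32.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\msimg32.dll
.
c:\windows\system32\mswsock.dll ... is infected !!
c:\windows\system32\svchost.exe ... Infected -- Win32.Qhost !!
"""


@dataclass
class Triage:
    repaired: List[Tuple[str, str]] = field(default_factory=list)           # (file, backup)
    flagged: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (file, family)


def parse_combofix(text: str) -> Triage:
    """One pass over the report, pairing each disinfected file with the
    'Restored copy' line that follows it."""
    result, pending = Triage(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DISINFECTED.match(line):
            pending = m["path"]
        elif (m := RESTORED.match(line)) and pending is not None:
            result.repaired.append((pending, m["backup"]))
            pending = None
        elif m := FLAGGED.match(line):
            result.flagged.append((m["path"], m["family"]))
    return result


def backup_sources(t: Triage) -> Counter:
    """Repairs per backup store (ERDNT cache, ServicePackFiles, $hf_mig$ ...)."""
    return Counter(backup.rsplit("\\", 1)[0].lower() for _, backup in t.repaired)


def needs_manual_replacement(t: Triage) -> List[str]:
    """Flagged files with no restore recorded: replace them from install media."""
    return sorted({p.lower() for p, _ in t.flagged} - {p.lower() for p, _ in t.repaired})


def reflagged_after_repair(t: Triage) -> List[str]:
    """Restored from backup yet flagged again later: the backup copy may itself
    be bad, or the infection is being re-applied at runtime."""
    return sorted({p.lower() for p, _ in t.flagged} & {p.lower() for p, _ in t.repaired})
```

Run `parse_combofix()` over the full report text and feed the result to the three helpers to get the list of files still needing attention.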

  • Staff

Hi,

Please upload this file...

C:\ComboFix_error.dat

...to this location:

http://www.bleepingc...e.php?channel=4

For Link to topic where this file was requested: put:

http://forums.malwarebytes.org/index.php?showtopic=91460

Under Leave any comments, further information about this file, or contact information: put:

"For sUBs from screen317"


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
