pzilioli
 asked on

big infection?

Hi guys,
I have a big problem on many PCs in my office.
It's difficult to explain exactly what happens, but I'll try to ask for your help.
I find in the winnt directory (Windows 2000 Professional) a file whose name is a random sequence of characters followed by .exe, which is started at Windows boot.
In fact, when I search the registry I find this exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(example: hrzucas C:\WINNT\system32\ikrgyoe.exe r).
When I kill this process from Task Manager, it immediately creates a new one with a different name.
So, even if I remove the "infected" key from the registry, when Windows restarts the key is created again and the "infected" process lives on.
- We have Symantec Antivirus running on all the PCs, updated daily.
- I analyzed and cleaned the PCs with HijackThis, RootkitRevealer, Prevx Gromozon Removal...
- I booted Windows from the setup CD and under C:\winnt I didn't find the "infected" executable.
I presume this malware is created on Windows startup, but I'm not able to discover the creator.
Can anyone help me?
Thanks in advance

PS. Sorry for my poor English

Security

Last Comment: younghv, 8/22/2022 - Mon
paradoxengine

Can you post some more details about the process and the file?
Something like exact size, details (obtain them through right click > Properties) and such.
WHEN exactly does the worm/virus recreate itself? Right after you've killed it?
pzilioli

ASKER
It seems the worm recreates itself exactly after I've killed it: if I monitor the process list with procexp (a very nice program), I see this:
- Kill process A (iodjiqdj.exe)
- Process B is born (djqwdqf.exe)
- Process A (iodjiqdj.exe) dies

A File Info
Directory: C:\winnt\system32
Size: 85.504 bytes
File Version: 1.1.0.9
Build: 1666
Creation Date: 14/02/2000 06:34:14

File B is exactly the same ...



paradoxengine

OK, I could not find any well-known worm/virus of that size, what a pity.
Can you post a complete list of the processes running on your machine? Maybe we can see something suspect.
You could try the hard way and delete the file via http://www.softpedia.com/get/System/System-Miscellaneous/Unlocker.shtml (the Unlocker) WHILE it's still running.
For sure there is some other copy of it hiding somewhere, ready to be launched at boot time, but there are many places in the registry to look and it might take a while for you to check all of them...
What did HijackThis say about autorunning programs?
younghv

Have you turned off the 'System Restore' function, then booted to Safe Mode to do your system scans?

Safe Mode gives much better detection and cleaning of malware.

Many of the malware programs out there will 'hide' in the System Restore files and then just come back and re-infect your computer on re-boot.

Good Luck,
Vic
rsivanandan

First, it would be better to see if there is something bad 'running' on the machine.

www.hijackthis.de

Go there, download the tool, and run the analysis. It will produce the log. Copy the log, go back to www.hijackthis.de, paste it there and click Analyse. Let it find out what is wrong.

If you see some nasty entries you can remove them; also post the analyzed log here and others will take a look at it too.

Cheers,
Rajesh
pzilioli

ASKER
Logfile of HijackThis v1.99.1
Scan saved at 18:12:49, on 19/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Programmi\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Programmi\Symantec AntiVirus\DefWatch.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\Programmi\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\stisvc.exe
C:\Programmi\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Programmi\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\SYSTEM32\DwAgent.EXE
C:\WINNT\System32\NMSSvc.exe
C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Programmi\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programmi\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Programmi\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\internat.exe
C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programmi\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Administrator.IEODOM\Impostazioni locali\Temp\HijackThis.exe
\pcsis004\temp\procexp.exe

---->>  C:\WINNT\system32\bbhzpwq.exe <<---- THIS IS THE MALWARE!!!!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.ieo.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://it.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0410/bl8.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://it.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.ieo.it:8080;https=proxy.ieo.it:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ieo.it;172.33.*;172.28.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Programmi\Webshots\WSToolbar4IE.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Programmi\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [DwAgent] C:\WINNT\SYSTEM32\DwAgent.EXE
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [CreateCD50] "C:\Programmi\File comuni\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programmi\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Opware12] "C:\Programmi\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Programmi\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Programmi\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Programmi\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\z00096\Desktop\prevxremovaltool.exe" -scan
---->>  O4 - HKLM\..\Run: [ydiivo] C:\WINNT\system32\bbhzpwq.exe r <<----- Even if I remove this key the malware starts on next windows boot

O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Collegamento a AU.lnk = C:\Programmi\AU\AU.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://intranet.ieo.it
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Programmi\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Programmi\Symantec AntiVirus\DefWatch.exe
O23 - Service: Servizio amministrativo di Gestione disco logico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Programmi\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Programmi\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Programmi\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINNT\system32\WinVNC.exe" -service (file missing)
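The question describes a Run entry whose value name and file name are both random strings, started with a bare "r" argument, and the log above shows the same pattern ([ydiivo] bbhzpwq.exe r). The following script is an added example, not part of the thread: it parses HijackThis O4 lines and flags entries that match those traits, using sample lines copied from the log plus one constructed from the question's own example. The heuristics and thresholds are assumptions, not a HijackThis feature.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log above, plus one line built
# from the question's own example (hrzucas / ikrgyoe.exe r). Not real-time data.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [ydiivo] C:\WINNT\system32\bbhzpwq.exe r
O4 - HKLM\..\Run: [hrzucas] C:\WINNT\system32\ikrgyoe.exe r
O4 - HKCU\..\Run: [internat.exe] internat.exe
"""

# HijackThis O4 autostart line: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')

def split_command(cmd):
    # Split a Run value into (exe path, arguments), honouring a quoted path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(' ')
    return exe, args.strip()

def longest_consonant_run(s):
    return max((len(m) for m in re.findall(r'[b-df-hj-np-tv-z]+', s.lower())), default=0)

def score_entry(value_name, exe, args):
    """Return the heuristic reasons an autostart entry resembles the respawning worm."""
    stem = exe.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    reasons = []
    # 1. Value name and file name are both bare lowercase strings that differ from each other
    #    (legitimate entries usually carry a product name such as IgfxTray, or the file name).
    if (re.fullmatch(r'[a-z]{5,12}', value_name) and re.fullmatch(r'[a-z]{5,12}', stem)
            and value_name != stem):
        reasons.append('random-looking value name and file name')
    # 2. Unpronounceable file name (long consonant run), as in bbhzpwq.exe.
    if longest_consonant_run(stem) >= 4:
        reasons.append('unpronounceable file name')
    # 3. The single-letter 'r' argument every respawned copy in this thread is started with.
    if args == 'r':
        reasons.append("launched with bare 'r' argument")
    return reasons

def find_suspicious(log_text, min_reasons=2):
    # Parse O4 lines and return the entries that trip at least min_reasons heuristics.
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, _key, value_name, cmd = m.groups()
        exe, args = split_command(cmd)
        reasons = score_entry(value_name, exe, args)
        if len(reasons) >= min_reasons:
            findings.append({'value': value_name, 'exe': exe, 'args': args, 'reasons': reasons})
    return findings
```

Running find_suspicious(SAMPLE_LOG) reports only the bbhzpwq.exe and ikrgyoe.exe entries; the vendor entries trip at most one heuristic and stay below the threshold.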

younghv

pzilioli,
From your initial description, we know that you have malware.
The key is in clearing it from your machine.
Stopping System Restore and a 'Safe Mode' scan will be a good starting point.
Vic
younghv

Also, this advice from the Virus Page Editor:
rpggamergirl

Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
rsivanandan

This is the analysis result of your hijackthis log;

http://www.hijackthis.de/logfiles/9959e7cf459e3b76134ebe4604459535.html

As you can see, there are some 'Unknown' processes and some 'nasty' stuff too.

1. First make sure the unknown stuff is valid for you (browse and make sure that it is part of an application installed by YOU). Or even temporarily uninstall those programs.

2. You need to remove the ones which are 'Nasty'. I see that you've got 'mywebsearch', which is part of the mess.

So I would suggest you download these 2 tools and try to clean the machine;

Ewido -> http://free.grisoft.com/doc/1

and

Adaware -> www.lavasoftusa.com (download the personal edition)

Run both tools when you are in safe mode and remove whatever they find as nasty.

Then disable System Restore so that you don't bring those things back when you go back at some other time.

Let me know how it goes.

Cheers,
Rajesh
younghv

Hi Rajesh,
"Then disable the system-restore"

Shouldn't he disable System Restore PRIOR to the scans?

Regards,
Vic
rsivanandan

No, he should first scan and clean everything, then disable System Restore and run everything again. Once he has made sure, he can turn it on.

Cheers,
Rajesh
Mohamed Osama

Hi there, here is my analysis of your HijackThis log. I am good at this, trust me :)

I am assuming you didn't install those remote control clients yourself (DameWare NT Utilities & Ultra VNC).
You will first have to copy this to a txt file, save it, close all Internet Explorer and Windows Explorer windows, then reboot into safe mode,
run the same HijackThis scan again,
and tick the following entries for fixing.

This is a full cleanup, not just for the malware.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

O4 - HKLM\..\Run: [DwAgent] C:\WINNT\SYSTEM32\DwAgent.EXE

O4 - HKLM\..\Run: [WinVNC] "C:\WINNT\system32\WinVNC.exe" -servicehelper

O4 - HKLM\..\Run: [PrevxRootkitRemovalTool] "C:\Documents and Settings\z00096\Desktop\prevxremovaltool.exe" -scan  (Typical trojan behaviour: poses as something useful while it keeps a low profile)

O4 - HKLM\..\Run: [ydiivo] C:\WINNT\system32\bbhzpwq.exe r

Provided you booted into safe mode, they are not active in memory.

To uninstall DameWare remote control:
Start > Run > cmd and type DNTUS26.EXE -remove

As for VNC, it's already gone, but try going to Start > Run > services.msc and set the properties
of the service called WinVNC to disabled.

Fix checked, then reboot.
You can also use HijackThis to delete several files on reboot from the Misc Tools section.

I would recommend
creating a new txt file (make sure you are showing file extensions:
My Computer > Tools > Folder Options > View, and uncheck "Hide extensions for known file types" if it wasn't unchecked already)
and typing the following in Notepad:

@echo off
rem Paths containing spaces must be quoted, otherwise del treats each word as a separate file name
del "C:\Documents and Settings\z00096\Desktop\prevxremovaltool.exe" /Q

rem The trailing "r" on the Run entry is a launch argument, not part of the file name
del C:\WINNT\system32\bbhzpwq.exe /Q

del C:\WINNT\SYSTEM32\DwAgent.EXE /Q

Net Stop "DameWare Mini Remote Control"

Net Stop "DameWare NT Utilities 2.6"

rem Use the full path: the batch file is not necessarily started from C:\WINNT
cd /d C:\WINNT\system32

DNTUS26.EXE -remove

DWRCS.EXE -remove

Pause

Save it all as cleanup.bat and run it both before and after reboot if you want to.

Good Luck :)

younghv

The Altiris is also a resource hog and problem creator.
If you don't need it (or didn't install it), try to uninstall it through Add/Remove programs, but you will probably have to use something like CCleaner (www.ccleaner.com) to really clean it out of your registry.
ASKER CERTIFIED SOLUTION
rpggamergirl

rpggamergirl

I see you already tried Process Explorer.

Have you tried it this way?
1.  Canned for Process Explorer:
Open your C:\Windows\System32 folder and locate the "bad process".
Don't delete it yet, because you can't for the moment.
Leave your System32 folder open with the view on that bad file.

Now, double-click on "procexp.exe".

You'll see all the running processes there.
Search for the bad process.
Double-click on the bad process.

A new window will open.
You'll see several tabs on top.
Make sure "Threads" is selected.
(Normally that one will open by default.)
You'll see two instances of that bad process in there.
Select the first one and click Kill.
Answer YES at the prompt.

Now delete the bad process in your System32 folder.


2.  Here's another way from malware experts.
Download APT: http://www.diamondcs.com.au/index.php?page=apt
Open APT and search in the window for the "bad process".
Open your System32 folder and search for the bad file. Don't delete it yet, just leave the System32 folder open so you can see the bad file.
In APT again, select the bad process and click "Kill3".

Then immediately delete the bad file in your System32 folder.
And fix the O4 in HijackThis.

rpggamergirl


Thank you very much!
younghv

"Huntress" strikes again!