• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1092

Infected computer possible Malware

Here are the symptoms:
Explorer opens to site: www.hotboy.com
Outlook leaves mail in the outbox and doesn't send
Application logs show the computer isn't getting group policy

Symantec picked up this error:

Scan type:  Manual Scan
Event:  Risk Found!
Risk: Downloader
File:  C:\System Volume Information\_restore{E900C247-6AF1-4CB4-8919-93F16F0E4F10}\RP350\A0043290.dll
Location:  C:\System Volume Information\_restore{E900C247-6AF1-4CB4-8919-93F16F0E4F10}\RP350
Computer:  WINADM01
User:  ABACUS-CORP\davidf
Action taken:  Cleaned by Deletion
Date found: 2008-11-04  1:49:24 AM

ComboFix is in the code snippet

ComboFix 08-11-03.04 - davidf 2008-11-04  1:19:45.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1399 [GMT -6:00]
Running from: c:\documents and settings\davidf\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((   Files Created from 2008-10-04 to 2008-11-04  )))))))))))))))))))))))))))))))
.
 
2008-10-30 10:43 . 2008-10-30 16:26	<DIR>	d--------	c:\documents and settings\davidf\Application Data\Bozteck
2008-10-30 09:01 . 2008-10-30 10:35	18	--a------	C:\qConnect.dat
2008-10-30 08:43 . 2008-10-30 08:43	<DIR>	d--------	C:\fastpush
2008-10-30 08:25 . 2008-10-30 10:39	<DIR>	d--------	c:\program files\Bozteck
2008-10-30 08:24 . 2008-10-30 08:24	0	--a------	c:\windows\vpc32.INI
2008-10-29 23:11 . 2008-10-29 23:11	920,064	--a------	c:\windows\system32\RDPRemoteEnabler.exe
2008-10-28 15:58 . 2008-10-28 15:58	877,756	--a------	C:\state-of-being-3200x1200.JPG
2008-10-27 21:24 . 2008-10-27 21:24	7,709	--a------	C:\oldcmp.20081027-222439.htm
2008-10-27 21:19 . 2008-10-27 21:19	15,116	--a------	C:\oldcmp.20081027-221919.html
2008-10-27 21:18 . 2008-10-27 21:18	225,855	--a------	C:\oldcmp.20081027-221802.html
2008-10-27 09:48 . 2008-10-27 09:48	<DIR>	d--------	c:\program files\Specopssoft
2008-10-27 09:48 . 2008-10-27 09:48	<DIR>	d--------	c:\program files\Common Files\Specopssoft
2008-10-27 09:05 . 2008-10-27 09:06	<DIR>	d--------	C:\0ef60d18e60f41e02491271e8718ce
2008-10-27 09:04 . 2008-10-27 09:26	<DIR>	d--------	c:\windows\SxsCaPendDel
2008-10-24 13:19 . 2008-10-24 13:19	<DIR>	d--------	c:\windows\system32\PsTools
2008-10-24 13:14 . 2008-10-24 13:14	1,398	--a------	c:\windows\system32\mapisvc.inf
2008-10-24 13:12 . 2003-06-24 01:00	8,192	--a------	c:\windows\system32\drivers\exifsmsg.dll
2008-10-24 13:09 . 2008-10-24 13:09	<DIR>	d--------	c:\program files\Microsoft Integration
2008-10-24 13:09 . 2008-10-24 13:10	<DIR>	d--------	c:\program files\Exchsrvr
2008-10-23 15:31 . 2008-10-23 15:31	<DIR>	d--------	c:\windows\IIS Temporary Compressed Files
2008-10-23 15:29 . 2004-08-04 06:00	268,288	--a--c---	c:\windows\system32\dllcache\httpext.dll
2008-10-23 15:28 . 2008-10-23 15:37	<DIR>	d--------	C:\Inetpub
2008-10-23 12:34 . 2008-10-23 12:34	<DIR>	d--------	c:\program files\IIS
2008-10-17 00:17 . 2008-10-17 00:17	<DIR>	d--------	c:\windows\system32\RemoteStorage
2008-10-13 16:23 . 2008-10-13 16:23	<DIR>	d--------	c:\program files\Common Files\L&H
2008-10-08 14:15 . 2008-10-08 14:15	69,632	--a------	c:\documents and settings\davidf\bench32.exe
2008-10-08 13:30 . 2008-10-08 13:30	<DIR>	d--------	c:\program files\Microsoft Expression
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 07:13	---------	d-----w	c:\program files\Symantec AntiVirus
2008-11-03 20:45	---------	d-----w	c:\program files\TaskbarShuffle
2008-10-28 15:52	433,664	----a-w	c:\windows\system32\AdQueueLoop.exe
2008-10-28 03:31	2,013,184	----a-w	c:\windows\system32\AdFind.exe
2008-10-28 03:16	600,576	----a-w	c:\windows\system32\OldCmp.exe
2008-10-24 19:19	243,072	----a-w	c:\windows\system32\Psinfo.exe
2008-10-24 19:19	234,536	----a-w	c:\windows\system32\psexec.exe
2008-10-24 19:19	207,664	----a-w	c:\windows\system32\psshutdown.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\pssuspend.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\pskill.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\psgetsid.exe
2008-10-24 19:19	125,744	----a-w	c:\windows\system32\pslist.exe
2008-10-24 19:19	113,456	----a-w	c:\windows\system32\psloglist.exe
2008-10-24 19:19	107,560	----a-w	c:\windows\system32\psservice.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\pspasswd.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\psloggedon.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\psfile.exe
2008-10-23 20:36	---------	d-----w	c:\program files\Microsoft Silverlight
2008-10-18 23:01	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-18 22:51	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-10-18 22:50	---------	d-----w	c:\program files\Microsoft Works
2008-10-13 00:03	---------	d-----w	c:\program files\Trillian
2008-10-06 21:11	318,976	----a-w	c:\windows\system32\GetUserInfo.exe
2008-09-23 21:06	---------	d-----w	c:\program files\MSBuild
2008-09-23 20:57	---------	d-----w	c:\program files\Microsoft Visual Studio 8
2008-09-22 19:36	---------	d-----w	c:\documents and settings\davidf\Application Data\Windows Desktop Search
2008-09-17 20:17	---------	d-----w	c:\documents and settings\davidf\Application Data\Windows Search
2008-09-15 11:57	1,846,016	----a-w	c:\windows\system32\win32k.sys
2008-09-11 23:58	---------	d-----w	c:\documents and settings\davidf\Application Data\Express Software Manager
2008-09-09 16:28	---------	d-----w	c:\program files\Windows Desktop Search
2008-09-08 08:14	---------	d-----w	c:\program files\AutoHotkey
2008-08-28 08:00	74,752	----a-w	c:\windows\system32\msw3prt.dll
2008-08-28 08:00	104,448	----a-w	c:\windows\system32\win32spl.dll
2008-08-26 07:24	826,368	----a-w	c:\windows\system32\wininet.dll
2008-08-14 09:58	2,136,064	----a-w	c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22	2,015,744	----a-w	c:\windows\system32\ntkrnlpa.exe
.
 
(((((((((((((((((((((((((((((   snapshot@2008-11-03_14.51.47.33   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-03 20:48:19	128,630	----a-w	c:\windows\system32\perfc009.dat
+ 2008-11-03 20:49:05	128,630	----a-w	c:\windows\system32\perfc009.dat
- 2008-11-03 20:48:20	611,168	----a-w	c:\windows\system32\perfh009.dat
+ 2008-11-03 20:49:06	611,168	----a-w	c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2004-09-14 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EMMeter"="c:\windows\system32\wex4962\EMMeter.exe" [2007-11-15 544768]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]
 
c:\documents and settings\davidf\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2008-10-01 1873280]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Barracuda IM Client.lnk - c:\windows\Installer\{505E81CF-00FA-41BF-BE4E-DF7303C766F3}\_3464C1A70F1EF283C2F5D1.exe [2008-05-12 4286]
Taskbar Shuffle.lnk - c:\program files\TaskbarShuffle\taskbarshuffle.exe [2008-08-21 818176]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoNTSecurity"= 1 (0x1)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{606427C1-E5F0-4001-832B-BD7DF391ECA7}"= "c:\windows\system32\wex4962\EMMeterHook800.dll" [2007-11-15 147456]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad1\distribution\Enterprise\Enterprise_Machine_Startup.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-2973\Scripts\Logon\0\0]
"Script"=whowhere.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-2973\Scripts\Logon\1\0]
"Script"=bginfo.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-3769\Scripts\Logon\0\0]
"Script"=whowhere.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-3769\Scripts\Logon\1\0]
"Script"=bginfo.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
 
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [2003-06-24 3117568]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\DRIVERS\VPCAppSv.sys [2004-05-17 10374]
S3 rexesvr;BeyondLogic RmtExec Server;c:\windows\System32\rexesvr.exe [2008-04-24 61440]
.
Contents of the 'Scheduled Tasks' folder
 
2008-11-03 c:\windows\Tasks\david.job
- c:\program files\Internet Explorer\iexplore.exe [2008-08-22 23:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\davidf\Application Data\Mozilla\Firefox\Profiles\8ch0tezf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 01:21:10
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-11-04  1:22:40
ComboFix-quarantined-files.txt  2008-11-04 07:22:22
ComboFix2.txt  2008-11-03 21:16:44
ComboFix3.txt  2008-11-03 20:52:20
 
Pre-Run: 111,586,185,216 bytes free
Post-Run: 111,675,191,296 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /execute /fastdetect
 
189	--- E O F ---	2008-10-24 09:02:43

Asked by: LrdKanien

3 Solutions
 
tdor Commented:
Hi

You have a lot of files on your HDD that are used to take remote control of computers

I would recommend that you run a full scan of the HDD with your installed AV,
then use the online AV scanners from Trend Micro and Kaspersky:
 - http://housecall.trendmicro.com/
 - http://www.kaspersky.com/virusscanner


Then use SpyBot/AdAware to remove any components of malware that might download the virus back:
(spyBot) http://www.safer-networking.org/en/download/
(AdAware) http://www.lavasoft.com/products/ad_aware_free.php


Then use RootKitRemover to check for any rootkits:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


Files that you can remove if you do not know what they are used for:

c:\windows\system32\RDPRemoteEnabler.exe

c:\windows\system32\Psinfo.exe
c:\windows\system32\psexec.exe
c:\windows\system32\psshutdown.exe
c:\windows\system32\pssuspend.exe
c:\windows\system32\pskill.exe
c:\windows\system32\psgetsid.exe
c:\windows\system32\pslist.exe
c:\windows\system32\psloglist.exe
c:\windows\system32\psservice.exe
c:\windows\system32\pspasswd.exe
c:\windows\system32\psloggedon.exe
c:\windows\system32\psfile.exe

c:\windows\system32\GetUserInfo.exe


Regards,
Tdor
 
LrdKanien (Author) Commented:
I'm an Administrator.  All of the Pstools are made by microsoft and I put them in the system32 dir.  I use them to do many things across my network, such as remotely executing code.  The getuserinfo is joeware, which is a source that many people trust and you should check out at joeware.net.  

Anyone else?
 
tdor Commented:
Hi,

:) I knew about the files, however I did not want to start by assuming anything (and I did want to know that you are an admin and you work with Exchange, PsTools, keep an eye on the ADQueue, etc...)

About the error you received: it says "Cleaned by Deletion". However, do you keep receiving it? If yes, then have you tried SpyBot?

I'm intrigued by c:\windows\SxsCaPendDel (see the last 4 entries in the thread)
http://forums.whatthetech.com/Problem_Removing_Virtumonde_t89176.html


tdor
 
rpggamergirl Commented:

The file that Symantec found is in the System Restore folder. To remove it you just need to turn off System Restore to flush the infected restore points,
reboot (that should remove all the viruses in that folder along with the restore points), then turn it back on again.

How to turn System Restore off and on:
http://support.microsoft.com/kb/310405
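A small triage helper, added here as an example and not part of the thread or of ComboFix itself: it parses lines in the format the ComboFix log above uses, lists executables that landed in system32 and are not on an admin-supplied allowlist (the check tdor's file list and LrdKanien's reply about PsTools did by hand), and recognises a System Restore copy like the one Symantec flagged, which is what rpggamergirl's advice about flushing restore points addresses. The function names are mine; the sample lines and allowlist are copied from the log and replies above.

```python
import re
# Constructed sample in the line format ComboFix uses above ("Files Created"
# lines carry two timestamps, created . modified; Find3M lines carry one),
# copied from the log posted in the question.
SAMPLE_LOG = """\
2008-10-29 23:11 . 2008-10-29 23:11\t920,064\t--a------\tc:\\windows\\system32\\RDPRemoteEnabler.exe
2008-10-24 13:19 . 2008-10-24 13:19\t<DIR>\td--------\tc:\\windows\\system32\\PsTools
2008-10-24 19:19\t234,536\t----a-w\tc:\\windows\\system32\\psexec.exe
2008-10-06 21:11\t318,976\t----a-w\tc:\\windows\\system32\\GetUserInfo.exe
2008-09-15 11:57\t1,846,016\t----a-w\tc:\\windows\\system32\\win32k.sys
"""
# Tools the admin vouched for in the thread (PsTools, joeware's GetUserInfo).
ADMIN_ALLOWLIST = ["psexec.exe", "pslist.exe", "pskill.exe", "GetUserInfo.exe"]
ENTRY_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"          # first timestamp
    r"(?: \. (?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"  # optional second one
    r"\t(?P<size><DIR>|[\d,]+)\t(?P<attrs>\S+)\t(?P<path>.+)$")
# System Restore snapshot layout: \_restore{GUID}\RPnnn\A00xxxxx.ext
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\A\d+\.\w+$",
    re.IGNORECASE)

def parse_entries(text):
    """Parse ComboFix file-listing lines; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # section banners, dots and blank lines
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        stamps = [m["ts1"]] + ([m["ts2"]] if m["ts2"] else [])
        entries.append({"path": m["path"], "size": size,
                        "attrs": m["attrs"], "timestamps": stamps})
    return entries

def unknown_system32_executables(entries, allowlist=ADMIN_ALLOWLIST):
    """Executables that landed in system32 and are not on the admin's allowlist."""
    allow = {n.lower() for n in allowlist}
    hits = []
    for e in entries:
        lowered = e["path"].lower()
        name = lowered.rsplit("\\", 1)[-1]
        if "\\windows\\system32\\" in lowered and name.endswith(".exe") and name not in allow:
            hits.append(e["path"])
    return hits

def restore_point_number(path):
    """RPnnn number when the path is a System Restore copy of a file, else None."""
    m = RESTORE_RE.search(path)
    return int(m["rp"]) if m else None
```

A hit under `_restore{...}\RPnnn` is a snapshot of a file that once lived elsewhere, so the original location, not the restore point, is where the infection came in.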
 
LrdKanien (Author) Commented:
Thanks again.
 
rpggamergirl Commented:
Thanks!
 
LrdKanien (Author) Commented:
I'm still having popups to the gay site.  I downloaded spybot s&d and I'm running that now.