Solved

Infected computer possible Malware

Posted on 2008-11-04
1,069 Views
Last Modified: 2013-12-09
Here are the symptoms:
Explorer opens to site : www.hotboy.com
Outlook leaves mail in outbox and doesn't send
Application logs show computer isn't getting group policy

Symantec picked up this error:

Scan type:  Manual Scan
Event:  Risk Found!
Risk: Downloader
File:  C:\System Volume Information\_restore{E900C247-6AF1-4CB4-8919-93F16F0E4F10}\RP350\A0043290.dll
Location:  C:\System Volume Information\_restore{E900C247-6AF1-4CB4-8919-93F16F0E4F10}\RP350
Computer:  WINADM01
User:  ABACUS-CORP\davidf
Action taken:  Cleaned by Deletion
Date found: 2008-11-04  1:49:24 AM

ComboFix is in the code snippet

ComboFix 08-11-03.04 - davidf 2008-11-04  1:19:45.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1399 [GMT -6:00]
Running from: c:\documents and settings\davidf\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((   Files Created from 2008-10-04 to 2008-11-04  )))))))))))))))))))))))))))))))
.
 
2008-10-30 10:43 . 2008-10-30 16:26	<DIR>	d--------	c:\documents and settings\davidf\Application Data\Bozteck
2008-10-30 09:01 . 2008-10-30 10:35	18	--a------	C:\qConnect.dat
2008-10-30 08:43 . 2008-10-30 08:43	<DIR>	d--------	C:\fastpush
2008-10-30 08:25 . 2008-10-30 10:39	<DIR>	d--------	c:\program files\Bozteck
2008-10-30 08:24 . 2008-10-30 08:24	0	--a------	c:\windows\vpc32.INI
2008-10-29 23:11 . 2008-10-29 23:11	920,064	--a------	c:\windows\system32\RDPRemoteEnabler.exe
2008-10-28 15:58 . 2008-10-28 15:58	877,756	--a------	C:\state-of-being-3200x1200.JPG
2008-10-27 21:24 . 2008-10-27 21:24	7,709	--a------	C:\oldcmp.20081027-222439.htm
2008-10-27 21:19 . 2008-10-27 21:19	15,116	--a------	C:\oldcmp.20081027-221919.html
2008-10-27 21:18 . 2008-10-27 21:18	225,855	--a------	C:\oldcmp.20081027-221802.html
2008-10-27 09:48 . 2008-10-27 09:48	<DIR>	d--------	c:\program files\Specopssoft
2008-10-27 09:48 . 2008-10-27 09:48	<DIR>	d--------	c:\program files\Common Files\Specopssoft
2008-10-27 09:05 . 2008-10-27 09:06	<DIR>	d--------	C:\0ef60d18e60f41e02491271e8718ce
2008-10-27 09:04 . 2008-10-27 09:26	<DIR>	d--------	c:\windows\SxsCaPendDel
2008-10-24 13:19 . 2008-10-24 13:19	<DIR>	d--------	c:\windows\system32\PsTools
2008-10-24 13:14 . 2008-10-24 13:14	1,398	--a------	c:\windows\system32\mapisvc.inf
2008-10-24 13:12 . 2003-06-24 01:00	8,192	--a------	c:\windows\system32\drivers\exifsmsg.dll
2008-10-24 13:09 . 2008-10-24 13:09	<DIR>	d--------	c:\program files\Microsoft Integration
2008-10-24 13:09 . 2008-10-24 13:10	<DIR>	d--------	c:\program files\Exchsrvr
2008-10-23 15:31 . 2008-10-23 15:31	<DIR>	d--------	c:\windows\IIS Temporary Compressed Files
2008-10-23 15:29 . 2004-08-04 06:00	268,288	--a--c---	c:\windows\system32\dllcache\httpext.dll
2008-10-23 15:28 . 2008-10-23 15:37	<DIR>	d--------	C:\Inetpub
2008-10-23 12:34 . 2008-10-23 12:34	<DIR>	d--------	c:\program files\IIS
2008-10-17 00:17 . 2008-10-17 00:17	<DIR>	d--------	c:\windows\system32\RemoteStorage
2008-10-13 16:23 . 2008-10-13 16:23	<DIR>	d--------	c:\program files\Common Files\L&H
2008-10-08 14:15 . 2008-10-08 14:15	69,632	--a------	c:\documents and settings\davidf\bench32.exe
2008-10-08 13:30 . 2008-10-08 13:30	<DIR>	d--------	c:\program files\Microsoft Expression
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 07:13	---------	d-----w	c:\program files\Symantec AntiVirus
2008-11-03 20:45	---------	d-----w	c:\program files\TaskbarShuffle
2008-10-28 15:52	433,664	----a-w	c:\windows\system32\AdQueueLoop.exe
2008-10-28 03:31	2,013,184	----a-w	c:\windows\system32\AdFind.exe
2008-10-28 03:16	600,576	----a-w	c:\windows\system32\OldCmp.exe
2008-10-24 19:19	243,072	----a-w	c:\windows\system32\Psinfo.exe
2008-10-24 19:19	234,536	----a-w	c:\windows\system32\psexec.exe
2008-10-24 19:19	207,664	----a-w	c:\windows\system32\psshutdown.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\pssuspend.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\pskill.exe
2008-10-24 19:19	187,184	----a-w	c:\windows\system32\psgetsid.exe
2008-10-24 19:19	125,744	----a-w	c:\windows\system32\pslist.exe
2008-10-24 19:19	113,456	----a-w	c:\windows\system32\psloglist.exe
2008-10-24 19:19	107,560	----a-w	c:\windows\system32\psservice.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\pspasswd.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\psloggedon.exe
2008-10-24 19:19	105,264	----a-w	c:\windows\system32\psfile.exe
2008-10-23 20:36	---------	d-----w	c:\program files\Microsoft Silverlight
2008-10-18 23:01	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-18 22:51	---------	d-----w	c:\program files\Microsoft ActiveSync
2008-10-18 22:50	---------	d-----w	c:\program files\Microsoft Works
2008-10-13 00:03	---------	d-----w	c:\program files\Trillian
2008-10-06 21:11	318,976	----a-w	c:\windows\system32\GetUserInfo.exe
2008-09-23 21:06	---------	d-----w	c:\program files\MSBuild
2008-09-23 20:57	---------	d-----w	c:\program files\Microsoft Visual Studio 8
2008-09-22 19:36	---------	d-----w	c:\documents and settings\davidf\Application Data\Windows Desktop Search
2008-09-17 20:17	---------	d-----w	c:\documents and settings\davidf\Application Data\Windows Search
2008-09-15 11:57	1,846,016	----a-w	c:\windows\system32\win32k.sys
2008-09-11 23:58	---------	d-----w	c:\documents and settings\davidf\Application Data\Express Software Manager
2008-09-09 16:28	---------	d-----w	c:\program files\Windows Desktop Search
2008-09-08 08:14	---------	d-----w	c:\program files\AutoHotkey
2008-08-28 08:00	74,752	----a-w	c:\windows\system32\msw3prt.dll
2008-08-28 08:00	104,448	----a-w	c:\windows\system32\win32spl.dll
2008-08-26 07:24	826,368	----a-w	c:\windows\system32\wininet.dll
2008-08-14 09:58	2,136,064	----a-w	c:\windows\system32\ntoskrnl.exe
2008-08-14 09:22	2,015,744	----a-w	c:\windows\system32\ntkrnlpa.exe
.
 
(((((((((((((((((((((((((((((   snapshot@2008-11-03_14.51.47.33   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-03 20:48:19	128,630	----a-w	c:\windows\system32\perfc009.dat
+ 2008-11-03 20:49:05	128,630	----a-w	c:\windows\system32\perfc009.dat
- 2008-11-03 20:48:20	611,168	----a-w	c:\windows\system32\perfh009.dat
+ 2008-11-03 20:49:06	611,168	----a-w	c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2004-09-14 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"EMMeter"="c:\windows\system32\wex4962\EMMeter.exe" [2007-11-15 544768]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-15 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-17 c:\windows\SkyTel.exe]
 
c:\documents and settings\davidf\Start Menu\Programs\Startup\
Trillian.lnk - c:\program files\Trillian\trillian.exe [2008-10-01 1873280]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Barracuda IM Client.lnk - c:\windows\Installer\{505E81CF-00FA-41BF-BE4E-DF7303C766F3}\_3464C1A70F1EF283C2F5D1.exe [2008-05-12 4286]
Taskbar Shuffle.lnk - c:\program files\TaskbarShuffle\taskbarshuffle.exe [2008-08-21 818176]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoNTSecurity"= 1 (0x1)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{606427C1-E5F0-4001-832B-BD7DF391ECA7}"= "c:\windows\system32\wex4962\EMMeterHook800.dll" [2007-11-15 147456]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\ad1\distribution\Enterprise\Enterprise_Machine_Startup.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-2973\Scripts\Logon\0\0]
"Script"=whowhere.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-2973\Scripts\Logon\1\0]
"Script"=bginfo.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-3769\Scripts\Logon\0\0]
"Script"=whowhere.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1220945662-484763869-839522115-3769\Scripts\Logon\1\0]
"Script"=bginfo.vbs
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
 
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [2003-06-24 3117568]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\DRIVERS\VPCAppSv.sys [2004-05-17 10374]
S3 rexesvr;BeyondLogic RmtExec Server;c:\windows\System32\rexesvr.exe [2008-04-24 61440]
.
Contents of the 'Scheduled Tasks' folder
 
2008-11-03 c:\windows\Tasks\david.job
- c:\program files\Internet Explorer\iexplore.exe [2008-08-22 23:56]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\davidf\Application Data\Mozilla\Firefox\Profiles\8ch0tezf.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 01:21:10
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
Completion time: 2008-11-04  1:22:40
ComboFix-quarantined-files.txt  2008-11-04 07:22:22
ComboFix2.txt  2008-11-03 21:16:44
ComboFix3.txt  2008-11-03 20:52:20
 
Pre-Run: 111,586,185,216 bytes free
Post-Run: 111,675,191,296 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /execute /fastdetect
 
189	--- E O F ---	2008-10-24 09:02:43


Question by:LrdKanien
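A first pass over a report like the one above, as an added example (not from the thread, from ComboFix or from any poster): the Python below parses the report's own row formats and lists items to review, namely binaries added under c:\windows within the last two weeks, Run values pointing into user-writable paths, and scheduled tasks whose target is a browser (the david.job entry is worth a look given the browser-popup symptom). The sample rows are copied from the report; the heuristics, thresholds and names are this example's own and produce review items, not verdicts.

```python
"""Triage helper for a ComboFix report: added example, not part of the thread or of
ComboFix; its heuristics are this example's own and yield findings, not verdicts."""
import re
from datetime import date

# Rows: "<date> <time>[ . <date> <time>]\t<size>\t<attrs>\t<path>" (Find3M rows have one
# timestamp); Run values: "Name"="path" [date size]; a task is "<date> <x>.job" then "- <target> [date]".
FILE_ROW = re.compile(r"^(\d{4}-\d\d-\d\d) \d\d:\d\d(?: \. \S+ \S+)?\t(<DIR>|[\d,]+)\t\S+\t(.+)$")
RUN_ROW = re.compile(r'^"([^"]+)"="([^"]+)" \[\d{4}-\d\d-\d\d \d+\]$')
TASK_ROW = re.compile(r"^\d{4}-\d\d-\d\d (\S+\.job)$", re.I)
TASK_TARGET = re.compile(r"^- (.+?) \[\d{4}-\d\d-\d\d")

BINARY_EXT = (".exe", ".dll", ".sys", ".scr")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\tasks\\")
BROWSERS = ("iexplore.exe", "firefox.exe")

def triage(report, scan_day, window_days=14):
    """Return (reason, detail) findings in report order."""
    findings, job = [], None
    for line in report.splitlines():
        if (m := FILE_ROW.match(line)) and m.group(2) != "<DIR>":
            path, low = m.group(3), m.group(3).lower()
            age = (scan_day - date.fromisoformat(m.group(1))).days
            if age <= window_days and low.startswith("c:\\windows\\") and low.endswith(BINARY_EXT):
                findings.append(("binary added to a system dir recently", path))
        elif (m := RUN_ROW.match(line)):
            name, path = m.groups()
            if any(s in path.lower() for s in USER_WRITABLE):
                findings.append(("autorun from a user-writable path", f"{name} -> {path}"))
        elif (m := TASK_ROW.match(line)):
            job = m.group(1)                      # remember the .job; its target follows
        elif job and (m := TASK_TARGET.match(line)):
            target = m.group(1)
            if target.lower().rsplit("\\", 1)[-1] in BROWSERS:
                findings.append(("scheduled task launches a browser", f"{job} -> {target}"))
            job = None
    return findings

# Constructed sample: rows copied from the report above, with tabs written as \t.
SAMPLE = "\n".join([
    "2008-10-29 23:11 . 2008-10-29 23:11\t920,064\t--a------\tc:\\windows\\system32\\RDPRemoteEnabler.exe",
    "2008-10-28 15:52\t433,664\t----a-w\tc:\\windows\\system32\\AdQueueLoop.exe",
    '"ccApp"="c:\\program files\\Common Files\\Symantec Shared\\ccApp.exe" [2006-07-19 52896]',
    "2008-11-03 c:\\windows\\Tasks\\david.job",
    "- c:\\program files\\Internet Explorer\\iexplore.exe [2008-08-22 23:56]",
])

def triage_sample():
    """Run the triage over the sample at the report's own scan date (2008-11-04)."""
    return triage(SAMPLE, date(2008, 11, 4))

if __name__ == "__main__":
    for reason, detail in triage_sample():
        print(f"{reason}: {detail}")
```

The two PsTools-style binaries it lists are exactly the kind of item the asker later explains away as his own tooling, which is why the output is a review list rather than a verdict.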
7 Comments
 
LVL 3

Assisted Solution

by:tdor
tdor earned 1000 total points
ID: 22880564
Hi

You have a lot of files that are used to take remote control over computers on your HDD

I would recommend that you give a full scan on the HDD with your installed AV
then use the on line AV scanning from trendMicro and Kaspersky
 - http://housecall.trendmicro.com/
 - http://www.kaspersky.com/virusscanner


Then use SpyBot/AdAware to remove any components of malware that might download back the virus
(spyBot) http://www.safer-networking.org/en/download/
(AdAware) http://www.lavasoft.com/products/ad_aware_free.php


Then use RootKitRemover to check for any rootkits
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html


Files that you can remove if you do not know what they are used for:

c:\windows\system32\RDPRemoteEnabler.exe

c:\windows\system32\Psinfo.exe
c:\windows\system32\psexec.exe
c:\windows\system32\psshutdown.exe
c:\windows\system32\pssuspend.exe
c:\windows\system32\pskill.exe
c:\windows\system32\psgetsid.exe
c:\windows\system32\pslist.exe
c:\windows\system32\psloglist.exe
c:\windows\system32\psservice.exe
c:\windows\system32\pspasswd.exe
c:\windows\system32\psloggedon.exe
c:\windows\system32\psfile.exe

c:\windows\system32\GetUserInfo.exe


Regards,
Tdor
 

Author Comment

by:LrdKanien
ID: 22880622
I'm an Administrator.  All of the Pstools are made by microsoft and I put them in the system32 dir.  I use them to do many things across my network, such as remotely executing code.  The getuserinfo is joeware, which is a source that many people trust and you should check out at joeware.net.  

Anyone else?
 
LVL 3

Assisted Solution

by:tdor
tdor earned 1000 total points
ID: 22880823
Hi,

:) I knew about the files; however, I did not want to start by assuming anything (and I did want to know that you are an admin and that you work with Exchange, PsTools, keep an eye on the ADQueue, etc.)

About the error you received: it says "Cleaned by Deletion". However, do you keep receiving it? If yes, then have you tried SpyBot?

I'm intrigued by c:\windows\SxsCaPendDel (see the last 4 entries in the thread)
http://forums.whatthetech.com/Problem_Removing_Virtumonde_t89176.html


tdor
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 22882096

The file that Symantec found is in the System Restore folder; to remove it you just need to turn off System Restore to flush the infected restore points,
reboot (that should remove all the viruses in that folder along with the restore points), then turn it back on again.

How to turn System Restore off and on:
http://support.microsoft.com/kb/310405
 

Author Closing Comment

by:LrdKanien
ID: 31513357
Thanks again.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22883893
Thanks!
 

Author Comment

by:LrdKanien
ID: 22886414
I'm still having popups to the gay site.  I downloaded spybot s&d and I'm running that now.