niallmcl (Posted July 18, 2006)
I did what you said and I can't find it... Any other ideas?

LS CalamityJane (Posted July 18, 2006)
From the RootkitRevealer log (which shows some legitimate items as well, so not all are bad), this entry:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll 10/07/2006 19:26 60.00 KB Visible in Windows API, but not in MFT or directory index.

The presence of that file indicates that what you downloaded on July 10th was a backdoor trojan with a rootkit, which gives it stealth capability to hide from you. This trojan has the capability of doing much damage to a computer, some of which is hidden and can't be seen or corrected. This trojan is much more than Adaware is designed to handle; in fact most AVs cannot handle rootkits correctly or repair the damage done. You should probably consider a reformat/reinstall on this system, as it may not be trustworthy at this point.

Here is the trojan involved (or one similar to it). Many of the Torpig trojan variants install keyloggers, password stealers, and other really nasty activity in addition to the damage done to a PC.

http://www.sophos.com/virusinfo/analyses/trojtorpigai.html

Troj/Torpig-AI is a Trojan for the Windows platform.

Troj/Torpig-AI includes functionality to
- capture keystrokes
- steal email login information
- steal information from protected storage areas
- access the internet and communicate with a remote server via HTTP.

When Troj/Torpig-AI is installed the following files are created:

<Common Files>\Microsoft Shared\Web Folders\ibm00001.dll
<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe
<Common Files>\Microsoft Shared\Web Folders\ibm00002.dll

These files are also detected as Troj/Torpig-AI.

The following registry entry is created to run ibm00001.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Shell
<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe

The following registry entry is changed to run ibm00001.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe <spaces> "<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe"

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

The following registry entries are also set:

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\

There are 4 pages of possible variants in the database provided at Sophos; you could have had any one of them.
http://www.sophos.com/security/analyses/se...p;x=60&y=12

........................

If a reformat/reinstall isn't possible for you, I think you should try the free trial evaluation version of this tool as one place to start:
http://www.greatis.com/unhackme/download.htm

Also the Microsoft Malicious Software Removal tool might be worth a try.
http://www.microsoft.com/security/malwareremove/default.mspx

Save any reports from those to post back here if you are not going to follow the recommendation to reformat/reinstall your operating system. And if you do, I suspect many of the programs you downloaded are infected. I would not recommend saving those infected files, lest you infect yourself again as you did here in this instance.

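The startup indicators in the Sophos description quoted in the post above (a Winlogon Shell value that no longer equals its default, and a Run value launching an ibm0000N file from the Web Folders directory) can be checked mechanically. This is an added example, not part of the original thread or of any tool named in it; the function names are hypothetical and the registry snapshot is constructed sample data.

```python
import re

# Default Winlogon Shell data, per the Sophos description quoted in the post.
DEFAULT_SHELL = "explorer.exe"

# The description lists ibm00001.dll, ibm00001.exe and ibm00002.dll under
# <Common Files>\Microsoft Shared\Web Folders. Matching any ibmNNNNN.dll/.exe
# there is an assumption made here so that sibling variants are also caught.
TORPIG_FILE = re.compile(
    r"\\common files\\microsoft shared\\web folders\\ibm\d{5}\.(dll|exe)\b",
    re.IGNORECASE,
)


def shell_extra_commands(shell_value):
    """Return what a Winlogon Shell value launches besides the default shell.

    An empty list means the value is exactly the default. The modified value
    keeps 'explorer.exe' first and pads with spaces before the added path, so
    the whole value is compared, not only its prefix.
    """
    value = shell_value.strip()
    if value.lower() == DEFAULT_SHELL:
        return []
    if value.lower().startswith(DEFAULT_SHELL):
        rest = value[len(DEFAULT_SHELL):].strip(" ,")
        return [rest.strip('"')] if rest else []
    # Shell replaced outright: the whole value is unexpected.
    return [value.strip('"')]


def audit(snapshot):
    """Check a {key_path: {value_name: data}} registry snapshot."""
    findings = []
    for key, values in snapshot.items():
        key_l = key.lower()
        for name, data in values.items():
            if key_l.endswith(r"\winlogon") and name.lower() == "shell":
                for extra in shell_extra_commands(data):
                    findings.append(("winlogon-shell-modified", key, extra))
            elif key_l.endswith(r"\currentversion\run") and TORPIG_FILE.search(data):
                findings.append(("run-key-torpig-path", key, data.strip('"')))
    return findings


# Constructed sample snapshot, modelled on the entries the description lists.
WEB_FOLDERS = r"C:\Program Files\Common Files\Microsoft Shared\Web Folders"
SAMPLE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": 'explorer.exe      "' + WEB_FOLDERS + '\\ibm00001.exe"',
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Shell": WEB_FOLDERS + "\\ibm00001.exe",
        "MsnMsgr": r'"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
    },
}

if __name__ == "__main__":
    for kind, key, detail in audit(SAMPLE):
        print(kind, "|", key, "|", detail)
```

Because a rootkit can filter what the running system reports, a snapshot exported from the live machine may be missing entries; registry hives read from a clean boot environment give a more reliable input.
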
niallmcl (Posted July 18, 2006)
I am not sure I know where my restore factory setting CD is, or my software for Windows. Can I reboot my system without these?

niallmcl (Posted July 18, 2006)
I ran the Microsoft tool and it said that there were no infected files...

niallmcl (Posted July 18, 2006)
That also said everything was fine.... Any advice on how to reboot my system??

niallmcl (Posted July 18, 2006)
That is, UNHACKME said there were no infections.

LS CalamityJane (Posted July 18, 2006)
No, you can't reformat/reinstall without your original install CDs. You need to be aware of the risk though. I would change all accounts and passwords, take caution with any sensitive data you may have stored on that PC.

Delete this file (if found):
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

The output message from RootkitRevealer indicates the file may have already been deleted.

Run a free online scan at both of these (save the log from each at the end to post back here with results, if any infections are found):

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Ewido free online scanner
http://www.ewido.net/en/onlinescan/

.................................

Then can you run the scan with Blacklight again and post a fresh log.
Also post a fresh HijackThis log after the two online scans.

niallmcl (Posted July 18, 2006)
That took a little while... Here is BlackLight

07/18/06 21:30:15 [info]: BlackLight Engine 1.0.42 initialized
07/18/06 21:30:15 [info]: OS: 5.1 build 2600 (Service Pack 2)
07/18/06 21:30:16 [Note]: 7019 4
07/18/06 21:30:16 [Note]: 7005 0
07/18/06 21:30:20 [Note]: 7006 0
07/18/06 21:30:20 [Note]: 7011 1744
07/18/06 21:30:21 [Note]: 7026 0
07/18/06 21:30:21 [Note]: 7026 0
07/18/06 21:30:29 [Note]: FSRAW library version 1.7.1019
07/18/06 21:32:58 [info]: Hidden file: c:\WINDOWS\system32\protector.exe.ren
07/18/06 21:32:58 [Note]: 7002 0
07/18/06 21:32:58 [Note]: 7003 1
07/18/06 21:32:58 [Note]: 10002 1
07/18/06 21:36:07 [Note]: 7007 0

niallmcl (Posted July 18, 2006)
HJT

Logfile of HijackThis v1.99.1
Scan saved at 21:37:35, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BZK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\BZK.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

niallmcl (Posted July 18, 2006)
Ewido did find some things but I saved the file and I don't know where it is.

niallmcl (Posted July 18, 2006)
I know this has turned into a bigger problem than you thought. Thanks for all your patience.

LS CalamityJane (Posted July 18, 2006)
I can deal with some rootkits but am no rootkit expert by any means. That renamed file should show in Windows, and since it doesn't I can't examine it to see if it is legit or not.

The Ewido log would be named: ewido-report.log
Please search for that file. It should open up in Notepad so you can copy the results back here.

I have to shut down at the moment for an approaching lightning storm. So I may be absent for a bit.

niallmcl (Posted July 19, 2006)
I ran ewido again this morning and it said there was nothing found.

niallmcl (Posted July 19, 2006)
Any ideas today? Is there anyone you know that could help me get rid of this?

LS CalamityJane (Posted July 19, 2006)
I'm waiting to see the ewido-report.log from the scan you did yesterday. You said you couldn't find it, so I gave you the name to search for: ewido-report.log
You had posted that it found some things yesterday. That's what I want to see.

niallmcl (Posted July 19, 2006)
I am sorry CJ, I could find that log when I searched for it... so I ran it again this morning and it didn't show up with anything. I will scan with ewido again and post a log.

niallmcl (Posted July 19, 2006)
Sorry, I meant to say couldn't find it when I searched for the log.

LS CalamityJane (Posted July 19, 2006)
Darn, would have really helped to know what it found. Let's try this tool next please:

Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer.
When it is finished a logfile will open: haxlog.txt
Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)

niallmcl (Posted July 19, 2006)
Here is the result; it removed whatever it found last night. I will try the next tool now. Thanks CJ

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 21:29:38 19/07/2006
+ Scan result: Nothing found.
::Report end

niallmcl (Posted July 19, 2006)
HAXFIX logfile - by Marckie
______________
version 3.07
19/07/2006 21:33:27.32

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found
checking for matching notify keys....
no matching notify keys found
checking for matching services....
matching services found
CmBatt
checking for matching safeboot services....
no matching safeboot services found

Checking for goldun
-------------------
checking for notify keys....
no notify keys found
checking for services....
ddirectxt

LS CalamityJane (Posted July 19, 2006)
Option 2: Autofix

Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.
Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)

Post the contents of that logfile along with a new HijackThis log.

niallmcl (Posted July 19, 2006)
There was no infection found.... Here is HJT

Logfile of HijackThis v1.99.1
Scan saved at 22:22:54, on 19/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe
O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BZK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\BZK.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

LS CalamityJane (Posted July 19, 2006)
I'm calling in the cavalry, since I have done all I can do on this. I've asked miekiemoes to take a look here and see if she can lend any advice. It may be tomorrow because she is in Europe and could be retired for the evening at this late hour there.

niallmcl (Posted July 19, 2006)
No problem Jane thanks so much for all your help!!! I am in Europe as well so we will be on the same time, I am Irish. Thanks again!!

LS CalamityJane (Posted July 19, 2006)
Ok, Niall! Get some rest and we'll meet you back here tomorrow.