A.bat Infected With Zapchast.reg And Dev.exe Infected With W32\sdbot.worm.gen.h


Recommended Posts

One of my users has two infected files on his laptop.

c:\a.bat and c:\winnt\system32

I have run spybot and adware, rebooted, and then created the following log.

Logfile of HijackThis v1.99.1

Scan saved at 11:46:31, on 28/09/2006

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\ibmpmsvc.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe

C:\WINNT\floplock.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\mcshield.exe

C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

C:\program files\notes\ntmulti.exe

C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\TpKmpSVC.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\mspmspsv.exe

C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

C:\PROGRA~1\Xpoint\agent\Xpagent.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\PROGRA~1\Xpoint\EEClient\xpclient.exe

C:\WINNT\system32\cmd.exe

C:\PROGRA~1\Xpoint\SAS\jre\bin\javaw.exe

C:\WINNT\system32\Ati2evxx.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\ltmsg.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\IBM\Client Access\cwbckver.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\WINNT\AGRSMMSG.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

C:\WINNT\system32\RunDll32.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Xpoint\PE\pcrecsa.exe

C:\WINNT\system32\TpShocks.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\INTEL\DSLSetup\ProDsl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\McAfee\Common Framework\UpdaterUI.exe

C:\WINNT\system32\internat.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Documents and Settings\linescj\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.51.87.140:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 213.62.*;170.230.*;*.cpb.com;*.soups.com;62.185.95.179;129.39.225.188;<local>

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9

O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"

O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN

O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [uC_Start] C:\IBMTools\Updater\ucstartup.exe

O4 - HKLM\..\Run: [Rapid Restore] C:\Program Files\Xpoint\PE\Skin\rrpcsb.exe

O4 - HKLM\..\Run: [bMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [TpShocks] TpShocks.exe

O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [setupType] Portable

O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O11 - Options group: [JAVA_IBM] Java (IBM)

O14 - IERESET.INF: START_PAGE_URL=about:blank

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ouk.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A22ECFD-1D48-4F30-A047-F4AB3D5657DC}: Domain = europe.soups.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{E6B6CEA5-4CF2-4550-9CCB-E7A8F1B20603}: Domain = europe.soups.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ouk.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ouk.com eu.cpb.com cpb.com europe.soups.com soups.com oie.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ouk.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ouk.com eu.cpb.com cpb.com europe.soups.com soups.com oie.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ouk.com eu.cpb.com cpb.com europe.soups.com soups.com oie.com

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe

O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireSvc.exe

O23 - Service: floppylock - Unknown owner - C:\WINNT\floplock.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

O23 - Service: Multi-user Cleanup Service - Unknown owner - C:\program files\notes\ntmulti.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE

O23 - Service: Xpoint PCRadmin Server (PCRadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\PE\pcradmin.exe

O23 - Service: PictureTaker - LANovation - C:\WINNT\System32\PCTKRNT.SYS

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINNT\system32\PsaSrv.exe

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINNT\system32\TpKmpSVC.exe

O23 - Service: Xpoint Admin Server (XPadminServer) - Unknown owner - C:\PROGRA~1\Xpoint\xpadmin\xpadmin.exe

O23 - Service: Xpoint Agent Server (xpAgentServer) - Unknown owner - C:\PROGRA~1\Xpoint\agent\Xpagent.exe

Thanks

Link to post
Share on other sites

First download ewido anti-spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

  1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need run ewido and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

[*]Under "Reports"

  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.

  1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
  2. Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will prompted, then select "Apply all actions"
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...