Trojan-Spy.Win32@mx

Started by tcarver, January 23, 2007, 03:53:43 AM



tcarver

This is all it came up with!  There were some other things under application that you did not specify for me to check so I unchecked them.  I hope that was correct.

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-14 18:57:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT  83F4E418                                                     ZwConnectPort
SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys  ZwOpenProcess
SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys  ZwTerminateProcess

---- EOF - GMER 1.0.12 ----
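As an added illustration (not part of the thread and not GMER's own code), a small Python triage of SSDT hook lines in the GMER format shown above: it separates hooks that resolve to a known security driver from hooks that GMER could only report as a bare kernel address, which is the pattern left by a rootkit that conceals its own driver image. The allow-list, the regex and the extra suspect_example.sys line are assumptions constructed for the example.

```python
import re

# Constructed sample: the three SSDT lines from the GMER log above, plus one
# constructed line (suspect_example.sys) that the real log did not contain.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT  83F4E418                                                     ZwConnectPort
SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys  ZwOpenProcess
SSDT  \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys  ZwTerminateProcess
SSDT  \??\C:\WINDOWS\suspect_example.sys                           ZwQueryDirectoryFile

---- EOF - GMER 1.0.12 ----
"""

# Analyst-maintained allow-list of drivers expected to hook the SSDT. Assumption:
# only the AVG Anti-Spyware guard driver seen in this thread is trusted.
TRUSTED_HOOKERS = {r"c:\program files\grisoft\avg anti-spyware 7.5\guard.sys"}

# GMER separates the hook target from the hooked Zw* function by 2+ spaces;
# the target itself may contain single spaces ("Program Files").
SSDT_LINE = re.compile(r"^SSDT\s+(?P<target>.+?)\s{2,}(?P<func>Zw\w+)\s*$")
NT_PREFIX = re.compile(r"^\\\?\?\\")


def classify(target: str) -> str:
    """Rank one SSDT hook: 'unresolved', 'review' or 'expected'."""
    if re.fullmatch(r"[0-9A-Fa-f]{8}", target):
        # A bare address means no loaded driver claims that code: the pattern
        # of a rootkit hiding its own image, so it deserves first attention.
        return "unresolved"
    path = NT_PREFIX.sub("", target).lower()
    return "expected" if path in TRUSTED_HOOKERS else "review"


def parse_ssdt_hooks(log_text: str) -> list[tuple[str, str, str]]:
    """Return (function, target, verdict) for each SSDT line in a GMER log."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line)
        if m:
            hooks.append((m["func"], m["target"], classify(m["target"])))
    return hooks


def triage(log_text: str) -> dict[str, list[str]]:
    """Group hooked functions by verdict so unresolved hooks surface first."""
    out: dict[str, list[str]] = {"unresolved": [], "review": [], "expected": []}
    for func, _target, verdict in parse_ssdt_hooks(log_text):
        out[verdict].append(func)
    return out
```

Run against a real GMER log, anything in the "unresolved" bucket is what to hand to the rootkit researcher first, while "review" entries need the driver path checked against the system's known software.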

Corrine

Thanks, tcarver.  That's not what I was looking for but we'll go a different route.  I am looking to see if there is anything more than the two files I spotted. 

I want you to first remove ComboFix.  There is a malicious program on the loose that when attempts are made to remove it with ComboFix, the results are not good.  As a result, the developer has taken the software off the download sites and asked that it not be used until he finds a way around the problem.  Although your son's computer doesn't have the particular infection that causes the problem, it would be best to play it safe.

So, let's take this route. 

A.  Please download the free beta trial of Blacklight from F-Secure from http://www.f-secure.com/blacklight/try_blacklight.html

  • Doubleclick on bibeta.exe to run it.
  • Click the *I accept* button near the bottom of that page.
  • Download and run Blacklight
  • Click Scan > Next > Next > Exit
  • Post the text file named fsbl.#######.log (the #'s stand for numbers)
  • Do not rename any files

B.  Please download Rootkit Revealer from the bottom of the page at http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running - leave the PC idle)
  • When it is complete, select File > Save
  • Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here as a reply

Thanks, tcarver, and my apologies for dragging this out.  I just don't want to take any unnecessary chances.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

tcarver

Corrine, I deleted the ComboFix, and then ran the Blacklight.  When I ran bibeta.exe, it never gave me the second next.  It went straight to an exit and said nothing found.  When I ran rootkitrevealer.exe, and after it finished (approx. 1-1/2 hrs) I went to save and it said the desktop was not available so I tried to save to My Documents and also to save it in another folder, but now I can't find it anywhere.  What might have happened, and where might I retrieve it?  I have run a search to find it, but I can't find it anywhere.  Any suggestions?

Paddy

Hello tcarver

I've been looking at this for a bit.  I'm not a HjT expert but this file doesn't look right to me.

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy 


I know you have been waiting for some time for a reply, but this does seem to be a rootkit problem..
and by the nature of the problems that come with them it needs to be researched kinda big time ..
so can you give some of the HjT team some time to do more research..

numbnuts   
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

tcarver

You bet!  Thanks for doing the check on this.  I sure appreciate your time.

Corrine

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky.  Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Corrine

Hi, tcarver.  One more thing, please submit the files below to free-olli@f-prot.com.  Make the "subject" "Per Corrine".

You may need to change your settings to show hidden files.  You can change the setting back after.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Search for new_drv.sys and ntio256.sys.  Ideally, zip the files and attach to the email to free-olli@f-prot.com

\??\C:\WINDOWS\new_drv.sys
\??\C:\WINDOWS\system32\ntio256.sys

Thanks.



tcarver

I am having trouble with the Kaspersky.  It keeps telling me that I do not have Administrator privileges.
What do I need to do?

Assarbad

Is it Windows XP Home? Who else is using the machine?

Oliver (working at FRISK but posting here as a private person!)

Clogged disks on Windows? Check out: WinDirStat

Paddy

Hello, tcarver, please provide the information Assarbad has asked for!
Also can you post a fresh HjT logfile to see how we stand with this please ..

numbnuts..

Assarbad

Didn't receive any files yet. If the mail server on your side rejects sending, please ZIP them in a password-protected file and send me that file and the password in two separate mails. Thanks.

Assarbad

Hmm, cut off from the internet by these nasties?

tcarver

Yes I am running XP, and it says that I have Administrator privileges, and then when I go to run Kaspersky it says I don't have them.  It also told me to set my security or something to medium.  I have it set at Med - High.

Paddy

Hi, again tcarver

Post a fresh logfile please, I / we would like to see a logfile.  Have you sent the files requested to Assarbad??
Are you having problems sending them ??

Follow his instructions for emailing them to him please, this is his job: Rootkits / research ..

numbnuts ..

Assarbad

Quote from: numbnuts on March 09, 2007, 12:29:46 AM
have you sent the files requested to Assarbad??

Nope :-\

It could be a problem to even copy them, but it is hard to tell from remote. I think I seriously need to write some stuff that can at least report certain system parameters and also copy such potentially hidden or locked files.