PDA

View Full Version : Win32:SysPatch(wrm) Help



cowboy stu
01-08-2009, 12:23 PM
Has anyone got a quick fix to rid of this alert.
Is it a problem ?
XP SP3 Avast

Blam
01-08-2009, 01:35 PM
Disable SR. Right Click My Computer>properties>system restore tab>tick disable SR on all drives.

Download HijackThis and post a log here
http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe

Then download MBAM and run a full scan.
http://www.malwarebytes.org/mbam-download.php

Also, this might help you remove any leftovers:


TECHNICAL DETAILS
When executed, the worm copies itself as the following files:
%System%\ntpl.bin
%System%\sbmf.ln


It also drops the following files, which are copies of Backdoor.Zapinit:
%System%\cc.ln
%System%\lght.ln
%System%\msnf.ln
%System%\nvrsma.dll
%System%\pryx.ln


It also creates the following log file:
%Windir%\sys.log

Next, the worm modifies the following files so that it changes which registry entries are queried when Windows starts:
%System%\dllcache\user32.dll
%System%\user32.dll


It then creates the following registry entry so that it runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"pjpInit_Dlls" = "nvrsma"

Note: The above registry entry is queried by the modified user32.dll files.

Note: The original user32.dll files are copied as the following file:
%System%\[RANDOM FILE NAME]

It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\"st" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\"mid" = "[HEXADECIMAL CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\"dwn" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\"ccnt" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\"nhr" = "1"


It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\1
HKEY_LOCAL_MACHINE\SOFTWARE\6
HKEY_LOCAL_MACHINE\SOFTWARE\7
HKEY_LOCAL_MACHINE\SOFTWARE\8
HKEY_LOCAL_MACHINE\SOFTWARE\9


The worm then attempts to connect to the following URLs:
[http://]66.36.241.45/sdb/gate/[REMOVED]
[http://]66.36.241.45/sdb/gate/data[REMOVED]


The worm spreads by copying itself to network shares using the following logon details:
User name:
Administrator
Password:
One of the following:
!@#
0
00
1
11
1212
123
123456
13
1313
666
777
adm
admin
administrator
asa
pass
password
q
qaz
qazxsw
qqq
qwerty
test
zaq
zaqwsx
zzz
/////////////////////////////
pol

Blam

cowboy stu
01-08-2009, 01:56 PM
Thanks.. underway



Logfile of HijackThis v1.99.1
Scan saved at 12:51:47 p.m., on 01/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\Shareware\FoxitReader.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Google\Picasa3\PicasaPhotoViewer.exe
C:\Downloads\Shareware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bordernet.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.directlink.co.nz/online/EnterDirectLink.do
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=localhost:9202;https=localhost:9202;socks=loc alhost:9203
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FirebirdGuardianDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\FBGuard.EXE
O23 - Service: FirebirdServerDefaultInstance - FirebirdSQL Project - C:\Program Files\Firebird\Firebird_2_0\Bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InterBaseGuardian - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
O23 - Service: InterBaseServer - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

cowboy stu
01-08-2009, 03:12 PM
Malwarebytes reports no issues.

All good do you think ??

Blam
01-08-2009, 03:22 PM
Seems like it. HJT log i clean, few unneeded entries but speedy can advice on what is unneeded.

But look in the registry and C drive for files and keys I listed above.

And try running this:
http://www.spywareterminator.com/download/download.aspx

Blam

cowboy stu
01-08-2009, 04:21 PM
thanks will do

Speedy Gonzales
01-08-2009, 06:28 PM
Disable system restore tick these then tick fix checked

Close browsers

Since trojan remover is installed make suire its up to date then scan, then select all options under utils

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

This file will be the prob

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

If you dont use nero home tick this

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

pctek
01-08-2009, 06:45 PM
C:\Program Files\Intel\AMT\atchk.exe

atchksrv.exe - This service will automatically start when Windows* boots. This service takes care of the administrator privileges needed by the "non-administrator" users to make use of the Intel® AMT Status application.





C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Intel\AMT\LMS.exe
part of Intel(R) Active Management Technology Local Manageability Service. The program listens for or sends data on open ports to LAN or Internet.


C:\WINDOWS\system32\IoctlSvc.exe
Utterly useless and occasionally problematic background service installed when a user installs the CD that comes with some USB thumb drives (Memory sticks / Flash memory / USB memory / Pen Drive). From our tests, and from our experience, despite using very little memory this service performs no function other than seriously impact the performance of some PCs. On some PCs this service will often cause PC slowness or random freezes.

C:\Program Files\Intel\AMT\UNS.exe


O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"


O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ADATA_PLUtil] C:\Program Files\A-DATA\USB Flash Disk Utility\PLBkMon.exe


O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe

O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

All comletely unnecessary too.
Why do you run all this clutter?

cowboy stu
01-08-2009, 06:49 PM
re clutter ... got no idea will deal to it

Did as Speedy says except my unpaid version of trojan remover is no use .
Still getting warning of Win32:SysPatch [Wrm]
thanks for help
will persist

cowboy stu
01-08-2009, 07:15 PM
What is the best way to edit registry as advised by Blam please ?
Is this is what is required ??

Speedy Gonzales
01-08-2009, 07:30 PM
It doesnt matter if its the trial it will still remove whatever. If HotfixQ0306270.exe is running now kill it. Then run trojan remover. Make sure its up to date, then select all options under the utilities menu. Make sure system restore is disabled. Did you scan the hdd with Avast?? Thats why its there

cowboy stu
01-08-2009, 08:48 PM
Where do i see hotfix running? it is not visible in Task manager /processes.
Have installed Trojan remover but can't get a trial copy to try. Scanning HD again

cowboy stu
01-08-2009, 09:58 PM
I read somewhere else of the same problem. DRWebCure downloaded and seems to have fixed :)
Thanks for help all