IS2010.exe/IS15.exe



linw
03-02-2010, 08:37 PM
Got a client's machine that has had both these trojans picked up by Malwarebytes. The offending exes have been deleted but there is something still active. FF is now occasionally getting a new tab created with sites related to gambling and adsmarket.

I am getting the machine tomorrow so am going to run TrojanRemover and I will check the registry entries connected with IS15 but if anyone has any specific advice it will be welcomed. At the end of the day, I just may have to wipe the disk and start again but I am trying to avoid that!

I will post a HJT log tomorrow as well.

TIA.

Speedy Gonzales
03-02-2010, 08:50 PM
double post

Speedy Gonzales
03-02-2010, 08:51 PM
Looks like it belongs to this (http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010). I would take it off the net till you fix it

linw
03-02-2010, 09:55 PM
Yep, that is certainly what it was/is. I think this comp was attacked via a script in an mp3 file that loaded a trojan loader. The rest (including a password copier) got loaded from there.

Malwarebytes and MSE found and deleted several baddies but there is still something else lurking.

Speedy Gonzales
03-02-2010, 11:37 PM
Disable System Restore, then do a scan with TR, and reset everything after. Under the Utils menu.

linw
04-02-2010, 08:42 AM
HJT log shows a peculiar service (GVYQFFBH.exe). This doesn't show in Task Manager.

TR didn't find anything, incl file above.

MSE - nothing.

MBAM - nothing.

Current symptoms are tabs with mainly gambling sites spontaneously appear in FF. Will run FF in safe mode to see whether this still occurs.

Out for a few hours so will check back then.


Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:02:10 a.m., on 4/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Samsung\Emodio\SMSTray.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\devnz\gbpvr\GBPVRTray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\zabkat\xplorer2_lite\xplorer2.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Emodio\SMSTray.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\devnz\gbpvr\GBPVRTray.exe
O4 - Startup: pvr150-1.bat - Shortcut.lnk = J:\GB Recorder\pvr150-1.bat
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: Google Update Service (gupdate1c9d45e61575d92) (gupdate1c9d45e61575d92) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: GVYQFFBH - Sysinternals - www.sysinternals.com - C:\Users\Rob\AppData\Local\Temp\GVYQFFBH.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 6348 bytes

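An added example, not code from any post in this thread: a small Python triage pass over HijackThis O4 and O23 lines that flags autostarts and services running from user-writable profile or temp directories, services whose names look machine-generated, and services with no vendor in their version info. The sample lines are constructed to mirror the log above (the smss32.exe Run entry is invented for illustration). A flag is a lead to confirm by hand, not a verdict.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name path reasons")

# Constructed sample in HijackThis O4/O23 format, modelled on the log in this
# thread (a handful of entries, not the whole log; the 'updater' line is invented).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [updater] C:\Users\Rob\AppData\Roaming\smss32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GVYQFFBH - Sysinternals - www.sysinternals.com - C:\Users\Rob\AppData\Local\Temp\GVYQFFBH.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

# Anything under a user profile or a Temp folder is writable without admin
# rights, which is where droppers usually land.
USER_WRITABLE = re.compile(
    r"\\(?:Temp|AppData|Local Settings|Application Data)\\"
    r"|\\(?:Users|Documents and Settings)\\[^\\]+\\", re.I)
# Heuristic only: 6-10 upper-case letters/digits with no vowels of meaning.
RANDOM_NAME = re.compile(r"^[A-Z0-9]{6,10}$")
# First executable-looking token of a Run command, quoted or not.
BINARY = re.compile(r"^(.*?\.(?:exe|dll|scr|bat|cmd|com))", re.I)


def parse_line(line):
    """Return (kind, name, owner, path) for O4/O23 lines, else None."""
    if line.startswith("O23 - Service: "):
        body = line[len("O23 - Service: "):]
        # The path is always the last ' - ' field; the company field may itself
        # contain ' - ' (e.g. 'Sysinternals - www.sysinternals.com').
        head, path = body.rsplit(" - ", 1)
        name, _, owner = head.partition(" - ")
        return ("O23", name.strip(), owner.strip(), path.strip())
    m = re.match(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$", line)
    if m:
        cmd = m.group("cmd").lstrip('"')
        b = BINARY.match(cmd)
        path = b.group(1) if b else cmd
        return ("O4", m.group("name"), m.group("hive"), path.strip())
    return None


def triage(log_text):
    """Return a Finding for every O4/O23 entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, name, owner, path = parsed
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("binary lives in a user-writable profile/temp directory")
        if kind == "O23" and RANDOM_NAME.match(name):
            reasons.append("service name looks machine-generated")
        if kind == "O23" and owner.startswith("Unknown owner"):
            reasons.append("no vendor in version info (verify by hand)")
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s [%s] %s\n    - %s" % (f.kind, f.name, f.path, "\n    - ".join(f.reasons)))
```

Run it against a saved hijackthis.log instead of SAMPLE_LOG by reading the file into triage(); the "no vendor" reason fires on plenty of legitimate software (Macrium and Photodex in the log above), so treat it as the weakest of the three signals.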
linw
04-02-2010, 08:50 AM
Ah, that GVYQFFBH.exe is Sysinternals' RootkitRevealer which I ran earlier.

Speedy Gonzales
04-02-2010, 08:52 AM
Did you select all options under Utilities in TR as well, after updating it and then clicking on Scan? Trojan Remover does scan for rootkits.

Uninstall all versions of Java, then update it. It's out of date.

What does this do?

O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup

Is it a search program for windows?

inphinity
04-02-2010, 08:56 AM
I encountered a PC with this the other day, scanned & cleaned with MBAM and NOD32, then had to edit the Userinit registry key, found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The infection had changed the value of Userinit to winlogon32.exe instead of userinit.exe

However there were a handful of other infections on that PC also so this may or may not have been a direct result of the IS2010.
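An added example (not inphinity's own procedure, which was done by hand in the registry editor): a Python check for the Winlogon Userinit and Shell values described in the post above. check_winlogon() works on plain strings so it can be tested anywhere; read_winlogon() reads the live values with winreg and only runs on Windows. The expected stock values (C:\Windows\system32\userinit.exe with its trailing comma, and explorer.exe) are assumptions for a default Vista install.

```python
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def split_list(value):
    """Userinit is a comma-separated program list and normally ends in a comma:
    'C:\\Windows\\system32\\userinit.exe,' -> ['C:\\Windows\\system32\\userinit.exe']."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_winlogon(values, system_root=r"C:\Windows"):
    """values: {'Userinit': ..., 'Shell': ...} as read from the registry.
    Returns a list of problems; an empty list means both values are stock.
    Catches both the swap (winlogon32.exe) and the append (userinit.exe,evil.exe)."""
    problems = []
    expected_userinit = (system_root + r"\system32\userinit.exe").lower()
    entries = split_list(values.get("Userinit", ""))
    if not entries:
        problems.append("Userinit is empty or missing")
    for entry in entries:
        if entry.lower() != expected_userinit:
            problems.append("unexpected Userinit entry: %s" % entry)
    shell = values.get("Shell", "").strip()
    if shell.lower() != "explorer.exe":
        problems.append("unexpected Shell value: %r" % shell)
    return problems


def read_winlogon():
    """Read the live values.  Windows only (winreg is a CPython-on-Windows module)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Userinit", "Shell"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = ""
    return out


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows box being cleaned")
    for line in check_winlogon(read_winlogon()) or ["Winlogon Userinit/Shell look stock"]:
        print(line)
```

Fix a bad value from an elevated prompt with reg add (for example `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f`), then rerun the check; get the dropped file off the disk before rebooting, or a second stage may simply write the value back.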

linw
04-02-2010, 09:51 PM
Speedy, everything.exe is a VERY efficient file indexer so is kosher. Updated Java.

I didn't click the utilities options but have done that now.

I have checked for all the known files created e.g. smss32.exe, helper32.dll, winlogon32.exe etc but none are there.

I have checked the known changes to registry and only found one entry that shouldn't have been there. HKCU\Software\8636065b-fef0 .... etc. Deleted that (it was supposed to load smss32.exe on startup but I have never found this exe).

No bogus sites loaded for an hour so that is good but I am not convinced the problem has gone away yet. Time will tell.

Chikara
05-02-2010, 04:14 AM
Yep, that is certainly what it was/is. I think this comp was attacked via a script in an mp3 file that loaded a trojan loader. The rest (including a password copier) got loaded from there.

Malwarebytes and MSE found and deleted several baddies but there is still something else lurking.

Not trying to hijack this thread or anything, but I'm curious about how a mp3 file can run a script...(not being sarcastic, I genuinely don't understand how this works)...
Do you mean it's a fake double-extension file, eg filename.mp3.exe?? If so, I could understand it doing dodgy things.

But if the file extension was indeed just .mp3, wouldn't it just try and load through the default media player and not play if it's not a valid music file? How does it actually run a script??

fred_fish
05-02-2010, 08:38 AM
That would be a good question for the WMP devs....

Speedy Gonzales
05-02-2010, 08:53 AM
If he means something like this (http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=207600502) then it's not an MP3 at all. It's fake.
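
An added example, not code from any post here: a Python header sniffer that answers Chikara's question in the mechanical sense and shows what Speedy means by "fake". It classifies a file by its leading bytes instead of its name, so a Windows Media (ASF) container or a PE executable renamed to .mp3 (or track.mp3.exe) stands out. The assumption that the fake "mp3" is an ASF file follows the 2008 case the link above covers; what WMP does with such a file afterwards is outside this example. All sample bytes are constructed here.

```python
import os
import re

# The ASF header-object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C is stored with
# its first three fields little-endian, which is why these bytes do not read
# like the GUID string.
ASF_HEADER = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
PE_MAGIC = b"MZ"
ID3_MAGIC = b"ID3"
RIFF = b"RIFF"
# '.mp3' as the final extension or buried in a double extension (x.mp3.exe).
LOOKS_MP3 = re.compile(r"\.mp3(\.|$)")

# Constructed samples (first bytes only; real files would be far longer).
SAMPLES = {
    "real.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x21" + b"\x00" * 16,
    "raw.mp3": b"\xff\xfb\x90\x64" + b"\x00" * 16,            # no ID3 tag, bare frame
    "fake.mp3": ASF_HEADER + b"\x00" * 16,                    # ASF dressed up as an mp3
    "track.mp3.exe": b"MZ\x90\x00" + b"\x00" * 16,            # the double-extension case
}


def sniff(data):
    """Classify a file by its leading bytes, ignoring the extension."""
    if data.startswith(ASF_HEADER):
        return "asf"           # WMA/WMV container, whatever the file is called
    if data.startswith(PE_MAGIC):
        return "exe"           # Windows executable
    if data.startswith(ID3_MAGIC):
        return "mp3"           # MP3 with an ID3v2 tag in front
    if data.startswith(RIFF) and data[8:12] == b"WAVE":
        return "wav"
    # Bare MPEG audio frame: 11-bit sync (0xFFE0 mask) in the first two bytes.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def mismatch(filename, data):
    """True when a file calling itself .mp3 is not MPEG audio at all."""
    return bool(LOOKS_MP3.search(filename.lower())) and sniff(data) != "mp3"


def audit(samples):
    """[(name, real_type)] for every sample whose name and content disagree."""
    return [(fn, sniff(d)) for fn, d in samples.items() if mismatch(fn, d)]


def scan_dir(root):
    """Walk a folder on disk and report every 'mp3' whose header says otherwise."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue
            if mismatch(fn, head):
                hits.append((full, sniff(head)))
    return hits


if __name__ == "__main__":
    for name, real in audit(SAMPLES):
        print("%s is really: %s" % (name, real))
```

Point scan_dir() at the downloads or shared-music folder on the infected machine; sixteen bytes is enough for every signature checked here, so it is quick even over a large collection.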

linw
05-02-2010, 09:15 AM
See here:- http://www.dslreports.com/forum/r20444683-Rogue-MP3-Trojan-streaks-across-P2P-networks

Seems like WMP can execute a script file in an mp3.

In the case I have at the moment, indeed, IE did get run around the right timeframe but my friend only uses FF so it was likely IE was called by rogue software.

Anyway, this system is still loading gambling sites. I am now looking at add-ons/plugins but it is tedious as the nasties don't appear reliably.

linw
05-02-2010, 03:08 PM
Combofix didn't even fix it in spite of deleting about 20 files (numerically named exes from system32 directory).

Guess it is a hopeless case if all the scanners I have run can't find the rogues. Damn, I really didn't want to reinstall everything!

Speedy Gonzales
05-02-2010, 03:10 PM
Get teamviewer if you want, then boot into safe mode / networking. And I'll check it out. Send the ID and pw to me in a PM

linw
08-02-2010, 12:30 AM
Thanks, Speedy, for the help on Friday night - much appreciated.

I am pretty sure I now know what is wrong with the infected machine. The malware scanners got rid of pretty much all the nasties but couldn't see the TDSS rootkit installed. This rootkit uses a google redirect scheme to fire up advertising sites.

Kaspersky has a TDSSKiller exe to detect and remove this bad boy. It did detect files and registry entries and hopefully removed it.

So a warning to keep an eye out for this one.

Will test it for a while but am not sure the setup can be trusted anymore.

The 'fix' is here as well as a severe warning!

http://www.bleepingcomputer.com/forums/index.php?showtopic=289566&hl=google+redirect