Trickiest Spyware Yet!

Discussion in 'Malware Help (A Specialist Will Reply)' started by bengbrewer, Jul 12, 2005.

  1. bengbrewer

    bengbrewer Private E-2

    Hey guys, first post. This is the first time I've had some spyware that I couldn't remove. When I log in, explorer.exe has a CPU usage of at least 95%; if I end task it I can bring up Task Manager and run programs. I'm running Antivir, Sophos, Ad-Aware, and MS Antispyware. I've tried all of the different tools like xclean, wmav, killbox, drdelete, sysclean. None work. These 2 files in the c:\windows\system32 folder are suspicious to me: kudcr.dll 408k, mkdrv.dll 408k. The only thing I haven't done is boot into recovery console and tried removing these. There is also a file called b.com that keeps showing up in the c:\windows\temp folder. Well here is my hijackthis log. It must just be something new that's not caught yet or something. HELP!@!@ Thanks

    Edit by chaslang: Unrequested inline HJT log removed


    Using Process Explorer for XP I can see what's going on with explorer.exe when it's running at freakin 98 CPU. Here's the log I got:

    Process PID CPU Description Company Name
    System Idle Process 0
    Interrupts n/a 0.20 Hardware Interrupts
    DPCs n/a 0.20 Deferred Procedure Calls
    System 4 0.39
    smss.exe 548 Windows NT Session Manager Microsoft Corporation
    csrss.exe 624 0.39
    winlogon.exe 648 2.54 Windows NT Logon Application Microsoft Corporation
    services.exe 692 0.59 Services and Controller app Microsoft Corporation
    svchost.exe 860 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 904 0.20
    svchost.exe 964 Generic Host Process for Win32 Services Microsoft Corporation
    SavService.exe 1004
    svchost.exe 1164
    svchost.exe 1220
    spoolsv.exe 1344 Spooler SubSystem App Microsoft Corporation
    AVWUPSRV.EXE 1452 AntiVir Software Update Service for Windows H+BEDV Datentechnik GmbH, Germany
    SAVAdminService.exe 1616 Sophos Administrator Service Sophos plc
    ALsvc.exe 1692 Sophos plc
    svchost.exe 1728 Generic Host Process for Win32 Services Microsoft Corporation
    wdfmgr.exe 1768
    lsass.exe 704 2.74 LSA Shell (Export Version) Microsoft Corporation
    taskmgr.exe 988 0.20 Windows TaskManager Microsoft Corporation
    procexp.exe 2732 2.74 Sysinternals Process Explorer Sysinternals
    explorer.exe 2224 89.04 Windows Explorer Microsoft Corporation
    csrss.exe 2004 0.20
    winlogon.exe 2040 0.59 Windows NT Logon Application Microsoft Corporation

    Process: explorer.exe Pid: 2224

    Type Name
    Desktop \Default
    Directory \Windows
    Directory \BaseNamedObjects
    Directory \KnownDlls
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    Event \BaseNamedObjects\crypt32LogoffEvent
    Event
    Event
    Event
    Event
    Event
    Event \BaseNamedObjects\WinMMConsoleAudioEvent
    Event
    Event
    Event \BaseNamedObjects\userenv: User Profile setup event
    Event
    Event
    Event
    Event
    Event
    Event
    Event
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File \Device\NamedPipe\lsass
    File C:\Documents and Settings\Administrator\Desktop
    File C:\Documents and Settings\All Users\Desktop
    File C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\CD Burning
    File \Device\Tcp
    File \Device\Tcp
    File \Device\Ip
    File \Device\Ip
    File \Device\Ip
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File \Device\NamedPipe\ROUTER
    File C:\WINDOWS\system32
    File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    File C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
    File C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\index.dat
    File C:\Documents and Settings\Administrator\Local Settings\Temp\History\History.IE5\index.dat
    File C:\WINDOWS\system32
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File \Device\KsecDD
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
    File C:\new\ProcessExplorerNt
    IoCompletion
    IoCompletion
    IoCompletion
    IoCompletion
    Key HKCR\CLSID
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKU
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKCR\CLSID
    Key HKCU\Software\Classes
    Key HKCU\Software\Classes
    Key HKCU\Software\Microsoft\Plus!\Themes\Apply
    Key HKCU\Software\Classes
    Key HKCU\Software\Classes
    Key HKLM
    Key HKCR\http\shell
    Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
    Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
    Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
    Key HKCU\Software\Classes
    Key HKCU\Software\Microsoft\Windows\ShellNoRoam
    Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Global
    Key HKCU\Software\Classes
    Key HKCU\Software\Classes
    Key HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Key HKCU\Software\Classes
    Key HKCU\Software\Classes
    Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
    Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
    Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
    Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
    Key HKCU\Software\Classes\CLSID
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    Key
    Key HKCR\CLSID\{8EF84A48-765C-4095-B573-55972A264D35}
    Key HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites
    Key HKCR\CLSID\{8EF84A48-765C-4095-B573-55972A264D35}
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    Key HKCU\Software\Classes
    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    Key HKCU\Software\Classes
    Key HKCU\Software\Classes
    Key HKCU
    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key HKCU\Software\Classes
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    Key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    Key HKCR
    Key HKCU\Software\Classes
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKU
    Key HKCR
    Key HKU
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKLM\SOFTWARE\Microsoft\COM3
    KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
    Mutant
    Mutant
    Mutant
    Mutant
    Mutant \BaseNamedObjects\_!MSFTHISTORY!_
    Mutant \BaseNamedObjects\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
    Mutant \BaseNamedObjects\c:!docume~1!admini~1!locals~1!temp!temporary internet files!content.ie5!
    Mutant \BaseNamedObjects\c:!docume~1!admini~1!locals~1!temp!history!history.ie5!
    Mutant \BaseNamedObjects\c:!docume~1!admini~1!locals~1!temp!cookies!
    Mutant \BaseNamedObjects\WininetStartupMutex
    Mutant \BaseNamedObjects\WininetConnectionMutex
    Mutant
    Mutant \BaseNamedObjects\WininetProxyRegistryMutex
    Mutant
    Mutant
    Mutant \BaseNamedObjects\ExplorerIsShellMutex
    Mutant \BaseNamedObjects\ShimCacheMutex
    Port
    Port
    Port
    Port \RPC Control\OLE7F24CB1CCCE54EEF99B4C0F1D3DD
    Port
    Port
    Port
    Section \BaseNamedObjects\__R_00000000000f_SMem__
    Section
    Section \BaseNamedObjects\C:_DOCUME~1_ADMINI~1_LOCALS~1_Temp_Temporary Internet Files_Content.IE5_index.dat_425984
    Section \BaseNamedObjects\C:_DOCUME~1_ADMINI~1_LOCALS~1_Temp_Cookies_index.dat_49152
    Section \BaseNamedObjects\C:_DOCUME~1_ADMINI~1_LOCALS~1_Temp_History_History.IE5_index.dat_65536
    Section \BaseNamedObjects\UrlZonesSM_Administrator
    Section
    Section \BaseNamedObjects\ShimSharedMemory
    Semaphore \BaseNamedObjects\shell.{090851A5-EB96-11D2-8BE4-00C04FA31A66}
    Semaphore
    Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Semaphore
    Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
    Semaphore
    Semaphore
    Semaphore \BaseNamedObjects\shell._ie_sessioncount
    Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore
    Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
    Thread explorer.exe(2224): 2256
    Thread explorer.exe(2224): 2236
    Thread explorer.exe(2224): 2272
    Thread explorer.exe(2224): 2272
    Thread explorer.exe(2224): 2360
    Thread explorer.exe(2224): 2060
    Thread explorer.exe(2224): 2392
    Thread explorer.exe(2224): 2392
    Thread explorer.exe(2224): 2272
    Thread explorer.exe(2224): 2324
    Thread explorer.exe(2224): 2328
    Timer
    Timer
    WindowStation \Windows\WindowStations\WinSta0
    WindowStation \Windows\WindowStations\WinSta0
     
    Last edited by a moderator: Jul 13, 2005
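    The first post describes the three things a helper would want facts about: a process pegging the CPU, two same-sized DLLs of unknown origin in system32, and a file that keeps reappearing in Windows\Temp; the handle dump also shows explorer.exe holding the HKLM\...\Winlogon\Notify key open, which is a logon-time DLL loading point worth enumerating. The script below is an added example written for this page, not something posted in the thread and not part of HijackThis or L2MeFix. It is read-only (it collects, it never deletes), it assumes the hot process is explorer.exe and an elevated prompt, and it assumes a Windows version that ships PowerShell, which the XP machine in the thread predates.

```powershell
<#
  Added triage script (not from the thread or from any tool it names).
  Collects, for a CPU-hungry process, every loaded module with size,
  creation time, Authenticode status and SHA-256; the Winlogon Notify
  packages registered on the machine; and recently written executables
  in the Windows Temp folder. Writes CSVs for attaching to a help request.
  Assumptions: process name 'explorer', elevated PowerShell 5.1 or later.
#>
param(
    [string]$ProcessName = 'explorer',                     # assumption: explorer.exe is the hot process
    [string]$OutDir      = "$env:USERPROFILE\Desktop\triage"  # assumption: where the CSVs go
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-SignatureStatus([string]$Path) {
    # Authenticode status as text: Valid, NotSigned, HashMismatch, ... or 'Unknown'
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig) { [string]$sig.Status } else { 'Unknown' }
}

# 1. Loaded modules of the target process.
$modules = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try { $loaded = $proc.Modules }
    catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
    foreach ($m in $loaded) {
        $path = $m.FileName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        $status = Get-SignatureStatus $path
        $item   = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Pid       = $proc.Id
            Module    = $path
            SizeKB    = [math]::Round($item.Length / 1KB)
            Created   = $item.CreationTime
            Signature = $status
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # Triage hint, not a verdict: an unsigned DLL in System32 with a recent
            # creation time deserves a second look, but catalog-signed system files
            # can also report NotSigned on older Windows builds.
            Suspect   = ($status -ne 'Valid')
        }
    }
}
$modules | Sort-Object Suspect -Descending |
    Export-Csv -NoTypeInformation -Path "$OutDir\modules.csv"

# 2. Winlogon Notify packages: DLLs winlogon loads at logon. Bare DLLName
#    values resolve relative to System32.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$notify = Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $dll      = (Get-ItemProperty -Path $_.PSPath).DLLName
    $resolved = $dll
    if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
        $resolved = Join-Path "$env:SystemRoot\System32" $dll
    }
    $exists    = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
    $sigStatus = 'n/a'
    if ($exists) { $sigStatus = Get-SignatureStatus $resolved }
    [pscustomobject]@{
        Package   = $_.PSChildName
        DLLName   = $dll
        Exists    = $exists
        Signature = $sigStatus
    }
}
$notify | Export-Csv -NoTypeInformation -Path "$OutDir\winlogon_notify.csv"

# 3. Executables written to the Windows Temp folder in the last two days
#    (the thread's b.com kept reappearing there).
$tempExe = Get-ChildItem -Path "$env:SystemRoot\Temp" -File -Recurse `
        -Include *.com, *.exe, *.dll, *.bat -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-2) } |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FullName
            SizeKB  = [math]::Round($_.Length / 1KB)
            Written = $_.LastWriteTime
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
$tempExe | Export-Csv -NoTypeInformation -Path "$OutDir\temp_executables.csv"

# Console summary
"Modules loaded: $(@($modules).Count); not Valid-signed: $(@($modules | Where-Object Suspect).Count)"
$modules | Where-Object Suspect | Format-Table Pid, Module, SizeKB, Created, Signature -AutoSize
"Winlogon Notify packages:";             $notify  | Format-Table -AutoSize
"Recent executables in $env:SystemRoot\Temp:"; $tempExe | Format-Table -AutoSize
"CSV reports written to $OutDir"
```

    The point of hashing rather than just naming files is that two 408 KB DLLs with random-looking names are only comparable across machines by digest; the signature column separates Microsoft-signed components from the rest, and the Winlogon Notify listing shows whether anything outside the operating system is registered to load at logon. Nothing here removes anything, which keeps the evidence intact for whoever walks the poster through the cleanup.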
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the announcement and sticky threads. HJT logs should only be posted when requested and then they must be attachments to your message. Also do not post any other long inline logs like that either. Please run the steps below.

    - You must only run one antivirus application. Pick the one you prefer and uninstall the other.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial... Was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.

    Now reboot into normal mode and download the following tool and save it where you will be able to find it.

    L2MeFix Tool

    Please print out these instructions now or save locally so that you can operate with All Browser Windows CLOSED.

    Exit Browsers now before continuing

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Now reconnect and come back here and post as an attachment the l2mfix log.


    Also make sure you follow the directions below exactly and post a new HJT log as an attachment.


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

    Please DO NOT REBOOT after scanning for these logs!! Otherwise potential problems may mutate and spread. Wait for me to get back to you with the next steps.
     