Expert: Brian Benosky - 1/21/2009

Question
QUESTION: Malware Infection – Jan 2008

 

My computer, an HP Pavilion a1010n, XP Home, is badly infected with malware. I have booted in Safe Mode and deleted some of the files on the list below, but encounter ACCESS DENIED error messages on some files - I left this slightly older list as some of these seem to restore automatically and I thought this might give a clearer picture. Also, some registry entries can't be deleted eg, HKEY LOCAL MACHINE - SYSTEM - CONTROLSET001 - ENUM - ROOT - LEGACY_AFISICX.

 

A list of files I think I’d rather not have on my computer includes:

AFISICX EXE

BUJUSUFE DLL

DLFICV DLL

JUSCHED EXE

LINANOT4 DLL

MABIDWE EXE

MACIDWE EXE

MEJIYOLO DLL

MMCHOST DLL

MSCHCO EXE

MSMBSR EXE

NASIKUNU DLL

NOYTCYR EXE

ROVOYATO DLL

ROYTCTM EXE

SOXPECA EXE

SVCHOSD EXE

SVCHOST DLL

TDYDOWKC EXE

WSLDOEKD EXE





No doubt there are more.

 

Pasted below is a scan result from HijackThis.

 

I’d like two things: First, advice/help on how to cleanup this mess. Second, the names, pictures, and present locations of the developers/enhancers of these files.

 

Thanks.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:01:23 PM, on 1/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\mabidwe.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\tcpsvcs.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\hphmon06.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavili

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavi

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavi

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavi

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavi

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {29f4d765-8dad-4d00-acad-2aa48b87878a} - C:\WINDOWS\system32\nasikunu.dll

O2 - BHO: {e47563ac-b7a6-6acb-e4d4-eaee99501ae8} - {8ea10599-eeae-4d4e-bca6-6a7bca36574e} - C:\WINDOWS\system32\dlficv.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"

O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

O4 - HKLM\..\Run: [EarthLink Installer] " /C

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [depuzefawu] Rundll32.exe "C:\WINDOWS\system32\linanotu.dll",s

O4 - HKLM\..\Run: [50aed634] rundll32.exe "C:\WINDOWS\system32\rovoyato.dll",b

O4 - HKLM\..\Run: [CPM539de5a8] Rundll32.exe "c:\windows\system32\mejiyolo.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [depuzefawu] Rundll32.exe "C:\WINDOWS\system32\linanotu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [depuzefawu] Rundll32.exe "C:\WINDOWS\system32\linanotu.dll",s (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1DE617C9-D471-4784-9E83-7E4A4001185E}: NameServer = 10.1.1.2

O20 - AppInit_DLLs: C:\WINDOWS\system32\bujusufe.dll dlficv.dll c:\windows\system32\mejiyolo.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mejiyolo.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\mejiyolo.dll

O23 - Service: afisicx - Unknown owner - C:\WINDOWS\system32\afisicx.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: mabidwe  Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe

O23 - Service: Devices Management Service (mschcosd) - Unknown owner - C:\WINDOWS\system32\mschco.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe

O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe

O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: soxpeca  Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: tdydowkc  Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe

O23 - Service: wsldoekd  Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)

 

--

End of file - 10349 bytes



ANSWER: Hi Jim

I wish that I could help you with the latter question, but I lack the forensic tools and government backing.  But I can help you get rid of the infection.
Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.  You should now press the number 1 key and then press the enter key to continue.  ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.  Copy that log into a follow-up to me, along with a new HJT log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,

ComboFix gave me a message that it wouldn't run right with Norton Anti-Virus running. I used Process Explorer to kill all processes described as Symantic Norton (I didn't look in svchost.exe to see if they contained any threads) - then I clicked OK for AutoScan to run. AutoScan displayed messages saying: The sacn might take 10 minutes or more; that it changed my clock and would change it back when done; that it completed stage_1 thru 10; that it was deleting files in C:\WINDOWS\system32\tmp0_ and listed about one hundered files, the last one being 851741209291.bk - then it appears to have gotten into a loop. I say because it ran all night with no change: about every 5 seconds there is disk access and mouse/screen worked fine to end the program with an "End Now" termination, after which I had a plain blue screen with cursor that moved, and the disk access continued but the machine would not respond to any function key, to ctl-alt-del, or to the power on/off switch - I pulled the electric plug, after which I reconnected power and restarted the computer - apparantly normally.

Jim

Answer
Hi Jim

ComboFix should take no longer than 20 minutes to run.  Try running it once again, this time in Safe Mode.  Upon powering up the computer, keep tapping the F8 key until a menu appears.  Choose to boot Windows into Safe Mode, then log on as usual.  Now try running the ComboFix scan.

Brian