Other > Viruses and worms

something trying to allow _qbotnti.exe hijack this logfile attached

(1/4) > >>

rockstar_not:
I've had some strange things occur this week.

I have a lenovo thinkpad - had it for about a year.

From the day that I received the computer, it's been running Windows Defender, All windows XP updates, and Avast home on updates, scanning everything, as far as I am aware.

Avast is warning, right after logging in, that something is trying to get to a file on a website that has Win32:Agent_SXR[wrm].  It offers to abort the connection, which I do, but pretty persistently, the thing that's on this laptop will try to access that file again, several times, and then it seems to quit.

Also, windows sometimes does Data Execution Protection shutting down Windows Explorer.

I did a thorough scan with avast and found no viruses.

In a similar thread, I saw advice to run Hijack This and post a log file.  It's posted here.  Can anyone see what might be the suspect item in the logfile or give me recommended further action to take?

DavidR:
What is your firewall ?
As you don't appear to have an active firewall it should be capable of blocking unauthorised outbound Internet Connections. That should also be able to stop it getting out to that page (hopefully).

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode. This is good as an anti-spyware clean-up before running the likes of combofix (if needed).

SUPERantispyware On-Demand only in free version.

Ensure you have the latest version of JRE (JAVA Runtime Environment), yours is out of date, older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 5 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Suspect:
C:\documents and settings\all users\_qbothome\_qbotinj.exe
O4 - HKLM\..\Run: [IBM Warranty Notification] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c "c:\program files\ibm\acp\erts0749\erts0749.exe /nointro"

I see this may be trying to masquerade as a Legit IBM Warranty Notification but there many hits on google relating to this being malware. Upload the referenced files in the above entries to VirusTotal, see below, for analysis.

Also See - http://spywarefiles.prevx.com/RRFBGJ29452751/_QBOTINJ.EXE.html and http://www.wilderssecurity.com/showthread.php?t=156461

Suspect:
O21 - SSODL: Srvucbit - {97D331BA-41A8-4704-867F-BE3B2DC272BE} - C:\WINDOWS\system32\dxotms.dll

There are no hits on a google search for this file name, which in itself is suspisious, upload to virustotal with the others and report results.

####
- Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
####

That is all that I can see which are obvious.

rockstar_not:
David,

First of all, I'm using the firewall that's part of XP Professional.  I just checked and it reports that it is turned on.  I had heard that the XP firewall was just as good as something like ZoneAlarm so I never bothered installing anything else.

The fact that I think I'm running the XP firewall - and this reports that it's not turned on, that's probably an issue in and of itself, correct?

oldman:
Hi, welcome to the forum.  There a couple of nasties, we'll see if we can root them out.

DavidR's comment about the firewall is right on. Windows firewall does not monitor/block outbound traffic.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
-----------------------------------------------------------[/list]
[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
[/list]
-----------------------------------------------------------[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you. 
[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
[/list]
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

DavidR:

--- Quote from: rockstar_not on April 06, 2008, 08:26:59 PM ---<snip>
The fact that I think I'm running the XP firewall - and this reports that it's not turned on, that's probably an issue in and of itself, correct?

--- End quote ---

There are a number of viruses/malware that a) try to disable your AV, avast 4.8 is much less prone to that, b) try to turn off your firewall.

I will leave you in the capable hands of oldman for the SDFix and combofix analysis, he is much more familiar with this than I.

So when you have a brief respite in the battle a third party firewall is a must. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes In the Program Control, configuration area, the slider will only goes as far as Medium protection, if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

Navigation

[0] Message Index

[#] Next page

Go to full version