something trying to allow _qbotnti.exe hijack this logfile attached

[rockstar_not]

I've had some strange things occur this week.

I have a lenovo thinkpad - had it for about a year.

From the day that I received the computer, it's been running Windows Defender, All windows XP updates, and Avast home on updates, scanning everything, as far as I am aware.

Avast is warning, right after logging in, that something is trying to get to a file on a website that has Win32:Agent_SXR[wrm].  It offers to abort the connection, which I do, but pretty persistently, the thing that's on this laptop will try to access that file again, several times, and then it seems to quit.

Also, windows sometimes does Data Execution Protection shutting down Windows Explorer.

I did a thorough scan with avast and found no viruses.

In a similar thread, I saw advice to run Hijack This and post a log file.  It's posted here.  Can anyone see what might be the suspect item in the logfile or give me recommended further action to take?

[DavidR]

What is your firewall ?
As you don't appear to have an active firewall it should be capable of blocking unauthorised outbound Internet Connections. That should also be able to stop it getting out to that page (hopefully).

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode. This is good as an anti-spyware clean-up before running the likes of combofix (if needed).

SUPERantispyware On-Demand only in free version.

Ensure you have the latest version of JRE (JAVA Runtime Environment), yours is out of date, older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.
Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp
Or JRE version 6 update 5 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

Suspect:
C:\documents and settings\all users\_qbothome\_qbotinj.exe
O4 - HKLM\..\Run: [IBM Warranty Notification] "c:\documents and settings\all users\_qbothome\_qbotinj.exe" "c:\documents and settings\all users\_qbothome\_qbot.dll" /c "c:\program files\ibm\acp\erts0749\erts0749.exe /nointro"

I see this may be trying to masquerade as a Legit IBM Warranty Notification but there many hits on google relating to this being malware. Upload the referenced files in the above entries to VirusTotal, see below, for analysis.

Also See - http://spywarefiles.prevx.com/RRFBGJ29452751/_QBOTINJ.EXE.html and http://www.wilderssecurity.com/showthread.php?t=156461

Suspect:
O21 - SSODL: Srvucbit - {97D331BA-41A8-4704-867F-BE3B2DC272BE} - C:\WINDOWS\system32\dxotms.dll

There are no hits on a google search for this file name, which in itself is suspisious, upload to virustotal with the others and report results.

####
- Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.
####

That is all that I can see which are obvious.

[rockstar_not]

David,

First of all, I'm using the firewall that's part of XP Professional.  I just checked and it reports that it is turned on.  I had heard that the XP firewall was just as good as something like ZoneAlarm so I never bothered installing anything else.

The fact that I think I'm running the XP firewall - and this reports that it's not turned on, that's probably an issue in and of itself, correct?

[oldman]

Hi, welcome to the forum.  There a couple of nasties, we'll see if we can root them out.

DavidR's comment about the firewall is right on. Windows firewall does not monitor/block outbound traffic.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
  
  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
  
• When finished, it will produce a report for you. 
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

[DavidR]

<snip>
The fact that I think I'm running the XP firewall - and this reports that it's not turned on, that's probably an issue in and of itself, correct?

There are a number of viruses/malware that a) try to disable your AV, avast 4.8 is much less prone to that, b) try to turn off your firewall.

I will leave you in the capable hands of oldman for the SDFix and combofix analysis, he is much more familiar with this than I.

So when you have a brief respite in the battle a third party firewall is a must. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

- There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes In the Program Control, configuration area, the slider will only goes as far as Medium protection, if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

[rockstar_not]

Well,

I've made some progress - I downloaded, updated and ran the superantispyware in safe mode and it did flag the qbot files as malicious and quarantined them.

Also found 236 adware files and quarantined those.

Next login to XP and access to internet did not flag the attempt to go download the worm virus.

Should I still upload the quarantined files to the site you recommended?

I'll have a look at 3rd party firewalls now.

Also, regarding oldman's recommendations - do those (SDfix and combofix) now need to be done as well or should I leave well enough alone?

Thanks for the help.

Finally, what about windows defender - is it useful or not?  I'm running that, but there is something that periodically will stop the process from running.  I'm suspicious it was this malware qbot thing.

[oldman]

How's your system running. SAS may very well of gotten it.

[DavidR]

If they are in the SAS quarantine, I don't know if you will be able to upload (you migh have to copy them to a temporary location), though you could try.

The main reason for doing that is that if avast doesn't detect it the sample would eventually be sent to them. But sending direct to avast may circumvent that delay.

[oldman]

I don't know how you would get them out of quaratine. Only 2 choices, remove and restore. The quaratine folder itself is encrypted.

I suppose back to the original location, but I won't want to do that.

This part of the 04 entry is legitamate as is the entry name

c:\program files\ibm\acp\erts0749\erts0749.exe

It's part of IBM's warrenty notification.

The rest is malware.

[DavidR]

I wouldn't want to put malware back in its original location, suicide.

Now that is something I haven't seen before, piggy backing on to a legit entry, as HJT doesn't have a means of editing the entry just fixing the whole entry. So the user would have to manually edit the registry key ?

[oldman]

Exactly my thoughts on replacing the file. 

Now you got me thinking. Looking at the HJT line, it appears both files are set to run from the same key. The removal tool, SAS in this case, may remove that value from the key. I know some tools will, the key is gone from HJT, rather than badfile.exe (file missing).

But if that doesn't happen, I'd think you are correct a manul edit or a reg fix would be needed. I would also think a file missing error should be generated if the key can't find the file.

[oldman]

@rockstar_not

Do you mind posting another HJT log. We got caught up in the one file so much, I forgot about the other possible infection I was concerned about.

Thanks

[rockstar_not]

When I am back on that machine, I will run HJT again and post.

That machine appears to work without making the request to the website with the worm virus. (I'm not putting the website address here so that nobody mistakenly goes there).

Any ideas on what process may defeat Windows Defender from launching on startup?  I think SAS may have cured that as well, but I am not sure.

[rockstar_not]

Here is the latest hjt log file.  Windows Defender would not run on startup with this configuration.

[oldman]

Hi
I don't know why Windows defender won't run, but I do believe there is still something there. Please go ahead with SDFix and combofix.