
peerbot trojan horse....

Discussion in 'Malware and Virus Removal Archive' started by Hill, 2006/10/10.

  1. 2006/10/10
    Hill

    Hey all.

    Just happened to do a spyware scan with Spy Sweeper and it found peerbot. I believe it was under a registry entry.... I'll need to get the event log over on my wife's account when I am done.

    Details: Win XP Pro with up-to-date SPs. I run PC-cillin, Spy Sweeper, and free ZoneAlarm. About once a week I also run Ad-Aware SE and Spybot S&D. No IMs, PSP, although my son downloaded some iTunes songs about 4-5 months ago. None since.

    From the Spy Sweeper website
    http://research.spysweeper.com/search.php?serialnumber=9jgkxzgs&lang=en&loc=USA&category=Trojan%20Horse&rc=1
    It looks very serious. Spy Sweeper identified it as "peerbot", but if you do a search on Google there are other variants, i.e. peerbot.b, which aren't too serious according to http://secunia.com/virus_information/30516/peerbot.b/

    On the Spy Sweeper site it doesn't identify when it was first reported, but the other variants were reported in July 06.
    So, I am a little confused. Is this a new trojan horse or an old one? Has all my protection let me down? Trend Micro has no mention of it.

    Okkk, sorry for rambling... Of course I am leaving for 10 days in the morning.
    Questions:
    1. Can anyone find out if this is a new or old variant? (Maybe the event log will tell us more.)
    2. Should I contact my banks and change all important info?

    Let me get that log......

    Here's the Spy Sweeper log.

    8:50 PM: Removal process completed. Elapsed time 00:00:01
    8:50 PM: Quarantining All Traces: peerbot
    8:50 PM: Removal process initiated
    8:46 PM: Traces Found: 1
    8:46 PM: Full Sweep has completed. Elapsed time 00:04:46
    8:46 PM: File Sweep Complete, Elapsed Time: 00:01:03
    8:46 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || NeroCheck (ID = 0)
    8:46 PM: Found Trojan Horse: peerbot
    8:45 PM: Starting File Sweep
    8:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    8:45 PM: Starting Cookie Sweep
    8:45 PM: Registry Sweep Complete, Elapsed Time:00:00:19
    8:45 PM: Starting Registry Sweep
    8:45 PM: Memory Sweep Complete, Elapsed Time: 00:03:18
    8:41 PM: Starting Memory Sweep
    8:41 PM: Sweep initiated using definitions version 778
    8:41 PM: Spy Sweeper 5.0.7.1608 started
    8:41 PM: | Start of Session, Tuesday, October 10, 2006

    Should I run HJT?
    Thanks a bunch
    Heath
    ps: A while back I had posted here about being identified as a spammer. Could it have been peerbot?

    Ran HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:18:16 PM, on 10/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Trend Micro\Antivirus\Tmntsrv.exe
    E:\Trend Micro\Antivirus\tmproxy.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    e:\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    E:\Trend Micro\Antivirus\PCClient.exe
    E:\Trend Micro\Antivirus\TMOAgent.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\KMaestro\KMaestro.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    E:\Webroot\Spy Sweeper\SpySweeperUI.exe
    E:\Trend Micro\Antivirus\pccguide.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\system32\devldr32.exe
    e:\Webroot\Spy Sweeper\SSU.EXE
    F:\Heath\hijack this\HijackThis.exe

    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://e%3A%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Heath\Application Data\Mozilla\Profiles\default\rt8tnxgg.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "E:\Trend Micro\Antivirus\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [USRpdA] "C:\WINDOWS\SYSTEM32\USRmlnkA.exe" RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SpySweeper] "E:\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Trend Micro\Antivirus\pccguide.exe "
    O4 - Startup: StickIt Launcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A1AE6E1E-DC99-4D8A-B8D0-B00C51E9BCC0}: NameServer = 198.59.109.7 206.165.6.11
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - E:\Adobe Suite\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - e:\Webroot\Spy Sweeper\SpySweeper.exe
    Last edited: 2006/10/11
  2. 2006/10/11
    TeMerc

    Hi and welcome back

    I notice that SS does not identify any file, nor remove any file, just the reg entry, which looks to be perhaps part of Nero. So I'm 99.9% sure that's a false positive related to the Nero Driver Monitor:
    http://www.liutilities.com/products/wintaskspro/processlibrary/nerocheck/

    Do you have any Nero software on your system?

    The log looks fine, btw.
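    One way to make the check in this reply mechanical (the scanner named a registry Run value but no file) is to parse the sweep log and separate registry traces from file traces. This is an added example, not code from the thread or from Webroot; the sample log is constructed from the log posted above, and the shape assumed for a file trace (a drive-letter path followed by an ID) is an assumption.

```python
import re

# Constructed sample modelled on the Spy Sweeper 5.x log posted in the thread
# (newest line first, as the product writes it).
SAMPLE_LOG = r"""
8:50 PM: Quarantining All Traces: peerbot
8:46 PM: Traces Found: 1
8:46 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || NeroCheck (ID = 0)
8:46 PM: Found Trojan Horse: peerbot
8:45 PM: Starting File Sweep
8:45 PM: Starting Registry Sweep
8:41 PM: Sweep initiated using definitions version 778
"""

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")
FOUND_RE = re.compile(r"^Found (?P<kind>.+?): (?P<name>.+)$")
# Registry trace: hive\key || value name (ID = n), as in the posted log.
REG_TRACE_RE = re.compile(r"^(HK(?:LM|CU|CR|U|CC))\\(.+?) \|\| (.+?) \(ID = \d+\)$")
# File trace: ASSUMED to be a drive-letter path followed by (ID = n).
FILE_TRACE_RE = re.compile(r"^([A-Za-z]:\\.+?) \(ID = \d+\)$")


def parse_sweep_log(text):
    """Return {threat name: {"kind", "registry": [(key, value)], "files": [path]}}.
    Lines are walked in chronological order so each trace line is attributed
    to the 'Found ...' line that precedes it."""
    detections, current = {}, None
    for raw in reversed(text.strip().splitlines()):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        found = FOUND_RE.match(body)
        if found:
            current = found.group("name")
            detections[current] = {"kind": found.group("kind"), "registry": [], "files": []}
            continue
        if current is None:
            continue
        reg = REG_TRACE_RE.match(body)
        if reg:
            detections[current]["registry"].append((reg.group(1) + "\\" + reg.group(2), reg.group(3)))
            continue
        fil = FILE_TRACE_RE.match(body)
        if fil:
            detections[current]["files"].append(fil.group(1))
    return detections


def triage(detections):
    """Label each detection by the evidence behind it: a Run value with no file
    trace deserves a look at what the value launches before quarantining it."""
    return {name: ("file-backed" if d["files"] else
                   "registry-only" if d["registry"] else "no-traces")
            for name, d in detections.items()}


if __name__ == "__main__":
    found = parse_sweep_log(SAMPLE_LOG)
    for name, verdict in triage(found).items():
        print(f"{name}: {verdict} {found[name]}")
```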

  4. 2006/10/11
    Hill

    Hi
    I do have Nero Burning Rom installed.
    I hope you're correct.

    Before bed, I went through all file downloads since July and scanned them with both SS and PC-cillin and nothing came back, in all user accounts. Should I post my wife's account log file? I am leaving in 3 hrs... maybe I should.

    O17 entry looks ok in the above HJT log?

    Thanks Heath
    Last edited: 2006/10/11
  5. 2006/10/11
    Hill

    wife's account HJT log..

    Logfile of HijackThis v1.99.1
    Scan saved at 6:29:49 AM, on 10/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Trend Micro\Antivirus\Tmntsrv.exe
    E:\Trend Micro\Antivirus\tmproxy.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    e:\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    e:\Webroot\Spy Sweeper\SSU.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    E:\Trend Micro\Antivirus\PCClient.exe
    E:\Trend Micro\Antivirus\TMOAgent.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\KMaestro\KMaestro.exe
    E:\Webroot\Spy Sweeper\SpySweeperUI.exe
    E:\Trend Micro\Antivirus\pccguide.exe
    E:\Acrobat 7.0\Reader\reader_sl.exe
    F:\Heath\hijack this\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "E:\Trend Micro\Antivirus\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [USRpdA] "C:\WINDOWS\SYSTEM32\USRmlnkA.exe" RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SpySweeper] "E:\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Trend Micro\Antivirus\pccguide.exe "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - E:\Adobe Suite\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - e:\Webroot\Spy Sweeper\SpySweeper.exe


    Thanks a bunch. Hopefully it's a false positive. Was not looking forward to contacting my banks and changing everything.

    Heath
  6. 2006/10/11
    Hill

    Son's account HJT log...

    For peace of mind here's my son's log file

    Logfile of HijackThis v1.99.1
    Scan saved at 6:42:38 AM, on 10/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    E:\Trend Micro\Antivirus\PCClient.exe
    E:\Trend Micro\Antivirus\TMOAgent.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\KMaestro\KMaestro.exe
    E:\Webroot\Spy Sweeper\SpySweeperUI.exe
    E:\Trend Micro\Antivirus\pccguide.exe
    E:\Acrobat 7.0\Reader\reader_sl.exe
    F:\Heath\hijack this\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [PCClient.exe] "E:\Trend Micro\Antivirus\PCClient.exe "
    O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [USRpdA] "C:\WINDOWS\SYSTEM32\USRmlnkA.exe" RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [SpySweeper] "E:\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "E:\Trend Micro\Antivirus\pccguide.exe "
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - E:\Adobe Suite\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - E:\iPod\bin\iPodService.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Trend Micro\Antivirus\tmproxy.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - e:\Webroot\Spy Sweeper\SpySweeper.exe

    Again Thanks
    Heath
  7. 2006/10/11
    TeMerc

    Not seeing anything in those logs.

    That O17 entry is ok.
  8. 2006/10/11
    Hill

    Thanks TeMerc. Been stressing all night.
    Time to head to DC.
    If any other info passes your way let me know, I'll be checking in while in DC.

    Thanks
    Heath
