
Trojan.Proxy.Horst.KM HijackThis Log

Discussion in 'Malware and Virus Removal Archive' started by mtaffer, 2006/10/26.

  1. 2006/10/26
    mtaffer (Well-Known Member, Thread Starter)

    Hi again,

    We have a virus that is randomly popping up on company machines. It is placing "setup.exe" in random places on hard drives, and BitDefender catches it and blocks it. We are trying to track the source of this, but it is elusive. Doing a Google search on the trojan is not helping, and we keep getting hit with Vlghra spam messages. I am just trying to figure out how to clean one machine, and maybe by process of elimination figure out where the culprit is. Anyway, here is the HijackThis log from a machine that just became infected...

    Logfile of HijackThis v1.99.1
    Scan saved at 2:21:28 PM, on 10/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe
    C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
    C:\program files\softwin\bitdefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Firstwave CRM\32-bit\ccare.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender8\vsserv.exe
    c:\program files\softwin\bitdefender8\bdmcon.exe
    C:\Documents and Settings\marks\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mcleodsoftware.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender8\bdoesrv.exe "
    O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe "
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\MS Office 2k\Office\OSA9.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
    O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tmscorp.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: BitDefender Local Manager (BDLM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Local Manager\bdlm.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: BitDefender Enterprise Update Service (LIVESRV_EM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Enterprise Update Service\livesrv_em.exe" /service (file missing)
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender8\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

    The path of this particular setup.exe is c:/amark/setup.exe

    Thank you in advance...we normally keep our machines clean, but somehow this stuff got through.

    Thanks,
    mtaffer
     
  2. 2006/10/26
    TeMerc (Inactive Alumni)

    Hi and welcome to WindowsBBS.

    I'm afraid there is nothing showing on your system via the log.

    I would start with whichever machine is the gateway/server for the others. This is likely where the threat originated/entered the network. Have you tried any online scans at all? Where does BitDefender say the virus is located, and what does it name it?

    Here are a couple of links for online scans which you can try.

    Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.

    Then:
    Trend Micro™ HouseCall
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
    • You may receive a Security Warning about the TrendMicro Java applet, click YES.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
     


  4. 2006/10/27
    mtaffer (Well-Known Member, Thread Starter)

    followup

    We took an isolated machine and ran the setup.exe file. It installed what Sophos calls Troj/Polbot-D. I have been searching our servers for nvsvcd.exe and smss.exe. So far I have come up with nothing. The description for this trojan does not mention that it replicates itself across the network though. My only thought is that there is a virus that is distributing this virus across the network, and mainly through shares.

    It appears that BitDefender is keeping people from opening these files, but I have found the nvsvcd.exe on a few PCs. Do you know of any virus that spreads this one? It seems that I'm not really looking for the Troj/Polbot-D, but its distributor?

    Thanks,
    mtaffer
     
  5. 2006/11/03
    denny (Inactive)

    Horst Win32 AV-Proxy

    Our company was recently hit with the same bug, and it appears that we have successfully removed it. Its mode of transportation is unknown to us, but I suspect that it was part of a hack of shared directories on a Linux server we have.

    NATURE: Infestation with (Numeral)enjis.M.exe. This executable was prolific and difficult to remove. It was part of an auto-installer program found on our shares ("setup.exe" and "autorun.ini"). Every user infected showed the following infestation:

    c:\documents and settings\user profile\local settings\temp\
    *enjis.m.exe
    domain.txt
    names.txt

    c:\windows\temp\
    *.enjis.m.exe

    We found that smss.exe was an affected process, as well as nvsvcd.exe.

    PURPOSE: We believe that this Trojan was made to create mass mailings of V1agra emails. Info available on the web showed that this Trojan also compromises security.

    REMEDY:
    1. Identify by process information those machines affected. Infected files can also be found in the users' temp files in Documents and Settings.

    2. Disconnect the infected machine from the shares.

    3. Delete the following files:
    delete all contents of c:\documents and settings\user profile\local settings\temp

    and

    delete all contents of c:\windows\temp

    4. Delete smss.exe and nvsvcd.exe. Note: smss.exe is a process that is used by Windows; it will affect your automatic updates. When you enable automatic updates after the deletion, Windows will recreate the file.

    5. Use a registry cleaner such as RegSeeker and enable the search for old exes.

    6. Use a good AV such as Avast (the home edition is free): http://www.avast.com/eng/download-avast-home.html
    The boot scanner will find any bugs prior to startup.

    7. Remember to check the users' home folders on the server for infestation by setup.exe; if present, right-click, scan, and delete if infected.

    8. Clean the server of all occurrences of setup.exe and autorun.ini; you can verify the file by the mod date.

    Good luck; hope this has been of service.

    Denny
     
  6. 2006/11/03
    mtaffer (Well-Known Member, Thread Starter)

    thanks

    Appreciate the response :)

    We scanned all of our servers for that setup.exe file and found quite a few of them in shared directories. We deleted all we found, and aside from a few setup.exes lingering on user machines, we appear to have gotten rid of it. We isolated the setup.exe and ran it so we could identify it. The easiest way to find it is that it starts a service called Windows Log. Also, if that file is run, it does place the smss and nvsvcd files in system and system32. Luckily, we haven't had many people run it. Out of about 175 machines, we have only found it on 2.

    I will search for the other file that you mentioned though. Thanks for the info.

    mtaffer
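The indicators denny's remedy steps walk through (temp-folder droppings, smss.exe/nvsvcd.exe, setup.exe beside autorun.ini on shares) and the "Windows Log" service mtaffer mentions, gathered into one read-only PowerShell hunt script. This is an added example, not code from anyone in the thread; the `\\FILESERVER\users` share root is a placeholder, and it assumes PowerShell 4 or later run from an elevated prompt.

```powershell
# Added hunt script (not from the thread). Read-only: it reports indicators, never deletes.
# Indicators taken from the posts: a service named "Windows Log"; smss.exe/nvsvcd.exe dropped
# into %SystemRoot%\system and \system32; setup.exe beside autorun.ini on file shares;
# *enjis.m.exe, domain.txt and names.txt in user temp folders and %SystemRoot%\Temp.
param(
    [string[]]$SharePaths = @('\\FILESERVER\users')   # placeholder: replace with your share roots
)
$findings = New-Object System.Collections.Generic.List[string]
$winDir   = $env:SystemRoot

# 1. Service created when setup.exe is run (mtaffer's observation); PathName shows the binary.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='Windows Log' OR Name='Windows Log'"
foreach ($s in $svc) { $findings.Add("Service '$($s.DisplayName)' ($($s.State)) -> $($s.PathName)") }

# 2. Dropped binaries. The genuine smss.exe lives only in System32, so a copy in \system is
#    suspect, and nvsvcd.exe is not a Windows file at all. Hash each hit for later comparison.
foreach ($p in "$winDir\system\smss.exe", "$winDir\system\nvsvcd.exe", "$winDir\system32\nvsvcd.exe") {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("Dropped file: $p (SHA256 $hash)")
    }
}

# 3. Temp-folder artifacts listed in denny's post, checked for every profile on the box.
$tempRoots = @("$winDir\Temp")
$profiles  = Get-ChildItem -Path 'C:\Documents and Settings', 'C:\Users' -Directory -ErrorAction SilentlyContinue
foreach ($pr in $profiles) {
    $tempRoots += Join-Path $pr.FullName 'Local Settings\Temp'   # XP layout
    $tempRoots += Join-Path $pr.FullName 'AppData\Local\Temp'    # Vista and later
}
foreach ($t in $tempRoots) {
    if (-not (Test-Path -LiteralPath $t)) { continue }
    Get-ChildItem -LiteralPath $t -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*enjis.m.exe' -or $_.Name -in @('domain.txt', 'names.txt') } |
        ForEach-Object { $findings.Add("Temp artifact: $($_.FullName)") }
}

# 4. setup.exe with a sibling autorun.ini on the shares; the mod date helps triage, as denny notes.
foreach ($root in $SharePaths) {
    Get-ChildItem -Path $root -Recurse -Filter 'setup.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.DirectoryName 'autorun.ini') } |
        ForEach-Object { $findings.Add("Share dropper: $($_.FullName) (modified $($_.LastWriteTime))") }
}

if ($findings.Count -eq 0) { 'No Horst/Polbot-D indicators found.' } else { $findings }
```

Run it on a known-clean machine first so you can tell which hits are real; a share hit should be confirmed against the file's mod date before anything is deleted.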
     
