STMPDRV.sys Trojan Causing mass mailer to operate

Ok, as Oldman requested, here's a new post.

This is what I was getting.

Every reboot or second reboot I got a virus detected when I went online.
Avast showed:

Sign of “Win32:Agent-LNK[Wrm]” has been found in C:\windows\system32\drivers\smtpdrv.sys

Avast would delete the file and it would come back on a reboot.

However, even though the file had been deleted, I noticed the Avast mail scanner going loopy, and further investigation revealed it was scanning tons of outbound emails… I WAS A SPAMMER!!!

The file actually accessing the network was SVCHOST.EXE; however, this was clean. Scanned multiple times with different providers.

ZoneAlarm already had svchost as a clean file (hadn't been changed) and so the mail was getting out of the system.

If I totally locked down SVCHOST.exe, I couldn't get a DHCP lease. (Don't ya just hate the same program being used for EVERYTHING?)

So, I tried various different tacks, eventually putting svchost on an “ask” setting with ZoneAlarm.

Then I found your colleague's thread about “WAR INSIDE MY PC” and used a similar tack to try and lock down what was happening.

ComboFix looks like it's cured it, as it hasn't flagged a smtpdrv.sys trojan and it's been rebooted several times since.

I'll try posting the ComboFix log in the next reply.

ComboFix 08-01-15.1 - chris 2008-01-14 21:33:18.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.609 [GMT 0:00]
Running from: C:\Documents and Settings\chris\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\drivers\Cin06.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CIN06
-------\Cin06
-------\nm
-------\runtime
-------\smtpdrv

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-14 21:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 20:51 . 2008-01-14 20:51 d-------- C:\winpfind3u
2008-01-14 20:49 . 2008-01-14 20:50 404,656 --a------ C:\winpfind3u.exe
2008-01-13 15:59 . 2008-01-13 15:59 2,211,328 --a------ C:\s300xp152usZ.exe
2008-01-13 15:58 . 2008-01-13 18:05 71,120,818 --a------ C:\valentinegift-large.wmv
2008-01-13 15:30 . 2002-01-17 11:48 36,864 --a------ C:\WINDOWS\system32\CNMCP38.EXE
2008-01-13 15:30 . 2002-02-12 14:00 5,632 --a------ C:\WINDOWS\system32\CNMVS38.DLL
2008-01-13 15:29 . 2008-01-13 15:29 d-------- C:\bjdrv
2008-01-13 15:27 . 2008-01-13 15:27 4,673,536 --a------ C:\b2515enx.exe
2008-01-13 08:11 . 2008-01-13 08:11 528 -r-hs---- C:\WINDOWS\PCGWIN32.LI4
2008-01-09 21:21 . 2008-01-09 21:21 d-------- C:\Documents and Settings\All Users\Application Data\Alfac
2008-01-09 21:16 . 2008-01-09 21:16 d-------- C:\Program Files\DAEMON Tools Lite
2008-01-09 21:16 . 2008-01-09 21:16 d-------- C:\Documents and Settings\chris\Application Data\DAEMON Tools
2008-01-09 20:17 . 2008-01-09 20:17 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-09 20:15 . 2008-01-09 20:16 3,573,192 --a------ C:\daemon4112-lite.exe
2008-01-09 19:45 . 2008-01-09 19:45 d-------- C:\BusinessCard
2008-01-09 19:44 . 2008-01-09 19:44 d-------- C:\Brittney
2008-01-07 10:51 . 2008-01-07 10:52 4,824,224 --a------ C:\visbuscards.exe
2007-12-30 15:41 . 2007-12-30 15:42 3,916,992 --a------ C:\MG Rover Parts & Accessories.pdf
2007-12-29 23:05 . 2007-12-29 23:05 d-------- C:\Program Files\Windows Defender
2007-12-29 23:04 . 2007-12-29 23:04 5,154,304 --a------ C:\WindowsDefender.msi
2007-12-29 22:50 . 2007-07-09 13:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-29 22:43 . 2007-12-29 22:43 401,720 --a------ C:\HiJackThis.exe
2007-12-29 20:36 . 2004-08-04 00:56 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2007-12-29 20:36 . 2004-08-04 00:56 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2007-12-29 20:34 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\000001_.tmp
2007-12-29 19:28 . 2006-07-20 10:56 278,927,592 --a------ C:\WindowsXP-KB835935-SP2-ENU.exe
2007-12-29 16:26 . 2007-12-29 18:36 d-------- C:\Documents and Settings\chris\.housecall6.6
2007-12-29 09:56 . 2008-01-14 21:26 27,904 --a------ C:\WINDOWS\Cin06.sys
2007-12-20 22:04 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-17 21:16 . 2007-12-17 21:16 d-------- C:\WINDOWS\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 21:42 --------- d-----w C:\Program Files\LogMeIn
2008-01-15 21:42 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2008-01-15 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2008-01-14 20:50 --------- d-----w C:\Documents and Settings\chris\Application Data\Azureus
2008-01-11 22:13 1,359,872 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-05 20:36 --------- d-----w C:\Documents and Settings\chris\Application Data\VMware
2007-12-28 14:26 --------- d-----w C:\Program Files\Azureus
2007-12-11 20:01 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-06 13:30 19,755,376 ----a-w C:\aaw2007.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-10 06:37 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-10 06:37 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 16:21 1449984]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~4\wcescomm.exe" [2005-11-15 18:44 1200128]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 13:54 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44 126976]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 11:34 69632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2006-06-15 12:36 229376]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [2007-05-01 21:46 56112]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-21 19:42:22]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56]
WlanUtility.lnk - C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe [2006-04-19 09:56:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-21 17:23 87352 C:\WINDOWS\system32\LMIinit.dll

R2 BrekekeSIP;Brekeke SIP Server;"C:\Program Files\Brekeke\proxy\bin\tomcat5.exe" [2006-08-15 15:21]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R3 iKeyEnum;Rainbow iKey Enumerator;C:\WINDOWS\system32\DRIVERS\ikeyenum.sys [2003-07-31 10:42]
R3 iKeyIFD;Rainbow iKey Virtual Reader;C:\WINDOWS\system32\DRIVERS\ikeyifd.sys [2003-07-31 10:41]
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2005-07-12 00:00]
R3 radpms;Driver for RADPMS Device;C:\WINDOWS\system32\DRIVERS\radpms.sys [2007-04-17 13:00]
R3 vmkbd;VMware kbd;C:\WINDOWS\system32\drivers\VMkbd.sys [2007-05-01 21:46]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]
S3 RnbToken;Rainbow iKey Token Service;C:\WINDOWS\system32\DRIVERS\rnbtoken.sys [2003-07-31 10:41]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-15 21:42:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 21:51:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-15 21:54:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 21:53:56
.
2007-09-12 20:42:21 --- E O F ---

Ok, have added the “C:\windows\cin06.sys” file to my Avast chest, as this is a different path from the one that was running, but I figure it's better to be safe than sorry.

Had to remove some of the folders from the ComboFix log, did the ones I thought were safe (known changes etc.).
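As an added example (not from this thread or from ComboFix), here is a small Python triage helper that parses lines in the "Files Created" format of the log above and flags two cues worth a closer look: a .sys driver sitting outside system32\drivers (as C:\WINDOWS\Cin06.sys does) and a file whose creation time is far newer than its last-modified time, meaning it was copied in with an old timestamp. The cue names and the 365-day threshold are my own choices, and the sample lines are copied from the log above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: "Files Created" lines copied from the ComboFix log in this thread
# (created . modified [size] attributes path).
SAMPLE = r"""
2008-01-09 20:17 . 2008-01-09 20:17 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-29 20:36 . 2004-08-04 00:56 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2007-12-29 20:36 . 2004-08-04 00:56 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2007-12-29 09:56 . 2008-01-14 21:26 27,904 --a------ C:\WINDOWS\Cin06.sys
2007-12-20 22:04 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-12-17 21:16 . 2007-12-17 21:16 d-------- C:\WINDOWS\system32\NtmsData
"""

# date time . date time [size] 9-char attribute field, then the path (may contain spaces)
LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (?:([\d,]+) )?([-a-z]{9}) (.+)$")
TS = "%Y-%m-%d %H:%M"


def parse_files_created(text):
    """Parse ComboFix 'Files Created' lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        records.append({"path": path, "is_dir": attrs.startswith("d"),
                        "size": int(size.replace(",", "")) if size else None,
                        "created": datetime.strptime(created, TS),
                        "modified": datetime.strptime(modified, TS)})
    return records


def triage(records, max_backdate=timedelta(days=365)):
    """Return {path: [cues]}. These are cues for a human to check, not verdicts:
    installers also drop back-dated files, and some legitimate drivers live elsewhere."""
    cues = {}
    for r in records:
        if r["is_dir"]:
            continue
        found = []
        low = r["path"].lower()
        # Kernel driver outside the usual driver directory, e.g. C:\WINDOWS\Cin06.sys
        if low.endswith(".sys") and "\\system32\\drivers\\" not in low:
            found.append("sys outside system32\\drivers")
        # Created long after it was last modified: copied in carrying an old mtime
        if r["created"] - r["modified"] > max_backdate:
            found.append("mtime predates ctime by >365 days")
        if found:
            cues[r["path"]] = found
    return cues
```

Run it as `triage(parse_files_created(SAMPLE))` to get the four flagged files from the sample; point `parse_files_created` at a full ComboFix log to triage the whole "Files Created" section.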

I’m not sure what you meant.

We can have a look in this folder, C:\bjdrv, if you create and run this script. Unless, of course, you created this folder.

Open a new Notepad and copy and paste the following into it:

@echo off
rem write a listing of the folder to look.txt, then open the listing
dir "C:\bjdrv" >> look.txt
start look.txt

Click File, Save As. Set it to save to the desktop, name it look.bat, set the file type as All Files and click OK. You should have a file on your desktop with the icon shown at the bottom of this post.

Double click it, a Notepad window will appear; save it to your desktop so you can attach it to your next reply.

This file can go:

C:\WINDOWS\000001_.tmp

C:\windows\cin06.sys could be a copy of the other one. You should create a folder on your desktop, called infected, bad, anything you want. Then open the chest, click the user section button, right click the file and select extract. Set the destination to the folder you created. Submit that file to www.virustotal.com.

Please note, moving a file to the chest does not remove the file from its original location.

I had to remove some lines from the ComboFix log as it was too large to fit on the thread - that's all.

I took out directories that I had created and files that I was aware of, left as much as I could.

The “C:\bjdrv” is one of mine; I downloaded new drivers for my s300 printer and this folder contains the downloaded file.

Sorry, still a DOS man at heart, keep saving things off root and using 8.3 format… my hangup!

I’ll get shot of the tmp file.

I assume if I put a filename into the chest, avast will flag if this is accessed?

I'll move the c:\windows\cin06.sys into a folder and try www.virustotal.com.

I like the batch file, am I right in assuming it gets a file listing without Windows trying excessive access commands on the contents of the folder… sneaky.

Any particular reason I should put the folder on the desktop? It's just that my desktop is a tad cluttered!

Thanks for your help on this.

Chris

Submitted to VirusTotal: results here.

File has already been analysed:

MD5: 1f1c533ecb63e5f547019476b086855d
Date: 01.13.2008 20:40:26 (CET) [>3D]
Results: 21/32
Permalink: analisis/511aa92924f3679b94a58188b7f96c69

looks like I was only a couple of days late!

Putting the folder on the desktop is just an easy way to find it; it's visible in case you forget the name, sight recognition might kick in. :wink:

When you add to the chest, you are placing an actual copy of the file in the chest. The original remains where you found it. Avast will only warn you if the original is indeed infected.

I just viewed the results. If the original still exists at C:\windows, please get rid of it, and the copy that you submitted. The one in the chest is safe, it can't be accessed from outside the chest.

Send the one in the chest to avast. You can send it directly from the chest, no need to password protect it. Just right click the file, select mail to.

Anything that helps me remember where I put things is beneficial ;D

Thanks oldman.

File in c:\windows was still there, now deleted.

The one in chest sent to avast via email feature.

Have performed a boot time scan, no problems found… so far.

Good! Lots of users don't realize moving a file to the chest (not a detected file) doesn't remove the file from the original location.

Everything else looked good. ;D

Cool

Yipppeee, looks like I'm virus free… time for a system backup, me thinks!

Thanks for your help Oldman.

You’re welcome. Don’t forget to make a new system restore point and turf the old ones. :wink: