Behaves Like Win32.irc-backdoor

slesij
slesij
in Malware talk

Dear all,


I'm having problems for several days now with my computer. I have BitDefender internet security 2008. BitDefender reports that "memory dump" (svchost.exe) is infected with Win32.IRC-backdoor. To be more specific, it says behaves like Win32.IRC-backdoor. After the scan BitDefender reports, that system was cleaned, virus deleted. But on the next scan - it's the same story. It goes on for several days now.


Could you please advise?


Thank you!


Stas, Slovenia

Comments

  • Niels
    Niels

    Dear slesij


    svchost.exe is legitimate but there could be malware that is also running. I recommend that you download and install hijackthis. Start hijackthis and press do a system scan and save a log file. Post the output into your next reply.


    To see what modules are currently loaded in svchost please do this go


    to start,run,type cmd press enter type now :


    tasklist /svc /fi "IMAGENAME eq svchost.exe press enter That works only on windows xp professional.


    Otherwise download process explorer


    Unzip it. Double click on procexp agree the disclaimer.


    Now double click on a svchost.exe entry,click on services. Now you will see the services that are currently loaded.


    Now do this go to start,run,type regedit expand hkey_local_machine and the following folders and subfolders:


    system,currentcontrolset,services. You have to expand the folders on the left by clicking on the +-icon you will see a folder called parameter. You will now see which file is being loaded that information is written after ServiceDll.


    Best regards


    Niels

  • slesij
    slesij

    Dear Niels,


    this is the .log file you told me to save:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 15:44:02, on 23.11.2007


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16544)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe


    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe


    C:\WINDOWS\RTHDCPL.EXE


    C:\Program Files\DAEMON Tools Pro\DTProAgent.exe


    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe


    C:\WINDOWS\system32\oodag.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe


    C:\totalcmd\TOTALCMD.EXE


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll


    O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"


    O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe


    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"


    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE


    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"


    O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')


    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html


    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html


    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html


    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab


    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab


    O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab


    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe


    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 7914 bytes

  • Niels
    Niels

    Dear slesij


    I can't find anything suspecious in your log. Can you please do what I said in my previous post? I mean posting the services that are running under svchost.exe. Because in a hijackthis log we can't see which modules are currently loaded.


    Best regards


    Niels

  • slesij
    slesij

    Dear Niels,


    I did some research as you advised me. I still don't know whether this is malware or not. But it is suspicious. There is a SVCHost proces (not under services!!!!) as you can see in Process explorer printout. PID number 1880. This process is always cleaned with BitDefender but it always comes back. I attach some printscreens and strings saved in .txt files. They are packed in RAR. Can you see anything?


    Thank your for your time and your help!


    Stas

    /applications/core/interface/file/attachment.php?id=1012" data-fileid="1012" rel="">PrintOut.rar

  • Niels
    Niels

    Dear slesij


    Unfortunetaly I can't download attachments in this section only virus researchers can download attachments in this section. You can send me a personal message with the attachment I will take a look at it to see if I can't find anything suspecious. I have some knowledge but it's better that a virus researcher also take a look at it.


    Best regards


    Niels

  • vlad
    vlad

    Embarassing as it may be, I've only seen this thread now.


    The malware is most likely C:\WINDOWS\system32\NTSpool.exe; it appears to be the backdoor Bifrose. There is indeed some malware started by that svchost.exe instance, probably through NTSpool.exe.


    Sorry for the (too) late answer.

  • chuckrobbie
    chuckrobbie
    Embarassing as it may be, I've only seen this thread now.


    The malware is most likely C:\WINDOWS\system32\NTSpool.exe; it appears to be the backdoor Bifrose. There is indeed some malware started by that svchost.exe instance, probably through NTSpool.exe.


    Sorry for the (too) late answer.


    Over the last 4 days I have received 20 incidents of this!


    I am not 100% computer literate!


    What can I do...is there a remove ****** or something?


    PC World said that Bit Defender was the best program..I am slowly regretting that I never renewed my Kaspersky :(

  • alexcrist
    alexcrist

    Please upload here the file in a password-protected ZIP archive.


    Cris.

  • chuckrobbie
    chuckrobbie
    edited July 2008
    Please upload here the file in a password-protected ZIP archive.


    Cris.


    Salut Cris


    I have tried everything to get a copy of the file but cant :(


    I also tried to highlight and copy the info from Bitdefender but it wont let me do that :(


    This is so annoying!


    My MSN is minnier [at] absamail [dot]co [dot]za


    If you wish to call me please do so...I really appreciate your help.


    thanks

  • alexcrist
    alexcrist

    Try to get the file in SafeMode (reboot your computer, keep F8 pressed until the Windows Boot Menu appears and select Safe Mode).


    There get a copy of the file, archive it (with a password), and then reboot normally and attach the archive on your next post. If you can't find the file, read this: http://forum.bitdefender.com/index.php?showtopic=3573


    Cris.

All Time Leaders

Categories

Defenders of the month