New pest: BAOHII.EXE (xadz)

Discussion in 'malware problems & news' started by BigDaddy, Apr 30, 2004.

Thread Status:
Not open for further replies.
  1. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Hi,

    A new nasty is entering the realm, and is not shown in a HijackThis scan. Yesterday when my girlfriend closed down her XP machine it said it was unable to terminate a program called BAOHII.EXE, so we cancelled the shutdown and looked for the process (taskmgr/HJThis etc.), which was not found. We planned on going to bed and taking a look at it today, so we forced the process to close and shut down the PC.

    Today I took a look at the registry and found out that in 3 places in the 'services' part of LocalMachine a new key was made named XADZ with a reference to the file c:\windows\baohii.exe. I took the risk and tried to rename the file, which succeeded.

    But after rebooting the computer I was no longer able to run ANY program (no IE, no regedit or whatsoever, giving an error that it could not find the file), so the EXE is probably loaded on every shell command. I luckily was able to rename the file again, so after a reboot the computer can open regedit again.

    Problem now is that I only find references to the file in 3 services keys... what happens if I completely remove all 3 xadz entries with their sub-entries? I could try and save these registry entries first, but if after a reboot I am again unable to open any program, I fear I cannot restore the items in regedit.

    A way to see that the program is running (besides the error message when shutting down) is that in Task Manager long filenames are changed into their DOS representations, e.g. spyswe~1.exe for spysweeper.exe.

    Any help would be much appreciated, and please let me know if I posted this one in the correct place.


    Paul Zandstra
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello Big Daddy,

    Please go through the instructions given here and do what is said. It will be easier for us to get a picture of the situation with the help of a HijackThis log.

    Regards

    EDIT : Follow these instructions after you follow Pieter's advice and if he says to go through this.
     
    Last edited: Apr 30, 2004
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  4. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Okay, we will send the file... for now here is the HijackThis log...

    Logfile of HijackThis v1.97.7
    Scan saved at 16:42:09, on 30-4-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\PROGRA~1\Icons\Seticon.exe
    C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpotdd01.exe
    C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    C:\PROGRA~1\Winamp\winampa.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Webroot\SPYSWE~1\SPYSWE~1.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\DOCUME~1\RIAJAN~1\MIJNDO~1\DOWNLO~1\HIJACK~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://linkburst.com/click-home.php?id=101572
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nu.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nu.nl
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: OpinionBar IE monitor - {6607C683-AE7C-11D4-ACD7-0050DAC291A2} - C:\PROGRA~1\OPINIO~1\MYIEMO~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Onderzoek (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
    O16 - DPF: {0EB73E39-8AD4-43E8-8FBA-0165C2CCDB8B} (GameControl Class) - http://www.midasplayer.com/midasa.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38021.3243981482
    O16 - DPF: {A9FD89D6-C839-11D3-B0FE-0050044B8FE9} (OBInstallRunner Control) - http://www.opinionbar.com/download/resources/OBInstallCabinet.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4333/mcfscan.cab

    This entry: O2 - BHO: OpinionBar IE monitor is correct... it is a tool we installed with no known problems.

    Paul
     
  5. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    And this is the result when submitting the file to Kaspersky:

    Current object: baohii.zip

    baohii.zip Archive: ZIP
    baohii.zip/baohii.exe Ok


    Statistics:
    Known viruses: 87852 Updated: 30.04.2004
    File size (Kb): 36 Scan time: 00:00:01
    Speed (Kb/sec): 36 Virus bodies: 0
    Archives: 1 Packed: 0
    Folders: 0 Files: 2
    Suspicious: 0 Warnings: 0

    So it does not seem to be a known virus. I expect it to be of an advert kind because of the XADZ entry in the registry I mentioned.


    Paul
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Paul,

    I will PM you my email-address.
    Can you zip up and send me a copy of that file?
    I have a collection of addresses to send it to. ;)

    Regards,

    Pieter
     
  7. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Pieter,


    You have new mail..... many thanks in advance :)



    Paul
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    At least one of my scanners thinks this one is bad news. NOD heuristics kicked in:

    Time Module Object Name Virus Action User Info
    30-4-2004 20:05:24 IMON email message from: "Paul Zandstra" <pieter@wilders> with subject Gevraagde bestandje in baohii.zip dated Fri, 30 Apr 2004 20:06:47 +0200 probably unknown NewHeur_PE virus

    I'll keep you posted on the results.

    Regards,

    Pieter
     
  9. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Ok,

    Many thanks so far. Problem is I do not want to risk a virus scan... if this scan only deletes the file without restoring registry settings I'm in bad **** after a reboot (as mentioned in the first post).

    If you find out what registry entries have to be restored, please inform me/us :) Again many thanks for spending the time on this.

    Paul
     
  10. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Hello Big Daddy,

    You said you have "found out that on 3 places in the 'services' part of LocalMachine" there were keys referencing your file. Could you copy/paste the exact names of the keys?

    As far as I know, the following keys can be involved in "automatic startup" of malware :

    - "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" (or RunServicesOnce)
    This one is by far the most popular. Exe files listed here will start as services at startup.

    - "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\name_of_the_service". This key is for example used by the Welchia worm. If they belong to groups listed in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, these services are launched through svchost at startup; you can list them using the tlist (win2k) or tasklist (winXP) command line utility that is provided with the Windows debugging tools, using the "-s" switch.
    Windows debugging tools can be found here : http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

    - Moreover, the following key is used by backdoors Hackdoor.b and Hackdoor.e : HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices

    Moreover, since you cannot run .exe files anymore, you should check the value of the following keys:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

    Both values should be equal to "%1" %* (and nothing else).

    You should also check that there are no hidden files that have a name more or less similar to your .exe files and that are in the same directory (companion virus).

    Last but not least, you can send me your .exe file in a password protected .zip archive at the following address : tweakie-at-mail.nu (do not forget to mention the zip password in the email).

    Hope this helps,

    --
    Tweakie
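The checks Tweakie lists (the exefile open-command default, Services entries whose binary sits in an odd place, and the RunServices keys) as a script, added here as an example and not code from anyone in the thread. The string-checking functions are platform-neutral; `audit_live_registry()` reads the real keys through Python's standard `winreg` module and only does anything on Windows, and the hijacked value used in the comments and tests is a constructed assumption of the form, not the exact value from Paul's registry.

```python
"""Checks for the autostart locations Tweakie lists above.
Added example for this thread, not code from any poster. The two check
functions work on plain strings so they can be run on any platform; the
live audit uses the standard-library winreg module and needs Windows."""
import os
import re

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

# The only correct default value for exefile\shell\open\command.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

EXEFILE_KEYS = [
    ("HKEY_CLASSES_ROOT", r"exefile\shell\open\command"),
    ("HKEY_LOCAL_MACHINE", r"Software\Classes\exefile\shell\open\command"),
]
RUNSERVICES_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
]
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


def check_exefile_command(value):
    """Return a list of problems with an exefile open-command value.

    In this thread the value had been pointed at baohii, so every .exe
    launch depended on that file and failed once it was renamed.
    """
    if value is None:
        return ["default value missing"]
    cleaned = " ".join(value.split())  # normalise whitespace only
    if cleaned == EXPECTED_EXEFILE_COMMAND:
        return []
    problems = [f"unexpected command: {value!r}"]
    # Anything in front of "%1" is a program that runs before every .exe
    # (constructed example: C:\\WINDOWS\\baohii.exe "%1" %*).
    prefix = cleaned.split('"%1"', 1)[0].strip()
    if prefix:
        problems.append(f"launcher inserted before %1: {prefix!r}")
    return problems


def service_binary_suspicious(image_path, system_root=None):
    """Heuristic: a service whose executable sits directly in the Windows
    directory (C:\\WINDOWS\\baohii.exe here) rather than in system32 or a
    vendor folder deserves a look. Arguments after the binary are ignored."""
    system_root = system_root or os.environ.get("SystemRoot", r"C:\WINDOWS")
    match = re.match(r'^(?:"([^"]+)"|(\S+))', image_path.strip())
    if not match:
        return False
    path = (match.group(1) or match.group(2)).replace("%SystemRoot%", system_root)
    parent, _, name = path.rpartition("\\")
    return parent.lower() == system_root.lower() and name.lower().endswith(".exe")


def _enum_values(key):
    """Yield (name, data) for every value under an open registry key."""
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:
            return
        index += 1
        yield name, data


def audit_live_registry():
    """Read the real keys on Windows and return a list of findings."""
    if winreg is None:
        return ["winreg unavailable: not running on Windows"]
    findings = []
    for hive_name, subkey in EXEFILE_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
                value = winreg.QueryValue(key, None)  # the (Default) value
        except OSError:
            value = None
        for problem in check_exefile_command(value):
            findings.append(f"{hive_name}\\{subkey}: {problem}")
    for subkey in RUNSERVICES_KEYS:  # report every entry for manual review
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                for name, data in _enum_values(key):
                    findings.append(f"RunServices entry {name}: {data}")
        except OSError:
            continue
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break
            index += 1
            try:
                with winreg.OpenKey(services, name) as svc:
                    image, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue
            if isinstance(image, str) and service_binary_suspicious(image):
                findings.append(f"service {name}: {image}")
    return findings
```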
     
  11. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Thanks for the reply tweakie..

    I was already thinking about those shell start entries but could not remember their place. But I will look things up tomorrow... for today is my birthday and we're going out to the theatre and having dinner out there... so within an hour or so I will be out for the rest of the day.

    But tomorrow, when my mind is clear again ( :p ) I will surely look into these things and post the corresponding keys tomorrow.... many thanks!

    Paul

    *edit*

    Well, in HKEY_CLASSES_ROOT\exefile\shell\open\command there was in fact a redirect to "baohii", so that we've fixed already... but our taxi is arriving within moments, so the next step tomorrow will be to rename the file, reboot and see if we can open our exe files again. Many thanks!
     
    Last edited: May 1, 2004
  12. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Okay... so far so good...

    After a very good day yesterday I have been doing bits and pieces on the computer again. With the HKEY_CLASSES_ROOT\exefile\shell\open\command entry corrected I renamed baohii.exe to baohii2.exe and rebooted the PC. All programs loaded correctly, and no DOS-abbreviated process names were left (all were full filenames now).

    I was able to open Internet Explorer again, as well as regedit and so on. So the service is no longer running. Now I will continue and remove the services entries I found.

    HKLM\System\Controlset001\Services\Xadz
    HKLM\System\Controlset002\Services\Xadz
    HKLM\System\CurrentControlset\Services\Xadz

    But first a break and something to eat :)


    Everyone so far thanks for the help, and keep me informed on what virus this is.

    Paul
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Paul,

    This is the answer I got from BoClean's Kevin:

    To help you I attached a txt version of the regfile Kevin wants you to use.
    Download fix.txt and save it as fix.reg, then doubleclick the file and confirm you want to merge it with the registry.

    Regards,

    Pieter
     

    Attached Files: fix.txt (73 bytes)
  14. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Pieter,

    Thanks again to you and Kevin (would like to know how to obtain BOclean as this tool seems to properly detect and correct this nasty) because in fact (as BOclean states) it is XADZ because that is the name of the key entered in the services part of the registry.

    With the help of Tweakie I was already able to fix the registry for the shell part. After that I renamed the nasty file again, rebooted, and the system is now running smoothly again.

    But again, I would still like to know (when Kevin or someone has the time) what the nasty was doing. Fact is that the 'shell' trick is an old one, but I'd forgotten where in the registry to look.

    System is running fine now, even gets into full sleep mode again :)


    Regards,

    Paul
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi BigDaddy,

    Information on BoClean and other Anti-trojans can be found here:
    http://www.wilders.org/anti_trojans.htm

    I want to add that Kaspersky also let me know they added detection and I am sure others will as well.

    Regards,

    Pieter
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks to Pieter for the file, yes this is a new backdoor variant

    If you have problems with the REG fix Kevin provided, a similar fix is permanently available here

    http://www.diamondcs.com.au/cleanrun.reg
     
  17. big slipper

    big slipper Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Location:
    Italy
    hi
    I have the same problem. I tried the patch for the registry and I deleted all the files and the keys in the registry, but the problem is still present at restart.
    There is another file present that creates new versions, with different names, of the exe file that I find in the services of Windows.
    I have searched on the Internet and in my antivirus Trend Micro for this type of backdoor with this information, but I don't find anything.
    I sent my file to the Kaspersky website and the reply is similar to BigDaddy's reply.
    On the Internet there is only this site that knows this backdoor.
    My questions are :

    what type of virus is it o_O
    If I don't want to use BOclean or similar, where do I find the solution??

    Thanks for all replies and suggestions
    Best Regards
    Alex

    PS. the backdoor tries to connect to some websites and when it's connected, it sends a lot of data. I have sniffed the traffic from my host to these websites... Is it legal o_O
     
  18. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    As I previously said, I'd like to have a look at this malware when I have time. You can send me your .exe file in a password protected .zip archive at the following address : tweakie-at-mail.nu (do not forget to mention the zip password in the email).

    Thanks,

    --
    Tweakie
     
  19. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Hi,

    Strange coincidence when reading Big Slipper's post (why can't I stop thinking this is a Dutch nickname? :p )

    Ria's PC again got infected today with a file with a random filename. I was able to undo things with the registry file and by renaming the exe. I guess this one is not reinstalling itself but comes from an infected site (because Ria is on loads of PTC and autosurf programmes).

    The fastest way to find out if -after a reboot- the exe is still running is to look in Task Manager whether a long-name task shows up abbreviated (e.g. Spyswe~1.exe instead of SpySweeper.exe).

    Tweakie: mail with baohii.zip is on the way :)


    Paul
     
  20. BigDaddy

    BigDaddy Registered Member

    Joined:
    Mar 22, 2004
    Posts:
    13
    Okay... the nasty once again came back....

    But when opening the Windows folder Norton AntiVirus popped up with the message that a virus was found in the manually renamed baohii.exe (renamed to baohii2.exe), stating it is a backdoor.exdis virus. Strangely enough, Norton seemed unable to remove the file.

    Later on, after reversing everything in the registry and rebooting, NAV was able to quarantine the file. So one way or another, it seems to have been in use all the time.

    I hope tweakie can find out what other files are involved with this one.


    Paul
     
  21. big slipper

    big slipper Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Location:
    Italy
    Hi
    The nasty has now left my host thanks to the patch of my registry, and the file is not renamed until the system is restarted.
    As I told you, I tried to understand what happened, and I saw that the shortcut to wmplayer had become

    C:\PROGRA~1\WINDOW~2\wmplayer.exe,-120

    and when I launch the program, it starts and after some seconds becomes a ghost, and on the PC there is a new copy of the exe file

    Oh, another thing... all mpg, mp3 and similar files bound to wmplayer.exe don't have the wmplayer icon...

    I sent my wmplayer.exe to the Kaspersky website and the result is

    Current object: wmplayer.exe

    wmplayer.exe Ok


    Statistics:
    Known viruses: 88226 Updated: 6.05.2004
    File size (Kb): 61 Scan time: 00:00:01
    Speed (Kb/sec): 61 Virus bodies: 0
    Archives: 0 Packed: 0
    Folders: 0 Files: 1
    Suspicious: 0 Warnings: 0

    this is the HijackThis log
    Logfile of HijackThis v1.97.7
    Scan saved at 8.58.53, on 06/05/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\crypserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Programmi\NMapWin\bin\nmapserv.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    d:\Programmi\sapdb\indep_prog\pgm\serv.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\Explorer.EXE
    C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Programmi\ahead\InCD\InCD.exe
    C:\PROGRA~1\QUICKT~1\qttask.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\HPJETDSC.EXE
    C:\WINNT\System\services.exe
    C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\Microsoft Office\Office\OUTLOOK.EXE
    E:\Programmi\Ethereal\ethereal.exe
    C:\Programmi\FreshDevices\FreshDownload\fd.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    G:\temp\winzip\temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    F3 - REG:win.ini: run=""
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINNT\system32\PHelper.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\Programmi\FreshDevices\FreshDownload\fdcatch.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Smapp] C:\Programmi\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Programmi\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRA~1\TROJAN~1.8\THGuard.exe"
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [HP JetDiscovery] HPJETDSC.EXE
    O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install041.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/it/win/QuickTimeInstaller.exe
    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_1025_pack.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB
    O16 - DPF: {FFFF0068-0001-101A-A3C9-08002B2F49FB} - http://213.200.210.99/download/ccjysm_celeb.exe

    suggestions o_O

    Thanks guys

    Best regards

    Alex
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi big slipper,

    Before you start, please unzip HijackThis to a separate folder. The program will make backups in the folder it's in.
    These easily get lost in a Temp folder.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    F3 - REG:win.ini: run=""
    O2 - BHO: (no name) - {024DE5EB-3649-445E-8D57-C09A9A33D479} - C:\WINNT\system32\PHelper.dll (file missing)

    O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe

    O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install041.exe

    O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
    O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_1025_pack.cab

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB
    O16 - DPF: {FFFF0068-0001-101A-A3C9-08002B2F49FB} - http://213.200.210.99/download/ccjysm_celeb.exe


    Then reboot into safe mode and cut & paste:
    C:\WINNT\System\services.exe to a different location on your HD

    Then boot normally and have that file checked at the KAV site.

    Regards,

    Pieter
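A small triage script for HijackThis logs like the two posted in this thread, added here as an example and not part of HijackThis or of any poster's code. It flags the 8.3 short-name processes Paul used as an infection tell, O4 entries and processes where a core binary name such as services.exe runs outside system32 (the C:\WINNT\System\services.exe Pieter picked out), and O16 DPF entries that fetch a bare .exe; the embedded log is a constructed excerpt modelled on the thread's logs.

```python
"""Triage helper for HijackThis v1.97-style logs.
Added example for this thread, not part of HijackThis. It flags three
signs the posters relied on:
  1. running processes shown with DOS 8.3 short names (SPYSWE~1.EXE),
     the tell BigDaddy used to see whether the pest was still active;
  2. O4 autostarts and processes whose file name matches a core Windows
     binary but does not live in system32 (C:\\WINNT\\System\\services.exe);
  3. O16 DPF entries that download a bare .exe instead of a .cab.
SAMPLE_LOG is a constructed excerpt modelled on the two logs in the thread."""
import re

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\System\services.exe
C:\PROGRA~1\Webroot\SPYSWE~1\SPYSWE~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\services.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install041.exe
"""

# Core binaries that should only ever run from the system32 directory.
CORE_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "spoolsv.exe"}
# An 8.3 alias: up to six characters, a tilde and a number, optional 3-char extension.
SHORT_COMPONENT = re.compile(r"[^\\~]{1,6}~\d+(\.[^\\.]{1,3})?", re.IGNORECASE)
ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
# The executable path after the [name] part of an O4 line, quoted or not.
O4_PATH = re.compile(r"\]\s+\"?([A-Za-z]:\\[^\"]*?\.exe)\"?", re.IGNORECASE)


def parse_log(text):
    """Split a log into (running process paths, [(code, body), ...])."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line closes the section
            continue
        match = ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def has_short_name(path):
    """True if any path component is a DOS 8.3 alias such as PROGRA~1."""
    return any(SHORT_COMPONENT.fullmatch(part) for part in path.split("\\"))


def impersonates_core_binary(path):
    """True for a core binary name running outside the system32 directory."""
    parent, _, name = path.rpartition("\\")
    return name.lower() in CORE_BINARIES and not parent.lower().endswith("\\system32")


def triage(text):
    """Return the flagged items from a log, grouped by the sign they match."""
    processes, entries = parse_log(text)
    report = {
        "short_name_processes": [p for p in processes if has_short_name(p)],
        "impersonating_processes": [p for p in processes if impersonates_core_binary(p)],
        "suspicious_autostarts": [],
        "exe_downloads": [],
    }
    for code, body in entries:
        if code == "O4":
            match = O4_PATH.search(body)
            if match and impersonates_core_binary(match.group(1)):
                report["suspicious_autostarts"].append(match.group(1))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if url.split("?", 1)[0].lower().endswith(".exe"):
                report["exe_downloads"].append(url)
    return report


if __name__ == "__main__":
    for sign, hits in triage(SAMPLE_LOG).items():
        print(sign, hits)
```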
     
  23. big slipper

    big slipper Registered Member

    Joined:
    May 5, 2004
    Posts:
    4
    Location:
    Italy
    for tweakie:

    where can I send the file?

    I don't see the @...... part of address... :D
    I don't understand :doubt:

    Thanks

    To continue the war with my nasty.... I see with Ethereal that there are many DNS queries for these domains


    do you know any of these domains o_O

    thanks for all suggestions

    Alex
     
  24. Tweakie

    Tweakie Registered Member

    Joined:
    Feb 28, 2004
    Posts:
    90
    Location:
    E.U.
    Unfortunately, your malware is not a simple one :doubt:

    Here is a summary of what I've found :


    Baohii.exe is a program written in C or C++ and
    compiled with lccwin32. It is not compressed but the strings
    contained inside it are encrypted.

    I finally could obtain a memory dump of it that confirms
    Sophos and Symantec analysis of the exdis backdoor :

    http://www.sophos.com/virusinfo/analyses/trojexdisa.html
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.exdis.html

    Unfortunately, I did not really trace its execution yet.
    It contains the following URLs :

    hxxp://www.kosovo.ru/pl.php
    hxxp://golddirectory.us/php/filtc.php

    Both these pages contain the title "X-okRecv11".
    They might just be there for notifying the backdoor owner
    that you have been infected (not sure).

    hxxp://golddirectory.us/php/pstor.php
    This webpage seems to have been removed.

    There are also the following URLs :
    wvw.payforclick.pp.ru
    wvw.girls-on-the-net.com
    wvw.terranouva.com
    wvw.easysoft.ru
    wvw.payforclick.pp.ru
    e-gold.fethard.biz.ru
    yambo.biz
    alegria.biz
    imoney.com
    telepat.ru
    paymer.ru
    e-port.ru
    etc...

    There are also the following URLs in it :
    www.microsoft.com
    www.intel.com
    (Maybe for avoiding the use of GetInternetConnectedState ?)

    There are also several IRC commands (JOIN/KICK/PRIVMSG...) and a series
    of strings that look like commands known by the backdoor (execmd, getdir,
    getflb, putflb, prclst, prckil...).

    It also seems to feature some advanced stealth techniques : memory
    injection (probably in iexplore.exe) and maybe API hooking (could
    be targeting NtQuerySystemInformation,EnumServicesStatusW,
    EnumServicesStatusA, GetTcpTable, GetTcpTableFromStack...)

    It looks for the Internet Explorer path in the registry (HKLM/Software/Microsoft/
    IE Setup/Setup/Path). Then, it plays with its settings : it changes the value of
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess to "yes"
    so that each instance of IE runs as a new process and it changes some values
    in SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\* so that
    forms can be posted unencrypted without any warnings. It then posts such a form.
    I don't know yet what information is sent.

    It looks for a software called "WebMoney".

    It also tries to get IE cached passwords through pstorec.dll and does
    something with POP3 accounts.

    I could also spot the following filenames :
    selfdel.bat : a batch script that deletes some files
    command.pif
    cmd.pif
    Probably supposed to act as companions for command.com and cmd.exe (?)

    *600.bin
    *pstor.tmp
    *ctechn.tmp
    *mand.*
    *mand.pif
    cmd.*

    I also spotted the following CLSID :

    {9BA05972-F6A8-11CF-A442-00A0C90A8F39}


    It would be great if some AV/AT expert here could explore it further.


    --
    Tweakie
     
    Last edited by a moderator: May 6, 2004
  25. yifeic

    yifeic Guest

    I have the same problem except my file is differently named and in the registry there are a bunch of keys called LEGACY_XADZ that cannot be deleted
     