Nuovo worm/virus ? (C:\WINDOWS\TEMP\ylpf1.exe)

[mattia_m78]

I'm ivestigating on a problem.
I've found a running exe on my pc, located in C:\WINDOWS\Temp\ylpf1.exe
I removed it, but after a day it was there.
So I removed it one more time and raplaced it with a ylpf1.exe of 0kb (read-only). After another day I found a ylpf2.exe. Trying to understand the problem I've discovered a new user on my pc with name RHM and I removed it.
I'm not able to understand what is the vulnerability exploited.
By now I'm looking at C:\WINDOWS\TEMP with FileMon.exe (FileSystem access monitor) and on the LAN with Ethereal trying to figure out what happens.

With Ethereal I've noticed a strange behaviour that could be related to the problem, when I open the browser (MS Explorer), periodically it seraches to download WinHound.exe. I've attached the capture log.

I have XP SP2 and firewall on the lan that stops netbios, rpc and ports under 1024. I use Emule leatest version, I have Google toolbar installed, and Microsoft Messenger.
I've checked the system with Hijack (see the logfile attached) and Spyboat and it is clean.

Please, help me to understand!

Thanks,
Mattia


---- Ethereal Capture --------------------------------------------
(ip.addr eq 192.168.1.33 and ip.addr eq 207.226.160.3)
and (tcp.port eq 4030 and tcp.port eq 80)

GET /WinHoundInstaller.exe HTTP/1.1
User-Agent: Mozilla/4.0
Host: download.winhound.com

HTTP/1.1 500 Internal Error
Server: thttpd/2.21b-p36c 15jul2005
Content-Type: text/html
Date: Sat, 19 Aug 2006 20:48:45 GMT
Last-Modified: Sat, 19 Aug 2006 20:48:45 GMT
Accept-Ranges: bytes
Connection: close
<HTML>
<HEAD><TITLE>500 Internal Error</TITLE></HEAD>
<BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>500 Internal Error</H2>
There was an unusual problem serving the requested URL '/WinHoundInstaller.exe'.
<HR>
<ADDRESS>thttpd/2.21b-p36c 15jul2005</ADDRESS>
</BODY>
</HTML>

---- Hijack Log --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23.09.02, on 19/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\lexpps.exe
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program_Installer\Filemon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Ethereal\ethereal.exe
C:\Programmi\Ethereal\ethereal.exe
C:\Programmi\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar2.dll
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programmi\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Programmi\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

[goldfix_1]

ciao

search with google: WinHoundInstaller

and install a good antivirus

[mattia_m78]

Ciao,
grazie per la risposta.

In effetti per WinHound penso che ci sia un BOH su Explorer che cerca di scaricarselo,
ma in realtà il pc non ha nessun exe di WinHound.

Invece mi preoccupa molto quel ylpf1.exe dove neanche google mi aiuta...

[Simeon]

Ti deve piacere particolarmente l'inglese...

Sospetto che tu abbia LinkOptimizer.

Posta:

log di RootkitRevealer
assicurati di essere disconnesso, chiudi tutte le finestre, disabilita l'antivirus;

log di Gmer
scheda "Autostart", fai una scansione, clicca su Copy ed incolla il tutto qui su forum al momento della risposta.

[amvinfe]

Originariamente inviato da mattia_m78
Ciao,
grazie per la risposta.

In effetti per WinHound penso che ci sia un BOH su Explorer che cerca di scaricarselo,
ma in realtà il pc non ha nessun exe di WinHound.

Invece mi preoccupa molto quel ylpf1.exe dove neanche google mi aiuta...

su google non troverai nulla perchè il nome del file è random
http://www.suspectfile.com/forum/viewtopic.php?p=1416

[mattia_m78]

Scusate per l'inglese... (era un copia incolla da un altro post)

Effettivamente avevo 2 problemi.
Un residuo di WinHound (winet.dll infettata con oleext.dll)
ed uno moolto più tosto, come giustamente suggerito, LinkOptimazer !

Con tanto di Rootkit (anche se non penso di aver mai clikkato su Rimuovi dal pannelllo di controllo).
Dovrei essere riuscito a sistemare "quasi" tutto con un po' di passate con i vari tools suggeriti più CCleaner (per spazzare tutte le Temp) la patch per il wmf (che mi mancava e che è il vettore per l'infezione) ed un regedit sul disco C montato come secondario su un altro pc. Cancellati i files con i nomi casuali (in Windows ed in Programmi/FileComuni/System) (trovati grazie a streams.exe di sysinternals) e tolti l'utente ed il suo servizio (sempre con nomi casuali).

Ora dovrebbe essere tutto ok, solo non mi convincono un paio di (file missing) in Haijack.
Vi allego il log nel caso qualcuno avesse qualche altro utile suggerimento.

Grazie mille a tutti, se qualcuno avesse il mio problema spero di poter essere utile.

Logfile of HijackThis v1.99.1
Scan saved at 1.15.36, on 23/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmi\Remote Administrator\r_server.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Programmi\Grisoft\AVG Free\avgcc.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmi\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\Programmi\Remote Administrator\r_server.exe" /service (file missing)

[mattia_m78]

Dimenticavo....
Sempre su sysinternals.com ho trovato l'essenziale RootkitReleaver.exe
che però mi ha lasciato un dubbio.
Ho ancora dei valori nascosti nelle chiavi del servizio sptd sotto Cfg (CurrentControlSet/Services/sptd/Cfg).

Leggendo un po' non sono riuscito a capire se è normale o se possa esserci un altro Rootkit.

Al momento ho disinstallato DaemonTools (che dovrebbe essere responsabile del servizo in
questione) e devo provare a ripulire anche quelle chiavi.

[Simeon]

Il log è ok.

I valori Cfg rilevati da RootkitRevealer appartengono ad un emulatore di periferiche virtuali; non sono dannosi per l'utente...