Solve : Getting my A** kicked by nodqq.exe virus on 3 machines....wow? – InterviewSolution

InterviewSolution

1.	Solve : Getting my A** kicked by nodqq.exe virus on 3 machines....wow?
Answer» Took most of last night and today to sift through posts, google searches and to get my THOUGHTS together...so here goes. 2 weeks ago bought a verbatim 500G usb drive to use between my 3 machines, a desktop, a laptop and a netbook. Yesterday I first noticed that I couldn't get to any hidden files with the laptop. Each time I tried to reset the folder options to show hidden files, it WOULD go right back to not show them. Tried with my desktop and same problem. Checked my netbook and all was ok with hidden files, so I plugged in my USB drive and bang! Immediately lost the ability to see them. It then occured to me that it had to be spread thru the USB drive. Since then I have identified 2 what I think are trojans on my machines, one named ca.exe and one named nodqq.exe. I'll cover one machine at a time and post the logs for each. The post is going to get waaay long, but I want to include as much info as might be necessary. First thing I did was update all virus protection to Norton internet security 2010 and run scans. (All 3 machines) First the logs: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:47:45 AM, on 5/1/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe C:\Program Files\InstaVerse\InstaVerse.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hphmon05.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Common Files\MySoftware\Newsflsh.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=laptop O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\npwinext.dll O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Documents and Settings\HomePro\Application Data\Mozilla\Firefox\Profiles\z4mprbi8.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.80.dll O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [tracker] C:\Program Files\MySoftware\MyInvoices\tracker.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT" O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe" O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume O4 - HKLM\..\Run: [InstaVerse] C:\Program Files\InstaVerse\InstaVerse.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\Newsflsh.exe O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269371081812 O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe -- End of file - 8464 bytes Norton Internet Security 2010 Logs Category: Resolved Security Risks Date & Time,Risk,Activity,Status,Recommended Action 5/1/2010 7:33 AM,High,ca.exe (ca.exe) DETECTED by SONAR,Quarantined,Resolved - No Action 5/1/2010 7:25 AM,High,nodqq.exe (nodqq.exe) detected by SONAR,Quarantined,Resolved - No Action 5/1/2010 1:34 AM,High,nodqq0.dll (Trojan.Packed.NsAnti) detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:27 AM,High,p.exe (Trojan Horse) detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:25 AM,High,plugin-newplayer.pdf (Bloodhound.PDF!gen) detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:20 AM,High,nmdfgds0.dll (Trojan Horse) detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:13 AM,Low,Tracking Cookies detected by Virus scanner,Removed,Resolved - No Action 5/1/2010 12:11 AM,High,5c244c96-38b87354 (Downloader) detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Trojan Horse detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:11 AM,High,Downloader detected by Virus scanner,Quarantined,Resolved - No Action 5/1/2010 12:06 AM,High,cdaudio.sys (Infostealer.Gampass) detected by Virus scanner,Quarantined,Resolved - No Action Category: SONAR Activity Date & Time,Risk,Activity,Status,Recommended Action 5/1/2010 7:33 AM,High,ca.exe (ca.exe) detected by SONAR,Quarantined,Resolved - No Action 5/1/2010 7:25 AM,High,nodqq.exe (nodqq.exe) detected by SONAR,Quarantined,Resolved - No Action After scanning 3 TIMES and restarting each time, the SONAR from Norton picked up on nodqq.exe first and then ca.exe and quarantined them. These items never showed up in the task manager, but nodqq.exe showed up in the start up list of msconfig. I deleted it from there and dumped the recycle bin. I then ran a search for them by Start>Search>filename and found nodqq.dll. I deleted and dumped that too. I restarted and was able to reset folder options, so now I can see hidden files. I still have some issues though. In msconfig I have 1 blank line thats checked with no name and no command. Not sure if that's an issue. Also if I try to make any changes, I get an "access denied error" and says I should sign in as an administrator. Theres only 1 user on this machine which is an admin. Not sure if I still have issues with this machine, But I'll also need to kill and remove these fro m the drive. I appreciate any thoughts, It is a huge help that so many people take the time to share their expertise. Please visit this webpage for a tutorial on downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix See the area: Using ComboFix, and when done, post the log back here.

Discussion

No Comment Found

Related InterviewSolutions