Re: Virus_SPR/Rootkit.XCP.B

wen4dao4
Regular Advisor

Virus_SPR/Rootkit.XCP.B

Hi, friends here. I'll be most grateful if any of you is kind enough to share his knowledge of a virus called 'SPR/Rootkit.XCP.B' discovered by AntiVir Personal Premium in my HP Pavilion Notebook.

The relevant part of the AntiVir log reads the following:

C:\Program Files\Open Office
openofficeorg4.cab
ArchiveType: CAB (Microsoft)
--> dbghelp.dll
[DETECTION] Contains signature of the SPR/Rootkit.XCP.B.3 program

C:\swsetup\Btooth
Data1.cab
ArchiveType: CAB (Microsoft)
--> unicows.dll
[DETECTION] Contains signature of the SPR/Rootkit.XCP.B.5 program


AntiVir Personal Premium says that the antivirus programme cannot delete the infected file because the latter is in an archive.

I wonder if I can, with impunity, manually delete the file 'unicows.dll'.

Below is also a HijackThis log.

Many thanks for your help.

John
----------------

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 01:29:03, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVPersonalPremium\AVGNT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonalPremium\AVSched32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Youxuan\Desktop\HijackThis.exe

O1 - Hosts: 62.189.6.78 _sip._tls.sip1.callserve.com
O1 - Hosts: 62.189.6.78 _sip._ssl.sip1.callserve.com
O1 - Hosts: 62.189.6.79 _sip._tls.sip2.callserve.com
O1 - Hosts: 62.189.6.79 _sip._ssl.sip2.callserve.com
O1 - Hosts: 62.189.6.85 _sip._tls.sip5.phoneserve.com
O1 - Hosts: 62.189.6.85 _sip._ssl.sip5.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._tls.sip6.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._ssl.sip6.phoneserve.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Update 5300C] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\update.exe 5300C+
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonalPremium\AVGNT.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonalPremium\AVSched32.EXE /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O10 - Broken Internet access because of LSP provider 'avsda.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=laptop
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125351856968
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D1606E6-8093-40E5-9EDE-C33EB18556FB}: NameServer = 212.67.120.148 212.67.96.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{3D1606E6-8093-40E5-9EDE-C33EB18556FB}: NameServer = 212.67.120.148 212.67.96.129
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir Mail Security Service (AntiVirMailService) - AntiVir PersonalProducts GmbH. - C:\PROGRAM FILES\AVPERSONALPREMIUM\AVMAILC.EXE
O23 - Service: AntiVir Service (AntiVirService) - AntiVir PersonalProducts GmbH - C:\PROGRAM FILES\AVPERSONALPREMIUM\AVGUARD.EXE
O23 - Service: AVE Service (AVEService) - AntiVir PersonalProducts GmbH - C:\PROGRAM FILES\AVPERSONALPREMIUM\AVESVC.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonalPremium\AVWUPSRV.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Rune J. Winje
Honored Contributor

Re: Virus_SPR/Rootkit.XCP.B

Hi,
while not directly answering your question, you may find Mark's Sysinternals Blog on the subject quite illuminating:

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

It made some headlines in the news recently...


Cheers,
Rune
wen4dao4
Regular Advisor

Re: Virus_SPR/Rootkit.XCP.B

Hi, friends here.

Although I do not find anything abnormal in the behaviour of the computer, I have installed RootkitRevealer today, and have done a scan.

Here is the result which contains three items:

HKLM\SOFTWARE\Andreas Haak\a* 21/09/2005 08:32 0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\webcal\URL Protocol 03/06/2005 18:11 13 bytes
Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\Woodang\Local Settings\Temp\pcfE.tmp 08/12/2005 20:47 533 bytes
Visible in Windows API, but not in MFT or directory index.

I know that the first item is something the programme A-Square has left. I have tried to remove this particular registry key manually after removing the programme but did not have much success.

I do not think that the second item is anything suspicious. I might have set up the start page of IE manually myself when I set up the computer.

The third item is a bit mysterious. For a long time I have kept finding some temporary files named 'pcf*.tmp' and do not know where they come from.

I have AntiVir Personal Premium, Ad-Aware Plus SE, Spybot S&D, Spywareblaster, and Microsoft Antispyware in my PC, and I have them frequently updated. I normally use Mozilla Firefox when surfing the Internet.

I shall be most grateful if you know about the third item and could tell me about it.

Cheers.

John
wen4dao4
Regular Advisor

Re: Virus_SPR/Rootkit.XCP.B

Hi, friends here.

Scanning the second user account of the same laptop, I got the following result:

HKLM\SOFTWARE\Andreas Haak\a* 21/09/2005 08:32 0 bytes
Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\webcal\URL Protocol 03/06/2005 18:11 13 bytes
Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\Youxuan\Local Settings\Temp\pcf1.tmp 08/12/2005 21:47 533 bytes
Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 08/12/2005 21:48 64.00 KB
Visible in Windows API, but not in MFT or directory index.

C:\WINDOWS\system32\wbem\Logs\wmiprov.log 08/12/2005 21:51 67 bytes
Hidden from Windows API.

There are two extra items as compared to the previous scanning.

Thanks for your help.

John
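As an added example (not part of this thread and not Sysinternals code), a small Python triage helper that parses the RootkitRevealer output posted in the two scans above and labels each discrepancy by type. The severity rules are the editor's own heuristics, and the scan date is assumed to be 08/12/2005, the date carried by the file entries.

```python
import re
# Constructed sample input: the five RootkitRevealer discrepancies reported by the
# thread's second scan (copied from the post above, blank separators dropped).
SAMPLE_OUTPUT = """\
HKLM\\SOFTWARE\\Andreas Haak\\a* 21/09/2005 08:32 0 bytes
Key name contains embedded nulls (*)
HKLM\\SOFTWARE\\Classes\\webcal\\URL Protocol 03/06/2005 18:11 13 bytes
Data mismatch between Windows API and raw hive data.
C:\\Documents and Settings\\Youxuan\\Local Settings\\Temp\\pcf1.tmp 08/12/2005 21:47 533 bytes
Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\SoftwareDistribution\\DataStore\\Logs\\tmp.edb 08/12/2005 21:48 64.00 KB
Visible in Windows API, but not in MFT or directory index.
C:\\WINDOWS\\system32\\wbem\\Logs\\wmiprov.log 08/12/2005 21:51 67 bytes
Hidden from Windows API.
"""

# Entry line: "<path> <dd/mm/yyyy> <hh:mm> <size>"; the description is the next line.
ENTRY_RE = re.compile(r"^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) \d{2}:\d{2} (?P<size>[\d.]+ (?:bytes|KB|MB|GB))$")

def classify(date, description, scan_date):
    """Heuristic label and severity (1 housekeeping, 2 inspect, 3 verify offline first).
    Assumption: these are the editor's rules of thumb, not RootkitRevealer documentation."""
    d = description.lower()
    if "embedded nulls" in d:
        # Regedit cannot open such keys; RegDelNull can remove them. Legitimate
        # software sometimes uses them to protect its keys, so inspect first.
        return "embedded-null-key", 2
    if "hidden from windows api" in d:
        # The classic rootkit sign: compare with an offline or clean-boot view of
        # the same path before trusting either answer.
        return "hidden-from-api", 3
    if "not in mft" in d:
        # Files written while the scan runs (temp files, Windows Update's tmp.edb)
        # land here; a timestamp on the scan date points to that race.
        return ("scan-race-likely", 1) if date == scan_date else ("api-mft-mismatch", 2)
    if "data mismatch" in d:
        return "hive-data-mismatch", 2
    return "unreviewed", 2

def parse_rootkitrevealer(text, scan_date):
    """Pair each entry line with its description; return dicts, highest severity first."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    found = []
    for entry, description in zip(lines[::2], lines[1::2]):
        m = ENTRY_RE.match(entry)
        if m:
            label, severity = classify(m["date"], description, scan_date)
            found.append({"path": m["path"], "date": m["date"], "description": description,
                          "category": label, "severity": severity})
    return sorted(found, key=lambda e: -e["severity"])
```

Run `parse_rootkitrevealer(SAMPLE_OUTPUT, "08/12/2005")` to get the list; the wmiprov.log entry sorts first, the two same-day temp files last.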
wen4dao4
Regular Advisor

Re: Virus_SPR/Rootkit.XCP.B


Hi, friends. Don't worry about the above two messages any more.

I have googled the filenames on the Internet, and visited some relevant discussion forums. They seem to be authentic components of Windows XP.

Moreover, I have downloaded 'RegDelNull' (from www.sysinternals.com), and CCleaner (from www.ccleaner.com). By running these two tools, I have deleted the items that I did not know about.

My apologies for having drawn your attention to a problem which I should have solved on my own.

Many thanks.

John