Unknown Virus/ Spyware 5


SHardy
Hi,

I am having a problem with a process that runs on startup and uses up most of the PCs resources. While it is running many applications cannot run.

Until I get rid of it, I am able to end the process and carry on. However, this is far from ideal, and I do not know if it is in any way malicious or a security risk.

So far I have:

1) Ran a complete virus scan using McAfee VirusScan v4.5.1 SP1 (virus defs 4.0.4415 / scan engine 4.3.20). I also have the Virus Shield running permanently.

2) Installed Spybot - Search & Destroy. Made sure it was up to date and ran a scan. It did pick up quite a few items. Fixed the problems, restarted the machine, and the process was running again. Ran S&D again, but no problems found (except one IE DSO Exploit).

The name of the process varies, but is of the following naming convention:

GLB*.tmp (eg GLB10.tmp)

There will also be several related files created in the C:\TEMP\ directory. These include a couple of executables named as follows:

GL_*.exe (eg GL_14.exe)

Have looked through the system folders, but cannot see anything obviously out of place. But then again it's not likely to be obvious is it?

Any ideas of what is causing this problem?

How can I get rid of it?

Thanks,
Simon
 
Hi Simon --

I'd suggest starting with faq760-4866 in this forum.
Please post back with how you get on; if the problem persists then post a HijackThis log and startup list, and we'll have a butchers at it.

I'll keep an eye out for your follow-up post, but may not get the chance to respond too quickly as I'm changing jobs and my network access goes down at 3pm GMT.

HTH


TazUk

[pc] Blue-screening PCs since 1998
 
OK, thanks. I have downloaded all the suggested programs. When I have finished, if there is still a problem I will post the HijackThis log.

Thanks again
 
OK, here we go. I have installed and run:

CWShredder
Spybot S&D
AdAware
McAfee Stinger

I rebooted after each. I even ran each of them a second time to check that what they had removed hadn't reinstalled. All came back clear on the second running.

I have now run HijackThis. I have copied the log file & the start up list below.

NOTE: The process that is causing the problems is C:\TEMP\GLBF.tmp

I can end this process and delete the executables from C:\TEMP. However, upon restarting it has been reinstalled and restarted. This process, while it is running, uses up a huge amount of the system resources, making it very difficult to run anything.

HijackThis log file:

Logfile of HijackThis v1.99.0
Scan saved at 16:28:57, on 16/12/04
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe
C:\WINNT\system32\nddeagnt.exe
C:\Program Files\IBM\Client Access\CWBPROVD.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\IBM\Client Access\cwbuitsk.exe
C:\Program Files\IBM\Client Access\CWBSVD.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\PROGRA~1\Plus!\MICROS~1\IEXPLORE.EXE
U:\Snapshot\Utils\WMICORE.exe
C:\TEMP\GLBF.tmp
K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.qbe-europe.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;10.0.0.0;172.30.0.0;192.23.134.253;*.itnetplc.com;ecase.ricksons.co.uk;*qbe-warranty.com;<local>
F2 - REG:system.ini: UserInit=C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbprovd.exe,userinit,nddeagnt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Taskbar] "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
O4 - HKLM\..\Run: [Client Access API Daemon] "C:\Program Files\IBM\Client Access\cwbappcd.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [fwenc.exe] "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
O4 - HKLM\..\Run: [NAL] naldesk.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKCU\..\RunOnce: [MovingCacheA Wininet Settings] rundll32.exe C:\WINNT\System32\wininet.dll,RunOnceUrlCache C:\WINNT\Profiles\SHARDY\TEMPOR~1
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O12 - Plugin for .spop: C:\PROGRA~1\Plus!\MICROS~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = qbe-europe.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = qbe-europe.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qbe-europe.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qbe-europe.com
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: Client Access Remote Command - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Novell Application Launcher - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: Novell ZfD Wake on LAN Status Agent - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Workstation Manager - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe



Startup List:

StartupList report, 16/12/04, 16:29:16
StartupList version: 1.52.2
Started from : K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.EXE
Detected: Windows NT 4 SP6 (WinNT 4.00.1381)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\cusrvc.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\RpcSs.exe
C:\WINNT\system32\tapisrv.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINNT\system32\rasman.exe
c:\winnt\system32\pstores.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\System32\WBEM\winmgmt.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe
C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe
C:\WINNT\system32\nddeagnt.exe
C:\Program Files\IBM\Client Access\CWBPROVD.EXE
C:\WINNT\explorer.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\IBM\Client Access\cwbuitsk.exe
C:\Program Files\IBM\Client Access\CWBSVD.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe
C:\Program Files\Novell\ZENworks\naldesk.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compuware\QALoad\plgui.exe
C:\Program Files\Compuware\QALoad\PlayerAgent.exe
C:\PROGRA~1\Plus!\MICROS~1\IEXPLORE.EXE
U:\Snapshot\Utils\WMICORE.exe
C:\TEMP\GLBF.tmp
K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup]
Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
Player Agent.lnk = C:\Program Files\Compuware\QALoad\plgui.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\PROGRA~1\IBM\CLIENT~1\cwbbs.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbntred.exe,C:\PROGRA~1\IBM\CLIENT~1\cwbprovd.exe,userinit,nddeagnt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
NDPS = C:\WINNT\System32\dpmw32.exe
NWTRAY = NWTRAY.EXE
Client Access Service = "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
Client Access Taskbar = "C:\Program Files\IBM\Client Access\cwbuitsk.exe"
Client Access API Daemon = "C:\Program Files\IBM\Client Access\cwbappcd.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
fwenc.exe = "C:\Program Files\CheckPoint\SecuRemote\bin\fwenc.exe"
NAL = naldesk.exe
ZENRC Tray Icon = zentray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

MovingCacheA Wininet Settings = rundll32.exe C:\WINNT\System32\wininet.dll,RunOnceUrlCache C:\WINNT\Profiles\SHARDY\TEMPOR~1

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINNT\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

{D34F18B0-576E-11D0-B28C-00C04FD7CD22}_PC-0247_Administrator.job

--------------------------------------------------

Enumerating Download Program Files:

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE =
[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE =
--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINNT\System32\webcheck.dll

--------------------------------------------------
End of report, 5,986 bytes
Report generated in 0.380 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Thanks,
Simon
 
SHardy,

I am just learning how to read these logs myself, so DO NOT delete anything until someone else replies for certain. I believe the GL*.tmp files are created during some install/uninstall processes, and I'm thinking the following may have something to do with that. Possibly allowing HJT to remove this item would fix the problem....

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
Hopefully one of the HJT gurus will see this and comment!

Melissa :)
 
I posted your log at the location given by faq760-5547. It red flagged 4 entries and yellow-flagged several others. You might know better which entries are valid in the yellow-flags.

James P. Cottingham
-----------------------------------------
To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.
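
The log above and the automated check James ran are both exercises in the same thing: reading a HijackThis log for entries that deserve a closer look. The script below is an added example, not part of the original thread and not the analyser behind faq760-5547; it applies a handful of ordinary analyst rules of thumb (an image running from a temp directory, a running image whose extension is not an executable type, a Run entry given as a bare file name that Windows resolves through the search path, an O16 Download Program Files entry with no name or CODEBASE, an O23 service whose binary carries no company name) to a constructed subset of Simon's log. The rules and severities are my assumptions, and the findings are prompts to verify, not a licence to delete: a red flag on C:\TEMP\GLBF.tmp is a reason to find out what launched it, which is exactly how the thread ends.

```python
"""
Minimal HijackThis-style log triage (added example; not HijackThis's own logic).

SAMPLE_LOG is a constructed subset of the log posted in the thread. Each rule
below is an analyst rule of thumb, labelled as such; treat every finding as
"verify by hand", not "delete".
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\system32\MSTask.exe
C:\TEMP\GLBF.tmp
K:\OpsSupport\SoftwareDownloads\Spyware Removal\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NAL] naldesk.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Client Update Service for Novell - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
"""

# Assumed rule inputs: extensions a running image is expected to have, and
# path fragments that mark the per-machine temp directories.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "red" = investigate now, "yellow" = verify by hand
    item: str      # the log line the finding refers to
    reason: str


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def _check_process(path: str) -> list[Finding]:
    out = []
    if any(m in path.lower() for m in TEMP_MARKERS):
        out.append(Finding("red", path, "process image lives in a temp directory"))
    if _ext(path) not in EXEC_EXTS:
        out.append(Finding("red", path,
                           f"image extension {_ext(path) or '(none)'} is not a normal executable type"))
    return out


def _check_o4(line: str) -> list[Finding]:
    # O4 - HKLM\..\Run: [Name] target   -> flag targets given without a path
    m = re.match(r"O4 - .*?: \[[^\]]*\] (.+)$", line)
    target = m.group(1).strip().strip('"') if m else ""
    if target and "\\" not in target:
        return [Finding("yellow", line,
                        "Run entry has no path; it is resolved through the search path, "
                        "so a same-named file earlier in PATH would win")]
    return []


def _check_o16(line: str) -> list[Finding]:
    m = re.match(r"O16 - DPF: (\{[0-9A-Fa-f-]+\})\s*-\s*(.*)$", line)
    if m and not m.group(2).strip():
        return [Finding("yellow", line,
                        "Download Program Files entry with no name or CODEBASE; "
                        "orphaned or deliberately anonymous ActiveX control")]
    return []


def _check_o23(line: str) -> list[Finding]:
    m = re.match(r"O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if m and m.group(2).strip().lower() == "unknown":
        return [Finding("yellow", line,
                        "service binary has no company name; confirm it is the product you expect")]
    return []


def triage(log_text: str) -> list[Finding]:
    """Walk the log once; the 'Running processes:' block ends at the first blank line."""
    findings: list[Finding] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            findings.extend(_check_process(line))
        elif line.startswith("O4 "):
            findings.extend(_check_o4(line))
        elif line.startswith("O16 "):
            findings.extend(_check_o16(line))
        elif line.startswith("O23 "):
            findings.extend(_check_o23(line))
    return findings


def summarise(findings: list[Finding]) -> dict:
    return {"red": sum(f.severity == "red" for f in findings),
            "yellow": sum(f.severity == "yellow" for f in findings)}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.item}")
    print(summarise(results))
```

On the sample, the only red findings are the two for C:\TEMP\GLBF.tmp; the yellows are the bare-name Run entries (SysTray.Exe, naldesk.exe), the empty O16 entry, and the McAfee service with no company name in its version info. Running the same rules over the full log would also yellow-flag NWTRAY.EXE, zentray.exe and McShield; in a Novell/McAfee shop every one of those is expected, which is the point of keeping yellow separate from red.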
 
I would suggest that you Boot into SafeMode first...

then DELETE your TEMP Folder completely (you can use a progie like HD-CLEAN to do this for you)... "C:\Temp\" and "C:\Winnt\Temp\"... as well as cleaning out your TEMPORARY INTERNET FILES... then kill this process "C:\TEMP\GLBF.tmp" and "C:\WINNT\system32\MSTask.exe"... (on my system there is no MSTASK.EXE for the TASK Scheduler; MSTinit.exe is more like it, but then again I am using XP not NT)

Run REGEDIT go to the following key: HKEY_CLASSES_ROOT, there look for ".TMP" if it is listed then DELETE that KEY only...

then rerun the progies already used (hopefully updated)...

then run HJT... delete the line pointed to you by Melissa (aka confusedlady)...

Hope this helps a bit... repost if it did the trick or if you are still stuck with it...





Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Sorry for the delay in responding Shardy.
I've had a read around myself, but cannot add anything useful to the previous posts, other than that I think the installer confusedlady refers to may be Wise, as suggested here.

TazUk

[pc] Blue-screening PCs since 1998
 
hi, I don't see anything in your log. Try a few online scanners.

Run an online antivirus check from at least one and preferably 2 of the following sites....

make sure autoclean is enabled on the scans

try AboutBuster from rubberducky. Make sure your progs are up to date

 
Thanks for all the help. Seem to have sorted it now.

The "GLB*.tmp" process IS an installation process. This is for an application that is delivered across the network upon login (exactly what application it is installing I do not know). Therefore this process SHOULD run.

However, there must have been an "unknown factor" that was preventing the installation from running properly. As such the installation was continually running and using up all the PC's resources.

After having manually gone through the whole file system, trying to remove (and uninstall) anything that I deemed unnecessary, it seems to have sorted itself out now.

Now upon login, the "GLB*.tmp" process STILL starts, but only for a couple of minutes and then drops off the process list. Therefore it no longer causes any problems for further use of the PC.

Once again, thanks for all the help. I have found this all very useful.

Regards,
Simon
 
ok, I did a google on that beast and nothing shows up, usually means it's a baddie and recent. it would be good to know what it is, how it got on your system and how to zap it off permanently.

khaz
 