Avast WEBforum

Other => Viruses and worms => Topic started by: SUSZANNAH on August 20, 2007, 01:42:51 AM

Title: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 01:42:51 AM
hi all, a little info required if possible.

Straight away after last virus database update, avast screamed I had this virus.

Trojan-gen.... in system32, safely went to chest. When I read the properties, it said that the last modification was 17/4/07. Does this mean it was on the PC all this time undetected?

Tried to look up vtststs.dll in Google but it came back with zilch... seems safe now, just curious........ ::)
Title: Re: vtststs.dll
Post by: Lisandro on August 20, 2007, 02:40:10 AM
Does this mean it was on pc all this time undetected?
Yes, it could be.
No, it could be a false positive detection.

Can you send the samples to virus@avast.com ?
You can zip and password the files... Include a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks.

It will be good if you check the file against on-line scanners. Submit the file to:
Virustotal (http://www.virustotal.com/en/indexf.html)
Jotti (http://virusscan.jotti.org/)
There is also Kaspersky File Scanner (http://www.kaspersky.com/scanforvirus) (The file should not be larger than 1 MB).
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 02:48:24 AM
Thank you Tech, been a long time. How do I get it from the chest to Jotti?   ::)
Title: Re: vtststs.dll
Post by: Lisandro on August 20, 2007, 02:55:44 AM
Thank you Tech, been a long time. How do I get it from the chest to Jotti?   ::)
You will have to extract the file to a temporary folder (better a USB drive), do NOT double-click the file or run it...
From this temporary folder, submit to VirusTotal (better than Jotti).
Title: Re: vtststs.dll
Post by: DavidR on August 20, 2007, 03:15:05 AM
You can't, the chest is a protected area; you have to export it (not restore) to a temp location and upload it to VirusTotal: much better results (more scanners) and it uses the Windows version of avast.

Once you have uploaded it you will need to delete it from the temp location. You may need to pause the Standard Shield when you export or try to upload, otherwise it might be detected again and stopped (resume the Standard Shield immediately after the upload completes).
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 03:24:03 AM
Thanks guys, very interesting results, seems it's Conhook again...............

These are the VirusTotal results, hope the info comes in useful


Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.18.0   2007.08.18   Win-Trojan/Conhook.8399
AntiVir   7.4.1.62   2007.08.19   TR/Dldr.ConHook.AH.18
Authentium   4.93.8   2007.08.17   -
Avast   4.7.1029.0   2007.08.20   Win32:Trojan-gen. {Other}
AVG   7.5.0.484   2007.08.19   Downloader.Generic5.IYP
BitDefender   7.2   2007.08.20   Adware.Winflyer.A
CAT-QuickHeal   9.00   2007.08.18   -
ClamAV   0.91   2007.08.20   -
DrWeb   4.33   2007.08.19   -
eSafe   7.0.15.0   2007.08.16   -
eTrust-Vet   31.1.5069   2007.08.18   -
Ewido   4.0   2007.08.19   -
FileAdvisor   1   2007.08.20   -
Fortinet   2.91.0.0   2007.08.19   W32/ConHook.AH!tr.dldr
F-Prot   4.3.2.48   2007.08.17   -
F-Secure   6.70.13030.0   2007.08.19   Trojan-Downloader.Win32.ConHook.ah
Ikarus   T3.1.1.12   2007.08.19   Trojan-Spy.Win32.Bancos.ha
Kaspersky   4.0.2.24   2007.08.20   Trojan-Downloader.Win32.ConHook.ah
McAfee   5100   2007.08.17   -
Microsoft   1.2803   2007.08.19   -
NOD32v2   2470   2007.08.19   a variant of Win32/TrojanDownloader.Agent.ANM
Norman   5.80.02   2007.08.17   -
Panda   9.0.0.4   2007.08.19   Spyware/DuncanMonitor
Prevx1   V2   2007.08.20   Generic.Malware
Rising   19.36.60.00   2007.08.19   -
Sophos   4.20.0   2007.08.12   -
Sunbelt   2.2.907.0   2007.08.18   VIPRE.Suspicious
Symantec   10   2007.08.20   Trojan.Duntek
TheHacker   6.1.8.170   2007.08.17   -
VBA32   3.12.2.2   2007.08.17   -
VirusBuster   4.3.26:9   2007.08.19   -
Webwasher-Gateway   6.0.1   2007.08.20   Trojan.Dldr.ConHook.AH.18
Additional information
File size: 8425 bytes
MD5: 32360eaaa37d9d5245193116b9ff8318
SHA1: a3cf0547d7cad1a88c99326fefd17748fbf75a4f
packers: UPACK
packers: UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=A5A7E64CE96A0D6A2071004B8253C7001E766C20
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

So now can I just delete the temp folder, as avast has already picked it up?????
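The pasted VirusTotal listing above is easier to reason about if it is parsed rather than read by eye: how many engines fired, whether they agree on a family name (here most of them say ConHook, with Avast and AVG giving only generic names), and which engines were scanning with stale definitions. The script below is an added example, not part of the thread and not VirusTotal's own code; it parses a constructed subset of the rows in the same layout as the paste (engine, version, last update, result; "-" meaning no detection), and the "generic" word list used to separate family names from category words is an assumption chosen for this example.

```python
import re
from collections import Counter
from datetime import date, datetime

# Constructed sample: a subset of the VirusTotal rows pasted in the thread,
# in the same layout (engine, version, last update, result; "-" = no detection).
SAMPLE_REPORT = """\
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.18.0   2007.08.18   Win-Trojan/Conhook.8399
AntiVir   7.4.1.62   2007.08.19   TR/Dldr.ConHook.AH.18
Authentium   4.93.8   2007.08.17   -
Avast   4.7.1029.0   2007.08.20   Win32:Trojan-gen. {Other}
AVG   7.5.0.484   2007.08.19   Downloader.Generic5.IYP
ClamAV   0.91   2007.08.20   -
Fortinet   2.91.0.0   2007.08.19   W32/ConHook.AH!tr.dldr
Kaspersky   4.0.2.24   2007.08.20   Trojan-Downloader.Win32.ConHook.ah
Sophos   4.20.0   2007.08.12   -
Symantec   10   2007.08.20   Trojan.Duntek
Additional information
File size: 8425 bytes
MD5: 32360eaaa37d9d5245193116b9ff8318
"""

# One result row: four columns separated by tabs or runs of two or more spaces.
# Header, "Additional information" and hash lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)(?:\t+| {2,})(?P<version>\S+)(?:\t+| {2,})"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})(?:\t+| {2,})(?P<result>.+?)\s*$"
)

# Words that name a category rather than a family (assumed list for this example).
GENERIC = {"win32", "trojan", "downloader", "dldr", "generic", "adware",
           "spyware", "variant", "other", "malware", "suspicious", "agent"}


def parse_report(text):
    """Return one dict per engine row; result is None when the engine found nothing."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        result = m.group("result").strip()
        rows.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "updated": datetime.strptime(m.group("updated"), "%Y.%m.%d").date(),
            "result": None if result == "-" else result,
        })
    return rows


def summarize(rows):
    """Detection ratio in the same form VirusTotal prints it (e.g. '7/10')."""
    detected = [r["engine"] for r in rows if r["result"]]
    return {"total": len(rows), "detections": len(detected),
            "ratio": f"{len(detected)}/{len(rows)}", "detected_by": detected}


def family_consensus(rows):
    """Count family-like tokens across signature names; each engine votes once per token."""
    votes = Counter()
    for r in rows:
        if not r["result"]:
            continue
        tokens = set(re.findall(r"[a-z]+", r["result"].lower()))
        votes.update(t for t in tokens if len(t) >= 4 and t not in GENERIC)
    return votes


def stale_engines(rows, scan_date, max_age_days=3):
    """Engines whose definitions were more than max_age_days old on scan_date (ISO string)."""
    scan = date.fromisoformat(scan_date)
    return sorted(r["engine"] for r in rows
                  if (scan - r["updated"]).days > max_age_days)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(summarize(rows))                      # 7/10 on the constructed subset
    print(family_consensus(rows).most_common(3))  # conhook leads
    print(stale_engines(rows, "2007-08-20"))      # Sophos's definitions were 8 days old
```

The staleness check is the point DavidR makes later in the thread: a "-" from an engine whose definitions predate the sample tells you little, so a detection ratio should be read alongside the update dates, not on its own.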
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 03:42:07 AM
http://forum.avast.com/index.php?topic=28035.0

looking at the dates, it seems I never really got rid of it....................... :(
Title: Re: vtststs.dll
Post by: DavidR on August 20, 2007, 03:46:21 AM
Better luck this time, see you are burning the midnight oil ;D me too, been manually downloading MS Security updates (after my hard drive image back-up) before installing.

Last one just downloaded and my bed is calling.
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 03:48:46 AM
lol mine is too, last question, is it safe to get rid of that temp folder now, see no reason to send it to avast....... unless you can think of one lol
Title: Re: vtststs.dll
Post by: DavidR on August 20, 2007, 03:57:20 AM
Yes, but I have the folder that I have excluded from avast scans (creatively named avast-excludes ;D) for some of my tools and samples, that way if I have a file I want to upload or is suspect it goes in there, makes life easier.
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 04:00:35 AM
lol good thinking the folder stays (may need it soon) lol virus goes.... have a good night I am sure I will be back to haunt you soon   ;D ;D ;D
Title: Re: vtststs.dll
Post by: mauserme on August 20, 2007, 05:21:17 AM
In that thread from April we never ran ComboFix, which might have identified this. And Essexboy offered to do a WinPFind analysis which wasn't noticed. Two good opportunities to get that file were missed :( But at least it seems it wasn't active.

If you would like to double check your computer download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 11:30:04 PM
Many thanks Mauserme for pointing that out, must apologise to essex. Will get on with download and get back to you.... again many thanks    :)
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 20, 2007, 11:49:54 PM
Here are the ComboFix results, working on HJT as we speak...... :)

ComboFix 07-08-17.2 - "HP_Owner" 2007-08-20 22:34:30.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.190 [GMT 1:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


D:\Autorun.inf


(((((((((((((((((((((((((   Files Created from 2007-07-20 to 2007-08-20  )))))))))))))))))))))))))))))))


2007-08-20 22:33   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-16 02:11   <DIR>   d--------   C:\Program Files\MSXML 4.0


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-20 16:55   ---------   d--------   C:\Program Files\Spyware Terminator
2007-08-20 11:00   ---------   d--------   C:\DOCUME~1\HP_Owner\APPLIC~1\Spyware Terminator
2007-08-17 22:50   ---------   d--------   C:\Program Files\SpywareBlaster
2007-08-17 14:45   ---------   d--------   C:\Program Files\SUPERAntiSpyware
2007-08-07 22:26   138624   --a------   C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-07-27 23:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-27 23:02   94416   --a--c---   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-27 23:02   92848   --a--c---   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-27 23:00   23152   --a--c---   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 22:59   42912   --a--c---   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 22:58   26624   --a--c---   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 22:57   95608   --a--c---   C:\WINDOWS\system32\AVASTSS.scr
2007-07-24 19:20   ---------   d--------   C:\Program Files\Common Files\MAGIX Shared
2007-07-24 19:19   ---------   d--------   C:\Program Files\MAGIX
2007-07-09 15:48   ---------   d--------   C:\Program Files\Common Files\AOL
2007-06-26 07:08   1104896   --a------   C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31   282112   --a------   C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23   1033216   --a------   C:\WINDOWS\explorer.exe
2007-05-26 23:16   130048   --a--c---   C:\WINDOWS\system32\SpoonUninstall.exe
2001-03-28 12:02   122880   --a--c---   C:\WINDOWS\inf\Agfa\message.exe
2005-01-21 19:35:37   0   -csha-w   C:\WINDOWS\SMINST\HPCD.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-27 23:03]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2003-08-18 19:57]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 C:\WINDOWS\AGRSMMSG.exe]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-08-07 22:00]
"HostManager"="C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe" [2006-11-17 14:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-29 23:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewContextMenu"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoClose"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"NoSimpleStartMenu"=0 (0x0)
"HideClock"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS
S3 U81xbus;LGE U8XXX driver (WDM);C:\WINDOWS\system32\DRIVERS\U81xbus.sys
S3 U81xmdfl;LGE U8XXX USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\U81xmdfl.sys
S3 U81xmdm;LGE U8XXX USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\U81xmdm.sys
S3 U81xmgmt;LGE U8XXX USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\U81xmgmt.sys
S3 U81xobex;LGE U8XXX USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\U81xobex.sys
S3 usbsermptxp;Motorola USB Modem Driver for MPT XP;C:\WINDOWS\system32\DRIVERS\usbsermptxp.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setupSNK.exe


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 22:36:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 22:37:18
C:\ComboFix-quarantined-files.txt ... 2007-08-20 22:37

   --- E O F ---
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 12:04:19 AM
HJT log done.......

Logfile of HijackThis v1.99.1
Scan saved at 11:00:43, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AOL 9.0\waol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://esampler.tns-global.com/esampler/writeaoltest.html?harvest,AOL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1178117888\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6836D0D-4E7B-4AFE-AFD2-B53B5D144D7B}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


hope this helps......... :)
Title: Re: vtststs.dll
Post by: mauserme on August 21, 2007, 06:44:51 AM
Quote from: SUSZANNAH link=topic=30030.msg247789#msg247789
hope this helps......... :)
Ta  :)

The only thing unusual I see is that ComboFix put D:\Autorun.inf in quarantine. Since you haven't mentioned any problems related to removable media (flash drives, etc.) I'm surprised by this.

Please upload the file to Virus Total (http://www.virustotal.com/) and post the results. It's not in the original location now, of course. It will either be in c:\qoobox\quarantine\ or a subdirectory of that. If you have trouble finding it, open C:\ComboFix-quarantined-files.txt in Notepad and it will show you the exact location.

BTW, what is the D: drive?
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 04:47:03 PM
Hi there, the D drive is the HP recovery drive. The only autorun problem I have been having the last few months is that CDs won't auto-start in the F drive...........

File Autorun.inf.vir received on 08.21.2007 16:32:28 (CET)
Current status:     finished   
Result: 0/32 (0%)
Antivirus   Version   Last Update   Result
AhnLab-V3   2007.8.22.0   2007.08.21   -
AntiVir   7.4.1.62   2007.08.21   -
Authentium   4.93.8   2007.08.20   -
Avast   4.7.1029.0   2007.08.20   -
AVG   7.5.0.484   2007.08.20   -
BitDefender   7.2   2007.08.21   -
CAT-QuickHeal   9.00   2007.08.21   -
ClamAV   0.91   2007.08.21   -
DrWeb   4.33   2007.08.21   -
eSafe   7.0.15.0   2007.08.20   -
eTrust-Vet   31.1.5076   2007.08.21   -
Ewido   4.0   2007.08.21   -
FileAdvisor   1   2007.08.21   -
Fortinet   2.91.0.0   2007.08.21   -
F-Prot   4.3.2.48   2007.08.20   -
F-Secure   6.70.13030.0   2007.08.21   -
Ikarus   T3.1.1.12   2007.08.21   -
Kaspersky   4.0.2.24   2007.08.21   -
McAfee   5101   2007.08.20   -
Microsoft   1.2803   2007.08.21   -
NOD32v2   2473   2007.08.21   -
Norman   5.80.02   2007.08.21   -
Panda   9.0.0.4   2007.08.21   -
Prevx1   V2   2007.08.21   -
Rising   19.37.12.00   2007.08.21   -
Sophos   4.20.0   2007.08.21   -
Sunbelt   2.2.907.0   2007.08.21   -
Symantec   10   2007.08.21   -
TheHacker   6.1.8.171   2007.08.21   -
VBA32   3.12.2.2   2007.08.21   -
VirusBuster   4.3.26:9   2007.08.21   -
Webwasher-Gateway   6.0.1   2007.08.21   -
Additional information
File size: 90 bytes
MD5: 95302117c6e27bd3e9a9d416acd56e40
SHA1: 835996bafc1f83286f2b3b3ac70c39851bcabe8d

Don't know if this makes any sense to you, it doesn't to me lol....... what's new !!
Title: Re: vtststs.dll
Post by: DavidR on August 21, 2007, 05:18:26 PM
It makes sense in that avast is the only one to detect it, but that is on your system. One of the problems with VT is that its version of the VPS is often older than the user's; they have difficulty in updating the VPS.

However, the report normally has something after the - like, for example:
Avast   4.7.1029.0   2007.08.20   - nothing found

So I still have doubts about the file, you could also try Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/).
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 06:04:11 PM
Really odd here David, ran a scan through Jotti, came back as nothing found, so what has ComboFix quarantined???
Title: Re: vtststs.dll
Post by: DavidR on August 21, 2007, 06:30:54 PM
There have been many cases of autorun.inf being used in conjunction with USB drive infections; these often put a copy of autorun.inf in the root of any drive or partition to continue with the replication of the infection.

Normally you don't see a copy of autorun.inf on a hard disk, this is more removable media and USB drives, so it may be because it is on your hard disk that it has been quarantined. Unfortunately I know too little about the workings of ComboFix to say exactly why it did that.

I believe the only reason you have a copy is because of the recovery partition; this would, I assume, act like an installation CD and that would have an autorun.ini file.

A search of my system only finds one, and that is in a folder back-up copy of the XP SP2 update that I copied off my CD.
Title: Re: vtststs.dll
Post by: mauserme on August 21, 2007, 07:09:30 PM
This may be a false positive - very unusual for ComboFix.

In at least some cases HP uses autorun.inf to call the warning screen letting you know you should not modify any files on the recovery partition.

Open autorun.inf.vir in Notepad (this should be safe) and post its contents.
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 07:27:38 PM
Hi again. It won't let me open it, it asks to look on the net to find the program that wrote it, it's about 1 KB in size
Title: Re: vtststs.dll
Post by: mauserme on August 21, 2007, 07:32:46 PM
Hi again. It won't let me open it, it asks to look on the net to find the program that wrote it, it's about 1 KB in size
Is there an option below that to choose from a list of programs? If there is, check that and choose Notepad.
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 07:39:50 PM
This is all it came up with:


[autorun]
OPEN=setupSNK.exe
ICON=\SMRTNTKY\fcw.ico
ACTION=Wireless Network Setup Wizard
Title: Re: vtststs.dll
Post by: mauserme on August 21, 2007, 08:06:24 PM
There's a situation outlined here

http://support.microsoft.com/?kbid=878475

where a hard drive can appear as a USB drive when setting up wireless networking. I believe this is what happened on your computer.

I think ComboFix detected the file because one of the files it calls (setupSNK.exe) is also a name used by some malware. This, with the fact that it's unusual to have autorun.inf on a hard drive, makes it look suspicious.

You could probably just delete it as it's serving no purpose.
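The two signals mauserme describes (autorun.inf sitting on a fixed drive, and its launch target sharing a name with known malware) are exactly what a triage script can check before anyone decides whether a quarantined autorun.inf matters. The code below is an added example, not part of the thread and not ComboFix's logic; it parses the autorun.inf quoted above plus a constructed install-disc autorun.inf for comparison. The drive-type labels ("fixed", "removable", "cdrom") and the one-entry watchlist are assumptions made for this example: the watchlist contains only the name the thread itself mentions, and a real deployment would load a vetted list.

```python
import ntpath
import shlex

# Constructed watchlist of executable names reused by malware. Only the name
# mentioned in the thread is included; this is a placeholder, not a vetted list.
WATCHLIST = {"setupsnk.exe"}

# autorun.inf keys whose value Windows launches on AutoRun/AutoPlay.
LAUNCH_KEYS = ("open", "shellexecute")

# The autorun.inf contents posted in the thread (HP recovery partition).
HP_AUTORUN = r"""
[autorun]
OPEN=setupSNK.exe
ICON=\SMRTNTKY\fcw.ico
ACTION=Wireless Network Setup Wizard
"""

# Constructed benign comparison: a typical install-disc autorun.inf.
CD_AUTORUN = r"""
; setup disc
[autorun]
open=setup.exe
icon=setup.exe,0
"""


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased.

    Hand-written instead of configparser so that junk lines, which are common
    in malicious autorun.inf files, are skipped rather than raising.
    """
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_targets(keys):
    """Program paths named by the launch keys (first token of each value, quotes stripped)."""
    targets = []
    for key in LAUNCH_KEYS:
        if keys.get(key):
            targets.append(shlex.split(keys[key], posix=False)[0].strip('"'))
    return targets


def triage_autorun(text, drive_type):
    """Triage one autorun.inf; drive_type is 'fixed', 'removable' or 'cdrom' (assumed labels)."""
    keys = parse_autorun(text)
    targets = launch_targets(keys)
    reasons = []
    if keys and drive_type == "fixed":
        reasons.append("autorun.inf on a fixed drive; normally seen only on "
                       "removable media and install discs")
    for target in targets:
        name = ntpath.basename(target).lower()
        if name in WATCHLIST:
            reasons.append(f"launch target {name} is on the watchlist of names reused by malware")
    return {"launch_targets": targets, "reasons": reasons,
            "verdict": "review" if reasons else "benign"}


if __name__ == "__main__":
    print(triage_autorun(HP_AUTORUN, "fixed"))    # review: both reasons fire
    print(triage_autorun(CD_AUTORUN, "cdrom"))    # benign
```

A "review" verdict is a prompt to look at the launch target itself (hash it, check its location and signer, submit it as was done above), not a conclusion; in this thread the target turned out to be the Wireless Network Setup Wizard, so the same two signals would have been cleared by inspection.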
Title: Re: vtststs.dll
Post by: SUSZANNAH on August 21, 2007, 08:10:01 PM
Phew!! Thanks for that, as long as my wireless on the laptop still works that's fine by me  ;D
Title: Re: vtststs.dll
Post by: mauserme on August 23, 2007, 05:09:03 AM
Thanks for letting me finish what we started  :)