Author Topic: Trojan found!  (Read 4323 times)


suhegate

  • Guest
Trojan found!
« on: January 28, 2008, 06:55:23 PM »
My avast! informed me it found a trojan horse. Whatever I do, the virus stays where it is. I can only click 'No action'.
The virus is in WINDOWS, so I dare not delete it manually. What should I do?

virus name: Win32:BHO-KD
virus type: Trojan horse
infected file: cdosy.dll (which is in folder 'system32')

Please help me by answering! Thanks in advance for your answers.

1975maggie

  • Guest
Re: Trojan found!
« Reply #1 on: January 28, 2008, 07:03:03 PM »
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Run ComboFix first, then HJT. Thanks.

suhegate

  • Guest
Re: Trojan found!
« Reply #2 on: January 29, 2008, 10:24:22 AM »
OK, thanks for the help. Here is the log from ComboFix:

ComboFix 08-01-29.3 - xx 2008-01-29 10:15:40.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1033.18.194 [GMT 1:00]
Running from: C:\Documents and Settings\xx\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cdosy.dll
C:\WINDOWS\system32\drivers\rsawqgsv.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\salesmonitor
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\MyWay\Cache\SmileyCentralBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet optimizer
C:\Program Files\MyWay
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
C:\Program Files\MyWay\myBar\History\search
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm
C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\Cache\0009DBBE.bin
C:\Program Files\MyWebSearch\bar\Cache\007BE6CF.bin
C:\Program Files\MyWebSearch\bar\Cache\007BEE32.bin
C:\Program Files\MyWebSearch\bar\Cache\00FFA7A1
C:\Program Files\MyWebSearch\bar\Cache\014E5E05.bin
C:\Program Files\MyWebSearch\bar\Cache\014E5FAB.bin
C:\Program Files\MyWebSearch\bar\Cache\014E622C.bin
C:\Program Files\MyWebSearch\bar\Cache\014E646E.bin
C:\Program Files\MyWebSearch\bar\Cache\014E7391.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search
C:\Program Files\MyWebSearch\bar\Settings\prevcfg.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\bar\Settings\settings.htm
C:\Program Files\newdotnet
C:\Program Files\newdotnet\nncore.dll
C:\Program Files\newdotnet\nnrun.exe
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall.exe
C:\Program Files\SideFind
C:\Program Files\SideFind\sfexd001
C:\WINDOWS\msettings.ini
C:\WINDOWS\NDNuninstall6_98.exe
C:\WINDOWS\system32\cdosy.dll
C:\WINDOWS\system32\drivers\rsawqgsv.dat
C:\WINDOWS\system32\f3PSSavr.scr

----- BITS: Possible infected sites -----

hxxp://ytkdfmdkflf.info
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ATCEUFSK
-------\LEGACY_NNSERV
-------\atceufsk
-------\NNServ


(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-29  )))))))))))))))))))))))))))))))
.

2008-01-29 10:07 . 2007-12-02 13:33   211   --a------   C:\Boot.bak
2008-01-29 10:06 . 2004-08-03 23:00   260,272   --a------   C:\cmldr
2008-01-27 18:22 . 2008-01-27 18:22   <DIR>   d--------   C:\Program Files\Alwil Software
2008-01-27 18:22 . 2007-12-04 14:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-27 18:22 . 2004-01-09 10:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-27 18:22 . 2007-12-04 13:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-27 18:22 . 2007-12-04 15:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-27 18:22 . 2007-12-04 15:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-27 18:22 . 2007-12-04 15:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-27 18:22 . 2007-12-04 15:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-27 18:22 . 2007-12-04 15:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 12:48   ---------   d-----w   C:\Program Files\PokerStars
2008-01-12 16:59   ---------   d-----w   C:\Documents and Settings\xx\Application Data\Azureus
2007-12-31 09:16   ---------   d-----w   C:\Program Files\Full Tilt Poker.Net
2007-12-22 14:13   ---------   d-----w   C:\Documents and Settings\xx\Application Data\BSplayer
2007-12-22 13:48   ---------   d-----w   C:\Documents and Settings\xx\Application Data\BSplayer Pro
2007-12-02 10:32   163,840   ----a-w   C:\WINDOWS\system32\NeroCheck.exe
2007-12-02 10:32   ---------   d-----w   C:\Program Files\Common Files\PrivacyConductor
2007-12-02 10:31   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\ESET
2007-12-01 20:54   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
.

suhegate

  • Guest
Re: Trojan found!
« Reply #3 on: January 29, 2008, 10:24:44 AM »
[continued]
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyDVDPlayer"="C:\Program Files\EasyDVD\EasyDVD.exe" [2002-04-22 10:32 306176]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-10 21:11 77824]
"PcAhH"="C:\WINDOWS\cssbv.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^xx^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\xx\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-12-02 11:32 163840 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-05-14 08:47 67072 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2007-11-30 16:56 1266936 d:\igre\steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-30 17:52 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

S3 AC2003;AC2003;C:\WINDOWS\system32\Drivers\AC2003.sys [2003-12-10 08:21]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-24 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-26 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-29 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-26 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-27 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-27 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-27 12:59:59 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 15:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-12 00:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 19:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-28 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-27 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-26 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-11-11 01:01:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-11-11 02:01:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-10-06 02:01:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-10-06 03:01:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-12-10 05:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-12-27 06:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-26 07:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-29 09:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 10:18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-01-29 10:19:30 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-29 09:19:26


// I had a problem with a file c:\WINDOWS\system32\cdosy.dll, which was deleted (according to the log report). So, is my problem already fixed?

suhegate

  • Guest
Re: Trojan found!
« Reply #4 on: January 29, 2008, 10:30:36 AM »
Here is also a log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:21, on 29.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.najdi.si/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PcAhH] C:\WINDOWS\cssbv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [EasyDVDPlayer] "C:\Program Files\EasyDVD\EasyDVD.EXE /min"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414YYSI
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - D:\igre\poker\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c293.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {3707DB0E-E788-491A-8FA7-8C8B9774AAEB} (DigSigX Control) - https://edavki.durs.si/OpenPortal/Gui/Applets/hslDigSigX.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/ricochet/ReflexiveWebGameLoader.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://edavki.durs.si/OpenPortal/Gui/Applets/msxml4.cab
O16 - DPF: {CC4271BF-1582-4FD4-81CD-9AE877B17644} (ESignDoc2 Object) - https://edavki.durs.si/PersonalPortal/[59372]/Controls/ESignDocControls/hslESignDoc2.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{316EAE20-08EF-4EC1-BA3C-71AC96B11CF8}: NameServer = 193.189.160.23,193.189.160.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{316EAE20-08EF-4EC1-BA3C-71AC96B11CF8}: NameServer = 193.189.160.23,193.189.160.13
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7557 bytes

1975maggie

  • Guest
Re: Trojan found!
« Reply #5 on: January 29, 2008, 05:51:10 PM »
Looking pretty good. May be a couple of things left.

Submit this file to www.virustotal.com

C:\WINDOWS\cssbv.exe

Copy and paste the above line into the "Submit a file" box on their site, click "Send file", wait for the results and please post them in your next reply.

Empty your scheduled tasks folder of all entries except "2008-01-29 09:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE



Open HJT, do a system scan only, and check-mark the following lines, if present:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c293.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
 



Your Java is way out of date and can be exploited by malware. Please update it.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to "Java Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.

 You do not have to install the Java Web Start ActiveX Control


Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure, and reboot if not prompted to do so.


Please do the above, post the VirusTotal results and let me know of any problems you are still having.
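The triage the reply above does by eye can be scripted for bigger logs. The following is an added example, not code from the posters, ComboFix or HijackThis: it pairs the ComboFix "Scheduled Tasks" lines with their targets, groups them by executable and flags targets launched only from At<n>.job files (the names at.exe gives to jobs created from the command line, which is why all 24 DtHSJMgM.exe jobs go and the named Symantec job stays), then picks out the HijackThis lines of the kinds marked for fixing: URLSearchHooks with "(no file)", O16 DPF downloads from the listed hosts, and an O4 autostart sitting directly in C:\WINDOWS, which is a candidate for the hash lookup the reply asks for, not a verdict. The sample lines are constructed from entries quoted in this thread (abbreviated), and the DPF host list is an assumption taken from the O16 lines the reply tells the poster to check.

```python
"""Triage helper for ComboFix and HijackThis log text (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a slice of the ComboFix "Scheduled Tasks" section above.
COMBOFIX_TASKS = r'''
"2008-01-24 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-26 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2007-10-06 02:01:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\DtHSJMgM.exe
"2008-01-29 09:16:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
'''

# Constructed sample: HijackThis lines of the kinds discussed in the thread.
HJT_LINES = r'''
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PcAhH] C:\WINDOWS\cssbv.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c293.cab
O16 - DPF: {3707DB0E-E788-491A-8FA7-8C8B9774AAEB} (DigSigX Control) - https://edavki.durs.si/OpenPortal/Gui/Applets/hslDigSigX.cab
'''

# Assumption: hosts of the O16 entries the helper marked for removal.
DPF_HOSTS_TO_FIX = {"static.windupdates.com", "ak.imgfarm.com", "dm.screensavers.com"}

JOB_RE = re.compile(r'^"(?P<when>\S+ \S+) (?P<job>.+\.job)"$')
TARGET_RE = re.compile(r'^- (?P<target>.+)$')
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)   # at.exe naming scheme
HJT_RE = re.compile(r'^(?P<kind>[A-Z]\d+) - (?P<rest>.*)$')
WINDOWS_ROOT_EXE = re.compile(r'^c:\\windows\\[^\\]+\.exe$', re.IGNORECASE)


def parse_tasks(text):
    """Pair each '"<time> <job>"' line with the '- <target>' line under it."""
    lines = [l for l in text.splitlines() if l.strip()]
    tasks = []
    for i in range(len(lines) - 1):
        job, target = JOB_RE.match(lines[i]), TARGET_RE.match(lines[i + 1])
        if job and target:
            tasks.append((job.group("job"), target.group("target")))
    return tasks


def group_tasks(tasks):
    """Per target executable: the jobs launching it, and whether every one of
    them is an At<n>.job, i.e. created via at.exe rather than the GUI."""
    by_target = defaultdict(list)
    for job, target in tasks:
        by_target[target.lower()].append(job)
    return {t: {"jobs": sorted(j), "all_at_jobs": all(AT_JOB_RE.search(x) for x in j)}
            for t, j in by_target.items()}


def tasks_to_remove(report):
    """Targets reached only through at.exe jobs; the named Symantec job stays."""
    return sorted(t for t, info in report.items() if info["all_at_jobs"])


def run_target(rest):
    """Executable path from an O4 line's command string (quoted or bare)."""
    cmd = rest.split("] ", 1)[-1].strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage_hjt(text):
    """Return (line, reason) pairs for the HJT entry kinds discussed above."""
    findings = []
    for line in text.splitlines():
        m = HJT_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "R3" and rest.endswith("(no file)"):
            findings.append((line, "orphaned URLSearchHook: CLSID registered, no file on disk"))
        elif kind == "O16":
            host = urlsplit(rest.rsplit(" - ", 1)[-1]).hostname or ""
            if host in DPF_HOSTS_TO_FIX:
                findings.append((line, f"ActiveX download from {host}"))
        elif kind == "O4" and WINDOWS_ROOT_EXE.match(run_target(rest)):
            findings.append((line, "autostart directly in C:\\WINDOWS; hash it and look it up"))
    return findings


if __name__ == "__main__":
    report = group_tasks(parse_tasks(COMBOFIX_TASKS))
    for target in tasks_to_remove(report):
        print("remove jobs for", target, report[target]["jobs"])
    for line, reason in triage_hjt(HJT_LINES):
        print(reason, "<-", line)
```

Run it as-is against the constructed samples, or feed it the full "Scheduled Tasks" section and HJT log pasted into the two strings; the script only reads text, so it is safe to run on a clean machine while the infected one is still being worked on.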




Spiritsongs

  • Guest
Re: Trojan found!
« Reply #6 on: January 29, 2008, 07:07:55 PM »
:) Hi:

As already mentioned, your Sun Java is way out of date. However, it would be best to start by uninstalling ALL versions of this program you have, then either go to the "java.sun.com...." site that was mentioned or to www.java.com.

From your log, it appears Avast is your ONLY security program!? IF true, you are seriously UNDERPROTECTED. You SHOULD HAVE AT LEAST ONE antiSPYWARE/antiTROJAN program, and I recommend you start with the FREE version of "SUPERAntiSpyware" from www.superantispyware.com.

AND the Windows "Firewall" you have is NOT very good. I recommend you install either Zone Alarm, Sunbelt Kerio, or Sygate Firewall; all are available at www.filehippo.com/software/firewalls.