Author Topic: Trojano 1586  (Read 6721 times)

0 Members and 1 Guest are viewing this topic.

zorrofox

  • Guest
Trojano 1586
« on: July 04, 2005, 12:20:39 AM »
 Hi folks. I hope someone can help with this cos I ain't got much hair left.

A couple of days ago Avast alerted me to a trojan called "Trojano 1586". It's advice was to move to chest, ehich I did. However, today the same thing has happened three times. I've followed the same advice again. I even disabled system restore before the last time thinking this would get rid of it. No such luck.

I use the usual suspects security-wise and thought I was pretty safe. My opinion has changed somewhat. Any help you folks can give would be very much appreciated.

Here's my Hijack This! log. I hope it's of some use.

Logfile of HijackThis v1.99.1
Scan saved at 22:45:53, on 03/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\Profiler\lwemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racemore.com/more/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Diskeeper 9 Professional Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore.com/more/SIMBIN_WebLauncher.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4C49F9E-BFDE-43B2-B5F9-E5395CB69059}: NameServer = 194.72.9.44 194.74.65.86
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 89325
  • No support PMs thanks
Re: Trojano 1586
« Reply #1 on: July 04, 2005, 12:35:25 AM »
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

Although a quick look doesn't reveal anything obvious, the IPs listed should relate to your ISP.

O16 - DPF: {076BD9A0-9F4B-4026-A5F8-412356313131} (SIMBIN_WebLauncher Control) - http://www.racemore.com/more/SIMBIN_WebLauncher.ocx
Unless this was installed by you as a racing fan?

You don't appear to have a firewal installed unless you are using a hardware router/firewall.
« Last Edit: July 04, 2005, 12:37:17 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MFB

  • Guest
Re: Trojano 1586
« Reply #2 on: July 04, 2005, 06:56:05 AM »
I'm not famliar with this program:

      O4 - HKLM\..\Run: [kX Mixer] kxmixer --startup

You might want to check up on that one. 

Make sure you ignore these as what DavidR said:

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

      O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)



zorrofox

  • Guest
Re: Trojano 1586
« Reply #3 on: July 04, 2005, 08:10:20 AM »
Thanks folks. Aye, the Racemore entry is valid, though I don't use it anymore. The reference to "kx" is to do with alternative drivers I use with my Creative soundcard.

Something's still wrong though. I'll check out the analysis thing when I get in from work later today. Thanks for the help so far.

zorrofox

  • Guest
Re: Trojano 1586
« Reply #4 on: July 04, 2005, 08:39:07 AM »
Just a quickie. How do I ascertain whether the IP references DO relate to my ISP?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojano 1586
« Reply #5 on: July 04, 2005, 10:26:27 AM »
Hi Zorrofox,

What exactly was the name and location of the file avast! detected? You could try uploading  the file to Jotti's scanner which will submit it to multiple scan engines and indicate if this is a false positive.

If other scanners do say it's a Trojan, please make a note of the name they use for it, as this can give more information on the web.

Have you done a boot time scan with avast!? If not, do this now because avast! can only remove some malware at Windows boot.

If this fails to remove it, you could try these two powerful anti-Trojan programs- they both have a free trial:

TDS-3 (Download the definitions file and move to the program folder.)

http://tds.diamondcs.com.au/

and TrojanHunter

http://www.trojanhunter.com/

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

zorrofox

  • Guest
Re: Trojano 1586
« Reply #6 on: July 04, 2005, 05:22:33 PM »
Hi again. Well, I downloaded both those programs suggested and Trojanhunter immediately found 2 entries. One was called "Bropia***", and - I'm ashamed to say - I can't remember  the second. It renamed the files and, as they weren't required anyway, I got rid.

I've done another scan and found nothing, so it seems to have worked. Touch wood. The folder I found it in was one I use to store anything transferred through MSN Messenger.And I know who sent that particular file. I don't know why Avast! didn't pick it up as it was transferred though.

Anyway, thankyou everybody. I can now go and chase the guy who sent me said file in the first place.

Thankyou all very much.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Trojano 1586
« Reply #7 on: July 04, 2005, 05:49:40 PM »
Recommend you run the Symantec Bropia removal tool to check all traces have gone.

http://securityresponse.symantec.com/avcenter/venc/data/w32.bropia.removal.tool.html

Also the Microsoft Malicious Software Removal tool, as Bropia may drop the Spybot worm.

http://www.microsoft.com/security/malwareremove/default.mspx
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

zorrofox

  • Guest
Re: Trojano 1586
« Reply #8 on: July 04, 2005, 07:14:54 PM »
I've now run both those tools also and I'm still clean. Fantastic!

Thanks again everyone.