Win32:Trojano-3522 [Trj]

[?uest]

Hello folks!

I have been battling with this trojan for the past 2 weeks or so and so far it has had the upper hand.

Win32:Trojano-3522 [Trj] is the name of the malware and the symptoms it has exhibited so far is that it copies itself as an exe file in and named after the folder it is present in. For instance, the path avast! brings up is F:\FUN DRIVE\2k5\temp\temp.exe\[UPX].

I have 2 hard disks partitioned into 2 each and this pest has copied itself into all of them. It appears that it hasnt gone into any of the system folders, at least I havent noticed Avast! giving me a warning with a path into any of the system folders.

I used to run AVG anti virus and it spotted it and was able to delete the copies the scan detected. But after sometime I get the virus-detected warning message and not necessarily after a reboot.  The thing is after running system scan and removing the instances of the trojan, I scan again it it says my system is clean.  After sometime, I get the warning message again.

So I uninstalled AVG and got around to installing Avast! which friends been telling me is superior to AVG. I thorough scanned my system and moved all instances of the trojan found to the chest. But the situation is the same as previously: Folders assessed to be clean elicit a warning message after sometime.

So I googled for possible fixes and came across this forum (surprise surprise!). I searched for topics covering what Im experiencing but found none containing the exact name of the trojan residing in my system. That is, none with the same four digit suffix. Still, I followed the advise (as much as I could determine relevant to my situation). I scheduled boot time scan and set it to move all instances to chest. For a few hours after that I was beginning to feel positive that the scan took care of it. Of course, it didnt.

There has been no noticeable evidence that the trojan causes any issues with browsing or response of my system. I use Opera but checked whether IE was compromised. It isnt, at least not when I tried browsing on it. I'd say the only effect is the irritating copies of the exe file I see in my folders. Naturally I dont try to run the exe file.

Spybot doesnt detect it.
Im currently scanning with ewido to see if it may make any difference but somehow my hopes arent high.
Im using Avast! 4.7 home edition on winXP SP2.

I'd deeply appreciate it if some of you kind folks could give advice on how to deal with it as Im trying to put off formatting my PC until absolutely necessary. Below is the HijackThis log file

Cheers. ?

Logfile of HijackThis v1.99.1
Scan saved at 03:04:52, on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
d:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\WINDOWS\System32\svchost.exe
d:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
D:\Program Files\eMule\emule.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
D:\Program Files\KONAMI\Pro Evolution Soccer 5\pes5.exe
D:\Program Files\Browsers\Opera\Opera.exe
E:\Shared Installers\aswclnr.exe
E:\Shared Installers\aswclnr.tmp
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137439817796
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - d:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

[Spiritsongs]

   Hi :

     HijackThis logs are best reviewed by HijackThis Experts
     found on antiSPYWARE forums ; since you have Spybot,
     why not ask their Experts on THEIR forums at :
     http://forums.spybot.info !?

[?uest]

Thanks Im on my way to doing that. However, it will be helpful if any one can suggest a way to deal with this trojan.

Cheers. ?

[FreewheelinFrank]

No active firewall was found on your system or the firewall you use is unknown to us. If you don´t use a firewall you should download and install one or activate windows xp´s own one.

http://hijackthis.de/logfiles/24699f70bcd5c8c47c2e772112978065.html

Nothing bad is obvious from the HijackThis! log. Have you tried a scan with BlackLight to check for rootkits?

http://www.f-secure.com/blacklight/

[?uest]

I will be doing that now FreewheelinFrank. Thanks.

[?uest]

BlackLight doesnt find anything questionable...

[FreewheelinFrank]

What about installing a firewall- watch out for which processes try to access the net.

Zone Alarm, Kerio and Comodo are all good.

What name did AVG detect the Trojan as? Unfortunately, Trojano-3522 is avast!'s own name and doesn't give us any information.

[?uest]

Unfortunately I cant remember what AVG called it.  And I deleted whatever files AVG left after being uninstalled. However ewido detected it but after reboot it the trojan still copies itself. Im currently scanning with ewido and I will post what it calls the trojan shortly.

Cheers. ?

[?uest]

ewido calls it worm.brontok.n and I recall AVG referring to it as a worm.

EDIT: Im behind a router and so I have no software firewall.

Cheers. ?

[DavidR]

EDIT: Im behind a router and so I have no software firewall.

Which is something that you should rectify, you router more than likely only provides inbound protection not outbound protection.

Should anything get past your defences (which it has in this case) then it is free to connect to the internet and download more of the same. Or transmit your personal data (user names, passwords, key logger, etc.) back home.

[FreewheelinFrank]

Where did Ewido find the infection? Was it able to delete the infected files?

The worm runs at startup with explorer.exe and makes registry changes:

http://www.sophos.com/virusinfo/analyses/w32brontokn.html

[?uest]

Thanks for that FreewheelinFrank!

ewido found instances in several folders. My other PC in the network has been infected as well and someone in my family managed to run the exe file! 

The symptoms are:

*If you bring up the Windows Task Manager, it closes after 2 seconds or so.
*Same thing with running any installers.
*When thedesktop starts a dos prompt is displayed
*The exe file icons look like folders. I imagine thats how it was run when someone inadvertently took it for a harmless folder
*avast! runs only for a few seconds when launched.
*There is no avast! icon on the sys tray


I get the impression that the other PC may need a format.