Trojan

[jayel64]

I have been hit with a trojan called Win32-Agent-HDR this was in the Local Settings\Temp.Interrnet.Also in my C:\are two others named Recycler and System Volume Information,Iam not able to delete these two folders because it wil not allow me accsess.Also on every file and folder it has put in a Thumbs file and every time I delete these Thumbs they return later.Every time I empty the Recycle Bin it turns up in the Recycler folder and the System Vol.Info.shows as empty but it does contain files but they are hidden.Also Avast now treats these folders as normal so they don`t show as a virus. Any help please.Regards.John.PS.The trojan (Win32-Agent-HDR) has been removed.

[essexboy]

Download ComboFix from Here or Here to your Desktop.

• Double click combofix.exe and follow the prompts.
  
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
  

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

* Click here to download HJTsetup.exe

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  
• Put a check by Create a desktop icon then click Next again.
  
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
  

[jayel64]

Code: [Select]

2007-05-29 16:20      2210    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-06-07 16:23      32    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\Quarantine\ppqdb.dat.vir
2007-06-07 16:23      32    --a------    C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\Quarantine\ppqsdb.dat.vir


Folder PATH listing
Volume serial number is A0A8-9E92
C:\QOOBOX
\---Quarantine
    +---C
    |   \---WINDOWS
    |       |   wr.txt.vir
    |       |   
    |       \---DOWNLO~1
    |           \---Quarantine
    |                   ppqdb.dat.vir
    |                   ppqsdb.dat.vir
    |                   
    \---Registry_backups
Is this right,having trouble pasting HJT log,too many words.john

[jayel64]

ComboFix 07-06-11.3 - C:\Documents and Settings\John\My Documents\ComboFix.exe
"John" - 2007-06-11 15:53:17 - Service Pack 2  NTFS 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\DOWNLO~1.\Quarantine
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqdb.dat
C:\WINDOWS\DOWNLO~1.\Quarantine\ppqsdb.dat
C:\WINDOWS\wr.txt

HJT.Part-1
(((((((((((((((((((((((((   Files Created from 2007-05-11 to 2007-06-11  )))))))))))))))))))))))))))))))


2007-06-11 15:51   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-10 17:36   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-06-10 17:35   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2007-06-10 17:35   <DIR>   d--------   C:\DOCUME~1\John\APPLIC~1\SUPERAntiSpyware.com
2007-06-10 17:06   14   --a------   C:\DOCUME~1\John\getfile.dat
2007-06-10 16:49   14   --a------   C:\WINDOWS\system32\getfile.dat
2007-06-08 16:51   <DIR>   d--------   C:\Program Files\a-squared Free
2007-06-08 16:51   <DIR>   d--------   C:\Program Files\a-squared
2007-06-08 16:36   <DIR>   d--h-----   C:\WINDOWS\PIF
2007-06-08 16:36   <DIR>   d--------   C:\Program Files\Enigma Software Group
2007-06-07 22:00   <DIR>   d--hs----   C:\RECYCLER
2007-06-06 21:17   831,488   ---------   C:\WINDOWS\UNMRW.exe
2007-06-06 21:17   7,582   ---------   C:\WINDOWS\system32\drivers\incdrm.sys
2007-05-30 19:51   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-30 16:55   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2007-05-29 17:10   <DIR>   d--------   C:\WINDOWS\SxsCaPendDel
2007-05-29 16:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-05-26 20:47   217   --a------   C:\WINDOWS\rayiou.exe
2007-05-15 01:39   65,045   --a------   C:\WINDOWS\b138.exe
2007-05-14 17:56   14,155,776   --a------   C:\DOCUME~1\John\ntuser.dat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-10 20:43:09   --------   d-----w   C:\DOCUME~1\John\APPLIC~1\uTorrent
2007-06-10 16:35:13   --------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-06-08 15:36:48   --------   d-----w   C:\Program Files\RegScrubXP
2007-06-06 20:28:39   155,648   ------w   C:\WINDOWS\system32\NeroCheck.exe
2007-06-06 20:17:45   --------   d-----w   C:\Program Files\Ahead
2007-06-05 13:16:53   --------   d-----w   C:\Program Files\Movie Maker
2007-06-05 13:16:46   --------   d-----w   C:\Program Files\gPhotoShow
2007-06-05 13:15:39   --------   d-----w   C:\Program Files\QuickTime
2007-06-05 13:15:38   --------   d-----w   C:\Program Files\Wallpaper Show
2007-06-05 13:14:52   --------   d-----w   C:\Program Files\Windows Live Toolbar
2007-06-05 13:14:50   --------   d-----w   C:\Program Files\MagicISO
2007-06-05 13:14:45   --------   d-----w   C:\Program Files\Messenger
2007-06-03 22:05:30   --------   d-----w   C:\DOCUME~1\John\APPLIC~1\Help
2007-06-01 20:05:40   --------   d-----w   C:\Program Files\Climate Change Experiment
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55   85,952   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42   94,552   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41   23,416   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51   43,176   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23   26,888   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-26 20:15:11   --------   d-----w   C:\Program Files\Registry Repair 9in1 - RegScrubXP, CCleaner, Free Error Cleaner, RegSeeker, Easy Cleaner, Free Windows Registry Repair, Tweak Now Registry Cleaner and more!
2007-04-23 16:53:52   --------   d-----w   C:\Program Files\Jasc Software Inc
2007-04-22 21:15:31   --------   d-----w   C:\DOCUME~1\John\APPLIC~1\Windows Desktop Search
2007-04-22 21:14:14   --------   d-----w   C:\Program Files\Windows Desktop Search
2007-04-22 16:33:58   --------   d-----w   C:\Program Files\Microsoft Office Enterprise 2007
2007-04-22 16:27:06   --------   d-----w   C:\Program Files\Microsoft Works
2007-04-22 16:26:14   --------   d-----w   C:\Program Files\MSBuild
2007-04-19 15:53:30   --------   d-----w   C:\Program Files\microsoft frontpage
2007-04-18 18:28:03   --------   d-----w   C:\Program Files\utorrent
2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-14 18:59:02   --------   d-----w   C:\Program Files\LizardTech
2007-04-14 18:59:01   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-04-12 18:22:37   --------   d-----w   C:\Program Files\Planet Orbits ScreenSaver 2
2007-03-17 13:43:01   292,864   ----a-w   C:\WINDOWS\system32\winsrv.dll
2007-03-15 11:23:16   497,496   ----a-w   C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19:58   526,184   ----a-w   C:\WINDOWS\system32\XceedCry.dll
2001-08-18 12:00:00   94,784   --sh--w   C:\WINDOWS\twain.dll
2004-08-04 07:56:46   50,688   --sh--w   C:\WINDOWS\twain_32.dll
2004-08-04 07:56:42   1,028,096   --sh--w   C:\WINDOWS\system32\mfc42.dll
2004-08-04 07:56:43   54,784   --sh--w   C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:43   413,696   --sh--w   C:\WINDOWS\system32\msvcp60.dll
2004-08-04 07:56:43   343,040   --sh--w   C:\WINDOWS\system32\msvcrt.dll
2004-08-04 07:56:44   553,472   --sh--w   C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44   83,456   --sh--w   C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55   11,776   --sh--w   C:\WINDOWS\system32\regsvr32.exe

[jayel64]

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll [2006-10-26 12:28]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-04-07 00:02]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}=C:\Program Files\Windows Live Toolbar\msntb.dll [2007-02-12 15:56]
{F97DA966-F09D-4cab-BF29-75A0026986EA}=C:\PROGRA~1\BEARSH~2\BEARSH~1\MediaBar.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-10-10 22:49 C:\WINDOWS\system32\nwiz.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2002-07-26 06:31]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-27 14:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"OpiStat"="C:\Program Files\OpiStat\OpiStat\OpiStat.exe" [2006-04-11 01:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-06 11:15]
"Desktop Tool"="C:\Program Files\Alcatel One Touch PC Suite 2\DesktopTool\DesktopTool.exe" [2003-12-09 18:40]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2006-04-19 07:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-10-15 19:36]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"winupd32"="winupd32.exe" []
"BDMCon"="C:\Program Files\Softwin\BitDefender8\bdmcon.exe" [2005-06-20 12:10]
"BDNewsAgent"="c:\program files\softwin\bitdefender8\bdnagent.exe" [2005-05-09 12:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-05-23 10:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"winupd32"=winupd32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
DNSQueryTimeouts   122480


Contents of the 'Scheduled Tasks' folder
2007-06-10 21:32:01  C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-11 16:01:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

  ? [3040]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-11 16:02:27
C:\ComboFix-quarantined-files.txt ... 2007-06-11 16:02

   --- E O F ---
HJT.Part-2.

[DavidR]

There is a limit in the amount of text you can paste into a post, you can copy and paste it in two posts (or more if needs be).

I guess you have now found that out posting away like a wild thing

[jayel64]

Yes this is all new to me,it took some time but I think that I got it right.Is this the info.you require.John.

[jayel64]

Checking my system files and folders I seem to have a lot of "Ghost" files(not as clear as the other files and folders)I am not sure if this is normal or not,also I found a log file in c:\docs & settings\allusers\ntuser.dat.log text doc.1kb).regf.   .   „ÐÃÐÇ

      
   
         
   d   s e t t i n g s \ a l l   u s e r s \ n t u s e r . d a t                                       Backdoor:Win32/Sdbot                                                Backdoor:Win32/Sdbot                                                Backdoor:Win32/Sdbot                                                Backdoor:Win32/Sdbot                                                Backdoor:Win32/Sdbot                                                Backdoor:Win32/SdbotSî¤DIRTÿàþâ\ D e v i c e \ H a r d d i s k V o l u m e 1 \ D o c u m e n t s   a n d   S e t t i n g s \ A l l   U s e r s \ n t u s e r . d a t   A T   t                                                  ÿ                                                                                                                                                                                                                                                                                               I think that the file mentioned Win32/sdbot was deleted on a deep scan when this virus first struck.Does this help in any way.John.                       

[DavidR]

Files that appear as slightly faded, usually indicate that they have the attribute hidden, this is often a tactic of malware to hide files from view. This is also used for a number of legitimate system files that windows doesn't want you to mess with, so care has to be exercised as not all hidden files will be malicious.

When you use the explorer, Tools, Folder Options, View and check the 'Show hidden files and folders' option, this is how they appear in explorer to indicate they would otherwise be hidden.

This is easy to test, right click on an ordinary file and select properties, check the Hidden option and click Apply, now you will see the icon beside the file name fade, uncheck the Hidden option and click Apply again and it will change to a normal display.

[jayel64]

Understood now the big question is my system still infected or am I being paranoid??.John.

[DavidR]

Well hopefully essexboy will be back to analyse your combofix log that he asked for.

However checking the files that have been newly created and see if you recognise them and if not google the file names to see if you can get more info on them and scan suspect files.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner if any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest, you will need to move it out.

These two look suspect, a google search is inconclusive (but suspect IMHO) on them and I would suggest using VirusTotal or Jotti.
(((((((((((((((((((((((((   Files Created from 2007-05-11 to 2007-06-11  )))))))))))))))))))))))))))))))
2007-05-26 20:47   217   --a------   C:\WINDOWS\rayiou.exe
2007-05-15 01:39   65,045   --a------   C:\WINDOWS\b138.exe

[Lisandro]

Understood now the big question is my system still infected or am I being paranoid??.John.

To be sure, I suggest:

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2) Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5) If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

6) After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

[essexboy]

My apologies for the delay but I forgot to put notify on this thread.

You appear to have a trojan but as to the variety I can't be quite sure without an Hijackthis log.

You have 2 suspect reg entries for run commands which indicate a possible smitfraud type infection plus a downloader.  I will not touch the registry lines until I see a log, but as for the downloader

 Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\b138.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Could you reply with the OTMoveit log and a Hijackthis log

PS I am now set to notify

[jayel64]

My apologies for the delay but I have been ill,I have implemented the suggestions from Thursday and there were two more Trojans found they were both downloaders all seems fine now.I have run all the virus software and updated all of them and so far so good Avast is on guard and has reported nothing.Many thanks for your help and advice if I have any more problems(not)then I know where to come.Regards.John.PS.The Trojans were Generic Win32/SDBots.Does this seem right.

[essexboy]

If you could just post a Hijackthis log then I can confirm that you are clean