Author Topic: Trojan  (Read 14346 times)


Pidde

  • Guest
Trojan
« on: August 26, 2007, 01:51:10 PM »
Hi, I need some help with some problems of mine and would be happy if someone could help me :)

The warning comes up from the avast antivirus that I have a Trojan; they want me to put it in the chest, and I do. Well, the problem is that the warning pops up again and again. There are 2 warnings, so I think there are 2 different types that I have. I really need help with this. On the warning, 2 names come up: Win32:Conhooks-BS[Trj] and Win32:Virtumonde-DF[Adw].

It would make my day if anyone could help me with this!!!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan
« Reply #1 on: August 26, 2007, 02:01:51 PM »
OK, let's go hunting.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

On completion of ComboFix, do the following:

Please download RUNSCANNER and install it.
When the first page comes up, select Beginner Mode.
On the next page, select Save a binary .Run file (optional).
Then click Start full computer scan at the bottom.
At this time Runscanner.exe may request access to the Internet; please allow it to do so.
It will then run for 2 or 3 minutes.
On completion it will ask for a location to save the file(s) and a name.
It will do this for both the .run file and the log.
Call the file Vundo and save it to your desktop.
You will see the .run file on your desktop. Please zip that file by right-clicking and selecting Send to > Zip file.
Then upload that as an attachment to your next post,
along with the log file produced.

« Last Edit: August 26, 2007, 02:05:10 PM by essexboy »

Pidde

Re: Trojan
« Reply #2 on: August 26, 2007, 02:39:34 PM »
Hi, I'm having a problem with the .run file. I can't send it, but here are the logs.

Offline essexboy

Re: Trojan
« Reply #3 on: August 26, 2007, 02:43:19 PM »
Hi there, for some reason I cannot download or open the logs; could you post them instead? It may need multiple posts.

Offline essexboy

Re: Trojan
« Reply #4 on: August 26, 2007, 02:45:13 PM »
The .run file will need to be zipped, or the forum will reject the upload due to the file type.

mauserme

  • Guest
Re: Trojan
« Reply #5 on: August 26, 2007, 03:42:00 PM »
Here you go ...

Quote
ComboFix 07-08-25.2 - "Filip" 2007-08-26 14:07:45.2 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.46.1053.18.797 [GMT 2:00]
 * Created a new restore point


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\UxjyRLL5.exe
C:\WINDOWS\Tasks.\At11.job
C:\WINDOWS\Tasks.\At13.job
C:\WINDOWS\Tasks.\At16.job
C:\WINDOWS\Tasks.\At17.job
C:\WINDOWS\Tasks.\At18.job
C:\WINDOWS\Tasks.\At19.job
C:\WINDOWS\Tasks.\At20.job
C:\WINDOWS\Tasks.\At21.job
C:\WINDOWS\Tasks.\At22.job
C:\WINDOWS\Tasks.\At23.job
C:\WINDOWS\Tasks.\At24.job


(((((((((((((((((((((((((   Files Created from 2007-07-26 to 2007-08-26  )))))))))))))))))))))))))))))))


2007-08-25 23:11   <KAT>   d--------   C:\Program\Ventrilo
2007-08-22 23:37   <KAT>   d--------   C:\DOCUME~1\Filip\APPLIC~1\OpenOffice.org2
2007-08-12 00:58   98,304   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-08-12 00:57   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2007-08-12 00:47   1   --a------   C:\WINDOWS\system32\SI.bin
2007-08-12 00:47   <KAT>   d--------   C:\Program\Ubisoft
2007-08-11 22:16   <KAT>   d--------   C:\Program\Lavasoft
2007-08-11 22:16   <KAT>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-11 22:15   <KAT>   d--------   C:\Program\Delade filer\Wise Installation Wizard
2007-08-11 08:23   69,472   --a------   C:\WINDOWS\War3Unin.dat
2007-08-11 08:23   2,829   --a------   C:\WINDOWS\War3Unin.pif
2007-08-11 08:23   139,264   --a------   C:\WINDOWS\War3Unin.exe
2007-08-11 07:27   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-10 16:46   18   --a------   C:\WINDOWS\system32\dn320d180e.dat
2007-08-10 16:46   <KAT>   d--hs----   C:\FOUND.000
2007-08-08 19:33   <KAT>   d--------   C:\DOCUME~1\Filip\APPLIC~1\teamspeak2
2007-08-07 23:59   <KAT>   d--------   C:\DOCUME~1\Filip\APPLIC~1\AdobeUM
2007-08-07 18:10   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2007-07-29 09:39   <KAT>   d--------   C:\Program\DivX


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 00:07   783224   --a------   C:\WINDOWS\system32\aswBoot.exe
2007-07-28 00:02   94416   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-28 00:02   92848   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-28 00:00   23152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-27 23:59   42912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-27 23:58   26624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-27 23:57   95608   --a------   C:\WINDOWS\system32\AvastSS.scr
2007-07-25 16:34   ---------   d--------   C:\Program\iTunes
2007-07-25 16:34   ---------   d--------   C:\Program\iPod
2007-07-25 16:33   ---------   d--------   C:\Program\Delade filer\Apple
2007-07-24 16:09   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\Apple Computer
2007-07-24 16:09   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\Apple Computer
2007-07-22 21:37   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\dvdcss
2007-07-22 21:37   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\dvdcss
2007-07-19 20:17   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\WinRAR
2007-07-19 20:17   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\WinRAR
2007-07-19 06:19   ---------   d--------   C:\Program\QuickTime
2007-07-19 06:19   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-19 06:18   ---------   d--------   C:\Program\Apple Software Update
2007-07-19 06:18   ---------   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-18 00:59   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\vlc
2007-07-18 00:59   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\vlc
2007-07-15 21:26   2378   --a------   C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
2007-07-15 21:25   8972   --a------   C:\WINDOWS\pchealth\helpctr\Config\Cntstore.bin
2007-07-09 21:07   200704   --a------   C:\WINDOWS\system32\ssldivx.dll
2007-07-09 21:07   1044480   --a------   C:\WINDOWS\system32\libdivx.dll
2007-07-02 03:31   ---------   d--------   C:\Program\LimeWire
2007-07-02 03:31   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\LimeWire
2007-07-02 03:31   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\LimeWire
2007-07-01 20:26   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\Ventrilo
2007-07-01 20:26   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\Ventrilo
2007-07-01 20:10   ---------   d--------   C:\Program\Steam
2007-07-01 20:00   ---------   d--------   C:\Program\uTorrent
2007-07-01 19:59   ---------   d--------   C:\DOCUME~1\Filip\APPLIC~1\uTorrent
2007-07-01 19:59   ---------   d--------   C:\DOCUME~1\FILIP\APPLIC~1\uTorrent
2007-07-01 19:35   ---------   d--------   C:\Program\MSN Messenger
2007-06-25 22:39   945   --a------   C:\WINDOWS\HotFix.bat
2007-06-25 22:39   657   --a------   C:\WINDOWS\CLEANUP.CMD

mauserme

Re: Trojan
« Reply #6 on: August 26, 2007, 03:42:57 PM »
Quote
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{84c9e310-932c-419d-9043-d84faef76558}]
         C:\WINDOWS\system32\findic.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"RTHDCPL"="RTHDCPL.EXE" [2005-11-16 20:27 C:\WINDOWS\RTHDCPL.exe]
"SynTPLpr"="C:\Program\Synaptics\SynTP\SynTPLpr.exe" [2005-11-02 00:11]
"SynTPEnh"="C:\Program\Synaptics\SynTP\SynTPEnh.exe" [2005-11-02 00:11]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-12-02 15:42]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00]
"ATICCC"="C:\Program\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-10-19 09:30]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-01-17 18:28]
"Acer ePower Management"="C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-01-16 11:58]
"LManager"="C:\Program\LAUNCH~1\QtZgAcer.EXE" [2005-12-06 17:11]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-11-30 20:39]
"LogitechCameraAssistant"="C:\Program\Acer\OrbiCam\CameraAssistant.exe" [2005-11-29 14:45]
"LogitechVideo[inspector]"="C:\Program\Acer\OrbiCam\InstallHelper.exe" [2005-11-29 14:51]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [2004-11-01 17:22]
"ADMTray.exe"="C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 16:45]
"avast!"="C:\Program\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 00:03]
"SunJavaUpdateSched"="C:\Program\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program\iTunes\iTunesHelper.exe" [2007-07-10 09:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Steam"="C:\Program\Steam\Steam.exe" [2007-07-01 20:10]
"MSMSGS"="C:\Program\Messenger\msmsgs.exe" [2004-08-04 01:47]

C:\DOCUME~1\FILIP\START-~1\PROGRAM\AUTOST~1\
OpenOffice.org 2.2.lnk - C:\Program\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\findic]
findic.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\ddcyvtu.dll

R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R1 OsaFsLoc;OsaFsLoc;\??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 osaio;osaio;\??\C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;\??\C:\WINDOWS\system32\drivers\osanbm.sys
R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\Drivers\lv321av.sys
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys
S3 AVerM115;AVerM115 service;C:\WINDOWS\system32\DRIVERS\AVerM115.sys
S3 SMCB000;SMSC CIR HID Miniport Device Driver;C:\WINDOWS\system32\DRIVERS\hidsmsc.sys


Contents of the 'Scheduled Tasks' folder
2007-08-15 11:32:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program\Apple Software Update\SoftwareUpdate.exe
2007-08-25 22:01:02 C:\WINDOWS\Tasks\At1.job
2007-08-25 23:01:02 C:\WINDOWS\Tasks\At2.job
2007-08-26 00:01:02 C:\WINDOWS\Tasks\At3.job
2007-08-26 01:01:04 C:\WINDOWS\Tasks\At4.job
2007-08-26 02:01:02 C:\WINDOWS\Tasks\At5.job
2007-08-26 03:01:02 C:\WINDOWS\Tasks\At6.job
2007-08-26 04:01:02 C:\WINDOWS\Tasks\At7.job
2007-08-26 05:01:02 C:\WINDOWS\Tasks\At8.job
2007-08-26 06:01:02 C:\WINDOWS\Tasks\At9.job
2007-08-26 07:01:02 C:\WINDOWS\Tasks\At10.job
2007-08-26 09:01:02 C:\WINDOWS\Tasks\At12.job
2007-08-26 11:01:02 C:\WINDOWS\Tasks\At14.job
2007-08-26 12:01:02 C:\WINDOWS\Tasks\At15.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-26 14:08:33
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-26 14:08:59
C:\ComboFix-quarantined-files.txt ... 2007-08-26 14:09

   --- E O F ---

mauserme

Re: Trojan
« Reply #7 on: August 26, 2007, 03:45:28 PM »
Quote
Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : ACER5672
Creation time : 2007-08-26 14:13:04
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : Svenska
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
c:\acer\empowering technology\epower\epower_dmc.exe (Acer Incorporated)
c:\program\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple, Inc.)
* c:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
* c:\windows\system32\ati2evxx.exe (ATI Technologies Inc.)
* c:\program\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\program\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\program\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\program\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program\alwil software\avast4\ashwebsv.exe (ALWIL Software)
c:\program\widcomm\bluetooth software\bin\btwdins.exe (Broadcom Corporation.)
c:\program\widcomm\bluetooth software\bttray.exe (Broadcom Corporation.)
c:\program files\acer\acer arcade\kernel\tv\clcapsvc.exe
c:\program\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
c:\program\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
c:\program\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
c:\program files\acer\acer arcade\kernel\tv\clsched.exe
c:\program files\acer\acer arcade\kernel\clml_ntservice\clmlservice.exe (Cyberlink)
c:\program files\acer\acer arcade\pcmservice.exe (CyberLink Corp.)
c:\acer\empowering technology\edatasecurity\edsloader.exe (HiTRUST)
* c:\program\mozilla firefox\firefox.exe (Mozilla Corporation)
c:\program\intel\wireless\bin\evteng.exe (Intel Corporation)
c:\program\intel\wireless\bin\regsrvc.exe (Intel Corporation)
* c:\program\ipod\bin\ipodservice.exe (Apple Inc.)
* c:\program\itunes\ituneshelper.exe (Apple Inc.)
* c:\program\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program\launch~1\qtzgacer.exe (Dritek System Inc.)
c:\program\acer\orbicam\cameraassistant.exe (Acer)
c:\windows\system32\elkctrl.exe (Logitech Inc.)
c:\program\delade filer\logitech\lvmvfm\lvprcsrv.exe (Logitech)
c:\windows\system32\lvcomsx.exe (Logitech)
c:\program files\acer\acer arcade\kernel\clml_ntservice\clmlserver.exe (Cyberlink)
* c:\windows\rthdcpl.exe (Realtek Semiconductor Corp.)
c:\program\cyberlink\shared files\richvideo.exe
* c:\docume~1\filip\lokala~1\temp\rar$ex00.203\runscanner.exe (Runscanner.net)
c:\acer\empowering technology\admserv.exe (Avocent Inc.)
* c:\program\steam\steam.exe (Valve Corporation)
c:\program\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
c:\program\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)
c:\acer\empowering technology\admtray.exe (Avocent Inc.)
d:\program\winrar.exe
c:\program\intel\wireless\bin\s24evmon.exe (Intel Corporation)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
- c:\acer\empowering technology\epower\acer epower management.exe boot
c:\acer\empowering technology\admtray.exe (Avocent Inc.)
c:\program\ati technologies\ati.ace\cli.exe (ATI Technologies Inc.)
* c:\program\alwils~1\avast4\ashdisp.exe (ALWIL Software)
c:\acer\empowering technology\edatasecurity\edsloader.exe (HiTRUST)
c:\acer\empowering technology\epower\epower_dmc.exe (Acer Incorporated)
* c:\program\itunes\ituneshelper.exe (Apple Inc.)
C:\WINDOWS\alaunch.exe (Acer Inc.)
c:\program\launch~1\qtzgacer.exe (Dritek System Inc.)
c:\program\acer\orbicam\cameraassistant.exe (Acer)
c:\windows\system32\elkctrl.exe (Logitech Inc.)
c:\program\acer\orbicam\installhelper.exe (Acer)
c:\windows\system32\lvcomsx.exe (Logitech)
* c:\windows\system32\ime\pintlgnt\imscinst.exe
c:\program files\acer\acer arcade\pcmservice.exe (CyberLink Corp.)
c:\program\quicktime\qttask.exe (Apple Inc.)
* C:\WINDOWS\rthdcpl.exe (Realtek Semiconductor Corp.)
* c:\program\java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
c:\program\synaptics\syntp\syntplpr.exe (Synaptics, Inc.)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program\steam\steam.exe (Valve Corporation)

004 C:\Documents and Settings\Filip\Start-meny\Program\Autostart
----------------------------------------------------------------
c:\program\openof~1.2\program\quicks~1.exe

005 C:\Documents and Settings\All Users\Start-meny\Program\Autostart
--------------------------------------------------------------------
c:\program\adobe\acroba~1.0\reader\reader~1.exe (Adobe Systems Incorporated)
c:\program\widcomm\blueto~1\bttray.exe (Broadcom Corporation.)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
c:\program\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
c:\acer\empowering technology\admserv.exe (AdminWorks Agent X6)
c:\program\delade filer\apple\mobile device support\bin\applemobiledeviceservice.exe (Apple Mobile Device)
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module)
* c:\program\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\program\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
c:\program\widcomm\bluetooth software\bin\btwdins.exe (Bluetooth Service)
c:\program files\acer\acer arcade\kernel\tv\clcapsvc.exe (CyberLink Background Capture Service (CBCS))
c:\program files\acer\acer arcade\kernel\clml_ntservice\clmlserver.exe (CyberLink Media Library Service)
c:\program\cyberlink\shared files\richvideo.exe (Cyberlink RichVideo Service(CRVS))
c:\program files\acer\acer arcade\kernel\tv\clsched.exe (CyberLink Task Scheduler (CTS))
c:\program\intel\wireless\bin\evteng.exe (Intel(R) PROSet/Wireless Event Log)
c:\program\intel\wireless\bin\regsrvc.exe (Intel(R) PROSet/Wireless Registry Service)
c:\program\intel\wireless\bin\s24evmon.exe (Intel(R) PROSet/Wireless Service)
* c:\program\ipod\bin\ipodservice.exe (iPod Service)
c:\program\delade filer\logitech\lvmvfm\lvprcsrv.exe (Logitech Process Monitor)
« Last Edit: August 26, 2007, 03:47:10 PM by mauserme »

mauserme

Re: Trojan
« Reply #8 on: August 26, 2007, 03:48:38 PM »
Quote

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
c:\windows\system32\drivers\epm-psd.sys (Acer EPM Power Scheme Driver)
c:\windows\system32\drivers\epm-shd.sys (Acer EPM System Hardware Driver)
C:\WINDOWS\system32\drivers\netmnt.sys (Acer NetMonitor Protocol)
C:\WINDOWS\system32\drivers\aegisp.sys (AEGIS Protocol (IEEE 802.1x) v3.4.9.0)
* C:\WINDOWS\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
* C:\WINDOWS\system32\drivers\averm115.sys (AVerM115 service)
- c:\docume~1\filip\lokala~1\temp\catchme.sys (Base)
c:\windows\system32\drivers\btserial.sys (Bluetooth Serial Driver)
C:\WINDOWS\system32\drivers\btkrnl.sys (Bluetooth-bussräknare)
C:\WINDOWS\system32\drivers\btaudio.sys (Bluetooth-ljudenhet)
C:\WINDOWS\system32\drivers\btwdndis.sys (Bluetooth-server för nätverksåtkomst)
* C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom NetXtreme Gigabit Ethernet)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface DRIVER)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\dkbfltr.sys (Dritek Keyboard Filter Driver)
* C:\WINDOWS\system32\drivers\gearaspiwdm.sys (GEARAspiWDM)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dpv.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwazl.sys (HSF_HWAZL WDM driver)
* C:\WINDOWS\system32\drivers\w39n51.sys (Intel(R) PRO/Wireless 3945ABG Adapter Driver)
c:\windows\system32\drivers\lvprcmon.sys (Logitech LVPrcMon Driver)
c:\windows\system32\drivers\lvmvdrv.sys (Logitech Machine Vision Engine Loader)
* C:\WINDOWS\system32\drivers\lvusbsta.sys (Logitech USB Monitor Filter)
* C:\WINDOWS\system32\drivers\lv321av.sys (Logitech USB PC Camera (VC0321))
* C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
C:\WINDOWS\system32\drivers\ndisfilt.sys (OSA NdisFilter Protocol)
c:\windows\system32\drivers\osafsloc.sys (OsaFsLoc)
c:\windows\system32\drivers\osaio.sys (osaio)
c:\windows\system32\drivers\osanbm.sys (osanbm)
* C:\WINDOWS\system32\drivers\ql12160.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1080.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ql1280.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc8xx.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_hi.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\ultra.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sym_u3.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\symc810.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\sparrow.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\mraid35x.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\asc3550.sys (SCSI miniport)
* C:\WINDOWS\system32\drivers\dac2w2k.sys (SCSI Miniport)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* C:\WINDOWS\system32\drivers\rtkhdaud.sys (Service for Realtek HD Audio (WDM))
* C:\WINDOWS\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* C:\WINDOWS\system32\drivers\hidsmsc.sys (SMSC CIR HID Miniport Device Driver)
* C:\WINDOWS\system32\drivers\smcirda.sys (SMSC IrCC Miniport Device Driver)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
* C:\WINDOWS\system32\drivers\cmdide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
* C:\WINDOWS\system32\drivers\tifm21.sys (tifm21.sys)
C:\WINDOWS\system32\drivers\ntidrvr.sys (Upper Class Filter Driver)
C:\WINDOWS\system32\drivers\btwusb.sys (WIDCOMM USB Bluetooth Driver)
* C:\WINDOWS\system32\drivers\ati2mtag.sys (Video)
C:\WINDOWS\system32\drivers\btport.sys (Virtuell Bluetooth-kommunikationsdrivrutin)
C:\WINDOWS\system32\drivers\s24trans.sys (WLAN Transport)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\program\delade~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program\delade~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program\delade~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

mauserme

Re: Trojan
« Reply #9 on: August 26, 2007, 03:49:04 PM »
Quote

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\program\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- c:\windows\system32\findic.dll {84c9e310-932c-419d-9043-d84faef76558}
* c:\program\java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\program\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\program\ati technologies\ati.ace\atiacmxx.dll {5E2121EE-0300-11D4-8D3B-444553540000}
C:\WINDOWS\system32\epm-po.dll (Acer Labs USA) {2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
* c:\program\itunes\itunesminiplayer.dll (Apple Inc.) {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\btneighborhood.dll (Broadcom Corporation.) {6af09ec9-b429-11d4-a1fb-0090960218cb}
c:\program\openoffice.org 2.2\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
c:\program\openoffice.org 2.2\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
c:\program\openoffice.org 2.2\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
c:\program\openoffice.org 2.2\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
* c:\program\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
d:\program\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program\adobe\acrobat 7.0\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
c:\program\openoffice.org 2.2\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
- findic.dll

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\bthcrp.dll (Broadcom Corporation.)

073 %windir%\Tasks
------------------
AppleSoftwareUpdate.job : c:\program\apple software update\softwareupdate.exe (Apple Inc.)
At1.job : c:\windows\system32\uxjyrll5.exe
At10.job : c:\windows\system32\uxjyrll5.exe
At12.job : c:\windows\system32\uxjyrll5.exe
At14.job : c:\windows\system32\uxjyrll5.exe
At15.job : c:\windows\system32\uxjyrll5.exe
At2.job : c:\windows\system32\uxjyrll5.exe
At3.job : c:\windows\system32\uxjyrll5.exe
At4.job : c:\windows\system32\uxjyrll5.exe
At5.job : c:\windows\system32\uxjyrll5.exe
At6.job : c:\windows\system32\uxjyrll5.exe
At7.job : c:\windows\system32\uxjyrll5.exe
At8.job : c:\windows\system32\uxjyrll5.exe
At9.job : c:\windows\system32\uxjyrll5.exe

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://global.acer.com
Default_Search_URL HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
ShellNext HKCU : http://global.acer.com/
Start Page HKCU : http://global.acer.com

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
* c:\program\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
* c:\program\java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
* c:\program\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
* c:\program\java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
&Sample Toolband Serach : res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
Skicka till &Bluetooth-enhet... : c:\Program\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
--------------------------------------------------------------------------
- c:\windows\system32\ddcyvtu.dll

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
GUID / CLSID not found
c:\windows\system32\edsshellext.dll (HiTRUST) {29FF7AB0-BE34-4992-A30B-53A9D86EE239}
* c:\program\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
d:\program\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}

Offline essexboy

Re: Trojan
« Reply #10 on: August 26, 2007, 03:59:18 PM »
Thankee Kieth, working now.

Offline essexboy

Re: Trojan
« Reply #11 on: August 26, 2007, 04:13:27 PM »
Rerun RunScanner, but this time select EXPERT mode.

Run a full system scan.

Locate the items in the quote box below.

Right-click them individually and select delete.
Accept the warning.
Then repeat until they are all gone.


Quote
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
c:\windows\system32\findic.dll {84c9e310-932c-419d-9043-d84faef76558}

073 %windir%\Tasks
------------------
At1.job : c:\windows\system32\uxjyrll5.exe
At10.job : c:\windows\system32\uxjyrll5.exe
At12.job : c:\windows\system32\uxjyrll5.exe
At14.job : c:\windows\system32\uxjyrll5.exe
At15.job : c:\windows\system32\uxjyrll5.exe
At2.job : c:\windows\system32\uxjyrll5.exe
At3.job : c:\windows\system32\uxjyrll5.exe
At4.job : c:\windows\system32\uxjyrll5.exe
At5.job : c:\windows\system32\uxjyrll5.exe
At6.job : c:\windows\system32\uxjyrll5.exe
At7.job : c:\windows\system32\uxjyrll5.exe
At8.job : c:\windows\system32\uxjyrll5.exe
At9.job : c:\windows\system32\uxjyrll5.exe

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Sample Toolband Serach : res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM

121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
--------------------------------------------------------------------------
c:\windows\system32\ddcyvtu.dll


Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\SI.bin
    C:\WINDOWS\system32\dn320d180e.dat
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    c:\windows\system32\uxjyrll5.exe



  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
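As an added illustration (not code from this thread, and not RunScanner's or ComboFix's own tooling), the script below reads the RunScanner sections essexboy singled out (052 Browser Helper Objects, 067 Winlogon\Notify, 073 Tasks, 121 AppInit_DLLs) and flags the same loading points by rule: a run of At<N>.job tasks all launching one unsigned executable under system32, any AppInit_DLLs entry, and unsigned publisher-less BHO or Notify modules. The sample log is constructed from entries posted above; the section format and the "*" / "-" legend are RunScanner's own.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample: a few RunScanner sections cut down from the logs posted in
# this thread ("*" = authenticode signed, "-" = file not found, per RunScanner's legend).
SAMPLE_LOG = r"""
052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\program\adobe\acrobat 7.0\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- c:\windows\system32\findic.dll {84c9e310-932c-419d-9043-d84faef76558}

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
* C:\WINDOWS\system32\ati2evxx.dll (ATI Technologies Inc.)
- findic.dll

073 %windir%\Tasks
------------------
AppleSoftwareUpdate.job : c:\program\apple software update\softwareupdate.exe (Apple Inc.)
At1.job : c:\windows\system32\uxjyrll5.exe
At2.job : c:\windows\system32\uxjyrll5.exe
At3.job : c:\windows\system32\uxjyrll5.exe

121 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
--------------------------------------------------------------------------
- c:\windows\system32\ddcyvtu.dll
"""

SECTION_RE = re.compile(r"^(\d{3}) (.+)$")          # "052 HKLM\..." section header
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}\s*$")   # trailing {CLSID}
PUBLISHER_RE = re.compile(r"\s\((.*)\)$")           # trailing (Publisher), greedy for nested parens
AT_JOB_RE = re.compile(r"At\d+\.job", re.I)         # jobs created with the "at" scheduler

Entry = namedtuple("Entry", "flag path publisher guid")
Finding = namedtuple("Finding", "section item reason")


def parse_sections(text):
    """Split a RunScanner log into {section number: [entry lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and set(line) != {"-"}:   # skip blanks and ---- rules
            sections[current].append(line)
    return sections


def parse_entry(line):
    """Pull the signed/not-found flag, path, (publisher) and {GUID} out of one entry line."""
    flag = None
    if line[:2] in ("* ", "- "):
        flag, line = line[0], line[2:]
    guid = None
    m = GUID_RE.search(line)
    if m:
        guid, line = m.group(0), line[: m.start()].rstrip()
    publisher = None
    m = PUBLISHER_RE.search(line)
    if m:
        publisher, line = m.group(1), line[: m.start()]
    return Entry(flag, line.strip(), publisher, guid)


def analyse(log_text):
    """Return the loading points a reviewer would look at first, sorted by section."""
    sections = parse_sections(log_text)
    findings = []

    def entries(num):
        return [parse_entry(ln) for ln in sections.get(num, [])]

    # 073 scheduled tasks: group jobs by the file they launch. Several At<N>.job tasks
    # all pointing at one unsigned executable under system32 is the hourly relaunch
    # pattern in this thread (At1..At15 -> uxjyrll5.exe) and is worth flagging on its own.
    by_target = defaultdict(list)
    for line in sections.get("073", []):
        job, sep, rest = line.partition(" : ")
        if sep:
            by_target[parse_entry(rest).path.lower()].append(job)
    for target, jobs in by_target.items():
        at_jobs = [j for j in jobs if AT_JOB_RE.fullmatch(j)]
        if at_jobs and "\\system32\\" in target:
            findings.append(Finding("073", target,
                                    f"{len(at_jobs)} At*.job task(s) launch it: {', '.join(at_jobs)}"))

    # 121 AppInit_DLLs: normally empty on a clean XP install; whatever is listed is loaded
    # into every process that loads user32.dll, so each entry is reviewed. A "-" entry means
    # the file is gone (e.g. quarantined) but the loading point is still registered.
    for e in entries("121"):
        note = " (file not found, loading point still registered)" if e.flag == "-" else ""
        findings.append(Finding("121", e.path, "AppInit_DLLs entry" + note))

    # 052 BHOs and 067 Winlogon\Notify run inside IE / winlogon. Unsigned modules with no
    # publisher string are what is left to check by hand.
    for num in ("052", "067"):
        for e in entries(num):
            if e.path.startswith("GUID / CLSID not found"):
                continue   # registration with no module behind it; nothing gets loaded
            if e.flag != "*" and not e.publisher:
                where = "browser helper object" if num == "052" else "Winlogon notify package"
                missing = ", file not found" if e.flag == "-" else ""
                findings.append(Finding(num, e.path, f"unsigned {where} with no publisher{missing}"))

    findings.sort(key=lambda f: f.section)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.section}] {f.item}: {f.reason}")
```

On the sample above this reports exactly the four items essexboy told the poster to remove (findic.dll twice, uxjyrll5.exe via its At*.job tasks, and ddcyvtu.dll), while leaving the signed Adobe, ATI and Apple entries alone.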