Topic: Win32:Small-HTC [Trj] & Win32:Dialer-gen. [Trj]

Lisandro (Avast team)
« Reply #15 on: October 11, 2007, 02:55:24 PM »
Quote
Is this related?
Difficult to say... are the same files being detected or other ones?

Quote
I have updated Java as instructed.
Don't forget to uninstall the old versions.
The best things in life are free.

cupladays (Guest)
« Reply #16 on: October 11, 2007, 02:59:35 PM »
Runscanner log:

Runscanner logfile http://www.runscanner.net

* = authenticode signed file
- = file not found

000 General info
----------------
Computer name : PC147518913218
Creation time : 11/10/2007 9:13:02 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.11
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.0.3.0
Type of scan : Full scan
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

001 Running processes
---------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Lavasoft AB)
* c:\program files\alwil software\avast4\ashserv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\aswupdsv.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashmaisv.exe (ALWIL Software)
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
* c:\program files\alwil software\avast4\ashwebsv.exe (ALWIL Software)
c:\program files\logitech\setpoint\lbtwiz.exe (Logitech Inc.)
c:\progra~1\widcomm\blueto~1\btstac~1.exe (Broadcom Corporation.)
c:\program files\widcomm\bluetooth software\bin\btwdins.exe (Broadcom Corporation.)
c:\program files\widcomm\bluetooth software\bttray.exe (Broadcom Corporation.)
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Co.)
c:\program files\hp\digital imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
c:\program files\hp\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
c:\program files\hp\digital imaging\bin\hpqimzone.exe (Hewlett-Packard Development Company, L.P.)
c:\program files\hp\quickplay\qpservice.exe (CyberLink Corp.)
c:\program files\hpq\hp wireless assistant\hp wireless assistant.exe (Hewlett-Packard Development Company, L.P.)
c:\program files\hewlett-packard\shared\hpqwmiex.exe (Hewlett-Packard Development Company, L.P.)
* c:\program files\java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
c:\program files\common files\logitech\bluetooth\lbtserv.exe (Logitech Inc.)
c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe (Logitech Inc.)
* c:\program files\common files\logitech\khal\khalmnpr.exe (Logitech Inc.)
c:\program files\logitech\setpoint\setpoint.exe (Logitech Inc.)
c:\program files\common files\lightscribe\lssrvc.exe (Hewlett-Packard Company)
* c:\windows\system32\nvsvc32.exe (NVIDIA Corporation)
c:\program files\hewlett-packard\hp quick launch buttons\qlbctrl.exe ( Hewlett-Packard Development Company, L.P.)
c:\program files\rainlendar2\rainlendar2.exe
* c:\docume~1\p&jhar~1\locals~1\temp\temporary directory 2 for runscanner.zip\runscanner.exe (Runscanner.net)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\windows\system32\zonelabs\vsmon.exe (Zone Labs, LLC)
* c:\program files\zone labs\zonealarm\zlclient.exe (Zone Labs, LLC)

002 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
* c:\program files\adobe\reader 8.0\reader\reader_sl.exe (Adobe Systems Incorporated)
* c:\progra~1\alwils~1\avast4\ashdisp.exe (ALWIL Software)
c:\program files\hewlett-packard\default settings\cpqset.exe
* C:\WINDOWS\system32\chdaudpropshortcut.exe (Windows (R) Server 2003 DDK provider)
c:\program files\hp\hpcoretech\hpcmpmgr.exe (Hewlett-Packard Company)
c:\program files\hp\hp software update\hpwuschd2.exe (Hewlett-Packard Co.)
c:\program files\hpq\hp wireless assistant\hp wireless assistant.exe (Hewlett-Packard Development Company, L.P.)
- lbtwiz.exe
* C:\WINDOWS\khalmnpr.exe (Logitech Inc.)
* c:\windows\system32\ime\pintlgnt\imscinst.exe
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation)
* c:\windows\system32\nvmctray.dll (NVIDIA Corporation)
C:\WINDOWS\system32\nwiz.exe
C:\Program Files\hewlett-packard\hp quick launch buttons\qlbctrl.exe ( Hewlett-Packard Development Company, L.P.)
c:\program files\hp\quickplay\qpservice.exe (CyberLink Corp.)
c:\windows\sminst\recguard.exe
* c:\program files\java\jre1.6.0_03\bin\jusched.exe (Sun Microsystems, Inc.)
* c:\program files\synaptics\syntp\syntpenh.exe (Synaptics, Inc.)
* c:\program files\zone labs\zonealarm\zlclient.exe (Zone Labs, LLC)

003 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
-----------------------------------------------------------------
c:\program files\logitech\desktop messenger\8876480\program\logitechdesktopmessenger.exe (Logitech Inc.)
c:\program files\rainlendar2\rainlendar2.exe
* c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe (Google Inc.)

005 C:\Documents and Settings\All Users\Start Menu\Programs\Startup
-------------------------------------------------------------------
c:\progra~1\widcomm\blueto~1\bttray.exe (Broadcom Corporation.)
c:\progra~1\hp\digita~1\bin\hpqtra08.exe (Hewlett-Packard Co.)
c:\progra~1\hp\digita~1\bin\hpqthb08.exe (Hewlett-Packard Development Company, L.P.)
c:\progra~1\logitech\deskto~1\8876480\program\logite~1.exe (Logitech Inc.)
c:\progra~1\logitech\setpoint\setpoint.exe (Logitech Inc.)
c:\progra~1\micros~4\office\osa9.exe (Microsoft Corporation)

010 HKLM\SYSTEM\CurrentControlSet\Services (Services)
-----------------------------------------------------
* c:\program files\lavasoft\ad-aware 2007\aawservice.exe (Ad-Aware 2007 Service)
c:\program files\hewlett-packard\hp quick launch buttons\addfiltr.exe (AddFiltr)
C:\WINDOWS\microsoft.net\framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
* c:\program files\alwil software\avast4\ashserv.exe (avast! Antivirus)
* c:\program files\alwil software\avast4\aswupdsv.exe (avast! iAVS4 Control Service)
* c:\program files\alwil software\avast4\ashmaisv.exe (avast! Mail Scanner)
* c:\program files\alwil software\avast4\ashwebsv.exe (avast! Web Scanner)
c:\program files\widcomm\bluetooth software\bin\btwdins.exe (Bluetooth Service)
* c:\program files\google\common\google updater\googleupdaterservice.exe (Google Updater Service)
c:\program files\hewlett-packard\shared\hpqwmiex.exe (hpqwmiex)
c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe (InstallDriver Table Manager)
c:\program files\common files\lightscribe\lssrvc.exe (LightScribeService Direct Disc Labeling Service)
c:\program files\common files\logitech\bluetooth\lbtserv.exe (Logitech Bluetooth Service)
* C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Display Driver Service)
c:\windows\system32\hpzipm12.exe (Pml Driver HPZ12)
c:\program files\pc connectivity solution\servicelayer.exe (ServiceLayer)
* c:\windows\system32\zonelabs\vsmon.exe (TrueVector Internet Monitor)

cupladays (Guest)
« Reply #17 on: October 11, 2007, 03:01:50 PM »
Middle of Runscanner:

011 HKLM\SYSTEM\CurrentControlSet\Services (drivers)
----------------------------------------------------
* c:\windows\system32\drivers\amdagp.sys (AMD AGP Bus Filter Driver)
* c:\windows\system32\drivers\asc.sys (asc)
* c:\windows\system32\drivers\asc3550.sys (asc3550)
C:\WINDOWS\system32\drivers\avgarkt.sys (AVG Anti-Rootkit)
C:\WINDOWS\system32\drivers\avgarcln.sys (Avg Anti-Rootkit Clean Driver)
- c:\docume~1\p&jhar~1\locals~1\temp\catchme.sys (Base)
C:\WINDOWS\system32\drivers\btaudio.sys (Bluetooth Audio Device)
C:\WINDOWS\system32\drivers\btkrnl.sys (Bluetooth Bus Enumerator)
C:\WINDOWS\system32\drivers\btwdndis.sys (Bluetooth LAN Access Server)
C:\WINDOWS\system32\drivers\btport.sys (Bluetooth Virtual Communications Driver)
C:\WINDOWS\system32\drivers\btwhid.sys (Bluetooth Virtual HID Minidriver)
* c:\windows\system32\drivers\cmdide.sys (CmdIde)
- c:\windows\system32\drivers\uiusys.sys (Conexant Setup API)
* c:\windows\system32\drivers\dac2w2k.sys (dac2w2k)
* C:\WINDOWS\system32\drivers\mdmxsdk.sys (Diagnostic Interface x86 Driver)
* C:\WINDOWS\system32\drivers\ptilink.sys (Direct Parallel Link Driver)
* C:\WINDOWS\system32\drivers\eabfiltr.sys (Extended Base)
* C:\WINDOWS\system32\drivers\cpqbttn.sys (Extended Base)
* C:\WINDOWS\system32\drivers\eabusb.sys (Extended Base)
* C:\WINDOWS\system32\drivers\5u870cap.sys (HP Pavilion Webcam)
- c:\docume~1\p&jhar~1\locals~1\temp\hpispz\hpdom\pciinfo.sys (HP Pci Information)
* C:\WINDOWS\system32\drivers\hsf_cnxt.sys (HSF_CNXT driver)
* C:\WINDOWS\system32\drivers\hsf_dpv.sys (HSF_DP driver)
* C:\WINDOWS\system32\drivers\hsfhwazl.sys (HSF_HWAZL WDM driver)
* C:\WINDOWS\system32\drivers\hpzid412.sys (IEEE-1284.4 Driver HPZid412)
* C:\WINDOWS\system32\drivers\iastor.sys (Intel AHCI Controller)
* C:\WINDOWS\system32\drivers\e1e5132.sys (Intel(R) PRO/1000 PCI Express Network Connection Driver)
* C:\WINDOWS\system32\drivers\w39n51.sys (Intel(R) PRO/Wireless 3945ABG Adapter Driver)
* C:\WINDOWS\system32\drivers\netw3x32.sys (Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit)
* C:\WINDOWS\system32\drivers\lhidke.sys (Logitech SetPoint HID Mouse Filter Driver)
* C:\WINDOWS\system32\drivers\lmouke.sys (Logitech SetPoint Mouse Filter Driver)
* C:\WINDOWS\system32\drivers\rimsptsk.sys (MemoryStick)
* C:\WINDOWS\system32\drivers\hdaudbus.sys (Microsoft UAA Bus Driver for High Definition Audio)
* C:\WINDOWS\system32\drivers\chdaud.sys (Microsoft UAA Function Driver for High Definition Audio Service)
* c:\windows\system32\drivers\mraid35x.sys (mraid35x)
* C:\WINDOWS\system32\drivers\hpzipr12.sys (Print Class Driver for IEEE-1284.4 HPZipr12)
C:\WINDOWS\system32\drivers\pxhelp20.sys (PxHelp20)
* c:\windows\system32\drivers\ql1080.sys (ql1080)
* c:\windows\system32\drivers\ql12160.sys (ql12160)
* c:\windows\system32\drivers\ql1280.sys (ql1280)
* C:\WINDOWS\system32\drivers\rtl8139.sys (Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver)
* C:\WINDOWS\system32\drivers\rixdptsk.sys (Ricoh xD-Picture Card Driver)
* C:\WINDOWS\system32\drivers\rimmptsk.sys (SD / MMC)
* C:\WINDOWS\system32\drivers\secdrv.sys (Secdrv)
* c:\windows\system32\drivers\sisagp.sys (SIS AGP Bus Filter)
* c:\windows\system32\drivers\sparrow.sys (Sparrow)
* C:\WINDOWS\system32\zonelabs\srescan.sys (srescan)
* c:\windows\system32\drivers\sym_hi.sys (sym_hi)
* c:\windows\system32\drivers\sym_u3.sys (sym_u3)
* c:\windows\system32\drivers\symc810.sys (symc810)
* c:\windows\system32\drivers\symc8xx.sys (symc8xx)
* C:\WINDOWS\system32\drivers\syntp.sys (Synaptics TouchPad Driver)
* C:\WINDOWS\system32\drivers\aliide.sys (System Bus Extender)
* c:\windows\system32\drivers\ultra.sys (ultra)
* C:\WINDOWS\system32\drivers\hpzius12.sys (USB to IEEE-1284.4 Translation Driver HPZius12)
* C:\WINDOWS\system32\drivers\nv4_mini.sys (Video)
* C:\WINDOWS\system32\vsdatant.sys (vsdatant)
C:\WINDOWS\system32\drivers\btwusb.sys (WIDCOMM USB Bluetooth Driver)

030 HKLM\SOFTWARE\Classes\PROTOCOLS\Filter
------------------------------------------
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}

031 HKLM\SOFTWARE\Classes\PROTOCOLS\Handler
-------------------------------------------
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
c:\program files\logitech\desktop messenger\8876480\program\gaplugprotocol-8876480.dll (Logitech Inc.) {9462A756-7B47-47BC-8C80-C34B9B80B32B}
c:\program files\hp\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) {CF184AD3-CDCB-4168-A3F7-8E447D129300}
c:\program files\common files\microsoft shared\information retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
c:\progra~1\common~1\system\oledb~1\msdaipp.dll (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}

035 HKLM-HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
------------------------------------------------------------------
c:\windows\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}

041 HKLM-HKCU\Software\Microsoft\Internet Explorer\Toolbar
----------------------------------------------------------
* c:\program files\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11d4-9B18-009027A5CD4F}

045 HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
----------------------------------------------------------------
* c:\program files\google\googletoolbar3.dll (Google Inc.) {2318C2B1-4965-11D4-9B18-009027A5CD4F}

cupladays (Guest)
« Reply #18 on: October 11, 2007, 03:02:45 PM »
End of runscanner:

052 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
----------------------------------------------------------------------------------
GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
* c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll (Adobe Systems Incorporated) {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
* c:\program files\google\googletoolbar3.dll (Google Inc.) {AA58ED58-01DD-4d91-8333-CF10577473F7}
* c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll (Google Inc.) {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
* c:\program files\java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.) {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

061 HKLM-HCKU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
---------------------------------------------------------------------------------
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
c:\windows\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47}
- deskpan.dll {42071714-76d4-11d1-8b24-00a0c9068ff3}
c:\windows\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
* c:\windows\system32\hticons.dll (Hilgraeve, Inc.) {88895560-9AA2-1069-930E-00AA0030EBC8}
c:\progra~1\micros~4\office\olkfstub.dll (Microsoft Corporation) {0006F045-0000-0000-C000-000000000046}
* c:\program files\zone labs\zonealarm\zlavscan.dll (Zone Labs, LLC) {D9872D13-7651-4471-9EEE-F0A00218BEBB}
c:\windows\system32\btneighborhood.dll (Broadcom Corporation.) {6af09ec9-b429-11d4-a1fb-0090960218cb}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {A70C977A-BF00-412C-90B7-034C51DA2439}
c:\windows\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
* c:\windows\system32\nvcpl.dll (NVIDIA Corporation) {FFB699E0-306A-11d3-8BD1-00104B6F7516}
c:\windows\system32\shellvrtf.dll (XSS) {7F67036B-66F1-411A-AD85-759FB9C5B0DB}
* c:\program files\synaptics\syntp\syntpcpl.dll (Synaptics, Inc.) {2F603045-309F-11CF-9774-0020AFD0CFF6}
c:\progra~1\common~1\micros~1\webfol~1\msonsext.dll {BDEADF00-C265-11d0-BCED-00A0C90AB50F}

062 HKLM-HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
------------------------------------------------------------
c:\program files\common files\adobe\acrobat\activex\pdfshell.dll (Adobe Systems, Inc.) {F9DB5320-233E-11D1-9F84-707F02C10627}
c:\program files\openoffice.org 2.1\program\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}

063 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
---------------------------------------------------------------------
C:\WINDOWS\system32\lsdelete.exe

067 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
---------------------------------------------------------------------
c:\program files\common files\logitech\bluetooth\lbtwlgn.dll (Logitech Inc.)

069 HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
--------------------------------------------------------
C:\WINDOWS\system32\bthcrp.dll (Broadcom Corporation.)
* C:\WINDOWS\system32\hpzsnt09.dll (HP)

073 %windir%\Tasks
------------------
AdwareAlert Scheduled Scan.job : c:\program files\adwarealert\adwarealert.exe
HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job : c:\program files\common files\sonic shared\sonic central\main\mediahub.exe

100 Internet Explorer settings
------------------------------
CustomizeSearch HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
Default_Page_URL HKLM : http://go.microsoft.com/fwlink/?LinkId=69157
Default_Search_URL HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKCU : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Search Page HKLM : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchAssistant HKCU : http://www.google.com/ie
SearchAssistant HKLM : http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SearchUrl HKCU : http://www.google.com/search?q=%s
ShellNext HKCU : http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=pavilion&pf=laptop
Start Page HKCU : http://www.news.com.au/couriermail/
Start Page HKLM : http://go.microsoft.com/fwlink/?LinkId=69157

104 HKLM\Software\Microsoft\Code Store Database\Distribution Units
------------------------------------------------------------------
c:\windows\downloaded program files\hpisdatamanager.dll (Hewlett-Packard) {14C1B87C-3342-445F-9B5E-365FF330A3AC}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {8AD9C840-044E-11D1-B3E9-00805F499D93}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
* c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.) {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}

105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Send To &Bluetooth : C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

160 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
NoDispBackgroundPage : 0

161 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
------------------------------------------------------------------
dontdisplaylastusername : 0
shutdownwithoutlogon : 1
undockwithoutlogon : 1

171 HKCU\Control Panel\Desktop\SCRNSAVE.EXE
-------------------------------------------
* c:\windows\system32\avastss.scr (ALWIL Software)

173 HKCR\*\shellex\ContextMenuHandlers
--------------------------------------
GUID / CLSID not found
* c:\program files\alwil software\avast4\ashshell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
* c:\program files\zone labs\zonealarm\zlavscan.dll (Zone Labs, LLC) {D9872D13-7651-4471-9EEE-F0A00218BEBB}

cupladays (Guest)
« Reply #19 on: October 11, 2007, 03:07:50 PM »
Hi Tech,

No the Win32:Ircbot [trj] detection message is new as of tonight.

And I uninstalled the old Java first and re-booted. There were a few of them!

What do you reckon of the HJT and Runscanner logs?

Ta,

Cupladays

DavidR (Avast Überevangelist)
« Reply #20 on: October 11, 2007, 03:23:53 PM »
Quote
Bad News - It appears I now have Win32:Ircbot-CDT[trj] Avast has found it tonight. Is this related?

Hard to say, as we are hunting for either undetected or hidden malware, which could be a trojan downloader that can bring down any sort of malware.
You don't give the infected file name or location, which can be of more help than simply the malware name (more things for us to check for).

Did you not fix this in HJT, as it was mentioned before?
Quote
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Other than that I see nothing obvious in the HJT log.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DavidR (Avast Überevangelist)
« Reply #21 on: October 11, 2007, 03:38:29 PM »
Update:

I have been doing a little more searching and checked out Rainlendar2.exe; do you know what this is?
There are a couple of Google hits that indicate it could be malware (trojan) rather than a desktop calendar, though this isn't conclusive.
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

See http://spywarefiles.prevx.com/RRCFDI24268863/RAINLENDAR2.EXE.html

So it would probably be best to check the offending/suspect file at VirusTotal (multi-engine on-line virus scanner) and report the findings. I feel VirusTotal is the better option, as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.

Or Jotti (multi-engine on-line virus scanner): if any other scanners there detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

Lisandro (Avast team)
« Reply #22 on: October 11, 2007, 03:51:33 PM »
Quote
I have been doing a little more searching and checked out the Rainlendar2.exe, do you know what this is?
A calendar, a to-do list... it should be a clean program.

DavidR (Avast Überevangelist)
« Reply #23 on: October 11, 2007, 04:09:05 PM »
Further down, in the next sentence, I stated it is a desktop calendar, but there may be a possibility it is not, and that is why the question is directed to cupladays: do 'they' know what it is?

If cupladays installed it then there shouldn't be a problem, but it doesn't hurt to check at VT and Jotti.

cupladays (Guest)
« Reply #24 on: October 11, 2007, 04:13:41 PM »
Hi Tech / DavidR,

Sorry - here's the filename / location from the log viewer:

11/10/2007 11:54:12 PM   P & J Harmen   528   Sign of "Win32:Ircbot-CDT [trj]" has been found in "C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\Temporary Directory 1 for album59.zip\album59.scr" file.

Also - there are Win32:Ircbot-CDR logs in the logviewer from August now that I look harder.

12/08/2007 10:32:20 AM   P & J Harmen   536   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
12/08/2007 6:18:03 PM   P & J Harmen   432   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 10:41:41 AM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 3:32:47 PM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  
13/08/2007 7:50:54 PM   P & J Harmen   440   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.  

And DavidR - No, I didn't get rid of that O2 - BHO file before. I missed that. It's done now.

Rainlendar should be OK. It's a cute calendar / to-do list, as Tech says. Was recommended by PCuser mag. I installed it.

Cheers

Lisandro (Avast team)
« Reply #25 on: October 11, 2007, 04:22:56 PM »
To know if a file is a false positive, please submit it to Jotti or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password-protected zip to virus@avast.com.
Please mention in the body of the message why you think it is a false positive and the password used. Thanks.
VirusTotal and Jotti both have file size limits (10 and 15 MB).

As a workaround, you can add these files to the Standard Shield provider (on-access scanning) exclusion list.
Left-click the blue 'a' icon, click on the provider icon at left and then Customize. Go to the Advanced tab and click on the Add button...
You can use wildcards like * and ?. But be careful: you should not 'exclude' so many files that you leave your system in danger.
After that, please periodically check it: scan it in the Chest by right-clicking the file; there should still be a copy in the Chest even though you restored it to the original location. When it is no longer detected as being infected, you can also remove it from the exclusion list.

This link is a tutorial on how to help correct a virus detection that you believe to be false:
http://forum.avast.com/index.php?topic=25009.msg204838#msg204838
or http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

DavidR (Avast Überevangelist)
« Reply #26 on: October 11, 2007, 04:28:03 PM »
The detection is in a zip file, which is inert by nature, so unless it was unpacked and the screen-saver file album59.scr was executed (avast wouldn't have allowed that) you should be in the clear from that particular issue. What we have to determine is what/how it got into the Temp folder, which is a common location for some downloaders to place files. If it was downloaded, I wonder why the web shield didn't catch it before the standard shield though.

The others detected in the system folder were a different ball game, since they were in the system32 folder and, as DLLs, could have been running. I think that they have been dealt with though; to add files to system folders and create registry entries, permission is required.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP. Check Bob's setup instructions and, importantly, the dropmyrights.msi file needed, as MS have now cleared the original link.
http://mysharedfiles.no-ip.org/dropmyrights


I would only have been worried about the Rainlendar if you hadn't known what it was and hadn't installed it, so panic over.
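The reasoning in this post (an archive member in a temp folder is inert until it is run; a DLL in system32 could already be loaded; the same file detected again and again is being re-created, so cleaning alone is not working) can be applied mechanically to the avast log viewer lines cupladays quoted earlier. The following is an added example, not avast's code or code from anyone in the thread. It assumes day-first dates (the Runscanner log shows an EN_AU locale) and treats the numeric third column as an opaque id, since the page does not say what it is; the sample lines are the five that were posted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Sample input: the avast log viewer lines quoted in this thread.
SAMPLE_LOG = r'''
11/10/2007 11:54:12 PM   P & J Harmen   528   Sign of "Win32:Ircbot-CDT [trj]" has been found in "C:\DOCUME~1\P&JHAR~1\LOCALS~1\Temp\Temporary Directory 1 for album59.zip\album59.scr" file.
12/08/2007 10:32:20 AM   P & J Harmen   536   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.
12/08/2007 6:18:03 PM   P & J Harmen   432   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.
13/08/2007 10:41:41 AM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.
13/08/2007 3:32:47 PM   P & J Harmen   520   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.
13/08/2007 7:50:54 PM   P & J Harmen   440   Sign of "Win32:Ircbot-CDR [trj]" has been found in "C:\WINDOWS\system32\libmsns.dll" file.
'''

LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>.+?)\s+(?P<id>\d+)\s+'          # id column: meaning not given on the page
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)
# Folder the zip handler creates when a member is opened straight from the archive.
ARCHIVE_TEMP_RE = re.compile(r'\\Temporary Directory \d+ for (?P<archive>[^\\]+)\\', re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    when: datetime
    user: str
    signature: str
    path: str


def parse_hit(line):
    """Parse one log viewer line; None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%m/%Y %I:%M:%S %p")  # assumed day-first
    return Hit(when, m.group("user"), m.group("sig"), m.group("path"))


def classify(path):
    """Severity and rationale for where the detected file sits, per the post above."""
    low = path.lower()
    m = ARCHIVE_TEMP_RE.search(path)
    if m:
        return "low", (f"member of {m.group('archive')} unpacked to a temp folder; "
                       "inert unless executed, so trace how the archive arrived")
    if "\\system32\\" in low:
        kind = "DLL" if low.endswith(".dll") else "file"
        return "high", f"{kind} in system32; could already have been loaded by a running process"
    if "\\temp\\" in low:
        return "medium", "executable staged in a temp folder, a common downloader drop location"
    return "medium", "executable outside system folders; check signer and hash"


@dataclass(frozen=True)
class Summary:
    path: str
    signature: str
    severity: str
    rationale: str
    count: int
    span_days: int


def summarize(text):
    """Group hits by path; repeated hits on one path mean the file keeps coming back."""
    groups = defaultdict(list)
    for line in text.splitlines():
        hit = parse_hit(line)
        if hit:
            groups[hit.path].append(hit)
    out = []
    for path, hits in groups.items():
        sev, why = classify(path)
        times = sorted(h.when for h in hits)
        span = (times[-1] - times[0]).days
        if len(hits) > 1:
            why += (f"; detected {len(hits)} times over {span + 1} day(s), so the file is "
                    "being re-created and cleaning it alone is not working")
        out.append(Summary(path, hits[0].signature, sev, why, len(hits), span))
    return sorted(out, key=lambda s: {"high": 0, "medium": 1, "low": 2}[s.severity])


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(f"{s.severity.upper():6} {s.signature}  {s.path}\n       {s.rationale}")
```

On the posted lines this ranks libmsns.dll (five hits over two days in system32) above album59.scr (one hit, inside a zip's extraction folder), which matches the order of concern in the post: find out what kept writing the DLL back, then find out where the zip came from.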

cupladays (Guest)
« Reply #27 on: October 12, 2007, 12:39:22 PM »
Hi Tech / DavidR,

I believe the old Win32:Ircbot-CDR is gone.
The new Win32:Ircbot-CDR is the last one to banish.

I will run the false positive tests as you say, submit it to Jotti or VirusTotal and report back. Also I'll look at the administrator browsing issues as you suggest.

This has been a fairly impressive forum. I am back with a healthy lappy. You guys get paid for this?

Regards,

DavidR (Avast Überevangelist)
« Reply #28 on: October 12, 2007, 05:04:44 PM »
There are many volunteers who help on the forums, those with Alwil Team in their details at the left of the post are from Alwil Software the developers of avast.

We are avast users like yourself, so our pay is helping other avast users get the best from avast.

cupladays (Guest)
« Reply #29 on: October 15, 2007, 02:28:22 PM »
Hi again,

Sorry been a couple of days....but might need another hand.

I just went to submit the file to VirusTotal but couldn't find that particular one!... There have been a few more entries into the virus chest since then but I can't find them either... is there a secret to finding these files? I have turned the view hidden files feature on.

The only file I could see that resembled the ones in the log viewer or the chest was this one - but it appears OK?

File webcam-photos08.zip received on 10.15.2007 13:49:09 (CET)

Result: 0/29 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.13.1 2007.10.12 -
AntiVir 7.6.0.23 2007.10.15 -
Authentium 4.93.8 2007.10.14 -
Avast 4.7.1051.0 2007.10.14 -
BitDefender 7.2 2007.10.15 -
CAT-QuickHeal 9.00 2007.10.13 -
ClamAV 0.91.2 2007.10.14 -
DrWeb 4.44.0.09170 2007.10.15 -
eSafe 7.0.15.0 2007.10.10 -
eTrust-Vet 31.2.5207 2007.10.13 -
Ewido 4.0 2007.10.15 -
FileAdvisor 1 2007.10.15 -
Fortinet 3.11.0.0 2007.10.15 -
F-Secure 6.70.13030.0 2007.10.15 -
Ikarus T3.1.1.12 2007.10.15 -
Kaspersky 7.0.0.125 2007.10.15 -
McAfee 5140 2007.10.12 -
Microsoft 1.2908 2007.10.15 -
NOD32v2 2591 2007.10.14 -
Norman 5.80.02 2007.10.15 -
Panda 9.0.0.4 2007.10.14 -
Prevx1 V2 2007.10.15 -
Rising 19.45.02.00 2007.10.15 -
Sophos 4.22.0 2007.10.15 -
Sunbelt 2.2.907.0 2007.10.13 -
TheHacker 6.2.8.091 2007.10.15 -
VBA32 3.12.2.4 2007.10.15 -
VirusBuster 4.3.26:9 2007.10.14 -
Webwasher-Gateway 6.0.1 2007.10.15 -
Additional information
File size: 116360 bytes
MD5: 5f2221a4f79890e165ac82b84e40fe83
SHA1: 6bd2c39fc1661da2dc498e8d4516cc5750af2127