Author Topic: INF:Autorun-G [Trj] Trojan Horse?  (Read 101003 times)


PedroMarco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #120 on: January 05, 2008, 02:25:37 PM »
Hi guys,

I used the attrib command from oldman but it says:

"File not found - C:\autorun.inf"

Is it possible that the file is really gone? My computer is running just fine. But it's very strange, isn't it?!

I can't post what is in the file.

Is there anything else I can do to find it?

Thanks for your patience.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #121 on: January 05, 2008, 06:26:11 PM »
If you still have DSS, you could run that again and we'll see if it turns up.

PedroMarco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #122 on: January 06, 2008, 04:25:05 PM »
Here is my DSS. I still can't find any trace of the autorun... Please, shed some light on this mystery!
***************************************
Deckard's System Scanner v20071014.68
Run by Pierre on 2008-01-06 23:15:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2008-01-06 15:15:12 UTC - RP47 - Deckard's System Scanner Restore Point
46: 2008-01-06 14:59:56 UTC - RP46 - Installed Canon Camera WIA Driver
45: 2008-01-06 14:59:26 UTC - RP45 - Installed Canon Camera WIA Driver
44: 2008-01-06 14:58:55 UTC - RP44 - Installed Canon Camera WIA Driver
43: 2008-01-06 14:58:22 UTC - RP43 - Installed Canon Camera WIA Driver


-- First Restore Point --
1: 2007-12-23 04:55:34 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Pierre.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:31 PM, on 1/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\WINDOWS\system32\ElkCtrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Pierre\Desktop\Download\dss.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pierre.exe

PedroMarco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #123 on: January 06, 2008, 04:25:48 PM »
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\system32\ElkCtrl.exe /automation
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198370829522
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198400337015
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

--
End of file - 8127 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys <Not Verified; Matsushita Electric Industrial Co.,Ltd.; >
R1 SrvcSSIOMngr - c:\windows\system32\drivers\ssiomngr.sys <Not Verified; COMPAL ELECTRONIC INC.; Compal IoManager Application>
R1 TPwSav (Common Driver) - c:\windows\system32\drivers\tpwsav.sys <Not Verified; TOSHIBA; >
R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys <Not Verified; TOSHIBA Corporation.; TOSHIBA Network Device Usermode I/O protocol>
R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys <Not Verified; TOSHIBA Corporation; Audio Filter>

S3 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree(TM)>
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe <Not Verified; Matsushita Electric Industrial Co., Ltd.; >

PedroMarco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #124 on: January 06, 2008, 04:26:43 PM »
-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-01 15:06:10       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-12-06 and 2008-01-06 -----------------------------

2008-01-06 23:19:22         0 d-------- C:\Program Files\Trend Micro
2008-01-04 07:59:38         0 d-------- C:\WINDOWS\Sun
2008-01-04 07:59:38         0 d-------- C:\Documents and Settings\Pierre\Application Data\Sun
2008-01-03 23:02:36         0 d-------- C:\Documents and Settings\Pierre\Application Data\InterVideo
2008-01-01 18:44:24         0 d-------- C:\Program Files\Canon
2008-01-01 18:44:22         0 d-------- C:\Program Files\Common Files\Canon
2008-01-01 15:06:23         0 d-------- C:\Program Files\QuickTime
2008-01-01 15:06:20         0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-01 15:06:06         0 d-------- C:\Program Files\Apple Software Update
2008-01-01 15:06:06         0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-26 12:30:26         0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-26 12:30:23         0 d-------- C:\Program Files\MSXML 4.0
2007-12-26 11:54:19     79679 --a------ C:\WINDOWS\system32\E_FLMAAP.DLL <Not Verified; SEIKO EPSON CORPORATION; EPSON Bi-directional Printer>
2007-12-26 11:54:19     34304 --a------ C:\WINDOWS\system32\E_FBCHAAP.DLL <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer Driver>
2007-12-26 11:54:19     64000 --a------ C:\WINDOWS\system32\E_FBCBAAP.DLL <Not Verified; SEIKO EPSON CORPORATION; EPSON CBT Engine>
2007-12-26 11:53:04         0 d-------- C:\Program Files\EPSON
2007-12-26 10:23:49    262144 --a------ C:\WINDOWS\system32\ElkCtrl.exe <Not Verified; Logitech Inc.; Logitech Camera Software>
2007-12-26 10:23:49     57344 --a------ C:\WINDOWS\system32\ElkCtlPS.dll <Not Verified; Logitech Inc.; Logitech Camera Software>
2007-12-26 10:23:48     82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-26 10:23:48     44544 --a------ C:\WINDOWS\system32\msxml4a.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-26 10:23:42         0 d-------- C:\Program Files\Logitech
2007-12-24 08:15:06         0 d-------- C:\Program Files\Microsoft Works
2007-12-24 08:14:55         0 d-------- C:\Program Files\MSBuild
2007-12-24 08:13:39         0 d-------- C:\Program Files\Microsoft.NET
2007-12-24 08:10:40         0 d-------- C:\WINDOWS\SHELLNEW
2007-12-24 08:00:19         0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-23 23:07:22         0 d-------- C:\Program Files\MSN Messenger
2007-12-23 23:06:47         0 d-------- C:\WINDOWS\SxsCaPendDel
2007-12-23 22:46:34         0 d---s---- C:\Documents and Settings\Pierre\UserData
2007-12-23 22:28:00         0 d-------- C:\Program Files\MagicISO
2007-12-23 21:35:15      5248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-12-23 21:35:15    155136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-12-23 21:35:12         0 d-------- C:\Program Files\Deamonj
2007-12-23 21:16:34         0 d-------- C:\Documents and Settings\Pierre\Application Data\vlc
2007-12-23 21:11:30         0 d-------- C:\Program Files\VLC
2007-12-23 21:09:07         0 d-------- C:\Program Files\uTorrent
2007-12-23 21:08:59         0 d-------- C:\Documents and Settings\Pierre\Application Data\uTorrent
2007-12-23 20:51:34         0 d-------- C:\Documents and Settings\Pierre\Contacts
2007-12-23 20:01:54         0 d-------- C:\Documents and Settings\Pierre\Application Data\Macromedia
2007-12-23 20:01:54         0 d-------- C:\Documents and Settings\Pierre\Application Data\Adobe
2007-12-23 20:01:52      1158 --a------ C:\WINDOWS\mozver.dat
2007-12-23 19:47:25         0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-12-23 19:47:25         0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-12-23 19:47:25         0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-12-23 19:47:25         0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-12-23 19:47:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2007-12-23 19:47:25         0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-12-23 19:47:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-12-23 19:47:25         0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-12-23 19:47:24         0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-12-23 19:47:24         0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-12-23 19:47:24         0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-12-23 19:47:24         0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-12-23 19:47:24         0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-12-23 19:47:24         0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-12-23 19:47:24         0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-12-23 19:47:24         0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-12-23 19:47:24         0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-12-23 19:47:23    786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-12-23 17:33:37         0 d-------- C:\Documents and Settings\Pierre\Application Data\skypePM
2007-12-23 17:33:37        32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-23 17:32:15         0 d-------- C:\Documents and Settings\Pierre\Application Data\Skype
2007-12-23 17:32:00         0 d-------- C:\Program Files\Skype
2007-12-23 17:32:00         0 d-------- C:\Program Files\Common Files\Skype
2007-12-23 17:31:54         0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-12-23 17:01:47         0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-23 17:00:02         0 d-------- C:\Program Files\Winamp
2007-12-23 16:59:37         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-23 14:14:43    106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-12-23 14:14:42    471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-23 14:14:42    262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-23 14:14:42   1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-12-23 14:14:41    155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2007-12-23 14:14:41         0 d-------- C:\Program Files\Common Files\Ahead
2007-12-23 14:14:37         0 d-------- C:\Program Files\Ahead
2007-12-23 13:42:58    245824 -ra------ C:\WINDOWS\Instexec.exe <Not Verified; Logitech; Logitech>
2007-12-23 13:42:55    245824 -ra------ C:\WINDOWS\system32\InstExec.exe <Not Verified; Logitech; Logitech>
2007-12-23 13:41:57         0 d-------- C:\Program Files\Common Files\Logitech
2007-12-23 12:56:19         0 dr------- C:\Documents and Settings\Pierre\Favorites
2007-12-23 12:56:19         0 d-------- C:\Documents and Settings\Pierre\Desktop
2007-12-23 12:56:19         0 d---s---- C:\Documents and Settings\Pierre\Cookies
2007-12-23 12:56:19         0 dr-h----- C:\Documents and Settings\Pierre\Application Data
2007-12-23 12:56:19         0 d-------- C:\Documents and Settings\Pierre\Application Data\toshiba
2007-12-23 12:56:19         0 d-------- C:\Documents and Settings\Pierre\Application Data\InterTrust
2007-12-23 12:56:19         0 d-------- C:\Documents and Settings\Pierre\Application Data\Identities
2007-12-23 12:56:18         0 dr-h----- C:\Documents and Settings\Pierre\SendTo
2007-12-23 12:56:18         0 dr-h----- C:\Documents and Settings\Pierre\Recent
2007-12-23 12:56:18         0 d--h----- C:\Documents and Settings\Pierre\PrintHood
2007-12-23 12:56:18         0 d--h----- C:\Documents and Settings\Pierre\NetHood
2007-12-23 12:56:18         0 dr------- C:\Documents and Settings\Pierre\My Documents
2007-12-23 12:56:18         0 d--h----- C:\Documents and Settings\Pierre\Local Settings
2007-12-23 12:56:17         0 d-------- C:\Documents and Settings\Pierre\WINDOWS
2007-12-23 12:56:17         0 d--h----- C:\Documents and Settings\Pierre\Templates
2007-12-23 12:56:17         0 dr------- C:\Documents and Settings\Pierre\Start Menu
2007-12-23 12:56:16   3407872 --ah----- C:\Documents and Settings\Pierre\NTUSER.DAT
2007-12-23 12:55:28    262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-12-23 12:54:42   1671168 --a------ C:\WINDOWS\system32\W29MLRES.DLL <Not Verified; Intel Corporation; Intel(R) PRO/Wireless 2915ABG Network Connection>
2007-12-23 12:54:24     98304 --a------ C:\WINDOWS\system32\TCtrlCommon.dll <Not Verified; TOSHIBA Corporation; TCtrlCommon>
2007-12-23 12:53:47         0 d-------- C:\Documents and Settings\Default User\WINDOWS

PedroMarco

  • Guest
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #125 on: January 06, 2008, 04:27:10 PM »
2007-12-23 12:53:47         0 d-------- C:\Documents and Settings\Default User\Application Data\toshiba
2007-12-23 12:53:47         0 d-------- C:\Documents and Settings\Default User\Application Data\InterTrust
2007-12-23 12:50:12     77824 --a------ C:\WINDOWS\system32\tosmreg.exe <Not Verified; Toshiba Corporation; Tosmreg>
2007-12-23 12:50:12     88358 --a------ C:\WINDOWS\agrsmmsg.exe <Not Verified; Agere Systems; Agere SoftModem Messaging Applet>
2007-12-23 12:50:11     45056 --a------ C:\WINDOWS\system32\csellang.dll
2007-12-23 12:50:11    110592 --a------ C:\WINDOWS\system32\cselect.exe <Not Verified; Toshiba Corporation; toshiba cselect>
2007-12-23 12:50:11     64512 -----n--- C:\WINDOWS\agrsmdel.exe <Not Verified; Agere Systems; LTRemove>
2007-12-23 12:50:11         0 d-------- C:\Program Files\ltmoh
2007-12-23 12:49:41         0 d-------- C:\CONNECT
2007-12-23 12:49:40         0 d-------- C:\WINDOWS\TOSHOFER
2007-12-23 12:49:35      6528 --a------ C:\WINDOWS\system32\drivers\Tbiosdrv.sys
2007-12-23 12:49:30         0 d-------- C:\Program Files\Datalode
2007-12-23 11:58:00         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-23 11:56:03         0 --a------ C:\WINDOWS\nsreg.dat
2007-12-23 11:56:01         0 d-------- C:\Documents and Settings\Pierre\Application Data\Mozilla
2007-12-23 11:54:47         0 d-------- C:\Program Files\Avast4
2007-12-23 11:49:44         0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-23 11:49:14         0 d-------- C:\Program Files\Windows Live
2007-12-23 11:49:05         0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-23 09:27:38         0 d-------- C:\WINDOWS\system32\PreInstall
2007-12-23 08:52:12         0 d-------- C:\WINDOWS\system32\SoftwareDistribution


-- Find3M Report ---------------------------------------------------------------

2008-01-06 18:34:30         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-03 23:50:14         0 d-------- C:\Program Files\Java
2008-01-01 18:44:22         0 d-------- C:\Program Files\Common Files
2007-12-23 22:15:43         0 d-------- C:\Program Files\Common Files\Adobe
2007-12-23 12:56:31         0 d-------- C:\Program Files\TOSHIBA
2007-12-23 12:54:42         0 d-------- C:\Program Files\Intel
2007-12-23 12:54:05         0 d-------- C:\Program Files\InterVideo


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [07/19/2005 11:09 AM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [07/19/2005 11:06 AM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [07/19/2005 11:10 AM]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [08/26/2005 09:49 AM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [03/23/2004 10:40 PM]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [08/26/2005 10:11 AM]
"NDSTray.exe"="NDSTray.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [04/06/2005 07:25 AM]
"TPSMain"="TPSMain.exe" [06/01/2005 08:16 AM C:\WINDOWS\system32\TPSMain.exe]
"ZoomingHook"="ZoomingHook.exe" [06/07/2005 12:58 AM C:\WINDOWS\system32\ZoomingHook.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [04/27/2005 07:13 AM]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [05/02/2004 04:45 AM]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [07/16/2005 01:52 AM]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [05/02/2004 04:45 AM]
"AGRSMMSG"="AGRSMMSG.exe" [12/22/2004 01:10 AM C:\WINDOWS\agrsmmsg.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [08/22/2005 04:49 PM C:\WINDOWS\system32\TCtrlIOHook.exe]
"TFncKy"="TFncKy.exe" []
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [12/04/2007 09:00 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [12/09/2005 03:32 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 08:00 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [08/24/2007 07:00 AM]
"LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" [12/07/2005 10:26 AM]
"LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" [12/07/2005 10:33 AM]
"LogitechCameraService(E)"="C:\WINDOWS\system32\ElkCtrl.exe" [11/01/2004 05:22 PM]
"EPSON Stylus C67 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.exe" [01/25/2005 04:00 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [12/11/2007 10:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [12/30/2004 03:32 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [9/1/2005 7:52:49 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=01000000
"NoLogoff"=01000000
"NoRecentDocsMenu"=01000000
"NoActiveDesktop"=01000000
"NoRecentDocsHistory"=01000000
"NoRecentDocsNetHood"=01000000
"NoSMMyDocs"=01000000
"NoSMMyPictures"=01000000
"NoNetworkConnections"=01000000
"NoUserNameInStartMenu"=01000000
"NoTrayItemsDisplay"=00000000
"NoSharedDocuments"=01000000


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: INF:Autorun-G [Trj] Trojan Horse?
« Reply #126 on: January 06, 2008, 07:10:36 PM »
Hi PedroMarco

Well, I don't know where it went, but it's not there. I left it originally so we could examine it, and it was in your previous DSS log. It's not in this one though. Everything looks fine.

To protect you from autorun infections in the future, and as a means to inspect your USB devices, I suggest doing this.

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your USB HD.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

This utility will do a couple of things. First, it will remove any autorun.inf it finds. There shouldn't be one on a fixed HD anyway. There is no need for such a file on any removable storage device -- iPod, USB flash drive, cell phone, etc. -- as you can open these drives manually.

It will create a SYSTEM-protected, read-only, and perfectly harmless Autorun.inf file on any hard drive or removable storage device it finds when run. This file will not only help prevent future autorun infections, it will also deny any current Autorun infection the ability to restart.

In this way you can open the USB drives and look for any files you need to remove, in your case kavo.

You can do this with all of your USB devices.
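Two steps in this thread are worth having as a script rather than doing by hand: the attrib check PedroMarco ran (a plain dir or Explorer hides an autorun.inf carrying the hidden/system attributes, which is why attrib was used), and oldman's advice to open each USB drive and look for what the autorun.inf points at. The following Python is an added example written for this page; it is not code from the thread, from Avast, or from Flash_Disinfector, and it does not reproduce what that tool does. It lists a drive root without attribute filtering, reports the attributes of any autorun.inf it finds (and whether the entry is a folder rather than a file), and parses the [autorun] section for the directives that actually launch code: open=, shellexecute=, shell= and shell\verb\command=. icon= and label= are cosmetic and are not flagged. The sample autorun.inf contents and the RECYCLER\payload.exe name are constructed placeholders, not real kavo artifacts.

```python
"""Added example for this thread (not code from the thread, Avast or
Flash_Disinfector): find autorun.inf at a drive root even when it is
hidden/system, and parse it for the directives an autorun worm needs."""
import os
import re
import tempfile

# Directives that launch code or hijack Explorer's default action for the
# drive. icon= and label= are cosmetic and never launch anything.
LAUNCH_KEYS = {"open", "shellexecute", "shell"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Attribute bits from os.stat().st_file_attributes (Windows only).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Constructed sample in the shape worms drop; RECYCLER\payload.exe is a
# placeholder, not a real kavo file name.
WORM_SAMPLE = """[AutoRun]
open=RECYCLER\\payload.exe
shell\\open\\Command=RECYCLER\\payload.exe /auto
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""
# Constructed benign sample: only cosmetic keys.
BENIGN_SAMPLE = "[autorun]\nicon=setup.exe,0\nlabel=Camera Driver CD\n"


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Tolerant line-by-line parse instead of configparser: worm-dropped
    files are often padded with junk lines or odd casing, and Windows
    ignores anything outside [autorun] anyway.
    """
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def suspicious_directives(directives):
    """(key, value) pairs that run code or override the default verb."""
    return [(k, v) for k, v in directives.items()
            if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def target_path(value):
    """Executable a directive points at: drop quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def scan_root(root):
    """Inspect autorun.inf directly under a drive root, or None if absent.

    os.listdir returns hidden/system entries that a plain 'dir' hides,
    which is the same reason 'attrib' shows files Explorer does not.
    """
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        path = os.path.join(root, name)
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        result = {
            "path": path,
            "is_dir": os.path.isdir(path),  # a folder cannot be parsed or launched
            "readonly": bool(attrs & FILE_ATTRIBUTE_READONLY),
            "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
            "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
            "suspicious": [],
        }
        if not result["is_dir"]:
            with open(path, encoding="latin-1", errors="replace") as fh:
                hits = suspicious_directives(parse_autorun(fh.read()))
            result["suspicious"] = [(k, target_path(v)) for k, v in hits]
        return result
    return None


def build_sample_root(kind):
    """Create a temp 'drive root' holding one of the constructed samples
    ('worm', 'benign') or an empty autorun.inf folder ('folder')."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    path = os.path.join(root, "autorun.inf")
    if kind == "folder":
        os.mkdir(path)
    else:
        with open(path, "w") as fh:
            fh.write(WORM_SAMPLE if kind == "worm" else BENIGN_SAMPLE)
    return root


if __name__ == "__main__":
    import sys
    # Usage: python autorun_check.py E:\ F:\   (no args: scan the sample)
    for root in sys.argv[1:] or [build_sample_root("worm")]:
        print(root, scan_root(root))
```

Run it with each drive letter as an argument after plugging the device in. An autorun.inf whose "suspicious" list is empty, or that turns out to be a folder, is not a launcher and is the kind of harmless placeholder oldman describes; one that yields an open= or shell\...\command= target names the file on that drive to go and remove. The parse is deliberately lenient, because the files worms drop are frequently padded with junk to break naive tools, and the attribute bits are read from st_file_attributes, which only exists on Windows (elsewhere they report False).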