Author Topic: Win32: Trojan-gen {Other} (Read 22753 times)

Lisandro · « **Reply #15 on:** October 08, 2008, 08:52:25 PM »

Quote from: Roofel on October 08, 2008, 08:41:08 PM

I had Norton Antivirus before but removed it, so ill remove all of the "traces" after Symantec

To do it so:
1) Remove NAV or Norton 360 through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista or Norton Removal Tool for Windows 98/Me. Boot.
3) Install avast! (or repair the installation) and boot.

The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.

Roofel · « **Reply #16 on:** October 08, 2008, 08:57:43 PM »

Quote from: wyrmrider on October 08, 2008, 07:08:40 PM

Have you run the AVG removal tool- new in July
Essential that you do this
32 and 64 bit versions on the AVG website

Do not even think about removing something from your work computer without IT department OK
quarantine any hits do not remove/ delete
leave any avast hits in chest

what are?
Google if unknown

O4 - Global Startup: gamma.hta

active-x
google both CLSID and fiile name (s) folder names if unknown
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab

O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab

O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe

Hjt does not catch everything in these latest infections
please upload any hits to virustotal for a positive id
let's see MBAM and SAS logs (edit out cookies)
run the trend micro rootkit tool

O4 - Global Startup: gamma.hta

Googled it before and it was apparently connected to my "Desktop gamma setting" through another program and it was listed as safe so

O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/sis/BTDownloadCtrl.cab

Couldnt find anything on it, when I google both CSID and File name it shows up only other Hijackthis logs on other forums and sites. Judging by the name it is from a game Thinktanks that is hosted at Shockwave.com (Wild guess but might have been a free game I found that I wanted to try but couldnt get it to start

Not downloaded or anything, just run from the browser)

O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave.com/content/feedingfrenzy/SproutLauncher.cab

Same as above, just that the game is Feeding Frenzy

O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe

http://www.castlecops.com/o23list-2937.html

Leftover from program the administrators used I think, judging from the description (Think its safe to remove but kinda wanted to check with you people first

)

Quote from: Tech on October 08, 2008, 08:52:25 PM

Quote from: Roofel on October 08, 2008, 08:41:08 PM
I had Norton Antivirus before but removed it, so ill remove all of the "traces" after Symantec
To do it so:
1) Remove NAV or Norton 360 through Add/Remove programs from Control Panel. Boot.
2) Use Norton Removal Tool for Windows 2000/XP/Vista or Norton Removal Tool for Windows 98/Me. Boot.
3) Install avast! (or repair the installation) and boot.

The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.

I tried it, removed most of the files manually before the program showed up meaning the removal tool had nothing to "base itself on" and it just said all was removed

As the Hijackthis log showed this might be left from Norton

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)

Spiritsongs · « **Reply #17 on:** October 08, 2008, 09:40:38 PM »

Hi :

Regarding ITunes/Bonjour-mDNSResponder : according to the Info at
www.liutilities.com/products/wintaskspro/processlibrary/mdnsresponder , this
is a NON-ESSENTIAL process/NOT a critical component as related to ITunes .

Would recommend you read the Info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ to read WHAT this does and Removal
Instructions IF interested !?

wyrmrider · « **Reply #18 on:** October 09, 2008, 04:28:28 PM »

non infected 016's can be removed or left- your choice
if an app needs these Active-x they will be reloaded

on the 023
it is always better to remove with add/remove or other conventional means as there may be other parts/ fragments/ traces that will not be removed with hjt
do a search on vmover and aelita
you might search the registry also

still looking for mbam and sas logs- edit out cookies

Roofel · « **Reply #19 on:** October 09, 2008, 07:40:27 PM »

Quote from: wyrmrider on October 09, 2008, 04:28:28 PM

non infected 016's can be removed or left- your choice
if an app needs these Active-x they will be reloaded

on the 023
it is always better to remove with add/remove or other conventional means as there may be other parts/ fragments/ traces that will not be removed with hjt
do a search on vmover and aelita
you might search the registry also

still looking for mbam and sas logs- edit out cookies

Code: [Select]

Malwarebytes' Anti-Malware 1.28
Database versjon: 1203
Windows 5.1.2600 Service Pack 2

2008-10-09 19:22:29
mbam-log-2008-10-09 (19-22-29).txt

Skanntype: Rask Skann
Objekter skannet: 58030
Tid tilbakelagt: 28 minute(s), 9 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 0

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
(Ingen mistenkelige filer funnet)

No suspicious files found is what it says

HijackThis logfile:

Code: [Select]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21, on 2008-10-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\no\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6494 bytes

Im doing some research on Aelita DMW Migration Agent and gonna remove the Bonjour application soon.

Here is the SAS log

Code: [Select]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/07/2008 at 05:05 PM

Application Version : 4.21.1004

Core Rules Database Version : 3591
Trace Rules Database Version: 1578

Scan type       : Quick Scan
Total Scan Time : 00:17:02

Memory items scanned      : 411
Memory threats detected   : 0
Registry items scanned    : 462
Registry threats detected : 0
File items scanned        : 7873
File threats detected     : 0

polonus · « **Reply #20 on:** October 09, 2008, 07:57:36 PM »

Hi Roofel,

Did you see this Norwegian link?: http://forumet.no/index.php?s=7eef383fa07125bd199b9f0e9613952b&showtopic=65982

polonus

Roofel · « **Reply #21 on:** October 09, 2008, 08:00:30 PM »

Yep, I did see it

It didnt exactly resolve my problem... I know because I posted it some time ago

I also found some Registry keys about vmover.exe

Code: [Select]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
  00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

ControlSet002

Code: [Select]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
  00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vmover.exe\Enum]
"0"="Root\\LEGACY_VMOVER.EXE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

ControlSet003

Code: [Select]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
  00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

CurrentControlSet

Code: [Select]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMOVER.EXE]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VMOVER.EXE\0000]
"Service"="Vmover.exe"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Aelita DMW Migration Agent"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe]
"Type"=dword:00000010
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,56,\
  00,6d,00,6f,00,76,00,65,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Aelita DMW Migration Agent"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vmover.exe\Enum]
"0"="Root\\LEGACY_VMOVER.EXE\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Had to post in a new post because it exceeded the char limit of 10000 chars

wyrmrider · « **Reply #22 on:** October 10, 2008, 12:24:38 AM »

really good news about the MBAM and SAS Scans

nothing new in your hjt
you know the issues with the 023

the 016's are gone

do you use all the toolbars remove the ones you do not use conventional means

do you use?
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe double check or remove and reinstall
I usually only see oddball locations in Vista

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
not dangerous but unnecessary uses resources
Quick access to the control panel via a System Tray icon for graphics based upon the Intel chipsets (ie, i810). These chipsets are often included on motherboards. Available via Start -> Settings -> Control Panel

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

Unknown
   O4 - Global Startup: gamma.hta

google on 04 ctfmon not usually necessary at boot time (and the file above)
see
http://support.microsoft.com/kb/282599

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
04 Not dangerous, but unnecessary. QuickTime

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
   Not dangerous, but unnecessary

O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
This entry should be fixed if this address does not belong to your PC-manufacturer or your 'Internet-Service-Provider (ISP)'.

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe Is this really necessary?

C:\Program Files\Windows Live\Messenger\msnmsgr.exe
Possibly nasty! According to our database this process runs normally in c:\programme\msn messenger\!

you have both windows live messenger and msn messenger
is one Instant messenger and the other "windows messenger- to enhance your internet experience??))

you need to get SP 3 installed
run secunia software inspector
clean up CCleaner or ATF Cleaner
Defrag
new restore point

Roofel · « **Reply #23 on:** October 10, 2008, 02:06:52 PM »

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04, on 2008-10-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5366 bytes

Gonna fix Ctfmon later on, did Step 1 in the Microsoft link you had

Installed SP3 last night

Ment I had installed it but I hadnt

The new Live Messenger(Formerly MSN Messenger) is placed in Program Files\Windows Live\Messenger\

I had uninstalled MSN messenger but some files was still left behind by the installer

Removed them and the entry said Missing File so i deleted it

Roofel · « **Reply #24 on:** October 10, 2008, 02:09:46 PM »

I got OpenOffice installed on my PC because of the school and such using OpenOffice

Is it possible to just remove The Office pack and therefore remove Ctfmon and all that?

I dont know if that is a bad thing or not:

Pros:
Getting more space on the PC
Its kinda unnecessary to have since I got OpenOffice

Cons:
Might mess up my PC :S

Lisandro · « **Reply #25 on:** October 10, 2008, 02:38:54 PM »

Quote from: Roofel on October 10, 2008, 02:09:46 PM

Is it possible to just remove The Office pack and therefore remove Ctfmon and all that?

Yes. Just use Add/Remove programs. Boot after it.

Quote from: Roofel on October 10, 2008, 02:09:46 PM

Might mess up my PC :S

Avoid the using of registry cleaners (even Revo Uninstaller) to remove Microsoft Office. It's too much Microsoft embedded. You must avoid messing let only the uninstaller to do its job.

micky77 · « **Reply #26 on:** October 10, 2008, 06:45:29 PM »

Seeing as you cannot boot in safe mode, you could try using the Avira Rescue Cd, I guess,its the same as a boot time scan.It allows you to scan without booting into windows.It is really meant for pc's that cannot be booted, but I have read of people using it,even though they can boot.You download the disc then double click on it.You will then be prompted to burn the program to cd,the download contains the latest definitions,so no need to update.Insert the cd and reboot.Then choose option 2 ( boot into rescue system ) Choose your language English or German then press SPACE then enter.Then choose scan and enter.Apparently you are recommended to back up your data, so it is NOT WITHOUT RISK
Regarding the gamma.hta entry, I can find very little,most of the hits are from you ( some Norwegian).I still think thats odd.But I am a total beginner.One other hit,oddly was from someone who had exactly the same problem as you.( 3 years ago )Your submission http://www.virustotal.com/analisis/67f96cc15fdac09462b880639a80e5c4

http://newsgroups.derkeiler.com/Archive/Alt/alt.comp.anti-virus/2005-08/msg00464.html

http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

Roofel · « **Reply #27 on:** October 10, 2008, 09:05:52 PM »

Newest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04, on 2008-10-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sol.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: avast!.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Global Startup: gamma.hta
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1207918024609
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\Software\..\Telephony: DomainName = no.via.as
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = no.via.as
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = no.via.as
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5351 bytes

I have removed Microsoft Office and rebooted so it is gone now

Is it safe to "fix" Ctfmon entries and Excel from it?^^,

micky77 · « **Reply #28 on:** October 11, 2008, 12:05:21 AM »

Where exactly did you extract the file that you submitted to Virustotal ? Was it from the chest ?

Roofel · « **Reply #29 on:** October 11, 2008, 12:10:26 AM »

Yes, I extracted it from the Chest and extracted it to a folder while having the folder in the avast! exeption list. Why do you wonder?

Author Topic: Win32: Trojan-gen {Other} (Read 22753 times)

Lisandro

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

Spiritsongs

Bonjour/mDNSResponder

wyrmrider

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

polonus

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

wyrmrider

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

Lisandro

Re: Win32: Trojan-gen {Other}

micky77

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}

micky77

Re: Win32: Trojan-gen {Other}

Roofel

Re: Win32: Trojan-gen {Other}