Author Topic: Virus isolated ? what now ?  (Read 5852 times)

0 Members and 1 Guest are viewing this topic.

Sydney

  • Guest
Virus isolated ? what now ?
« on: November 18, 2008, 08:05:44 AM »
Hi, to cut a long story short:
Computer crashed, restored system with Acronis, updated Avast and found virus (Win32:Trojan-gen, other) in 3 different folders:
during memory test: c:\windows\system32\dpcdll32.dll
during boot scan: C:\System Volume Information\_restore{tons of numbers}.dll and C:\Windows\system32\trz97.tmp
Moved all of them to chest. Disabled system restore.
Sent infected files off to virustotal, all 3 showed the same result:

File msxmlr32.dll received on 11.18.2008 00:04:39 (CET)
Current status: finished
Result: 5/36 (13.89%)
Compact Compact
Print results Print results
Antivirus    Version    Last Update    Result
AhnLab-V3    2008.11.18.0    2008.11.17    -
AntiVir    7.9.0.31    2008.11.17    TR/Hijack.AE
Authentium    5.1.0.4    2008.11.17    -
Avast    4.8.1281.0    2008.11.17    Win32:Trojan-gen {Other}
AVG    8.0.0.199    2008.11.17    -
BitDefender    7.2    2008.11.17    -
CAT-QuickHeal    10.00    2008.11.17    -
ClamAV    0.94.1    2008.11.17    -
DrWeb    4.44.0.09170    2008.11.17    -
eSafe    7.0.17.0    2008.11.17    -
eTrust-Vet    31.6.6210    2008.11.14    -
Ewido    4.0    2008.11.17    -
F-Prot    4.4.4.56    2008.11.17    -
F-Secure    8.0.14332.0    2008.11.17    -
Fortinet    3.117.0.0    2008.11.15    -
GData    19    2008.11.17    Win32:Trojan-gen {Other}
Ikarus    T3.1.1.45.0    2008.11.17    Trojan-Dropper.Agent
K7AntiVirus    7.10.526    2008.11.15    -
Kaspersky    7.0.0.125    2008.11.17    -
McAfee    5437    2008.11.17    -
Microsoft    1.4104    2008.11.17    -
NOD32    3619    2008.11.17    -
Norman    5.80.02    2008.11.17    -
Panda    9.0.0.4    2008.11.17    -
PCTools    4.4.2.0    2008.11.17    -
Prevx1    V2    2008.11.18    -
Rising    21.04.02.00    2008.11.17    -
SecureWeb-Gateway    6.7.6    2008.11.17    Trojan.Hijack.AG.1
Sophos    4.35.0    2008.11.17    -
Sunbelt    3.1.1801.2    2008.11.14    -
Symantec    10    2008.11.17    -
TheHacker    6.3.1.1.155    2008.11.15    -
TrendMicro    8.700.0.1004    2008.11.17    -
VBA32    3.12.8.9    2008.11.17    -
ViRobot    2008.11.17.1472    2008.11.17    -
VirusBuster    4.5.11.0    2008.11.17    -

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #1 on: November 18, 2008, 08:06:42 AM »
Additional information
File size: 19456 bytes
MD5...: b71bad15ed29340e40a99fef8f29a5c8
SHA1..: 9b8c66ac5c3aa35b610f3b152abcfa4c0855c9f8
SHA256: 655140a99646a518233cf805f70a8ade52012ede67eb553eb857b02004644522
SHA512: c927329ac658cd8d4ba952609f446c9687fac643c31c7b6126ce11bd811983a0
678aadfeb7fdea8d9a50f316a28cb2a2ff52c032d84dcc1e755a31bc6cbeb5e9
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x36004171
timedatestamp.....: 0xb87cc61bL (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3ca2 0x3e00 6.34 a0e31b98456f4457f55b30e59af33f8f
.data 0x5000 0x140 0x200 1.90 a9c47f21add80dd88f44de28f19e6a6d
.rsrc 0x6000 0x2e0 0x400 2.33 c16e7450c25f0cb8eb66fd8de7a0ebca
.reloc 0x7000 0x268 0x400 3.57 b92e0ec845a4707d5da5e959dbd2ca97

( 5 imports )
> ADVAPI32.dll: GetUserNameA
> USER32.dll: CharNextA, LoadStringA, wvsprintfA, CharLowerA
> KERNEL32.dll: GetModuleFileNameW, lstrcpyW, SystemTimeToFileTime, GetFileTime, DisableThreadLibraryCalls, GetTickCount, GetVersionExA, VirtualFree, WaitForSingleObject, IsBadReadPtr, GetModuleFileNameA, InterlockedIncrement, lstrlenA, lstrlenW, InterlockedDecrement, GetStringTypeExA, GetThreadLocale, CloseHandle, ReadFile, GetFileSize, CreateFileA, GetCurrentProcess, GetProcAddress, GetModuleHandleA, GetComputerNameA, VirtualAlloc, WriteProcessMemory, VirtualAllocEx, LoadLibraryA, CreateRemoteThread, VirtualProtect, Sleep, MoveFileExA, GetVolumeInformationA, FindClose, FindFirstFileA, GetWindowsDirectoryA, FreeLibrary, CreateThread, FreeLibraryAndExitThread, GetSystemTime
> WININET.dll: InternetCheckConnectionA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetQueryDataAvailable, InternetReadFile, InternetCloseHandle, InternetCanonicalizeUrlA, InternetCrackUrlA, InternetGetConnectedState
> MSVCRT.dll: __2@YAPAXI@Z, realloc, __3@YAXPAX@Z, memset, _adjust_fdiv, malloc, _initterm, free, _except_handler3, memcpy

( 31 exports )
TSPI_lineAnswer, TSPI_lineClose, TSPI_lineDial, TSPI_lineDrop, TSPI_lineGetAddressCaps, TSPI_lineGetAddressID, TSPI_lineGetAddressStatus, TSPI_lineGetCallInfo, TSPI_lineGetCallStatus, TSPI_lineGetDevCaps, TSPI_lineGetDevConfig, TSPI_lineGetID, TSPI_lineGetIcon, TSPI_lineGetLineDevStatus, TSPI_lineGetNumAddressIDs, TSPI_lineMakeCall, TSPI_lineNegotiateTSPIVersion, TSPI_lineOpen, TSPI_lineSetAppSpecific, TSPI_lineSetDevConfig, TSPI_lineSetStatusMessages, TSPI_phoneNegotiateTSPIVersion, TSPI_providerEnumDevices, TSPI_providerGenericDialogData, TSPI_providerInit, TSPI_providerInstall, TSPI_providerShutdown, TSPI_providerUIIdentify, TUISPI_lineConfigDialog, TUISPI_lineConfigDialogEdit, TUISPI_providerInstall

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #2 on: November 18, 2008, 08:07:28 AM »
Ran a Hijack-this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:03:16, on 18.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Lenovo\Client Security Solution\cssauth.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Taskbar Shuffle\taskbarshuffle.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Windows NT\Zubehör\wordpad.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #3 on: November 18, 2008, 08:08:49 AM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagesschau.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Programme\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
O4 - HKLM\..\Run: [trueImageMonitor.exe] C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [cssauth] "C:\Programme\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Programme\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Programme\Digital Line Detect\DLG.exe
O4 - Global Startup: Erinnerungen für Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office alt\Office\OSA9.EXE
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #4 on: November 18, 2008, 08:09:45 AM »
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo  - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo  - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programme\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) -   - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 14245 bytes
----------------------------------------------------------------------------------------------------------
Ran a secunia-scan that confirmed that everything is up-to-date.
Ran another Avast boot-scan and thorough scan with system-restore turned off: everything clear.
Scanned for malware. None found.
Turned system restore back on and created restore-point.
And wondering what to do now ??
Are these files infected as Avast suggests ? Should I keep them in the chest ? What about that system-folder (from memory) - is it o.k. to keep it there/does Windows not need it ?
Any input would be appreciated. Thanks.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Virus isolated ? what now ?
« Reply #5 on: November 18, 2008, 09:05:32 AM »
Nothing in the log that I can see.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #6 on: November 18, 2008, 09:13:25 AM »
Hi Frank, I was just reading through one of your older replies......
Thanks for getting back to me on this one.
So you're saying I'm clean and keep everything as is ??

CharleyO

  • Guest
Re: Virus isolated ? what now ?
« Reply #7 on: November 18, 2008, 09:50:56 AM »
***

Your HJT log looks ok to me also.


***

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Virus isolated ? what now ?
« Reply #8 on: November 18, 2008, 09:57:39 AM »
A HijackThis! log alone is not a 100% guarantee that there is no malware present. avast! seems to have caught this nasty, but bear in mind this warning:

http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #9 on: November 18, 2008, 10:45:28 AM »
avast! seems to have caught this nasty
http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan/
Yeah, but about 3 weeks late. All the backups I have ever done on this new computer show the same bug - despite frequent Avast-scanning. And I was as cautious as I could have been when installing the system (and this is the second problem already in that short time). So even if I reinstall, this might easily happen again...
At the same time I clearly understand what you're saying re: BDT. So I might end up reinstalling anyways.
Thanks heaps for your help !! Syd.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Virus isolated ? what now ?
« Reply #10 on: November 18, 2008, 11:33:07 AM »
Quote
So even if I reinstall, this might easily happen again...

Not if you're careful.

Don't open e-mail attachments, except those your expecting, from people you know, and don't follow links in e-mails.
Don't download executable files from the web, except from the most trustworthy of sources.
Keep you computer 100% up to date with OS updates and Secunia- this should be the first thing you do after a reinstall.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Sydney

  • Guest
Re: Virus isolated ? what now ?
« Reply #11 on: November 18, 2008, 06:15:05 PM »
Yeah, except I've done / am doing all that - and still ....

One last thing that crossed my mind though:
If this was a BDT that is only there to gather information, why would it make my system crash ?
If I was one of them, I'd try to hide and keep still and just spy. Except this thing suddenly activated itself and refrained my computer from booting...strange sort of behavior for that species...