Author Topic: Win32:trojan gen and Suspicious Files

Offline gospelwing

  • Newbie
  • *
  • Posts: 5
Win32:trojan gen and Suspicious Files
« on: July 07, 2009, 02:01:39 PM »
I am not computer savvy and have been doing my best by reading the topics and taking what steps I can understand. My computer is using Windows XP, my updates are set on "automatic" and update every day. I am currently using Avast4 Home Edition, Spybot Search and Destroy, Spyware Blaster, and I just downloaded Malwarebytes Anti-Malware.

For two weeks now, Avast has been giving warnings to the effect of "Suspicious file has been found using the heuristic method". The recommended action is always "ignore" and I have done just that.

Avast has also found many files infected with the Win32:trojan, Win32:trojan-gen, and Win32:rootkit-gen. The recommended action has been "move to chest" so I have done that. However, I was unaware until this evening that those files should not be deleted. I deleted all of the files that have been moved to the chest. I have no idea how many files have been moved and deleted thus far.

When I have scheduled boot-time scans, I have set "move all infected files to chest" under "Advanced Settings" and have set "ignore or take no action with system files". On two occasions, I have turned off System Restore and restarted in Safe Mode while completing a boot-time scan.

Here is a copy of the scan results that I got from "program files - alwil - Avast4":
06/17/2009 17:37
Scan of all local drives

Number of searched folders: 6589
Number of tested files: 70430
Number of infected files: 0

----------------------------------------
06/17/2009 18:28
Scan of all local drives

Number of searched folders: 6589
Number of tested files: 70308
Number of infected files: 0

----------------------------------------
06/18/2009 17:54
Scan of all local drives

File C:\66y01b.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\kyl0q3xg.bat is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0027070.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0027071.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0027073.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0028066.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0028068.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0028071.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0028101.exe is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0028105.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028114.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028128.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028130.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028132.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028136.exe is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028164.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028166.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028174.bat is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028191.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028193.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028199.bat is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028224.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028226.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028229.bat is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028232.exe is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028249.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP332\A0028250.bat is infected by Win32:Kavos [Trj], Moved to chest
File C:\WINDOWS\system32\ahnfgss1.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\WINDOWS\system32\trz5.tmp is infected by Win32:Kavos [Trj], Moved to chest
Number of searched folders: 6558
Number of tested files: 69660
Number of infected files: 29

----------------------------------------
06/29/2009 21:22
Scan of all local drives

Number of searched folders: 6418
Number of tested files: 62378
Number of infected files: 0

----------------------------------------
06/29/2009 22:40
Scan of all local drives

Number of searched folders: 6418
Number of tested files: 62423
Number of infected files: 0

----------------------------------------
06/30/2009 05:36
Scan of all local drives

Number of searched folders: 6418
Number of tested files: 62460
Number of infected files: 0

----------------------------------------
07/02/2009 19:13
Scan of all local drives

Number of searched folders: 6472
Number of tested files: 62582
Number of infected files: 0

----------------------------------------
07/02/2009 21:42
Scan of all local drives

Number of searched folders: 6477
Number of tested files: 62665
Number of infected files: 0

----------------------------------------
07/07/2009 19:21
Scan of all local drives

File C:\gyaa.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000013.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000040.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000074.dll is infected by Win32:Trojan-gen {Other}, Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000118.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000136.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000140.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000141.dll is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000157.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
Number of searched folders: 6492
Number of tested files: 62889
Number of infected files: 9


I would like to know how to completely clean my computer as well as to figure out if I have done any damage by deleting the infected files. Sorry for my ignorance and thanks so much for your help!!
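Added example (not from the original post and not an avast! tool): a small Python triage script over scan-log lines in the format quoted above. It sorts each "Moved to chest" entry into restore-point snapshot copies, files sitting directly in a drive root (the .bat/.cmd/.exe droppers in C:\, the layout that goes with the C:\autorun.inf hit in the Malwarebytes log further down), and files under %SystemRoot%, and checks that the log's own "Number of infected files" line agrees with the entries actually listed. The sample block is constructed from a few lines of the log above; the bucket names and the C:\WINDOWS prefix are assumptions for illustration.

```python
"""Triage helper for avast! 4 scan logs (added example, not part of avast!).

Parses "File <path> is infected by <sig>, <action>" lines and buckets each hit
by where it lives, so a responder can see which detections were live files and
which were only System Restore snapshot copies.
"""
import re
from collections import Counter

# Constructed sample in the shape of the log quoted above (not a complete real scan).
SAMPLE_LOG = r"""06/18/2009 17:54
Scan of all local drives

File C:\66y01b.cmd is infected by Win32:Kavos [Trj], Moved to chest
File C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP331\A0027070.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\WINDOWS\system32\ahnfgss1.dll is infected by Win32:Kavos [Trj], Moved to chest
File C:\gyaa.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
Number of searched folders: 6558
Number of tested files: 69660
Number of infected files: 4
"""

ENTRY_RE = re.compile(r"^File (?P<path>.+?) is infected by (?P<sig>.+?), (?P<action>.+)$")
SUMMARY_RE = re.compile(r"^Number of infected files: (?P<n>\d+)$")
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")          # C:\name.ext, nothing deeper
RESTORE_MARK = r"\system volume information\_restore"  # System Restore snapshot store
SYSTEM_ROOT = r"c:\windows"                            # assumed %SystemRoot%, as in the log


def parse_entries(text):
    """One dict (path, sig, action) per detection line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(path):
    """Bucket a detected path by where it lives on disk."""
    low = path.lower()
    if RESTORE_MARK in low:
        return "restore_point"   # snapshot copy, not a file the running system used
    if ROOT_RE.match(path):
        return "drive_root"      # dropped next to an autorun.inf: typical removable-media worm layout
    if low.startswith(SYSTEM_ROOT + "\\"):
        return "system_dir"      # inside %SystemRoot%; usually the active component
    return "other"


def summarize(text):
    """Counter of bucket -> number of detections."""
    return Counter(classify(e["path"]) for e in parse_entries(text))


def live_detections(text):
    """Paths that were real files on the running system (restore-point copies excluded)."""
    return [e["path"] for e in parse_entries(text) if classify(e["path"]) != "restore_point"]


def summary_matches(text):
    """True when the log's own 'Number of infected files' totals equal the lines parsed.
    A mismatch means the log was truncated or pasted incompletely."""
    declared = 0
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            declared += int(m.group("n"))
    return declared == len(parse_entries(text))


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{bucket:14} {n}")
    print("live files:", *live_detections(SAMPLE_LOG), sep="\n  ")
    print("summary consistent:", summary_matches(SAMPLE_LOG))
```

Run it against the full log (read the file instead of SAMPLE_LOG) to get the same three buckets; the "live files" list is the set worth investigating further, while restore-point hits only mean the snapshots captured the infection.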

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32:trojan gen and Suspicious Files
« Reply #1 on: July 07, 2009, 02:11:02 PM »
-= Install Malwarebytes Anti-Malware and Trend Micro HijackThis.. Please remember to update them..

-= Then, if its ok with you, disconnect from the internet, disable system restore & clean up your system restore points & temporary files using Disk Cleanup Utility of Windows.. Scan using Malwarebytes.. If possible, post here the results of the scan.. Reenable System Restore & create a new System Restore Point.. Reboot.. Then using Hijack This, post/attach the log in this topic..

-= Hope it helps..
« Last Edit: July 07, 2009, 02:14:29 PM by -= Fenrir =- »
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

Offline gospelwing

  • Newbie
  • *
  • Posts: 5
Re: Win32:trojan gen and Suspicious Files
« Reply #2 on: July 07, 2009, 02:20:15 PM »
I just finished running a scan with Malwarebytes and this is the result:

Malwarebytes' Anti-Malware 1.38
Database version: 2384
Windows 5.1.2600 Service Pack 3

7/7/2009 9:10:30 PM
mbam-log-2009-07-07 (21-10-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 141339
Time elapsed: 30 minute(s), 25 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\e8main0.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\ahnfgss1.dll (Spyware.OnlineGames) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af4da69b-e1d6-469a-855b-6445294857d4} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{af4da69b-e1d6-469a-855b-6445294857d4} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{af4da692-e1d6-469a-855b-6445294857d4} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{af4da69c-e1d6-469a-855b-6445294857d4} (Spyware.OnlineGames) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af4da69b-e1d6-469a-855b-6445294857d4} (Spyware.OnlineGames) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahnsoft (Spyware.OnlineGames) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ahnxsds0.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\e8main0.dll (Spyware.OnlineGames) -> No action taken.
C:\autorun.inf (Trojan.Agent) -> No action taken.
c:\xrcd.bat (Trojan.Agent) -> No action taken.
C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> No action taken.
c:\WINDOWS\system32\ahnfgss0.dll (Spyware.OnlineGames) -> No action taken.
c:\WINDOWS\system32\ahnfgss1.dll (Spyware.OnlineGames) -> No action taken.
c:\WINDOWS\system32\ahnfgss2.dll (Spyware.OnlineGames) -> No action taken.
C:\WINDOWS\system32\ahnsbsb.exe (Spyware.OnlineGames) -> No action taken.

Offline gospelwing

  • Newbie
  • *
  • Posts: 5
Re: Win32:trojan gen and Suspicious Files
« Reply #3 on: July 07, 2009, 02:22:54 PM »
I have read several posts about "Hijack This" but I am not familiar with how to use it. Can anyone help? Everything I've read makes it sound as though you need some level of expertise to use the program as well as to interpret the results.

Man, I'm a bit of a drooling simpleton when it comes to computers. Thanks for your help!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67201
Re: Win32:trojan gen and Suspicious Files
« Reply #4 on: July 07, 2009, 02:26:41 PM »
I'm not an expert on HijackThis.

You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:

1. If you don't recognize a legit program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.

2. If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can turn back to HijackThis program, check the box of this item and then remove it using the button 'Fix checked'.

Hope it helps.

If you want to do it by yourself, click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
There is an automated analyzer here: http://hjt.networktechs.com/
« Last Edit: July 07, 2009, 02:28:26 PM by Tech »
The best things in life are free.

Offline gospelwing

  • Newbie
  • *
  • Posts: 5
Re: Win32:trojan gen and Suspicious Files
« Reply #5 on: July 07, 2009, 02:46:24 PM »
Okay, I just downloaded Hijack This and here are the scan results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:12 PM, on 7/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Network Assistant\ezi_hnm2.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\AhnRpta.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


Offline gospelwing

  • Newbie
  • *
  • Posts: 5
Re: Win32:trojan gen and Suspicious Files
« Reply #6 on: July 07, 2009, 02:46:55 PM »
continued...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080228
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1080228
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: IEHlprObj Class - {AF4DA69B-E1D6-469A-855B-6445294857D4} - C:\WINDOWS\system32\ahnxsds0.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ahnsoft] C:\WINDOWS\system32\ahnsbsb.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10159 bytes

The malwarebytes scan gave me a list of files that are all checked and my options are to "remove checked" or "ignore". Which should I do?

Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Win32:trojan gen and Suspicious Files
« Reply #7 on: July 07, 2009, 03:58:30 PM »
-= Regarding Malwarebytes, I suggest you let MBAM delete what it offers to delete.. MBAM has a low false positive rate so, hopefully, there won't be any complications from deleting some of those..

-= HJT Log Analysis:

(1) Firewall
       You are using the Windows XP Firewall.. XP's firewall does not have outbound protection.. Enhance XP's protection by installing a firewall with outbound protection.. Examples are: PCTools, Agnitum Outpost, Online Armor.

(2) Keys

O2 - BHO: IEHlprObj Class - {AF4DA69B-E1D6-469A-855B-6445294857D4} - C:\WINDOWS\system32\ahnxsds0.dll
       -= A possible part of Vundo..
           Reference

C:\WINDOWS\AhnRpta.exe
       -= I cannot assure harmlessness of this one.. I suggest you send AhnRpta.exe to VirusTotal.. This can be a possible part of the key above..
            Reference

O4 - HKCU\..\Run: [ahnsoft] C:\WINDOWS\system32\ahnsbsb.exe
       -= I cannot assure harmlessness of this one.. I suggest you send ahnsbsb.exe to VirusTotal.. This can be a possible part of the key above..
           Reference
« Last Edit: July 07, 2009, 04:00:44 PM by -= Fenrir =- »
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1
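Added example, not part of the thread or of HijackThis: a Python pass over HJT log lines that applies the checks a log reviewer does by hand, which is how the three entries singled out in the reply above stand out from the rest of the log. It flags BHOs (O2) whose DLL sits under %SystemRoot% instead of Program Files, per-user Run entries (O4 HKCU) that launch a %SystemRoot% binary outside a small known baseline, Run entries with no path at all (the file is then found by PATH search order), AppInit_DLLs (O20), entries marked "(file missing)", and services (O23) with no publisher string. The sample is an excerpt of the log above; the C:\WINDOWS system-root prefix and the one-entry baseline (ctfmon.exe) are assumptions. The output is a review list with reasons, not a verdict.

```python
"""Heuristic review of HijackThis v2-style log lines (added example, not HJT code).

Emits the entries worth a second look, with the reason for each. It is a
reviewer's aid, not a detector: every hit still needs a human or a VirusTotal
lookup before anything is fixed.
"""
import re

# Assumed for this machine (the log shows C:\WINDOWS); adjust per host.
SYSTEM_ROOT = r"C:\WINDOWS"
# Assumed baseline of per-user autostarts that legitimately live in %SystemRoot%.
KNOWN_SYSTEM_AUTOSTARTS = {"ctfmon.exe"}

# Excerpt of the log quoted above, used as the sample input.
SAMPLE_HJT = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: IEHlprObj Class - {AF4DA69B-E1D6-469A-855B-6445294857D4} - C:\WINDOWS\system32\ahnxsds0.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ahnsoft] C:\WINDOWS\system32\ahnsbsb.exe
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def exe_of(cmd):
    """Executable part of a Run command: the quoted token, or the text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd


def in_system_root(path):
    return path.lower().startswith(SYSTEM_ROOT.lower() + "\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def flag_entries(text, baseline=KNOWN_SYSTEM_AUTOSTARTS):
    """Return [{kind, target, reason}, ...] for the lines a reviewer should look at."""
    flags = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            flags.append({"kind": line.split(" ", 1)[0], "target": line,
                          "reason": "points at a file that no longer exists; stale or half-removed component"})
            continue
        m = BHO_RE.match(line)
        if m:
            if in_system_root(m["path"]):
                flags.append({"kind": "O2", "target": m["path"],
                              "reason": "BHO DLL under %SystemRoot%; legitimate BHOs normally install under Program Files"})
            continue
        m = RUN_RE.match(line)
        if m:
            exe = exe_of(m["cmd"])
            if "\\" not in exe:
                flags.append({"kind": "O4", "target": exe,
                              "reason": "no path given: resolved by PATH search order, verify which file actually runs"})
            elif m["hive"] == "HKCU" and in_system_root(exe) and basename(exe).lower() not in baseline:
                flags.append({"kind": "O4", "target": exe,
                              "reason": "per-user autostart of a %SystemRoot% binary outside the known baseline"})
            continue
        m = APPINIT_RE.match(line)
        if m:
            flags.append({"kind": "O20", "target": m["path"],
                          "reason": "AppInit_DLLs is loaded into every process that maps user32.dll; confirm the publisher"})
            continue
        m = SVC_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            flags.append({"kind": "O23", "target": m["path"],
                          "reason": "service binary with no publisher string; check hash/signature before trusting it"})
    return flags


if __name__ == "__main__":
    for f in flag_entries(SAMPLE_HJT):
        print(f"{f['kind']:4} {f['target']}\n     {f['reason']}")
```

On the excerpt this lists ahnxsds0.dll, ahnsbsb.exe and two Dell/Sigmatel items for review; the Dell service and the pathless stsystra.exe are flagged only because their publisher or location cannot be confirmed from the log line alone, which is exactly the "send it to VirusTotal" step the reply recommends.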