Author Topic: What is this?  (Read 9856 times)


WW

  • Guest
What is this?
« on: August 15, 2004, 09:40:22 PM »
I've been getting some warnings lately:

8/9/2004 6:08:53 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/13/2004 5:28:24 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/13/2004 5:28:25 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\PROGRA~1\WINDUP~1\WinKA.exe" file.
8/13/2004 5:28:29 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\PROGRAM FILES\WINDUPDATES\COMM.DLL" file.
8/14/2004 5:09:34 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/14/2004 5:09:38 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\PROGRAM FILES\WINDUPDATES\COMM.DLL" file.
8/14/2004 3:04:02 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 4:10:34 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 7:27:26 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 8:10:07 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 9:18:53 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 11:05:03 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\System Volume Information\_restore{CBBCF61B-BBED-4BDC-B279-A0044CE04DCA}\RP89\A0015979.dll" file.

Any idea where these might be coming from and what type of viruses these are?

Thanks
WW(5.0)

John-

  • Guest
Re:What is this?
« Reply #1 on: August 15, 2004, 10:23:23 PM »
It is obviously spyware/a trojan horse which has infiltrated your Windows registry... Try to remove it with an anti-spyware killer, or prevent it with "SpywareBlaster".

http://www.techsupportforum.com/computer/topic/11911-1.htm

For further details, check the link above.

Remember: always try to prevent.

Eddy
Re:What is this?
« Reply #2 on: August 15, 2004, 10:36:21 PM »
Please run HijackThis and post the log here.
« Last Edit: August 15, 2004, 10:36:35 PM by Eddy »

WW

  • Guest
Re:What is this?
« Reply #3 on: August 16, 2004, 01:09:48 AM »
OK... I just did a scan of C: and moved five files to the chest; then Ad-Aware found another, which I deleted.
But here is the log from HijackThis:


Logfile of HijackThis v1.98.2
Scan saved at 4:06:21 PM, on 8/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\USBToolbox\ResModify.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\WINDOWS\explorer.exe
I:\XP_Downloads\HiJackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fidalgo.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ResModify] C:\Program Files\USBToolbox\ResModify.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=e685f42af16b4ae133fb6395c0ae1826074370b6ef2ab58c7b394a46b7785ed02dcd1d18afd71cf37a3273507e405440345a19b4981e02e4ec71b0834b3328:522a1c137ec85ca995271ab95b94951b
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F23708F-E338-45F0-AD8F-658D49A242E2}: NameServer = 66.218.206.85 66.218.206.13


WW(5.0)

Eddy
Re:What is this?
« Reply #4 on: August 16, 2004, 01:22:46 AM »
Just one thing to fix, the rest is clean.

o4 - hklm\..\run: [windupdates] c:\program files\windupdates\winupdt.exe
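As an added example (not part of this thread, and not HijackThis or avast! code), here is a small Python script that does mechanically what Eddy did by eye: it parses the O4 autostart lines from the HijackThis log above, takes the detection paths out of the avast! warnings in the first post, and flags any autostart entry that launches a file from a directory where the scanner reported a hit. Both log excerpts are constructed from lines in this thread; the 8.3 short-name matching (PROGRA~1 against Program Files) is a heuristic of my own, added because avast! logged the same directory in both forms.

```python
import ntpath
import re
from collections import namedtuple

# Constructed excerpt of the HijackThis v1.98.2 log posted in this thread (O4 lines only).
HJT_LOG = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Program Files\HDD Thermometer\HDD Thermometer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Constructed excerpt of the avast! warnings from the first post; only the quoted paths are used here.
AVAST_LOG = r"""
8/13/2004 5:28:24 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/13/2004 5:28:25 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\PROGRA~1\WINDUP~1\WinKA.exe" file.
8/13/2004 5:28:29 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\PROGRAM FILES\WINDUPDATES\COMM.DLL" file.
"""

Autostart = namedtuple("Autostart", "hive name command path")

O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.+?) = (.+)$")
DETECTION = re.compile(r'has been found in "(.+?)" file')


def launched_file(command):
    """Pick the file an O4 command actually starts (for rundll32, the DLL it loads)."""
    m = re.match(r'"([^"]+)"', command)            # quoted path, arguments may follow
    if m:
        return m.group(1)
    m = re.match(r"(?i)rundll32\.exe\s+([^,]+)", command)
    if m:
        return m.group(1).strip()
    # Unquoted path, possibly with spaces: take everything up to the first executable suffix.
    m = re.match(r"(?i)(.+?\.(?:exe|com|bat|scr|dll))(?:\s|$)", command)
    return m.group(1) if m else command


def parse_autostarts(log):
    """Turn the O4 (Run key / Startup folder) lines of a HijackThis log into Autostart records."""
    entries = []
    for line in log.strip().splitlines():
        m = O4_RUN.match(line)
        if m:
            hive, name, command = m.groups()
        else:
            m = O4_STARTUP.match(line)
            if not m:
                continue                            # not an O4 line we understand
            name, command = m.groups()
            hive = "Startup"
        entries.append(Autostart(hive, name, command, launched_file(command)))
    return entries


def same_dir(a, b):
    """Case-insensitive directory comparison tolerant of 8.3 short names.

    Heuristic (my assumption, not a real short-name expansion): a component such as
    WINDUP~1 matches a long name whose space-stripped form starts with 'windup'.
    """
    pa, pb = a.lower().split("\\"), b.lower().split("\\")
    if len(pa) != len(pb):
        return False
    for x, y in zip(pa, pb):
        if x == y:
            continue
        if "~" in x:
            if not y.replace(" ", "").startswith(x.split("~", 1)[0]):
                return False
        elif "~" in y:
            if not x.replace(" ", "").startswith(y.split("~", 1)[0]):
                return False
        else:
            return False
    return True


def flag_autostarts(autostarts, detection_paths):
    """Return autostart entries whose launched file lives in a directory the AV flagged."""
    bad_dirs = {ntpath.dirname(p) for p in detection_paths}
    return [e for e in autostarts
            if any(same_dir(ntpath.dirname(e.path), d) for d in bad_dirs)]


def triage(hjt_log=HJT_LOG, avast_log=AVAST_LOG):
    """Names of the autostart entries to remove, given both logs."""
    flagged = flag_autostarts(parse_autostarts(hjt_log), DETECTION.findall(avast_log))
    return [e.name for e in flagged]


if __name__ == "__main__":
    for entry in flag_autostarts(parse_autostarts(HJT_LOG), DETECTION.findall(AVAST_LOG)):
        print(f"fix: O4 - {entry.hive}\\..\\Run: [{entry.name}] {entry.command}")
```

On the constructed input this prints only the [WindUpdates] entry, the same line Eddy singled out; everything else (avast!, ZoneAlarm, the nVidia rundll32 entry, the Startup-folder shortcuts) launches from directories the scanner never complained about. The cross-reference is the point: an autostart entry is not bad because its name looks odd, it is bad because it keeps re-launching a file the AV has already identified.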

WW

  • Guest
Re:What is this?
« Reply #5 on: August 16, 2004, 01:42:46 AM »
Done...thanks!

whocares

  • Guest
Re:What is this?
« Reply #6 on: August 16, 2004, 02:05:12 AM »

Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\System Volume Information\_restore

And the above means that you must disable System RESTORE and reboot, then re-enable it:

See the "VirusRemoval" link below in my sig on how to do it. ;)
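Added example (not from this thread and not avast! code): a Python parser for the warning lines WW posted at the top of the thread. It groups the repeated hits by signature and file, and separates a copy sitting under System Volume Information\_restore{...}\RPnn, the one whocares is pointing at, which only a System Restore flush clears, from files on the live system. The sample lines are a constructed subset of the ones quoted above, and the line layout (timestamp, account, process id, signature, path) is inferred from those lines rather than taken from avast! documentation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four of the avast! warning lines quoted in the first post of this thread.
SAMPLE_LOG = r"""
8/9/2004 6:08:53 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/13/2004 5:28:29 PM   NT AUTHORITY\SYSTEM   1804   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\PROGRAM FILES\WINDUPDATES\COMM.DLL" file.
8/15/2004 9:18:53 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-246 [Trj]" has been found in "C:\Program Files\WindUpdates\WinKA.exe" file.
8/15/2004 11:05:03 AM   NT AUTHORITY\SYSTEM   1800   Sign of "Win32:Trojano-247 [Trj]" has been found in "C:\System Volume Information\_restore{CBBCF61B-BBED-4BDC-B279-A0044CE04DCA}\RP89\A0015979.dll" file.
"""

# Field layout assumed from the posted lines: date time AM/PM, account, pid, then the message.
LINE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<account>.+?)\s+(?P<pid>\d+)\s+"
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# A file inside a System Restore point: _restore{GUID}\RPnn\A00xxxxx.ext
RESTORE_POINT = re.compile(r"(?i)\\System Volume Information\\_restore\{[0-9a-f-]+\}\\RP\d+\\")


def parse_warnings(log):
    """Parse each warning line into a dict; lines that do not fit the layout are skipped."""
    events = []
    for line in log.strip().splitlines():
        m = LINE.match(line.rstrip())              # posted lines carry trailing spaces
        if not m:
            continue
        d = m.groupdict()
        d["when"] = datetime.strptime(d["when"], "%m/%d/%Y %I:%M:%S %p")
        d["in_restore_point"] = bool(RESTORE_POINT.search(d["path"]))
        events.append(d)
    return events


def summarize_warnings(events):
    """Collapse repeated hits on the same (signature, file) and say what each group implies."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sig"], e["path"].lower())].append(e)
    summary = []
    for (sig, path), hits in sorted(groups.items(), key=lambda kv: kv[1][0]["when"]):
        if hits[0]["in_restore_point"]:
            action = "copy kept by System Restore: clear restore points (disable, reboot, re-enable)"
        else:
            action = "live file: quarantine or delete it and remove the autostart entry that launches it"
        summary.append({
            "signature": sig, "path": path, "hits": len(hits),
            "first": hits[0]["when"], "last": hits[-1]["when"], "action": action,
        })
    return summary


if __name__ == "__main__":
    for s in summarize_warnings(parse_warnings(SAMPLE_LOG)):
        print(f'{s["hits"]}x {s["signature"]} in {s["path"]} '
              f'({s["first"]:%Y-%m-%d} .. {s["last"]:%Y-%m-%d}): {s["action"]}')
```

The repeated WinKA.exe hits from process 1800 day after day are what the grouping makes visible: the same file keeps being found, so something keeps starting it, which is why the fix in this thread was the Run-key entry rather than the file alone. The restore-point hit is classified separately because it is a backup copy Windows made of the infected DLL, not a reinfection, and deleting it through the scanner does not help while the restore point still holds it.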