Download TrojanHunter Now
Free 30-day trial!
Latest TrojanHunter Version:
TrojanHunter 5.3
Order Now
License file delivered within minutes.
Welcome, Guest. Please Login or Register.
Jul 29th, 2010, 4:05pm
   Mischel Internet Security Forum
   Malware
   Trojans (Moderators: Helena, Gavin_Coe, Magnus)
   TH 5 - trojan or not?		 « Previous topic | Next topic »
Pages: 1 2 3  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print
   Author  Topic: TH 5 - trojan or not?  (Read 5354 times)
master7
Newbie
*





   


Gender: male
 Posts: 19
TH 5 - trojan or not?
« on: Dec 2nd, 2008, 9:44am »		 Quote Quote  Modify Modify
This is coming back, every time TH delete it. How to remove this? Thanks!
 
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service s (matches TrojanProxy.Ranky.150)
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #1 on: Dec 2nd, 2008, 11:41pm »		 Quote Quote  Modify Modify
Welcome to the forum master7  Cheesy
 
Yes, this is the signature of an infection.
 
Please do the following steps:
 
1.  Download and install program Hijackthis per the instructions in the link below.  You do not need to run it at this point.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
2.  Update the rulesets of TrojanHunter via LiveUpdate.  If you are not a licensed user, LiveUpdate is not functional.  In that case, update the rulesets manually per the instructions in the link below.
 
http://www.misec.net/trojanhunter/updating/
 
3.  Open the TrojanHunter scanner GUI.  
 
-  Click on the Options icon on the left icon bar.
-  Check mark every option except the option "Warn on executable files with double extensions"
 
4.  Close the TrojanHunter scanner GUI and reboot your computer into SAFE MODE.
 
5.  Run a FULL SCAN of your system with TrojanHunter.  Let it quarantine anything it finds.  
 
6.  Reboot your computer back into Normal Mode.
 
7.  Now run Hijackthis and post the Hijackthis scan log back here.  DO NOT attempt to fix anything just yet with Hijackthis...just post the scan log.
 
8.  Post the TH scan results.  The log is located in folder Scan Reports at C:\Program Files\TrojanHunter 5.0\Scan Reports
IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #2 on: Dec 4th, 2008, 9:25am »		 Quote Quote  Modify Modify
Thank you siliconman01 !
 
I have done all. Yes, I'm licensed user.
Another question please: Can I have  TH Scanner & NOD32 3.0 turned on in the same time?
 
Here it is:
 
 
TrojanHunter Scan Report - Saved 2008-12-03 19:16
 
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service s (matches TrojanProxy.Ranky.150)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service s (matches TrojanProxy.Ranky.150)
Found trojan file: C:\Documents and Settings\vmx\drwvas.exe (Agent.3234)
Found trojan file: C:\Documents and Settings\vmx\syspdte.exe (Agent.3209)
Found trojan file: C:\Program Files\TrojanHunter 5.0\Quarantine\KAikxj.dat (Agent.3209)
Removed registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service s
Quarantined file C:\Documents and Settings\vmx\drwvas.exe
Quarantined file C:\Documents and Settings\vmx\syspdte.exe
Quarantined file C:\Program Files\TrojanHunter 5.0\Quarantine\KAikxj.dat
 
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:25, on 4.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [vmx] C:\Documents and Settings\vmx\vmx.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1132089442421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDB5CB0-9967-4B78-82A9-A0C0D0B9457B} : NameServer = 195.29.149.197 195.29.149.196
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
--
End of file - 7461 bytes
 
 
THANKS!
 
 
 
 
 
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #3 on: Dec 4th, 2008, 3:16pm »		 Quote Quote  Modify Modify
Quote:
Another question please: Can I have  TH Scanner & NOD32 3.0 turned on in the same time?

 
Yes, you should have no problem running the TH scanner or THGuard.exe with NOD32 3.0.
 
I've reviewed your HJT scan log and request that you do the following:
 
1.  Run another Hijackthis scan.  When the scan is completed, place a checkmark in the box next to the following items:
 
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
 
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
 
2.  Click on Fix Checked located at the bottom left of the Hijackthis window.  Confirm that you want Hijackthis to fix these items and let it fix them.
 
3.  Exit Hijackthis and immediately reboot your computer.
 
4.  After you reboot, please update your Java software to the latest version to obtain the latest security fixes in Java.
 
-  Go to the link below and download/install Java SE Runtime Environment (JRE) 6 Update 11
 
http://java.sun.com/javase/downloads/index.jsp
 
-  Once the Java Update 11 is installed, go to the Control Panel>Add and Remove Programs.  Uninstall all older Java updates.  You want to keep only Java(TM) 6 Update 11
 
5.  Reboot your computer again.
 
6.  Post a new Hijackthis scan log back here.
IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #4 on: Dec 4th, 2008, 4:56pm »		 Quote Quote  Modify Modify
Ok, have done that, but after reboot there was system consistency problem on C: with blue screen...hopefully will not repeat after next boot, as this didn't happened before.  Sad  
Please let me know your thoughts...
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:52:10, on 4.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [vmx] C:\Documents and Settings\vmx\vmx.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1132089442421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDB5CB0-9967-4B78-82A9-A0C0D0B9457B} : NameServer = 195.29.149.196 195.29.149.197
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
--
End of file - 7497 bytes
 
 
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #5 on: Dec 4th, 2008, 10:57pm »		 Quote Quote  Modify Modify
Quote:
Ok, have done that, but after reboot there was system consistency problem on C: with blue screen...hopefully will not repeat after next boot, as this didn't happened before.    
Please let me know your thoughts...

 
Did you get another BSOD on subsequent reboots?
 
Please make this adjustment in JAVA.
 
-  Go to the system Control Panel and select JAVA.
 
-  Once the Java control opens, select the Advanced tab
 
-  Click on the + sign next to Miscellaneous
 
-  Uncheck Java Quick Starter
 
-  Click on Apply and OK.
 
I am concerned about the entry below in your HJT log.
 
Quote:
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

 
This is symptomatic of a Worm.  Please do this:
 
1.  Go to the link below and download/install freebie Malwarebytes Antimalware V1.31.
 
http://www.malwarebytes.org/
 
2.  Once Malwarebytes is installed, run its Update to obtain the latest definitions.
 
3.  Then run a Complete Scan of your system with Malwarebytes.  Let it quarantine what it finds.
 
4.  Reboot.
 
5.  Post back here the Malwarebytes scan log.
 
6.  Post a new Hijackthis log.
 
Note Also:
 
When you upgraded Java, did you uncheck the box to install the MSN toolbar?  If not, and you do not want this toolbar in IE, you can delete the MSN toolbar via Add and Remove Programs in the Control Panel.
« Last Edit: Dec 4th, 2008, 11:07pm by siliconman01 » IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #6 on: Dec 5th, 2008, 7:03am »		 Quote Quote  Modify Modify
Malwarebytes' Anti-Malware 1.31
Database version: 1463
Windows 5.1.2600 Service Pack 3
 
5.12.2008 11:32:50
mbam-log-2008-12-05 (11-32-40).txt
 
Scan type: Full Scan (C:\|)
Objects scanned: 101666
Time elapsed: 37 minute(s), 41 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\mu (Trojan.Agent) -> No action taken.
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
C:\WINDOWS\services.exe (Backdoor.ProRat) -> No action taken.
 
 
- Interesting is that after this scan and reboot, NOD32 started to show infection with Wigon HF and Wigon BC trojan downloader !??  Huh
 
5.12.2008 12:48:42Real-time file system protectionfileC:\System Volume Information\_restore{0C2D3D16-A7A2-442D-8B30-EE3E31520734}\RP1\A0001166. exeWin32/Wigon.HF trojancleaned by deleting - quarantinedNT AUTHORITY\SYSTEM
Event occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
5.12.2008 12:13:18Real-time file system protectionfileC:\System Volume Information\_restore{0C2D3D16-A7A2-442D-8B30-EE3E31520734}\RP1\A0001165. exeWin32/TrojanDownloader.Wigon.BC trojancleaned by deleting - quarantinedNT AUTHORITY\SYSTEMEvent occurred during an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.
 
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:51:25, on 5.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Starfield\Desktop Notifier\wben.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [vmx] C:\Documents and Settings\vmx\vmx.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1132089442421
 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDB5CB0-9967-4B78-82A9-A0C0D0B9457B} : NameServer = 195.29.149.196 195.29.149.197
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
--
End of file - 7464 bytes
 
 
 
 
IP Logged
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #7 on: Dec 5th, 2008, 7:08am »		 Quote Quote  Modify Modify
on Dec 4th, 2008, 10:57pm, siliconman01 wrote:

 
Did you get another BSOD on subsequent reboots?

No, it didn't happen anymore, so I didn't change anything, or I still should do?
on Dec 4th, 2008, 10:57pm, siliconman01 wrote:

When you upgraded Java, did you uncheck the box to install the MSN toolbar?  If not, and you do not want this toolbar in IE, you can delete the MSN toolbar via Add and Remove Programs in the Control Panel.

Didn't allowed any toolbar  Grin
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #8 on: Dec 5th, 2008, 7:31am »		 Quote Quote  Modify Modify
Quote:
No, it didn't happen anymore, so I didn't change anything, or I still should do?

 
Just leave it alone if it no more BSOD's are occurring.
 
The MalwareBytes scan log is a little confusing.  Did it actually quarantine the infection it found?  There is a Quarantine tab on the main GUI of MalwareBytes...does the quarantine folder have anything stored in it?  
 
The detection by NOD32 below is indicating that your System Restore files are infected...which is understandable.
 
Quote:
5.12.2008 12:48:42Real-time file system protectionfileC:\System Volume Information\_restore{0C2D3D16-A7A2-442D-8B30-EE3E31520734}\RP1\A0001166

 
Please follow the instructions in the link below to clean out the System Restore file infections.
 
http://www.misec.net/forum/board/FAQ/1139255588
 
Then:
 
1.  Make all your files and folders visible via the instructions in the link below:
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Perform a Search of your C drive for the file named msasvc.exe
 
Please post back here as to whether you find msasvc.exe
IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #9 on: Dec 5th, 2008, 7:45am »		 Quote Quote  Modify Modify
on Dec 5th, 2008, 7:31am, siliconman01 wrote:

The MalwareBytes scan log is a little confusing.  Did it actually quarantine the infection it found?  There is a Quarantine tab on the main GUI of MalwareBytes...does the quarantine folder have anything stored in it?  

 
Nope  Sad
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #10 on: Dec 5th, 2008, 7:57am »		 Quote Quote  Modify Modify
When MalwareBytes came to the end of the scan, it stated that it found some infected items.  Did you checkmark the boxes of what you wanted it to quarantine and then instruct it to clean them?
 
Please run another scan with MalwareBytes and see if you can get it to quarantine the registry keys and files it finds.  Then repost the Malwarebytes scan log and a new HJT log.
IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #11 on: Dec 5th, 2008, 8:55pm »		 Quote Quote  Modify Modify
ok, have done everything you wrote, including repeated MalwareBytes scan, and NOD32 scan after new manually created restore point (Nod32 didn't find anything after that)...here are the the rest of results..
 
____________________________________________-
Malwarebytes' Anti-Malware 1.31
Database version: 1463
Windows 5.1.2600 Service Pack 3
 
5.12.2008 19:20:10
mbam-log-2008-12-05 (19-20-10).txt
 
Scan type: Full Scan (C:\|)
Objects scanned: 101610
Time elapsed: 48 minute(s), 1 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Br owser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
C:\WINDOWS\services.exe (Backdoor.ProRat) -> Quarantined and deleted successfully.
----------------------------------------------
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:18, on 6.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [vmx] C:\Documents and Settings\vmx\vmx.exe /i
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1132089442421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDB5CB0-9967-4B78-82A9-A0C0D0B9457B} : NameServer = 195.29.149.197 195.29.149.196
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
--
End of file - 7358 bytes
 
p.s.
I see msasvc.exe is still present, I have tried search, but nothing came up...I did make all files and folders visible...  
 
btw:
When I go to msconfig/startup, I see there is loader.exe in C: documents/locals/temp which is unchecked, I think it was trojan in the past...is this important?
« Last Edit: Dec 5th, 2008, 8:57pm by master7 » IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #12 on: Dec 5th, 2008, 11:59pm »		 Quote Quote  Modify Modify
Okay, it appears that MBAM deleted and quarantined the infected items properly this time.
 
Would you please do the following so that Gavin can incorporate detection of these quarantined items into TrojanHunter's rulesets.  
 
Basically please submit the Quarantine folder of MBAM to Mischel Internet Security for analysis.
 
1.  Open Windows Explorer.
 
2.  Navigate to the Quarantine folder located at:
 
C:\Documents and Settings\"YourAcctName"\Application Data\Malwarebytes\Malwarebytes Anti-Malware
 
3.  Right click on the folder named Quarantine and select Send To>Compressed (zipped ) folder from the drop down menu.
 
4.  Select "Yes" when the alert window opens.  A ZIP file will be created which is the Quarantine folder zipped.
 
5.  Then submit the ZIP file as an attachment to an email to submit@misec.net
 
-  In the email subject line, state "Services.exe infection"
-  In the body of the email to Gavin, include a link (URL) to this forum post thread.
 
6.  After the email has submitted the file, delete the ZIPPED file from your system/disk.  
 
Quote:
p.s.  
I see msasvc.exe is still present, I have tried search, but nothing came up...I did make all files and folders visible...

 
Okay, it appears that NOD32 or TH must have quarantined this file sometime in the past and the registry entry is still left hanging.  
 
Quote:
btw:  
When I go to msconfig/startup, I see there is loader.exe in C: documents/locals/temp which is unchecked, I think it was trojan in the past...is this important?  

 
We should try to get rid of this entry in the startup registry list.
 
Are you familiar with and comfortable with how to use the registry editor REGEDIT?
 
On second thought, let's see if SuperAntiSpyware will get rid of these registry entries.  Please do the following.
 
1.  Go to the link below and download/install the free version of SuperAntiSpyware.  It's the BLUE one labeled "Download Free Version Home Users"
 
http://www.superantispyware.com/superantispywarefreevspro.html
 
2.  Once you get it installed, update its latest rulesets.  Unfortunately the Free Version requires a manual update.  
 
-  Go to the link below and click on "Download Installer"
 
http://www.superantispyware.com/definitions.html
 
-  Follow the instructions of the wizard to install the latest updates.
 
3.  Then run a Complete Scan of your system with SuperAntiSpyware.  Let it quarantine what it finds.  NOTE:  If there is anything found to Quarantine, you have to checkmark the boxes of the items before you click on Next.  This tells SAS what you want to quarantine.
 
4.  Reboot your computer if SAS quarantines anything.  
 
5.  Post back here the scan log of SAS.  It is found under the Logs and Statistics tab on the Preferences window of SAS.
 
6.  Post a new HJT log.  
 
 
« Last Edit: Dec 6th, 2008, 12:50am by siliconman01 » IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
master7
Newbie
*





   


Gender: male
 Posts: 19
Re: TH 5 - trojan or not?
« Reply #13 on: Dec 6th, 2008, 11:18am »		 Quote Quote  Modify Modify
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 12/06/2008 at 02:28 PM
 
Application Version : 4.22.1014
 
Core Rules Database Version : 3665
Trace Rules Database Version: 1645
 
Scan type  : Complete Scan
Total Scan Time : 01:08:14
 
Memory items scanned : 389
Memory threats detected   : 0
Registry items scanned    : 5714
Registry threats detected : 9
File items scanned   : 19439
File threats detected     : 208
 
 
Everything else was cookies, except:
 
 
Trojan.Downloader-IBM/Shell
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSASVC\0000#DeviceDesc
 
 
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:29, on 6.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MpsOnn] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe
O4 - HKLM\..\Run: [gemstrmw] C:\WINDOWS\system32\gemstrmw.exe /r
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wben] "C:\Program Files\Starfield\Desktop Notifier\wben.exe"
O4 - HKCU\..\Run: [vmx] C:\Documents and Settings\vmx\vmx.exe /i
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wu web_site.cab?1132089442421
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEDB5CB0-9967-4B78-82A9-A0C0D0B9457B} : NameServer = 195.29.149.197 195.29.149.196
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
--
End of file - 7701 bytes
 
 
 
 
 
 
 
 
 
 
IP Logged
siliconman01
Global Moderator
*****



Trojans! Chew 'em Up, Spit 'em Out...

   


Gender: male
 Posts: 6729
Re: TH 5 - trojan or not?
« Reply #14 on: Dec 6th, 2008, 3:19pm »		 Quote Quote  Modify Modify
Did you check mark all the detected items in SuperAntiSpyware and then let SAS quarantine them?  You can check by examining the Quarantine folder of SAS.
 
-  Open SAS to its main window.
 
-  Click on "Manage Quarantine"
 
Quarantined items should show up in the Quarantine folder.  
 
Also did you reboot after letting SAS quarantine the items?
 
The reason I am asking is that the O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) is still showing up in HJT.
IP Logged
______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V10; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2011 Beta. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.3, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
Pages: 1 2 3  Reply Reply  Notify of replies Notify of replies   Send Topic Send Topic   Print Print

« Previous topic | Next topic »
Search
Members
Login
Register