Mischel Internet Security Forum > Malware > Trojans (Moderators: Helena, Gavin_Coe, Magnus)
Topic: Trojans Found (Read 3924 times)

Londoe_Black (Newbie, 11 posts)
Trojans Found « on: Dec 14th, 2008, 9:08am »

My scan report:
TrojanHunter Scan Report
Saved 2008-12-14 at 02:41
 
Scanning drives C:\ D:\
Found trojan file: C:\System Volume Information\_restore{D673A610-40F6-48AC-B5C6-DF0203E91CF5}\RP7\A0007841.exe (TrojanDropper.Delf.797)
Found NTFS alternate data stream attached to directory: D:\Documents and Settings\All Users\Application Data\TEMP:C6B34D36:$DATA
Found trojan file: D:\System Volume Information\_restore{D673A610-40F6-48AC-B5C6-DF0203E91CF5}\RP0\A0006047.exe (StartPage.242)
 
Oh yeah, my drive letters are reversed for some reason: the D drive is my Windows drive, and the C drive is backup.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:43 AM, on 12/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20935)
Boot mode: Normal
 
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\VolumeTray\VolumeTray.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TrojanHunter 5.0\THGuard.exe
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\Logitech\QuickCam\Quickcam.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\eMule\emule.exe
D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
D:\Documents and Settings\gimp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
D:\Program Files\Click-N-Type\Click-N-Type.exe
D:\Program Files\Secunia\PSI\psi.exe
C:\Downloads\TRANSPARENT DESKTOP CLOCK\SmartClock.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\The KMPlayer1431\KMPlayer.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =  
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - D:\Program Files\WinAVI FLV Converter\FLVTune.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VolumeTray] D:\Program Files\VolumeTray\VolumeTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "D:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WeatherEye] D:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKCU\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Active Desktop Calendar] D:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\gimp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [eMuleAutoStart] D:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: Click-N-Type.LNK = D:\Program Files\Click-N-Type\Click-N-Type.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Secunia PSI.lnk = D:\Program Files\Secunia\PSI\psi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Click-N-Type.LNK = D:\Program Files\Click-N-Type\Click-N-Type.exe (User 'Default user')
O4 - .DEFAULT Startup: Secunia PSI.lnk = D:\Program Files\Secunia\PSI\psi.exe (User 'Default user')
O4 - Startup: Click-N-Type.LNK = D:\Program Files\Click-N-Type\Click-N-Type.exe
O4 - Startup: Secunia PSI.lnk = D:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download FLV by WinAVI... - D:\Program Files\WinAVI FLV Converter\flv_link.htm
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - D:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - D:\Program Files\WinAVI FLV Converter\FLVTune.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O13 - Gopher Prefix:  
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - D:\Program Files\Common Files\logishrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
 
--
End of file - 10592 bytes
« Last Edit: Dec 14th, 2008, 9:35am by Londoe_Black »

siliconman01 (Global Moderator, 7358 posts)
Re: Trojans Found « Reply #1 on: Dec 14th, 2008, 9:57am »

Welcome to the forum, Londoe_Black. :D
 
-  There is nothing malicious showing up in your HJT scan log.  
 
 
Quote:
Found trojan file: C:\System Volume Information\_restore{D673A610-40F6-48AC-B5C6-DF0203E91CF5}\RP7\A0007841.exe (TrojanDropper.Delf.797)
Found trojan file: D:\System Volume Information\_restore{D673A610-40F6-48AC-B5C6-DF0203E91CF5}\RP0\A0006047.exe (StartPage.242)
 
-  Concerning the above two items, you need to clear out your system restore folder, System Volume Information, per the instructions in the link below
 
http://www.misec.net/forum/board/FAQ/1139255588
 
Quote:
Found NTFS alternate data stream attached to directory: D:\Documents and Settings\All Users\Application Data\TEMP:C6B34D36:$DATA

 
-  Concerning the NTFS ADS above, the next time you scan with the TH scanner, let it complete the scan.  Then right-click the NTFS ADS above and instruct TH to delete the alternate data stream.  The file will be retained...only the ADS will be removed.
 
-  You can do some dress up via Hijackthis.
 
1.  Run another Hijackthis scan.  When the scan is completed, place a check mark in the box next to the following item.  BE SURE that this is the only item checked.
 
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
 
2.  Close your browser
 
3.  Click on Fix Checked located at the lower left of the HJT window.  Confirm that you want HJT to fix the item.
 
4.  After the fix is completed, close HJT.
 
That is all I see that needs attention. :)

______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.

Londoe_Black (Newbie, 11 posts)
Re: Trojans Found « Reply #2 on: Dec 15th, 2008, 9:14am »

Thanks for your help. I was able to clear up the first problem, but didn't understand "Concerning the NTFS ADS above, the next time you scan with the TH scanner, let it complete the scan.  Then right-click the NTFS ADS above and instruct TH to delete the alternate data stream.  The file will be retained...only the ADS will be removed."
 
There was nothing to click on. The problem only shows up in my scan report.
 
If it's nothing malicious, then I'm not really concerned about it. Thanks again for the help.
 
Londoe_Black.

siliconman01 (Global Moderator, 7358 posts)
Re: Trojans Found « Reply #3 on: Dec 15th, 2008, 9:27am »

Quote:
There was nothing to click on. The problem only shows up in my scan report.  
 
If it's nothing malicious, then I'm not really concerned about it. Thanks again for the help.

 
The next time you run a TrojanHunter scan, if it shows up in your scan report when the scan is completed, right click on the scan report line Found NTFS alternate data stream attached to directory: D:\Documents and Settings\All Users\Application Data\TEMP:C6B34D36:$DATA.  In the pop up menu that appears, select Delete Alternate Data Stream.  Confirm that you want to delete it and let TH remove the ADS.
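The deletion that siliconman01 walks through inside TrojanHunter, done from the command line instead, as an added example that is not part of this thread and is not TrojanHunter's code. It assumes PowerShell 3.0 or later on Windows 7 or newer: the -Stream parameters it relies on do not exist on the Windows XP host in this thread, where Sysinternals streams.exe is the equivalent tool. The directory and stream name are the ones from the posted scan report. It also adds the check a practitioner wants before deleting anything: how large the stream is and what its first bytes look like, because a directory can carry a complete executable in an ADS that Explorer never shows, while a few bytes of metadata is harmless.

```powershell
# Added example (not from the thread or from TrojanHunter). Needs PowerShell
# 3.0+ for the -Stream parameters, i.e. Windows 7 or newer; the XP host in
# this thread would use Sysinternals streams.exe for the same job.
# The directory and stream name are the ones in the posted scan report.
$dir    = 'D:\Documents and Settings\All Users\Application Data\TEMP'
$stream = 'C6B34D36'   # ':$DATA' in the report is the stream type, not part of the name

# 1. Enumerate the streams on the directory. ':$DATA' is the ordinary
#    unnamed stream; any other name is an alternate data stream.
Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# 2. Inspect the stream before deleting it: its length and leading bytes.
#    A blob that starts with 'MZ' is an executable parked on the directory
#    and deserves analysis before it is destroyed. Byte reading is spelled
#    differently in Windows PowerShell (-Encoding Byte) and PowerShell 7+
#    (-AsByteStream), so pick the right switch for the running version.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else                                        { @{ Encoding = 'Byte' } }
$bytes = @(Get-Content -LiteralPath $dir -Stream $stream -TotalCount 16 @byteArgs)
'{0} leading bytes: {1}' -f $bytes.Count, (($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
if ($bytes.Count -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
    Write-Warning "${dir}:${stream} begins with an MZ header; treat it as an executable."
}

# 3. Delete only the stream. The directory and everything in it stay as they
#    are. Drop -WhatIf once step 2 has shown you what you are removing.
Remove-Item -LiteralPath $dir -Stream $stream -WhatIf

# 4. Verify: no output means the stream is gone. If it is back on the next
#    scan, something is recreating it, which is what this thread ends up seeing.
Get-Item -LiteralPath $dir -Stream $stream -ErrorAction SilentlyContinue
```

Run it from an elevated prompt, since the directory sits under All Users. If the stream keeps returning after deletion, the useful next step is to find the writer rather than keep deleting: Process Monitor shows ADS writes with the `path:stream` name in its Path column, so a filter on that path names the process responsible.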

Londoe_Black (Newbie, 11 posts)
Re: Trojans Found « Reply #4 on: Dec 16th, 2008, 1:07pm »

OK, I ran the scan; it doesn't show up in the TH scan report window, but it does show up in the scan report folder text file. Also, that temp folder showed empty when I checked it.

siliconman01 (Global Moderator, 7358 posts)
Re: Trojans Found « Reply #5 on: Dec 16th, 2008, 11:53pm »

Quote:
OK, I ran the scan; it doesn't show up in the TH scan report window, but it does show up in the scan report folder text file. Also, that temp folder showed empty when I checked it.
 
Check the time/date on the scan report.  It sounds like you may be viewing a previous scan report.  Note that TH does not create a scan report if nothing malicious or alert-worthy is found during the scan.
 
I suspect that Temp file was a transient file that got cleared out.

Londoe_Black (Newbie, 11 posts)
Re: Trojans Found « Reply #6 on: Dec 17th, 2008, 4:09pm »

It shows up in the scan report folder daily; I scan every day.

siliconman01 (Global Moderator, 7358 posts)
Re: Trojans Found « Reply #7 on: Dec 17th, 2008, 10:46pm »

I have a couple of these "Temp" NTFS items that always show up on my Vista computer.  They keep coming back even if I delete the ADS.  It's nothing to worry about in this case.  Windows is adding the ADS for whatever reason.

Londoe_Black (Newbie, 11 posts)
Re: Trojans Found « Reply #8 on: Dec 18th, 2008, 11:50am »

OK, thank you very much for your time & advice. :)