help, spyware or trojan Win XP SP2
-
Hi, can anyone help me with this trojan?
Symantec Antivirus detects 'Downloader.Trojan' at normal startup (not in Safe Mode).
I've installed Ad-Aware & Spybot and cleaned the detected items, but Downloader.Trojan remains. I've scanned with and without Safe Mode, with and without the net... but at normal startup the Downloader.Trojan alert still appears.
I have posted my HijackThis log, if that helps, plus a list of the infected files detected by Symantec.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 19:41:33, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\ScanSoft\OmniPagePro11.0\opware32.exe
C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Corel\Corel Graphics 12\PROGRAMS\CORELDRW.EXE
C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\dduarte\CONFIG~1\Temp\Adobelm_Cleanup.0001
C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\dduarte\CONFIG~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\dduarte\Escritorio\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.arnet.com.ar/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...ient?clid=3082
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = RUTH:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Archivos de programa\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [Omnipage] C:\Archivos de programa\ScanSoft\OmniPagePro11.0\opware32.exe
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kbdhept] C:\WINDOWS\system32\kbdhept.exe
O4 - HKCU\..\Run: [MSAgentXP] C:\WINDOWS\system32\MSAgentXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [danim] "C:\WINDOWS\system32\danim.exe"
O4 - HKCU\..\Run: [slbrccsp] "C:\WINDOWS\system32\slbrccsp.exe"
O4 - HKCU\..\Run: [ddeml] "C:\WINDOWS\system32\ddeml.exe"
O4 - HKCU\..\Run: [cnbjmon] "C:\WINDOWS\system32\cnbjmon.exe"
O4 - HKCU\..\Run: [nvrsja] "C:\WINDOWS\system32\nvrsja.exe"
O4 - HKCU\..\Run: [udhisapi] "C:\WINDOWS\system32\udhisapi.exe"
O4 - HKCU\..\Run: [kbdur] "C:\WINDOWS\system32\kbdur.exe"
O4 - HKCU\..\Run: [rasman] "C:\WINDOWS\system32\rasman.exe"
O4 - Startup: taskmgr.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Documents and Settings\dduarte\Escritorio\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Monitor de conectividad del cliente del servidor de seguridad.LNK = C:\Archivos de programa\Microsoft Firewall Client\ISATRAY.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Investigador - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = diarionorte.com
O17 - HKLM\Software\..\Telephony: DomainName = diarionorte.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = diarionorte.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Archivos de programa\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Archivos de programa\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Archivos de programa\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe
---------------------
Symantec Antivirus Client 8.009374 (Virus History)
Date Filename Virus Name Virus Type Action Taken Original Location Status Current Location
29/03/2006 18:12 iasacct.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
29/03/2006 12:45 d3dramp.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
28/03/2006 22:54 ltkrn13n.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
28/03/2006 13:25 oleaccrc.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
28/03/2006 7:17 dssenh.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
27/03/2006 23:31 corpol.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
27/03/2006 18:06 kbddv.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
27/03/2006 12:00 vxblock.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
26/03/2006 14:41 wmasf.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 19:42 ipnathlp.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 18:47 usrfaxa.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 18:24 fsusd.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:49 wmpcore.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:49 untfs.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:48 msprpes.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:48 msaatext.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:48 kbdhe220.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:46 cba.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 17:46 bassmod.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 12:06 rasman.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 12:03 vbar332.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 7:12 rasman.exe Download.Trojan File Left alone C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\
24/03/2006 23:28 kbdru.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
24/03/2006 20:54 kbdla.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
24/03/2006 20:53 kbdur.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
24/03/2006 20:15 kbdur.exe Download.Trojan File Left alone C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\
ACTIONS TAKEN Primary Action Secondary Action
FOR ALL ARCHIVES Clean virus from file Quarantine infected file
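The log above already points at why the alert keeps coming back: several HKCU Run entries launch .exe files from system32 whose names mirror Windows DLLs, and two of those names (kbdur.exe, rasman.exe) also appear in the quarantine history, so whatever wrote the Run keys is re-dropping its payloads. The Python below is an added example, not part of the original thread: it parses a few of the posted O4 lines and Symantec rows, flags per-user Run entries that launch an unknown system32 executable, and cross-references them with the quarantine history; the KNOWN_GOOD allow-list is an assumption.

```python
import re
# HijackThis O4 lines and Symantec history rows copied from the post above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [NBJ] "C:\Archivos de programa\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kbdhept] C:\WINDOWS\system32\kbdhept.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [danim] "C:\WINDOWS\system32\danim.exe"
O4 - HKCU\..\Run: [kbdur] "C:\WINDOWS\system32\kbdur.exe"
O4 - HKCU\..\Run: [rasman] "C:\WINDOWS\system32\rasman.exe"
"""
AV_HISTORY = r"""
25/03/2006 12:06 rasman.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
25/03/2006 7:12 rasman.exe Download.Trojan File Left alone C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\
24/03/2006 20:53 kbdur.exe Download.Trojan File Quarantined C:\WINDOWS\system32\ Infected Quarantine
24/03/2006 20:15 kbdur.exe Download.Trojan File Left alone C:\WINDOWS\system32\ Infected C:\WINDOWS\system32\
"""
# Constructed allow-list (assumption): the one per-user system32 autostart here that is a normal Windows component.
KNOWN_GOOD = {"ctfmon.exe"}
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[[^\]]+\] "?([^"]+?\.exe)"?', re.I)

def parse_run_entries(hjt_text):
    """Yield (hive, directory, filename) for each O4 Run line; path parts lower-cased."""
    for line in hjt_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            directory, _, filename = m.group(2).lower().rpartition("\\")
            yield m.group(1).upper(), directory, filename

def parse_av_history(av_text):
    """Map each detected filename to a list of (date time, action) from the Symantec rows."""
    history = {}
    for line in av_text.splitlines():
        m = re.match(r'^(\S+ \S+) (\S+) \S+ File (Quarantined|Left alone) ', line.strip())
        if m:
            history.setdefault(m.group(2).lower(), []).append((m.group(1), m.group(3)))
    return history

def analyze(hjt_text, av_text):
    """Flag HKCU Run entries launching an unknown system32 .exe; a flagged target that the AV
    already quarantined once means the Run key and file are being re-created by a dropper."""
    history = parse_av_history(av_text)
    suspicious = [f for hive, d, f in parse_run_entries(hjt_text)
                  if hive == "HKCU" and d.endswith("\\windows\\system32")
                  and f not in KNOWN_GOOD]
    re_persisted = sorted(f for f in suspicious if f in history)
    return {"suspicious": suspicious, "re_persisted": re_persisted, "history": history}

if __name__ == "__main__":
    print(analyze(HJT_LOG, AV_HISTORY)["re_persisted"])  # ['kbdur.exe', 'rasman.exe']
```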
-

Please download ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 by Atribune.
This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
- Click the Empty Selected button.
- If you use Firefox browser - Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- If you use Opera browser - Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
- Click the Empty Selected button.
- NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
- Click Exit on the Main menu to close the program.
Also, it is advisable to clean out any antivirus quarantine area content.
Please download, install, update and scan your system with the free (trial) version of the Ewido trojan scanner [developed for Windows 2000 and XP]:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
- If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
- When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
REBOOT.
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.