
Thread: Win32 trojan & extras

  1. #1
    Junior Member, Join Date: Aug 2006, Posts: 2

    Win32 trojan & extras

    Okay folks, Nod32 has found multiple problems:

    HTP//85.255.114.166/1/rdgAu2404.exe -->infection from the net ?? Nod says a variant of win32/trojanDownloader.busky trojan

    usyp_0002-n91m1708netinstaller.exe
    iddDBB7.tmp dialer.U trojan
    Dialer.HPD
    U trojan
    busky. am trojan

    Me cuddly panda results:

    Incident Status Location

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@ad.yieldmanager[1].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@adtech[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@advertising[2].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@as-eu.falkag[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@atdmt[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@casalemedia[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@doubleclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@mediaplex[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@serving-sys[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@stats1.reliablestats[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@tribalfusion[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jai Crewdson\Cookies\jai crewdson@zedo[1].txt
    Dialer:Dialer.HPD Not disinfected C:\Documents and Settings\Jai Crewdson\Local Settings\Temporary Internet Files\Content.IE5\A6TF5Z4U\srvuor[1].exe
    Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Jai Crewdson\Local Settings\Temporary Internet Files\Content.IE5\FSWCY89G\srvewi[1].exe
    Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Jai Crewdson\Local Settings\Temporary Internet Files\Content.IE5\RSTUVNXY\srvkxj[1].exe
    Dialer:Dialer.HPD

    hijackthis results:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:55 AM, on 29/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Jai Crewdson\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozhiphop.com/
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124770295608
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
    O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

    Anything more I need to add I shall do. I have already downloaded killbox & atf cleaner if needed.

  2. #2
    Junior Member, Join Date: Aug 2006, Posts: 2

    No one can help?

  3. #3
    pskelley (In Memoriam - Always in our heart), Join Date: Oct 2005, Location: Clearwater, Florida, Posts: 20,247

    Welcome to the forum, please see this information: http://forums.spybot.info/showthread.php?t=1137
    Volunteer resources are stretched at all malware removal forums (some of which have five day waiting sticky topics) and we are seeing difficult infections which take longer to remove.

    Please do not bump your topic. (posting such as hello, anyone there, bump, nudge etc)
    Doing so could actually delay a response as Helpers may think you are already being assisted because of the post count.

    All I see in this HJT log is:

    1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

    2) http://forums.spybot.info/showpost.p...80&postcount=2
    an out-of-date Java program: http://forums.spybot.info/showpost.p...80&postcount=2

    If you have a problem please provide more information, especially the full name and location (pathway) of items being found by Nod32, any error messages you are receiving "word for word", and any symptoms that might help us identify your problem.

    Thanks

  4. #4
    tashi (Member of Team Spybot), Join Date: Oct 2005, Location: USA, Posts: 30,964

    HellspA, do you still require assistance?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #5
    tashi (Member of Team Spybot), Join Date: Oct 2005, Location: USA, Posts: 30,964

    This topic has been archived due to lack of a response.
    If you need it re-opened please send me a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.