robotnik
2008-05-24, 16:36
referring to: http://forums.spybot.info/showthread.php?t=28428
First I'd like to mention another 'bug' I found today:
Trojan.Downloader-25540 (Clamwin)
Win32/TrojanDownloader.Agent.KHJ (nod32)
file: D:\WINDOWS\system32\dmsvct.dll
I didn't detect it earlier because I never looked at the nod32-logfile and nod32 was running in silent mode :bigthumb:
Scanning was done in safe mode, and so was removal of the file. However, this didn't do anything about my bluescreen problem .. I'm getting seriously annoyed :alien:
clamwin log (I feel uncomfortable with online scanners, so I used this):
D:\WINDOWS\system32\dmsvct.dll: Trojan.Downloader-25540 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 294742
Engine version: 0.93
Scanned directories: 7514
Scanned files: 43435
Infected files: 1
Data scanned: 8656.82 MB
Time: 9325.369 sec (155 m 25 s)
--------------------------------------
Completed
here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:46, on 24.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
C:\PROGRAM FILES\ATI Tray Tools\atitray.exe
C:\PROGRAM FILES\PowerDesk\pddlghlp.exe
C:\PROGRAM FILES\Launchy\Launchy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\WINDOWS\system32\taskmgr.exe
C:\PROGRAM FILES\nod32\nod32krn.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\system32\svchost.exe
E:\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UPDATE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programme\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~2\TERRAT~1\THCDES~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\PROGRAM FILES\ATI Tray Tools\atitray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\PROGRAM FILES\PowerDesk\pddlghlp.exe
O4 - Startup: Launchy.lnk = C:\PROGRAM FILES\Launchy\Launchy.exe
O4 - Startup: LOGON_DUDE.lnk = C:\skripthost\LOGON_DUDE.bat
O4 - Startup: taskmgr_switch.lnk = C:\skripthost\taskmgr_switch.exe
O4 - Global Startup: Launchy.lnk = C:\PROGRAM FILES\Launchy\Launchy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~2\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://c:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~2\NEOTRA~1\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188359786337
O17 - HKLM\System\CCS\Services\Tcpip\..\{36C21F27-5E51-4A82-80B0-B5078D48D166}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{429585E5-172F-4E6B-B67E-0E2DC9A8379D}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - c:\Program Files\AVG Anti-Spyware\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: gearsec - GEAR Software - D:\WINDOWS\system32\gearsec.exe
O23 - Service: HamachiSrvAny - Unknown owner - c:\program files\hamachi\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\PROGRAM FILES\nod32\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
--
End of file - 5537 bytes
a few notes to clarify things:
-the files in 'skripthost' are my own. I use them for automation.
-I use a custom dns server.
-I also have a HJT log for safe mode if needed
-I removed (!?) the trojan after log-creation
hope someone can help me resolve this issue ;-)
cheers
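As an added triage example, not part of the original post and not code from HijackThis itself: a small Python script that applies the usual first-pass HJT review heuristics to a handful of lines copied from the log above. The sample lines are a constructed subset of that log; the heuristic names, the `expected_dns` parameter and the `trusted_suffixes` allow-list are the example's own assumptions, not something the post or the tool defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = [
    r"O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programme\FlashGet\jccatch.dll",
    r"O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL",
    r"O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe",
    r'O4 - HKCU\..\Run: [AtiTrayTools] "C:\PROGRAM FILES\ATI Tray Tools\atitray.exe"',
    r"O4 - Startup: LOGON_DUDE.lnk = C:\skripthost\LOGON_DUDE.bat",
    r"O15 - Trusted Zone: http://*.windowsupdate.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{36C21F27-5E51-4A82-80B0-B5078D48D166}: NameServer = 208.67.222.222 208.67.220.220",
    r"O23 - Service: HamachiSrvAny - Unknown owner - c:\program files\hamachi\srvany.exe",
    r"O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt (file missing)",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\PROGRAM FILES\nod32\nod32krn.exe",
]

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A command naming a module with no path at all (optionally via rundll32): Windows resolves
# it through the search path, so a same-named file that sorts earlier in that path wins.
BARE_MODULE_RE = re.compile(r"^(?:rundll32(?:\.exe)?\s+)?[\w-]+\.(?:exe|dll|cpl)\b", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(lines):
    """Yield (section, body, line) for each Rn/On entry; headers and the process list are skipped."""
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def autorun_command(body):
    """Reduce an O4 body to the command it runs: drop the hive/key prefix, the [value name] and 'x.lnk = '."""
    cmd = body.split(": ", 1)[-1]
    cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)
    cmd = re.sub(r"^[^=]*\.lnk\s*=\s*", "", cmd)
    return cmd.strip()


def triage(lines, expected_dns=frozenset(), trusted_suffixes=(".microsoft.com", ".windowsupdate.com")):
    """Apply first-pass review heuristics (hypothetical rule set) to HJT entries and return the hits."""
    findings = []
    for section, body, line in parse_entries(lines):
        if section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(section, "orphaned CLSID: registered object with no backing file", line))
        elif section == "O4":
            cmd = autorun_command(body)
            if BARE_MODULE_RE.match(cmd):
                findings.append(Finding(section, "autorun loads an unqualified module through the search path", line))
            elif cmd.lower().endswith(SCRIPT_EXT):
                findings.append(Finding(section, "autorun executes a script; review its contents", line))
        elif section == "O15":
            host = re.sub(r"^https?://", "", body.split(": ", 1)[-1]).lstrip("*.")
            if not any(host == s.lstrip(".") or host.endswith(s) for s in trusted_suffixes):
                findings.append(Finding(section, "Trusted Zone host outside the allow-list", line))
        elif section == "O17":
            unexpected = frozenset(IPV4_RE.findall(body)) - frozenset(expected_dns)
            if unexpected:
                findings.append(Finding(section, "NameServer not in the expected set: " + ", ".join(sorted(unexpected)), line))
        elif section == "O23":
            if "(file missing)" in body:
                findings.append(Finding(section, "service registered but its binary is missing", line))
            elif " - Unknown owner - " in body:
                findings.append(Finding(section, "service binary carries no publisher (Unknown owner)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Passing the DNS servers the poster says he configured on purpose as `expected_dns` silences the O17 hit and leaves the entries that still deserve a look: the two orphaned CLSIDs, the path-resolved autoruns, the startup script, and the two services with a missing binary or no publisher.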
Hey
sorry for posting again, but perhaps this helps the cause:
bluescreen msg:
STOP: 0x00000023 (0x0011012F, 0x00000705, 0x00000000, 0x00000000)
This error report doesn't change.
It (spybot) does something with my floppy drive when it happens .. the light is still on until I restart.
some things I did meanwhile:
-cleaned the registry of keys associated with 'Folder Lock', e.g. winDrvNt was in my device drivers; the .sys didn't exist anymore.
I read that Folder Lock can cause bluescreens, so now it's gone, and it didn't help...
-found nsynas32 in the driver list. Could be another copy-protection product:
http://www.file.net/process/nsynas32.sys.html