mazorra
2009-09-01, 12:43
Hi all,
First of all, I'm running Windows XP Pro SP2 on a Pentium 4 and, as referred to, I have Avira's AntiVir, the free edition, installed. I don't have any other protection (I should probably work on that; I'm thinking about getting Comodo's firewall). Yesterday morning an update for the Java virtual machine popped up and I accepted it, and since then AntiVir keeps sending infection messages, most of them on start-up, saying:
C:\WINDOWS\system32\ms32clod.exe
Is the TR/Spy.Agent.azob.2 Trojan
I have been denying access every time. I've successfully deleted all the files in the C:\Archivos de Programa\Java folder (yeah, it's in Spanish :S, it just means Program Files) using Unlocker to get access to them. I also tried deleting the ms32clod.dll file, but when I rebooted it was back. It is just a guess, but I think at least explorer.exe, taskmgr.exe, firefox.exe and Belkinwcui.exe (the process of my WiFi module) have already been infected. I say so because AntiVir pops up a message every time I start any of these processes. I tried entering safe mode but it doesn't seem to be available; I even powered down my computer while it was running to force safe mode, but it didn't work.
Apart from that, I had been having many problems with several messenger programs (Windows Live Messenger, MSN Messenger 7, even Windows Messenger); they would crash directly after logging in, but I don't think that has much to do with this current problem...
I was recommended to scan my computer with RootRepeal, but I don't get much of what it says in the report. I can see that there is activity from unknown sources in the registry keys, but I don't know what to do about it. I'm posting the report in case it is of any help.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 23:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD67000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D69000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
Status: -
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f5c246
#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7f5c23c
#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7f5c24b
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7f5c255
#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7f5c25a
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f5c228
#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7f5c22d
#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7f5c264
#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7f5c25f
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7f5c250
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7f5c237
==EOF==
Thanks in advance for your attention and I hope I can learn something from this experience.
EDIT: I downloaded HijackThis, did the scan and saved the report, and here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:56:15, on 01/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Belkin\F5D9050\Belkinwcui.exe
C:\Archivos de programa\Unlocker\UnlockerAssistant.exe
C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mazawer\Escritorio\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Archivos de programa\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Archivos de programa\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1247066789670
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D5B743-C14B-4512-85EF-268E45F6F797}: NameServer = 62.14.2.1,62.151.2.8
O20 - AppInit_DLLs: ms32clod.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Archivos de programa\Java\jre6\bin\jqs.exe (file missing)
--
End of file - 3392 bytes
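The two reports in the post lend themselves to a small triage script. The Python below is an added example, not part of the original post and not code from RootRepeal or HijackThis. It parses the driver list and SSDT section of the RootRepeal output and the O20/O23 lines of the HijackThis log (the sample text is copied from the post, trimmed to a few entries), checks whether each SSDT hook address falls inside any driver image the scanner listed, measures how tightly the hook addresses cluster, and pulls out the AppInit_DLLs entry. The finding names, the clustering heuristic and the flagging rules are this example's own assumptions, not output of either tool.

```python
# Triage of the RootRepeal and HijackThis excerpts in the post above.
# Added example: not from the post or from either tool. Sample text is copied
# from the posted reports (trimmed); finding names and heuristics are assumptions.
import re

# Copied from the posted RootRepeal report, trimmed to three drivers and four hooks.
ROOTREPEAL_SAMPLE = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD67000 Size: 98304 File Visible: No Signed: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D69000 Size: 8192 File Visible: No Signed: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f5c246
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f5c228
#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7f5c250
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7f5c237
"""
# Copied from the posted HijackThis log (the O4 line is kept as a benign control).
HIJACKTHIS_SAMPLE = r"""O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: ms32clod.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Archivos de programa\Java\jre6\bin\jqs.exe (file missing)
"""

DRIVER_RE = re.compile(r"^Name: (?P<name>\S+)\s*\n(?:Image Path: .*\n)?"
                       r"Address: (?P<base>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)", re.M)
HOOK_RE = re.compile(r'^#: \d+ Function Name: (?P<func>\w+)\s*\n'
                     r'Status: Hooked by "(?P<owner>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)', re.M)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$", re.M)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$", re.M)


def parse_drivers(report):
    """[(name, base, end)] for each driver image RootRepeal listed."""
    out = []
    for m in DRIVER_RE.finditer(report):
        base = int(m["base"], 16)
        out.append((m["name"], base, base + int(m["size"])))
    return out


def parse_hooks(report):
    """[(function, reported owner, hook address)] for each hooked SSDT slot."""
    return [(m["func"], m["owner"], int(m["addr"], 16)) for m in HOOK_RE.finditer(report)]


def attribute_hooks(drivers, hooks):
    """Map each hooked function to the listed driver whose image range contains the
    hook address, or None. A hook that lands in no listed image means the hooking
    module is hidden from (or not enumerated by) the scanner."""
    return {func: next((n for n, b, e in drivers if b <= addr < e), None)
            for func, _owner, addr in hooks}


def hook_address_span(hooks):
    """Bytes between the lowest and highest hook address. Heuristic (assumption):
    several hooks packed into a few dozen bytes point to one stub table in one module."""
    addrs = [a for _, _, a in hooks]
    return max(addrs) - min(addrs) if addrs else 0


def triage_hijackthis(log):
    """Flag HijackThis lines worth a second look. AppInit_DLLs (O20) entries are
    loaded by user32.dll into every process that links it, so one DLL there is
    enough to trigger alerts in explorer.exe, taskmgr.exe and firefox.exe alike."""
    findings = [("appinit_dll", dll) for m in O20_RE.finditer(log)
                for dll in re.split(r"[,\s]+", m["dlls"].strip()) if dll]
    for m in O23_RE.finditer(log):
        if "(file missing)" in m["path"]:
            findings.append(("service_file_missing", m["svc"]))
        elif m["owner"] == "Unknown owner":  # no publisher in the version resource
            findings.append(("service_unknown_owner", m["svc"]))
    return findings


def triage(rootrepeal_report, hijackthis_log):
    drivers, hooks = parse_drivers(rootrepeal_report), parse_hooks(rootrepeal_report)
    return {
        "unattributed_hooks": sorted(f for f, img in attribute_hooks(drivers, hooks).items()
                                     if img is None),
        "hook_span_bytes": hook_address_span(hooks),
        "hijackthis": triage_hijackthis(hijackthis_log),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(ROOTREPEAL_SAMPLE, HIJACKTHIS_SAMPLE))
```

Run as a script, it prints the triage dict. On the sample every hook is unattributed: the highest listed image, dump_WMILIB.SYS, ends at 0xF7D6B000, well below 0xF7F5C000, so whatever owns those hooks is not in the driver list. Fed the full eleven-hook list from the post, the span comes out at 60 bytes (0xf7f5c264 - 0xf7f5c228), consistent with a single dispatch table in one module.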