referring to: http://forums.spybot.info/showthread.php?t=28428
First I'd like to mention another 'bug' I found today:
Trojan.Downloader-25540 (Clamwin)
Win32/TrojanDownloader.Agent.KHJ (nod32)
file: D:\WINDOWS\system32\dmsvct.dll
I didn't detect it earlier because I never looked at the nod32 logfile and nod32 was running in silent mode :bigthumb:
Scanning was done in safe mode, as was removal of the file. However, this didn't do anything about my bluescreen problem .. I'm getting seriously annoyed.
clamwin log (I feel uncomfortable with online scanners, so I used this):
D:\WINDOWS\system32\dmsvct.dll: Trojan.Downloader-25540 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 294742
Engine version: 0.93
Scanned directories: 7514
Scanned files: 43435
Infected files: 1
Data scanned: 8656.82 MB
Time: 9325.369 sec (155 m 25 s)
--------------------------------------
Completed
here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:46, on 24.05.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\rundll32.exe
C:\PROGRAM FILES\ATI Tray Tools\atitray.exe
C:\PROGRAM FILES\PowerDesk\pddlghlp.exe
C:\PROGRAM FILES\Launchy\Launchy.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
D:\WINDOWS\system32\taskmgr.exe
C:\PROGRAM FILES\nod32\nod32krn.exe
D:\Program Files\UPHClean\uphclean.exe
D:\WINDOWS\system32\svchost.exe
E:\downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = UPDATE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programme\FlashGet\jccatch.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programme\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~2\TERRAT~1\THCDES~1.DLL
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\PROGRAM FILES\ATI Tray Tools\atitray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Dialog Helper.lnk = C:\PROGRAM FILES\PowerDesk\pddlghlp.exe
O4 - Startup: Launchy.lnk = C:\PROGRAM FILES\Launchy\Launchy.exe
O4 - Startup: LOGON_DUDE.lnk = C:\skripthost\LOGON_DUDE.bat
O4 - Startup: taskmgr_switch.lnk = C:\skripthost\taskmgr_switch.exe
O4 - Global Startup: Launchy.lnk = C:\PROGRAM FILES\Launchy\Launchy.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download All with FlashGet - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~2\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\Office\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &Xdrive - res://c:\Program Files\Xdrive\Xdrive Desktop\xdrive.exe/std.html
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~2\NEOTRA~1\NTXtoolbar.htm (HKCU)
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1188359786337
O17 - HKLM\System\CCS\Services\Tcpip\..\{36C21F27-5E51-4A82-80B0-B5078D48D166}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{429585E5-172F-4E6B-B67E-0E2DC9A8379D}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - c:\Program Files\AVG Anti-Spyware\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: gearsec - GEAR Software - D:\WINDOWS\system32\gearsec.exe
O23 - Service: HamachiSrvAny - Unknown owner - c:\program files\hamachi\srvany.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\PROGRAM FILES\nod32\nod32krn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - D:\Program Files\WinPcap\rpcapd.exe
--
End of file - 5537 bytes
a few notes to clarify things:
-the files in 'skripthost' are my own. I use them for automation.
-I use a custom DNS server.
-I also have an HJT log for safe mode if needed.
-I removed (!?) the trojan after log creation.
hope someone can help me resolve this issue ;-)
cheers
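As an added example (not from the original post or from the HijackThis project), here is a small triage script for a log like the one above: it parses the HJT entry lines, lists orphaned entries that still reference files which no longer exist ("(no file)" / "(file missing)"), and collects the DNS servers configured in the O17 lines so they can be checked against what the owner actually set. The sample lines are constructed from the log above.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{36C21F27-5E51-4A82-80B0-B5078D48D166}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{429585E5-172F-4E6B-B67E-0E2DC9A8379D}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\PROGRAM FILES\nod32\nod32krn.exe
"""

# Every HJT finding starts with a section tag (R0, R1, F1, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (section, body) tuples for each HJT entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_orphans(entries):
    """Entries whose target file is gone: leftover BHO/toolbar/service registrations.

    These are usually harmless remnants of uninstalled software, but they are
    also what a removed malware component leaves behind, so they are worth listing.
    """
    return [e for e in entries
            if e[1].endswith("(no file)") or e[1].endswith("(file missing)")]


def name_servers(entries):
    """Collect DNS servers from O17 lines (HJT shows them space- or comma-separated)."""
    servers = set()
    for section, body in entries:
        if section == "O17" and "NameServer =" in body:
            value = body.split("NameServer =", 1)[1]
            servers.update(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", value))
    return sorted(servers)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for section, body in find_orphans(found):
        print(f"orphaned {section}: {body}")
    print("DNS servers:", ", ".join(name_servers(found)))
```

Any O17 address the machine's owner does not recognise is the entry to investigate first, since a changed NameServer is a classic sign of a DNS-hijacking downloader.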
Hey
sorry for posting again, but perhaps this helps the cause:
bluescreen msg:
STOP: 0x00000023 (0x0011012F, 0x00000705, 0x00000000, 0x00000000)
this error report doesn't change.
It (spybot) does something with my floppy drive when it happens .. the light stays on until I restart.
some things I did meanwhile:
-cleaned the registry of keys associated with 'folder lock', e.g. winDrvNt was in my device drivers but the .sys didn't exist anymore.
I read that folderlock can cause bluescreens, so now it's gone, and it didn't help...
-found nsynas32 in the driver list. Could be another copy-protection product:
http://www.file.net/process/nsynas32.sys.html