another Newbie in need!
Hey Folks
Can anyone help me with this? When I start Avast! and it does its test of memory and startup, it detects a trojan in c:\windows\system32:arotmmk.dll. If I try to send it to the chest or repair it, I get a message saying it can't be accessed 'cause it's being used by another process. When I search for that file I can't find it anywhere. Housecall, Solo, and Stinger don't seem to think there's any virus in Windows. Any ideas?
Thanx
What name of virus does avast report, exactly?
And can you see the file c:\windows\system32\arotmmk.dll in Explorer?
It's listed as Win32:Trojan-gen. (other). Can't find the file in Explorer, and no mention of anything like it on Google.
thnx
Look at this thread, it may have an answer; it's all about that trojan.
http://www.avast.com/forum/index.php?board=4;action=display;threadid=1856
2 pages to read
Here's the HijackThis log. I can see a couple of references to that arotmmk.dll. Anything else look suspicious? If so... now what?
thanx
Logfile of HijackThis v1.97.7
Scan saved at 7:49:04 AM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\SoundMan.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\Alwil Software\Avast4\ashmaisv.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PestPatrol\PPMemCheck.exe
C:\PROGRA~1\PestPatrol\CookiePatrol.exe
C:\PROGRA~1\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\EasyKey\EasyKey.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\John Larkin\Desktop\maintenence\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashEnhcd.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacificcoast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.pacificcoast.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pacificcoast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pacificcoast.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Welcome to Pacific Coast Net Inc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {74E463BC-29D9-4FC2-8DA1-70352605907C} - C:\WINDOWS\system32\mndikqw.dll
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll
O4 - HKLM..\Run: [arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - HKLM..\Run: [CountrySelection] pctptt.exe
O4 - HKLM..\Run: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [jwyrmf] “C:\WINDOWS\System32\jwyrmf.exe”
O4 - HKLM..\Run: [bbeslkg] “C:\WINDOWS\System32\bbeslkg.exe”
O4 - HKLM..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\Alwil Software\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM..\Run: [PPMemCheck] C:\PROGRA~1\PestPatrol\PPMemCheck.exe
O4 - HKLM..\Run: [CookiePatrol] C:\PROGRA~1\PestPatrol\CookiePatrol.exe
O4 - HKLM..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKLM..\RunServices: [MS Security Hotfix] spoolsrv32.exe
O4 - HKLM..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min
O4 - HKCU..\Run: [PopUpStopperFreeEdition] “C:\PROGRA~1\Panicware\Pop-Up Stopper Free Edition\PSFree.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM..\RunOnce: [*arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - Global Startup: Easykey.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Agobots on the run, and housecall did not find them?
Let HijackThis fix this:
O2 - BHO: (no name) - {74E463BC-29D9-4FC2-8DA1-70352605907C} - C:\WINDOWS\system32\mndikqw.dll
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O4 - HKLM..\Run: [arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - HKLM..\Run: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKLM..\Run: [jwyrmf] “C:\WINDOWS\System32\jwyrmf.exe”
O4 - HKLM..\Run: [bbeslkg] “C:\WINDOWS\System32\bbeslkg.exe”
O4 - HKLM..\Run: [autoupd] C:\WINDOWS\autoupd\autoupd.exe
O4 - HKLM..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM..\RunOnce: [*arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - HKLM..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKLM..\RunServices: [MS Security Hotfix] spoolsrv32.exe
O4 - HKLM..\RunServices: [Configuration Loading] svchos1.exe
Please post a new log after restart. Didn't avast find any of this malware?
BTW: Please update your Windows via www.windowsupdate.com
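The entries picked out above can be singled out mechanically, and the log itself shows why the original poster could not find the file: `C:\WINDOWS\System32:arotmmk.dll` is NTFS alternate-data-stream syntax (a stream named arotmmk.dll attached to the System32 directory), and Explorer and the file search of that era do not list streams. The other picks are bare file names that imitate core Windows processes (svchos1.exe for svchost.exe, spoolsrv32.exe for spoolsv.exe, explorer32.exe for explorer.exe). The following script is an added example written for this thread, not HijackThis code or anything from the forum; it parses O4 lines in the HijackThis format shown above and flags both patterns. The sample log lines are copied from the posted log, and the core-process list and the edit-distance threshold are choices made here.

```python
r"""Flag suspicious O4 (autorun) entries in a HijackThis log.

Added example; not HijackThis code. Two heuristics, both drawn from the
log posted in this thread:
  * the launch target is an NTFS alternate data stream written as
    drive:\path:streamname (C:\WINDOWS\System32:arotmmk.dll is a stream
    attached to the System32 directory, which Explorer never lists);
  * a file name that is a near-duplicate of a core Windows process name
    (svchos1.exe vs svchost.exe, spoolsrv32.exe vs spoolsv.exe).
"""
import re

# Constructed sample: a handful of O4 lines copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - HKLM..\Run: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM..\RunServices: [MS Security Hotfix] spoolsrv32.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\RunOnce: [*arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - Global Startup: Easykey.lnk = ?
"""

# Core Windows processes that malware commonly names itself after (chosen here).
CORE_PROCESSES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "explorer.exe")

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+", re.IGNORECASE)
# Forum software often turns straight quotes into curly ones; accept both.
QUOTED_RE = re.compile(r'^["\u201c\u201d]([^"\u201c\u201d]+)["\u201c\u201d]')
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|dll))(?=\s|$)", re.IGNORECASE)
# Drive letter, a path with no further colon, then a colon and a stream name.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^:\\]+$")


def launch_target(cmd):
    """Return the file an O4 command line actually loads."""
    cmd = cmd.strip()
    m = RUNDLL_RE.match(cmd)
    if m:
        # rundll32 <dll>,<export> <args>: the DLL path runs up to the comma.
        return cmd[m.end():].split(",", 1)[0].strip()
    m = QUOTED_RE.match(cmd)
    if m:
        return m.group(1)
    m = EXE_RE.match(cmd)  # unquoted path, possibly with spaces, then arguments
    if m:
        return m.group(1)
    return cmd.split(None, 1)[0] if cmd else ""


def is_alternate_data_stream(path):
    return bool(ADS_RE.match(path))


def edit_distance(a, b):
    """Levenshtein distance; small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(filename):
    # Lowercase, drop the extension, drop digits: "svchos1.exe" -> "svchos".
    return re.sub(r"\d+", "", filename.lower().rsplit(".", 1)[0])


def lookalike_of(target):
    """Core process name the target imitates, or None if exact or unrelated."""
    basename = target.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in CORE_PROCESSES:
        return None
    for core in CORE_PROCESSES:
        if edit_distance(_stem(basename), _stem(core)) <= 1:
            return core
    return None


def suspicious_autoruns(log_text):
    """Return (entry name, launch target, reasons) for each O4 line worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        target = launch_target(m.group("cmd"))
        reasons = []
        if is_alternate_data_stream(target):
            reasons.append("launch target is an NTFS alternate data stream")
        core = lookalike_of(target)
        if core:
            reasons.append(f"file name mimics core process {core}")
        if reasons:
            findings.append((m.group("name"), target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in suspicious_autoruns(SAMPLE_LOG):
        print(f"[{name}] {target}\n    " + "; ".join(reasons))
```

The lookalike check compares digit-stripped name stems so that explorer32.exe and svchos1.exe both land within one edit of their genuine counterparts, while an ordinary vendor helper such as sm56hlpr.exe does not. The alternate-data-stream hit also explains the "being used by another process" message: the stream is mapped by rundll32 at logon, so it can only be removed once the Run and RunOnce entries are gone and the machine has been restarted, which is exactly the HijackThis-then-reboot sequence recommended above.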
Agobots on the run, and housecall did not find them?
I have alerted Trend. I got a quick reply by email saying this will be fixed shortly. It's a problem in HouseCall, but PC-cillin finds them. This will be fixed by early next week.
Can't seem to fix/delete those two damned arotmmk things... arrrgh!!!
Logfile of HijackThis v1.97.7
Scan saved at 8:34:50 AM, on 12/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\SoundMan.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\Alwil Software\Avast4\ashmaisv.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PestPatrol\PPMemCheck.exe
C:\PROGRA~1\PestPatrol\CookiePatrol.exe
C:\PROGRA~1\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\EasyKey\EasyKey.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\ashEnhcd.exe
C:\Documents and Settings\John Larkin\Desktop\maintenence\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\John Larkin\Desktop\maintenence\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pacificcoast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.pacificcoast.net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pacificcoast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pacificcoast.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Welcome to Pacific Coast Net Inc
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\Program Files\Zipclix\zipclix.dll
O4 - HKLM..\Run: [CountrySelection] pctptt.exe
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [SiSSoundMan] C:\WINDOWS\System32\SoundMan.exe
O4 - HKLM..\Run: [SiSSetCDfmt] C:\WINDOWS\System32\SetCDfmt.exe
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\Alwil Software\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM..\Run: [PPMemCheck] C:\PROGRA~1\PestPatrol\PPMemCheck.exe
O4 - HKLM..\Run: [CookiePatrol] C:\PROGRA~1\PestPatrol\CookiePatrol.exe
O4 - HKLM..\Run: [arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - HKCU..\Run: [Internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min
O4 - HKCU..\Run: [PopUpStopperFreeEdition] “C:\PROGRA~1\Panicware\Pop-Up Stopper Free Edition\PSFree.exe”
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM..\RunOnce: [*arotmmk] rundll32 C:\WINDOWS\System32:arotmmk.dll,Init 1
O4 - Global Startup: Easykey.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d2c89f68a1bb5a/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Try it again in Windows Safe Mode, and move or delete the arotmmk.dll and svchos1.exe, too.
Raman & MacLover2000
I owe you guys a beer ( but I guess I’ll have to drink it myself)
Thanks a lot