Trojan not detected until I opened the actual folder in Explorer

Hi,
New on the forum, having used Avast a year now, I discovered something strange today:

I scanned the full disk with Avast Home (thorough scan) and didn’t detect anything. After that, I used Symantec’s online tool and detected w32.beagle.eb.

Now, I opened the folder where the Trojan “lived” and… Avast reacted with a warning on the opening of the folder :o

Any idea why Avast didn’t detect the Trojan in the thorough scan and still reacted when the folder was opened in Windows Explorer?

Thanks,

Andrew

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

What was the malware name given by avast, also in the above details ?

What is the sensitivity of the Standard Shield, Normal is the default.

There is every likelihood that it may be a newly added signature.

Thanks for your response :slight_smile:

File names:
C:\windows\system32\wintems.exe
C:\windows\exefnd\294378774.exe and two similar with other numbers in the file name.

The Avast name of the threat: Win32:Trojan-gen {other} (found in the files mentioned above). The Symantec tool named it w32.beagle.eb

The sensitivity of the Standard Shield is set to High.

That’s probably part of the infection. I you want to go on, please run the following programs in order posted and attach the logs.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[]Please, never rename Combofix unless instructed.
[
]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[
]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

  1. they certainly look like good detections, google the wintems.exe and you will get many hits, this is just one http://www.processlibrary.com/directory/files/wintems/. Some also mention the other file name style you gave and wintems.exe is also detected as beagle and another trojan name. Some more info on wintems.exe http://www.prevx.com/filenames/X24391788074978555-X1/WINTEMS.EXE.html

There is no standard naming convention, so there are often aliases, though I’m surprised avast didn’t name it beagle as it has a number of beagle/bagle signatures already.

  1. avast has been improving beagle detections recently and many new signatures are being continually added to the VPS.

  2. I think had you not had the had the sensitivity on High it might not have alerted until accessed or tried to open the file. I can only assume that there was a new/modified signature after the thorough scan or the files might not have been scanned. Was there a list of files unable to be scanned after the thorough scan ?

I don’t like mysteries either and beagle can be a bit of a pig and there might be other elements, so oldman’s additional scan is very advisable.

Thank you so much, DavidR and oldman, for your help! I’m amazed by the time and energy you put into assisting us in our fight :wink:

I attached the ComboFix log because of the size.

This is the HijackThis log:

`btrez
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:27:21, on 23.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Eazy-Ware\ezSched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Ericsson\COMMUN~1\MOBILE~1\DbgOut.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/no/nor/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/no/nor/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [DLPSP] “c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE”
O4 - HKLM..\Run: [mssSort] C:\Program Files\Maxtor\Maxtor Quick Start\msssort.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Acronis Scheduler2 Service] “C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe”
O4 - HKLM..\Run: [trueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM..\Run: [EazyScheduler] C:\Program Files\Eazy-Ware\ezSched.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/13dd754286f211ddfb20/netzip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: MySql - Unknown owner - c:\eZpublish\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: TabletService - Unknown owner - C:\WINDOWS\system32\Tablet.exe (file missing)
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe


End of file - 8344 bytes
`

Hi, combofix nabbed one more file associated with beagle. It was the file responsible for the lists of sites to contact.

DavidR had a question

3. I think had you not had the had the sensitivity on High it might not have alerted until accessed or tried to open the file. I can only assume that there was a new/modified signature after the thorough scan or the files might not have been scanned. Was there a list of files unable to be scanned after the thorough scan ?

I also am curious.

The online scan detected C:\windows\system32\wintems.exe and avast detected the others? Or did avast detect them all?

What happened to the folder, did you delete it as it doesn’t show up in the combofix log.

I’d don’t see anything else in the log.

In HJT there is a 015 line, it is associated with Warner Brothers

http://www.timewarner.com/corp/newsroom/pr/0,20812,845389,00.html

It’s in the trusted zone,did you put it there?

One question regarding combofix. Did you follow the instructions as far as disabling your security programs? I got some strange timeouts that I’m looking into.

Thanks

Hi again,

Your questions:

Was there a list of files unable to be scanned after the thorough scan ?

No, not as far as I can see. However, three weeks ago I had a number of warnings that I didn’t notice until two days ago, when I checked the log. They all started with: AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI] and ended with returning error, 0000A413. What is that?

The online scan detected C:\windows\system32\wintems.exe and avast detected the others? Or did avast detect them all?

Both the online scan and Avast detected all, but Avast didn’t detect them until I opened the folders where they resided, based on the info from the online scan. And, yes, I deleted the exefnd folder.

The 015 line in HJT is OK - I put it in some sort of trusted zone a long time ago; I actually have forgot about it and what program’s zone I put it into :-[

One question regarding combofix. Did you follow the instructions as far as disabling your security programs?

Yes, I stopped Avast, which is the only “online” security I use apart from Win XP and my router firewalls.

For the timeouts - are they strange in general or have you seen them before?

Thank you for your help :slight_smile:

As far as I know it’s a warning from webhield, it couldn’t scan a file. Could you go to this folder

C:\program files\alwil software\avast4\data\logs

in the right hand panel, locate the warning log. Open it with notepad and post the complete error message here?

When you opened the folder you “accessed” the files, the on access scanner caught them. You would have thought the on demand would have picked them up also. What settings are you using for on demand scanning?

Your’s was the first one I got the timeout message in a log, though I’ve had one more since. Still checking.

You should really have an antispyware or two. Superantispyware (free version) makes a good on demand scanner. A trip to the General Discusion forum will give you some leads on a resident scanner.

We’ll clean up the tools you used.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Click the download button on the right.

If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u5-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

  • If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0