I have had two occasions in the last 12 months when I have found active viruses on the system when I do a ‘Start Antivirus’ from the blue on access button.
I do not understand how these can get into the system from outside with Avast running.
Windows XP3. Firewalled Router. Avast 4.8 Professional
I have a full scheduled scan of all HDD on the computer overnight every night.
How are they getting in undetected please? Why is the scan not highlighting them and/or quarantining/removing them?
Also, the infected files in the chest I have now deleted and yet the sessions history still shows 2 infected files. What are these and where are they?
I’m just a little concerned as to how these trojans are getting in.
Help please!
Roger
Hello dryitout
get mbam, update, do a full system scan : http://www.malwarebytes.org/mbam-download.php
post the log back.
nmb
Log file below. Avast halted the scan twice for Trojans in a restore directory, which I asked it to delete, then carried on to complete:
Malwarebytes’ Anti-Malware 1.41
Database version: 2998
Windows 5.1.2600 Service Pack 3
20/10/2009 16:28:32
mbam-log-2009-10-20 (16-28-27).txt
Scan type: Full Scan (C:\|)
Objects scanned: 193537
Time elapsed: 37 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.
Your log says "No action taken".
Scan again (quick scan) and after the scan click the button "remove selected" to quarantine anything found.
It's only leftovers of a malware. Nothing to worry about.
but do a scan of run scanner : http://www.runscanner.net/runscanner.exe
select the beginner mode
deselect the online malware analysis.
do not fix anything (you cannot fix anything if you select the beginner mode, so do not select the expert mode)
Just do a scan, post the log and run file here, or upload it to mediafire.com and give the share link here.
nmb
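The point nmb makes above, that a log entry ending in "No action taken" means MBAM only reported the item and did not remove it, is easy to miss in a long log. The following parser is an added example (it is not MBAM's or the forum's own code) for the MBAM 1.x text log layout shown in the thread: it reads the summary counts and the per-section entries, flags entries that were not quarantined, checks that each header count matches the entries actually listed (a quick way to spot a log truncated before posting), and singles out autostart (Run-key) findings such as the reader_s value. The sample log is constructed here; only the Run-key line is taken from the thread, and the "Delete on reboot" action string is assumed to be one of MBAM's removal results.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and flag findings that
were reported but not removed.  Added example; not MBAM's own code."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    section: str    # e.g. "Registry Values Infected"
    item: str       # registry value path or file path
    detection: str  # MBAM's label, e.g. "Malware.Trace"
    action: str     # what MBAM did, e.g. "No action taken"


# Constructed sample in the layout of the log posted in the thread.  The
# Run-key line is the one from the thread; the file entry is made up to show
# a removed item next to an unresolved one.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2998
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 193537
Time elapsed: 37 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.

Files Infected:
C:\WINDOWS\Temp\example_dropper.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Memory Modules Infected: 0" -> summary count; "Files Infected:" -> section header
SUMMARY_RE = re.compile(r"^(?P<name>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<name>.+ Infected):$")
# "<item> (<detection>) -> <action>."  (some copies of the log show the arrow as a Unicode glyph)
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) (?:->|\u2192) (?P<action>.+?)\.?$")
# Actions after which the item is gone (assumed set of MBAM result strings)
REMOVED_ACTIONS = ("Quarantined", "Delete on reboot")
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    """Return (summary counts by section, list of findings) from a log."""
    summary: Dict[str, int] = {}
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["name"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["name"]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["detection"], m["action"]))
    return summary, findings


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings MBAM only reported (e.g. 'No action taken'), still on the system."""
    return [f for f in findings if not f.action.startswith(REMOVED_ACTIONS)]


def autostart_entries(findings: List[Finding]) -> List[Finding]:
    """Findings under a Run/RunOnce key: they execute again at every logon."""
    return [f for f in findings if AUTOSTART_RE.search(f.item)]


def count_mismatches(summary: Dict[str, int], findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Sections whose header count disagrees with the entries listed: a sign
    the log was truncated or edited before posting.  Maps name -> (claimed, listed)."""
    listed: Dict[str, int] = {}
    for f in findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {name: (n, listed.get(name, 0)) for name, n in summary.items() if listed.get(name, 0) != n}


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    for f in unresolved(found):
        tag = "AUTOSTART " if AUTOSTART_RE.search(f.item) else ""
        print(f"{tag}UNRESOLVED [{f.section}] {f.item} ({f.detection}) -> {f.action}")
    for name, (claimed, seen) in count_mismatches(counts, found).items():
        print(f"COUNT MISMATCH {name}: header says {claimed}, log lists {seen}")
```

Run against a real log the same way (`parse_mbam_log(open(path).read())`); anything printed as UNRESOLVED is a reason to rescan and use "remove selected", and a COUNT MISMATCH means the poster should attach the full log rather than a partial copy.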
Yes I have done this.
So how have they got in?
What steps do I need to take to ensure this doesn't happen again?
I am now running this on the other two computers on the network here, both with the same basic setup and both are showing infected files as the scan progresses.
I am now getting more worried…
Rog
Sorry - crossed posts.
Run this latest software and the results are:
Runscanner logfile
- = signed file
- = file not found
General info
Computer name : 2009DC
Creation time : 20/10/2009 17:09:05
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 8.0.6001.18702
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 3
RunScanner Version : 1.9.0.9
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS
Running processes
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
- C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
- C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
C:\Program Files\Bonjour\mDNSResponder.exe (Apple Computer, Inc.)
- C:\WINDOWS\system32\BRMFRSMG.EXE (Brother Industries, Ltd.)
C:\WINDOWS\system32\Brmfrmps.exe (Brother Industries, Ltd.)
C:\WINDOWS\system32\brss01a.exe (brother Industries Ltd)
C:\WINDOWS\system32\brsvc01a.exe (brother Industries Ltd)
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc.)
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe (ATI Technologies Inc.)
- C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
- C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
C:\Program Files\D4\D4.exe (Thinking Man Software)
C:\Program Files\D4\D4.exe (Thinking Man Software)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
- C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
- C:\Program Files\LivePerson\hc.exe
- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
- C:\Program Files\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)
- C:\Plus18\Myobplus.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Trusteer Ltd.)
- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (Trusteer Ltd.)
- C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
- C:\WINDOWS\system32\mstsc.exe (Microsoft Corporation)
- C:\Documents and Settings\Roger Banks\Local Settings\Temporary Internet Files\Content.IE5\A3M9EWEI\runscanner[1].exe (Runscanner.net)
- C:\WINDOWS\system32\services.exe (Microsoft Corporation)
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe (Scansoft, Inc.)
- C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
- C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
- C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
- c:\windows\System32\smss.exe (Microsoft Corporation)
Unrated items
002 * C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
002 C:\Program Files\D4\D4.exe (Thinking Man Software)
002 C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
002 C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
002 C:\Program Files\Scansoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
002 C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
002 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
003 * C:\Program Files\CCleaner\CCleaner.exe (Piriform Ltd)
004 C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE (Adobe Systems, Inc.)
004 * C:\PROGRA~1\LIVEPE~1\hc.exe
004 C:\PROGRA~1\OPENOF~1.ORG\program\QUICKS~1.EXE
005 C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\AcroTray.exe (Adobe Systems Inc.)
005 C:\PROGRA~1\Scansoft\PAPERP~1\SmartUI\SmartUI.exe (Scansoft, Inc.)
010 C:\Program Files\Bonjour\mDNSResponder.exe (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##)
010 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe LM Service)
010 C:\WINDOWS\system32\ati2sgag.exe (ATI Smart)
010 * C:\Program Files\Alwil Software\Avast4\ashServ.exe (avast! Antivirus)
010 * C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (avast! iAVS4 Control Service)
010 * C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (avast! Mail Scanner)
010 * C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (avast! Web Scanner)
010 C:\WINDOWS\system32\Brmfrmps.exe (Brother Popup Suspend service for Resource manager)
010 C:\WINDOWS\system32\brsvc01a.exe (BrSplService)
010 C:\Program Files\D4\D4.exe (Dimension4)
010 C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (FLEXnet Licensing Service)
010 * C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (getPlus(R) Installer)
010 C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (InstallDriver Table Manager)
010 * c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Licensing V2)
010 * C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (Rapport Management Service)
011 * C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys (aswFsBlk)
011 * C:\WINDOWS\system32\drivers\aswRdr.sys (aswRdr)
011 * C:\WINDOWS\system32\drivers\Aavmker4.sys (avast! Asynchronous Virus Monitor)
011 * C:\WINDOWS\system32\drivers\aswTdi.sys (avast! Network Shield Support)
011 * C:\WINDOWS\system32\drivers\aswSP.sys (avast! Self Protection)
011 * C:\WINDOWS\system32\drivers\aswMon2.sys (avast! Standard Shield Support)
011 C:\WINDOWS\System32\Drivers\maximio.sys (MaxIm Port I/O)
011 * C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys (RapportKELL)
011 * C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG)
031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF42-A96B-11d1-9C6B-0000F875AC61}
031 C:\PROGRA~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation) {E1D2BF40-A96B-11d1-9C6B-0000F875AC61}
052 C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) {E7E6F031-17CE-4C07-BC86-EABFE594F69C}
061 * C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
061 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll (Advanced Micro Devices, Inc.) {5E2121EE-0300-11D4-8D3B-444553540000}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {DE902992-61FC-4A01-8091-53E1895C9775}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {F9633464-9E18-4C06-9D3A-E131C036A9FA}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {7DDDBFE0-09C4-4680-9E13-8CE7D00EDE57}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {1462EBAA-96E7-4D93-9A66-0E4068DE4FCF}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {DE902994-61FC-4A01-8091-53E1895C9775}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {7DDDBFE2-09C4-4680-9E13-8CE7D00EDE57}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {1462EBAC-96E7-4D93-9A66-0E4068DE4FCF}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {DE902993-61FC-4A01-8091-53E1895C9775}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {F9633465-9E18-4C06-9D3A-E131C036A9FA}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {7DDDBFE1-09C4-4680-9E13-8CE7D00EDE57}
061 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {1462EBAB-96E7-4D93-9A66-0E4068DE4FCF}
061 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
061 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) {087B3AE3-E237-4467-B8DB-5A38AB959AC9}
061 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) {63542C48-9552-494A-84F7-73AA6A7C99C1}
061 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) {3B092F0C-7696-40E3-A80F-68D74DA84210}
062 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}
062 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) {8EF5DC20-419C-4E43-A088-DE5B5625CA47}
069 C:\WINDOWS\system32\pdfports.dll (Adobe Systems Incorporated.)
100 ShellNext HKCU : http://windowsupdate.microsoft.com/
104 * C:\WINDOWS\Downloaded Program Files\PhotoUploader55.ocx (The Facebook) {8100D56A-5661-482C-BEE8-AFECE305D968}
104 * C:\WINDOWS\Downloaded Program Files\EPUWALcontrol.dll (eBay, Inc.) {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB}
104 GUID / CLSID not found {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
105 Google Sidewiki… : res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_803138DCE93649E4.dll/cmsidewiki.html
107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
136 * C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
170 {5b30a142-7d21-11de-95e8-806d6172696f} : D:\SkyAtNight_Win.exe
173 * C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
221 * C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
223 * C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
225 * C:\Program Files\Alwil Software\Avast4\ashShell.dll (ALWIL Software) {472083B0-C522-11CF-8763-00608CC02F24}
225 * C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
225 * C:\Program Files\Malwarebytes’ Anti-Malware\mbamext.dll (Malwarebytes Corporation) {57CE581A-0CB6-4266-9CA0-19364C90A0B3}
229 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll (Advanced Micro Devices, Inc.) {5E2121EE-0300-11D4-8D3B-444553540000}
231 * c:\Program Files\Common Files\Corel\Shared\Shell Extension\ShellXP.dll (Corel Corporation) CDR Column Info
231 C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll (Sun Microsystems, Inc.) OpenOffice.org Column Handler
Missing files
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll
Post the log using additional options > attach.
This is a new analysis tool, so let me try.
nmb
Here you go…
I've got to take a closer look into the drivers folder.
- upload these files to virustotal.com and give the link:
C:\Plus18\Myobplus.exe
- post a HijackThis log: http://www.filehippo.com/download_hijackthis/download/8571e06e5eb8ab03c649f3b5d647c599/
Post using additional options.
nmb
I couldn't find anything fishy in the RunScanner log, but upload the file which I indicated in my previous post. Let's see.
And you said there were two files in the chest. Can you tell in which folder they were found? Something like: [drive:][folder-name][file-name.xxxx]
nmb
@dryitout
I see C:\Program Files\Adobe\Acrobat 5.0 which is very vulnerable to attack.
Go to Add/Remove Programs and un-install Adobe Reader.
Use Cool PDF Reader:
http://www.pdf2exe.com/reader.html
This gets more interesting.
I ran Malwarebytes on another computer. It pulled up about 8 infected files. I deleted these.
All of a sudden Windows warns of finding spyware and I cannot delete it; every time I remove it to the chest or delete it, it keeps repeating.
I have had to do a system restore to recover to pre-Mals to stop this happening.
Is Mals BRINGING IN spyware…??
Malware can really screw with one's computer.
I tend to use Malwarebytes and SuperAntiSpyware, both free.
Update them, then delete any restore points (because viruses hide there and cannot be removed by Avast).
Start in safe mode, scan the computer with those two programs, then run a boot-time scan.
That never fails for me, but it will take a long time.
No single AV will detect or prevent all malware from getting on a system. That is why you should use other security scanners periodically. Sometimes it's a persistent browser hijacker, and usually malware will hide in System Restore. Malwarebytes, SuperAntiSpyware, and A-squared are what I use as scanners every two weeks or so. I would use a 3rd-party browser instead of IE, because most malware is targeting IE. You might also look into learning about and using Sandboxie, Returnil and disk imaging.