Win32:Adloader-AC [Trj] Infection

Scanning with the Avast BART CD reports an infection of the pagefile.sys memory with Win32:Adloader-AC [Trj] on our systems.

Formatting the whole disk and reinstalling everything, no matter whether it is a Win7 or Windows XP system, does not make sure that the infection is eliminated.
Building up a connection to the internet, maybe for a Windows update, and also installing software from a bootable medium like a USB stick could be a possible trigger to reinject the trojan on a system.

If anyone knows more about this Trojan, feel free to tell us!

Especially:

  1. How does this Trojan spread itself on a medium?

  2. Is it possible to remove this Adloader without killing the whole system or disabling the pagefile.sys?

Greetz

2. Is it possible to remove this Adloader without killing the whole system or disabling the pagefile.sys?
Have you tried Malwarebytes? www.malwarebytes.org

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always run the update before you scan so you have the latest database.
Click the "remove selected" button to quarantine anything found.
You may post the scan log here.

Hi
I'm new here, so sorry for barging in.
Is it allowed to ask for HJT logs, MBAM logs and so on?
Regards

Generally you would be asked to provide them if required. First you should start by creating a topic of your own in the viruses and worms forum and explain the problem and you would be advised on a course of action. If that includes MBAM and HJT scans we would ask for the logs to be attached to the posts.

HJT has become much deprecated, as there are many malware infections capable of hiding from HJT; plus, since they were bought by TrendMicro, development has virtually ceased. However, they have recently released version 2.0.0.4, but that is a very small .002 update.

Consider that this could possibly be a false alarm! Pagefile.sys is Windows' "Auslagerungsdatei" (page file). Just delete it under BartPE or a Linux live CD and restart the PC. Windows will create a new pagefile.sys. Recheck the hard disk with the Avast boot CD and see if Avast still reports the malware.

Thanks for the info ;D
I only ask for logs to help other users; this isn't allowed in a few forums, and in others: no problem.
Thanks again
Sarakael

No problem, glad I could help.

Welcome to the forums.

If you format the whole system or delete the pagefile.sys and run the system for a couple of hours, you may have it again…

Malwarebytes does not want to complete the scan; the system crashed before! (There were defective sectors on the HD.) ;D :wink:

Greetz

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Optimization Client\bmctl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Zarafa\Zarafa Outlook Client 6\zarafa-offline.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.r2protec.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Infuzer] C:\Program Files\Trondent Development Corp\Infuzer\Infuzer.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: TrueCrypt - Start.lnk = C:\Programme\TrueCrypt\TrueCrypt.exe
O4 - Global Startup: Gyldendals Røde Ordbøger.lnk = C:\Program Files\TEXTware\Illuminator 2\Illview02.exe
O4 - Global Startup: Infuzer.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O13 - Gopher Prefix:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://strategi.webex.com/client/T27L/webex/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCBBAE1-D704-4BE1-9CCE-A82EC96F4ADD}: Domain = r2p.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFCBBAE1-D704-4BE1-9CCE-A82EC96F4ADD}: NameServer = 10.127.60.1
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: ShrewSoft DNS Proxy Daemon (dtpd) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\dtpd.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: ShrewSoft IKE Daemon (iked) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\iked.exe
O23 - Service: ShrewSoft IPSEC Daemon (ipsecd) - Unknown owner - C:\Program Files\ShrewSoft\VPN Client\ipsecd.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: R-Series Local Disk Service (rdiskservice) - Unknown owner - C:\Program Files\R2P\Mobile Manager\LocalDiskService\rdiskService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

End of file - 9382 bytes

Does anyone know more about this W32:Adloader-AC???

Regards


Welcome to the forums, FRS :slight_smile:

You left off the top part of the HJT log which is needed by the analyzer.


Thanks and sorry, but the whole text had too many characters! :wink:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:30, on 12.08.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Regards
FRS

There is a later version of HJT, 2.0.4, not that I have a lot of faith in HJT now as there are many malware items that are able to hide from it.

Also, from your HJT header information you appear to be using the first edition of Vista, and it is on SP2 now; this closes vulnerabilities and improves overall security. So you should look at updating your OS if it isn't Vista SP2.

Given that your OS appears out of date, there may be other applications in need of an update. I would also suggest a visit to this site, which scans your system for out-of-date programs that have patches to close vulnerabilities: http://secunia.com/software_inspector/.


Other than what David mentioned above, there is nothing else amiss in your HJT log.

Overview of running tasks (process - type - description):

taskhost.exe - Driver - Windows
Dwm.exe - System process - Desktop Window Manager
QLBCTRL.exe - Backgroundtask - QLB Controller
sttray.exe - Backgroundtask - Intel WebOutfitter service System Tray icon
SynTPEnh.exe - Driver - Synaptics touchpad tray icon
fpassist.exe - Backgroundtask - FreePDF Assistant
ashDisp.exe - Virusscan - Avast AntiVirus
MobileConnect.exe - Backgroundtask - MobileConnect.exe
SynTPHelper.exe - Backgroundtask - SynTPHelper.exe
bmctl.exe - Backgroundtask - Bytemobile Control Process
rundll32.exe - System process - Microsoft Rundll32
jusched.exe - Backgroundtask - Sun Java Update Scheduler
PcSync2.exe - Application - Nokia PC Suite
PCSuite.exe - Backgroundtask - Nokia PC Suite
soffice.exe - Backgroundtask - OpenOffice.org (1.1.0)
soffice.bin - Backgroundtask - OpenOffice Module
zarafa-offline.exe - Unknown task (related to an OutLook email plug-in) - Unknown task
conhost.exe - System process - Console Window Host
MPAPI3s.exe - Application - Nokia Mobile Phone API
NclMSBTSrv.exe - Backgroundtask - NclMSBTSrv.exe
SearchProtocolHost.exe - System process - SearchProtocolHost
explorer.exe - System process - Microsoft Windows Explorer
HijackThis.exe - Application - Merijn Hijackthis


Win32:Adloader-AC [Trj] false positive?¿?¿

Yes!

When AV programs find something in the Windows page file, it is a false alarm 99.5% of the time. During normal Windows operation this does not show up, because programs have no access to this file…

I don't think it is false, because if you set up a completely new system, it is gone.
Deleting the pagefile.sys only has an effect for maybe one hour.

What does Avast want to tell us with this Adloader? :-\ :wink:

http://www.google.de/search?hl=de&source=hp&q=Win32%3AAdloader-AC+[Trj]+pagefile.sys

In that regard, I think Avast is using a very weak signature there. It can hardly be blamed on the beta version of SP1 for Win7…

See also: http://forum.avast.de/viewtopic.php?f=24&t=2625 Avast apparently reports its own signature…

If Avast was uninstalled on the system, the Adloader was still found after scanning with the BART CD…

Maybe some leftover from the Avast database. Delete the pagefile.sys, restart, and do another restart with the BartPE CD and see what happens.
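The thread's open question is whether a signature hit inside pagefile.sys is paged-out malware code or just a paged-out copy of the scanner's own signature data. The following triage helper is an added example, not code from the thread or from Avast: it runs a naive byte-pattern scan over a constructed pagefile image and labels each hit by whether a valid MZ/PE header precedes it. The signature bytes, the image and the PE-context heuristic are all assumptions made for the demonstration.

```python
from __future__ import annotations
import struct

# Constructed stand-in for the detection's byte pattern (not Avast's real signature).
PATTERN = b"ADLOADER-AC-PATTERN"
SIGNATURES = {"Win32:Adloader-AC [Trj] (constructed)": PATTERN}

def find_hits(image: bytes) -> list[tuple[str, int]]:
    """Naive pattern scan, the kind a boot-CD scanner runs over a raw page file."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (pos := image.find(pattern, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits

def in_pe_context(image: bytes, offset: int, window: int = 4096) -> bool:
    """Heuristic: does a valid MZ header whose e_lfanew points at 'PE\\0\\0'
    sit within `window` bytes before the hit? A bare pattern with no such
    header is consistent with paged-out signature data rather than code."""
    lo = max(0, offset - window)
    mz = image.rfind(b"MZ", lo, offset)
    while mz != -1:
        if mz + 0x40 <= len(image):
            e_lfanew = struct.unpack_from("<I", image, mz + 0x3C)[0]
            pe = mz + e_lfanew
            if pe + 4 <= len(image) and image[pe:pe + 4] == b"PE\0\0":
                return True
        mz = image.rfind(b"MZ", lo, mz)
    return False

def triage(image: bytes) -> list[dict]:
    """Label every hit as 'PE image' or 'bare pattern' for a first-pass verdict."""
    return [{"name": n, "offset": o,
             "context": "PE image" if in_pe_context(image, o) else "bare pattern"}
            for n, o in find_hits(image)]

def build_sample_image() -> bytes:
    """Constructed page-file image: filler, a paged-out copy of the scanner's
    own signature table (bare pattern), then a minimal fake PE carrying it."""
    filler = b"\x00" * 512
    sig_table = b"SIGDB:" + PATTERN + b"\n"
    fake_pe = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 32 + PATTERN
    return filler + sig_table + filler + fake_pe + filler

if __name__ == "__main__":
    for hit in triage(build_sample_image()):
        print(hit)
```

A hit labelled "bare pattern" is not proof of a false positive on its own; it is the cue to rescan after the page file has been recreated, as the thread suggests, rather than to rebuild the system.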