Win32:JunkPoly [Cryp]

Hey all

Just received an alert from Avast whilst downloading a file.

Using the template from the sticky, here's the info:

  1. It was detected through Avast as the file was downloading
  2. http://files.filefront.com/Area+51+Sponsored+by+the+US+Air+Force/;11928815;/fileinfo.html
    It's the game Area 51, just been released for free with advertising in
  3. I started the download about 30 mins ago, stopped it about 15 mins ago when Avast alerted me
  4. midway_area51_sw_FileFront.exe downloaded to my E:/Downloads folder
  5. Sign of “Win32:JunkPoly [Cryp]” has been found in “E:\Downloads\midway_area51_sw_FileFront.exe$INSTDIR\A51” file.
  6. A

It's still in the vault if that helps with things.

Many thanks for any help given, would be sucky to spend my birthday dealing with this all night :wink:

EDIT:
Hijackthis report

Logfile of HijackThis v1.99.1
Scan saved at 19:37:40, on 02/10/2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\SysWOW64\HsMgr.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
E:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files (x86)\Opera\opera.exe
E:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [DeathAdder] "C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM..\Run: [QuickTime Task] "E:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [Core Temp] C:\Program Files\Coretemp\Core Temp.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [Steam] "e:\program files (x86)\steam\steam.exe" -silent
O4 - HKCU..\Run: [igndlm.exe] E:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files (x86)\Windows Live\Mail\mailcomm.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Hi kazz_uk,

Is the data found here: http://virscan.org/report/77c6221f9453e82add8f8200240dfc8b.html
familiar to what was flagged on your machine? Please try to upload the file in question to VirusTotal and let us know which scanners detect it as malware.
Your HJT log text file did not bring up anything out of the ordinary as far as I can establish. But you presented a logfile from an older HJT version; download the latest and file anew. The latest version of HijackThis can be downloaded from here:
http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/

You might also try to update and patch to the latest versions of all critical software you have running there, like Sun Java etc.
You do not seem to be running an active software firewall. This is critical for your security; you should have one.
But we could not detect an active firewall.

Overview of running tasks (name - type: description):

HsMgr.exe - Unknown task: Unknown task
TeaTimer.exe - Application: Spybot S&D Realtime Scanner
msnmsgr.exe - Application: MSN Messenger
msnmsgr.exe - Application: Messenger
Steam.exe - Unknown task: Unknown task
razerhid.exe - Driver: Mouse Driver
ashDisp.exe - Virusscan: Avast AntiVirus
jusched.exe - Backgroundtask: Sun Java Update Scheduler
ObjectDock.exe - Backgroundtask: Stardock ObjectDock
razertra.exe - Backgroundtask: Configuration Tool
razerofa.exe - Backgroundtask: Razer OFA - On-the-Fly Sensitivity Adjustment
opera.exe - Backgroundtask: Opera Browser
HijackThis.exe - Application: Merijn Hijackthis

polonus
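As an added example (it is not from the thread, from polonus, or from the HijackThis tool), here is a small Python reader for the log format reviewed above. It groups entries by section, pulls out the O4 autoruns, flags the entries a helper looks at first (the "(no file)" and "(file missing)" orphans, Winsock LSPs HijackThis could not identify, and the AppInit_DLLs entry, which every process that links user32.dll loads), and diffs the autoruns of two logs, which is the offline version of what a resident registry monitor does on every write to the Run keys. The sample log, the verdict names, the "always review" list and the WOW64 heuristic are my own assumptions. The heuristic encodes one caveat worth knowing before you "fix" anything: a 32-bit HijackThis 1.99.1 running on 64-bit Windows reports many legitimate system services as "Unknown owner ... (file missing)" because file-system redirection sends its lookups to SysWOW64 instead of System32, so those entries are something to confirm with a current HJT build, not findings.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99.1 log format. The line shapes are the
# ones seen in the thread; the set of lines is trimmed to keep the example short.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Unknown Windows (WinNT 6.00.1905 SP1)

Running processes:
C:\Windows\SysWOW64\HsMgr.exe
C:\Program Files (x86)\Opera\opera.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Steam] "e:\program files (x86)\steam\steam.exe" -silent
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O20 - AppInit_DLLs: C:\Windows\SysWOW64\guard32.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
"""

# "O4 - HKLM..\Run: [name] cmd" -> section "O4", body "HKLM..\Run: [name] cmd"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# The two O4 shapes HijackThis emits: registry Run keys and Startup-folder shortcuts.
RUN_KEY_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.*)$")

# Markers HijackThis prints when the referenced file is not where the entry says.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Paths a 32-bit HijackThis resolves through WOW64 redirection on 64-bit Windows.
SYSTEM_PATH_RE = re.compile(r"\\windows\\system32\\|%windir%|%systemroot%", re.IGNORECASE)
# Sections worth a look even when the file exists (assumed priorities, not HJT's).
ALWAYS_REVIEW = {
    "O10": "Winsock LSP that HijackThis could not identify",
    "O20": "AppInit_DLLs entry, loaded into every process that links user32.dll",
}


def parse_hjt(text):
    """Group every 'Rn/Fn/On - ...' line by section, preserving file order."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return entries


def autoruns(text):
    """Map (location, name) -> command for every O4 entry in the log."""
    result = {}
    for body in parse_hjt(text).get("O4", []):
        m = RUN_KEY_RE.match(body)
        if m:
            result[(m.group("hive"), m.group("name"))] = m.group("cmd")
            continue
        m = STARTUP_RE.match(body)
        if m:
            result[("Startup", m.group("name"))] = m.group("cmd")
    return result


def is_x64_log(text):
    """Heuristic: SysWOW64 and 'Program Files (x86)' only exist on 64-bit Windows."""
    return "SysWOW64" in text or "Program Files (x86)" in text


def review(text):
    """Return (section, verdict, body) for entries a helper would look at first.

    verdict is 'orphan' (entry points at a missing file), 'wow64-artifact'
    (missing system service as reported by a 32-bit HJT on 64-bit Windows;
    confirm before acting) or 'review' (sections listed in ALWAYS_REVIEW).
    """
    x64 = is_x64_log(text)
    findings = []
    for section, bodies in parse_hjt(text).items():
        for body in bodies:
            if any(marker in body for marker in ORPHAN_MARKERS):
                if (x64 and section == "O23" and "Unknown owner" in body
                        and SYSTEM_PATH_RE.search(body)):
                    findings.append((section, "wow64-artifact", body))
                else:
                    findings.append((section, "orphan", body))
            elif section in ALWAYS_REVIEW:
                findings.append((section, "review", body))
    return findings


def new_autoruns(baseline_text, current_text):
    """Autorun entries added or changed since the baseline log was taken."""
    base = autoruns(baseline_text)
    return {key: cmd for key, cmd in autoruns(current_text).items()
            if base.get(key) != cmd}


if __name__ == "__main__":
    for section, verdict, body in review(SAMPLE_LOG):
        print(f"{section:4} {verdict:14} {body}")
        if section in ALWAYS_REVIEW:
            print(f"     why: {ALWAYS_REVIEW[section]}")
```

Run it as-is to see the four entries it pulls out of the sample; to use it on a real log, read the file into `text` and call `review(text)`, then keep the previous log and call `new_autoruns(old, new)` to see only what changed since the machine was last clean.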

Thanks for the reply.
Yeah, that's the one that was flagged on my PC. Ran the latest HJT with the same results. About the firewall, I have Comodo Firewall Pro installed; does the HJT info say I haven't got one running?

Good to know I’m not the only one who got this alert

I got the same install file the other day, and the same alert about the same file

Although Avast didn't bring up the alert until after I had installed it.

My post is here http://forum.avast.com/index.php?topic=39101.0

Your log is clean, but you can tick these, then tick "Fix checked":

Close browsers

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM..\Run: [QuickTime Task] "E:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

I would uninstall all previous versions of Java and keep 1.6.0.7 (the latest version)

O13 - Gopher Prefix:

Paul and poster:
the O2 "(no file)" entry is MSN Messenger
WTF
one of the O4s is Spybot TeaTimer
the others can easily be changed with their own program or with a startup manager
no reason to use HJT

"I would uninstall all previous versions of Java and keep 1.6.0.7 (the latest version)" Yes, check for old versions of Java and remove them; they are dangerous.
Do you use Gopher?

TeaTimer can be annoying and can block things from writing to the registry, and installs/whatever can fail.

It's not always a good idea to keep it running in the background.

Fully agree. Also, it has very little usage nowadays… It's more a sensation of protection than an antimalware shield, especially if the user clicks where he/she shouldn't…

However, TeaTimer is easy to turn off from within Spybot;
no need to use HJT.
The user needs to have a replacement ready for real-time anti-spyware before turning off TeaTimer.
What are you suggesting?
Incidentally, TeaTimer 1.6 has changed greatly; it is now more like BOClean.
I'd like to see a comparison.

avast can do that job.

Then simply disable it in the S&D program.

This one is the Java update checker:
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"

Whilst it has never worked for me even when enabled, it is a legit entry.

Avast has no replacement for TeaTimer IMHO,
although I think MBAM paid or SAS paid would.
I would like to see a test, but with SpywareWarrior not doing this kind of testing I do not know who would.
I'd like to see a face-off:
Windows Defender
Spyware Doctor Free/paid
MBAM
SAS
TeaTimer
Spyware Terminator
BOClean
CounterSpy
Spy Sweeper
etc. for real-time spyware/malware prevention.

"TeaTimer can be annoying and can block things from writing to the registry, and installs/whatever can fail."
Blocking unauthorized changes such as writing to the registry and unauthorized installs/whatever is exactly what TeaTimer is supposed to do.

True, but then if people aren't aware of this, they'll get rather peed off if something they want to install doesn't install properly, or doesn't work like it should, if it stays enabled.

I've seen this myself in a forum I go to in NZ. People have had problems because TeaTimer is/has been running in the background.

Well the resident protection, which includes tea-timer is off by default as far as I remember from my previous use of S&D, but it no longer has HDD space on my system.

I hate autonomous blocking tools where the user doesn’t get notified and asked for a decision, then again many users couldn’t give an informed answer to many of the questions that would be thrown up.

The user has to be aware when they install new applications, or update them, etc. that changes will be made to their system, so they should be ready for any question about any such change. The number of times I have seen the avast icon killed by S&D in these forums is rife, and I can't believe they wouldn't have received an alert to the change, rather than S&D simply killing the start-up entry and file without notification.

I gave up on S&D prior to the latest version as I felt it was no longer a top ranked anti-spyware. This might well have improved, but if the tea-timer is autonomous I would recommend users leave it disabled by default.

You can set TeaTimer up either way.
Spybot resident is an install-time option;
the default is a balloon that notifies.
If you do not have an active anti-spyware program, how do you protect against drive-by downloads and things like 2009 AV or worse?
Avast does not pick up this class of threats, the quitsey screensaver, codecs etc.
Anything that requires a socially engineered click will bypass most other protection, and what about the click-through iframe problem?

I'm not advocating Spybot as a specific program;
I gave a list in my previous post.
I do think most non-perfect users would be advised to have one of them installed.
It would be interesting to visit their forums and see who has the least problems with XP-Antivirus and friends.
Incidentally, those who have been following all the threads have seen cases where Spybot, a-squared and Spybot have found infections completely missed by MBAM and SAS.
The MBAM forum recommends Spybot as an alternate scanner; still reliable,
may not find as much of this round of infections as some, but still a valuable tool.
And the rankings could and will change with the next round of infections.


Teatimer works correctly to protect the registry when it is installed with the default settings. It does not block installations (as some are saying) unless it is told to do so by the user/installer. With default settings, it warns with a balloon of impending registry changes and the user is given a choice to allow the change or to block the change within the registry.

If the default settings have been changed and a program does not install, then it is due to a decision made by the user/installer and not the fault of Teatimer.

Please place responsibility where responsibility is due … the user/installer of the discussed program and any other program electively installed.


Fully agree.