win32:trojan-gen(other), win32:adware-gen[adw]

hey guys

Need some help here. Kinda don't know what either are, but it is seriously slowing down my PC. Here is a logfile from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 3:26:51 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\rmda06\My Documents\popup\12popup.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\CMPWI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rmda06\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [TFncKy] TFncKy.exe
O4 - HKLM..\Run: [TPSMain] TPSMain.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvej.dll,startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Documents and Settings\rmda06\My Documents\popup\12popup.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip..{ABD83AC9-8343-40EA-92F8-AD26BB07886D}: NameServer = 68.28.242.11 68.28.250.11
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pantech Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Pantech\Sprint PCS Connection Manager\PWIUtilityService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

really hope u can help…

Let's first start with the basics before jumping into HJT.

What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

What actions have you taken to try and resolve the problem?
What is your firewall?

If avast has dealt with them then they shouldn’t be slowing your system, unless you have other problems.

Suspect Possibly Vundo infection - fix:
O4 - HKLM..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvej.dll,startup

http://spywaredlls.prevx.com/RRICGG30897139/DRVVEJ.DLL.html
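To show how the flagged entry stands out among the O4 lines, here is an added Python script (my code, not the thread's and not part of HijackThis) that parses O4 autorun entries from a HijackThis log, lists every entry that launches rundll32.exe with a DLL and export name, and separately lists autoruns that start from the user's own profile folders. The sample log is a constructed excerpt of the lines posted above; the function and constant names are mine.

```python
import re

# Constructed sample: a subset of the O4 lines (plus one O23 line that should be ignored)
# from the HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvej.dll,startup
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Documents and Settings\rmda06\My Documents\popup\12popup.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
"""

# Registry Run-key entries: "O4 - <hive>..\Run: [<name>] <command>"
O4_RUN_RE = re.compile(r"^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
# Startup-folder entries: "O4 - Startup: <shortcut> = <path>"
O4_STARTUP_RE = re.compile(r"^O4 - (?P<location>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.+)$")
# A command that asks rundll32 to load a DLL and call one of its exports.
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.IGNORECASE)


def parse_o4_entries(log_text):
    """Return one dict (location, name, command) per O4 line; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def rundll32_loads(entries):
    """Autoruns that use rundll32 to load a DLL: returns (entry, dll_path, export)."""
    found = []
    for e in entries:
        m = RUNDLL_RE.match(e["command"].strip('"'))
        if m:
            found.append((e, m.group("dll"), m.group("export")))
    return found


def user_profile_autoruns(entries):
    """Autoruns whose command lives under the user profile (user-writable, so worth a look)."""
    return [e for e in entries if "\\documents and settings\\" in e["command"].lower()]


def triage(log_text):
    """Summarise the two checks above for a whole log."""
    entries = parse_o4_entries(log_text)
    flagged = []
    for e, dll, export in rundll32_loads(entries):
        # rundll32.exe itself is a normal Windows tool; what matters is the DLL it is told
        # to load at logon and the export it calls, so both are reported for a closer look.
        flagged.append({"name": e["name"], "location": e["location"], "dll": dll, "export": export})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT_LOG):
        print(f"rundll32 autorun [{hit['name']}] loads {hit['dll']} (export {hit['export']})")
    for e in user_profile_autoruns(parse_o4_entries(SAMPLE_HJT_LOG)):
        print(f"profile autorun [{e['name']}] -> {e['command']}")
```

A hit from this script is a reason to look, not a verdict: the 12popup.exe entry is the user's own pop-up blocker, while the drvvej.dll entry is the one the reply above singles out because a DLL with no vendor folder is loaded straight from system32 at logon. In either case a copy of the file belongs in the chest before the entry is fixed, so it can still be examined.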

here is the log from avast.
2/14/2007 7:52:38 PM SYSTEM 1952 Sign of “Win32:Ldpinch-AH [Trj]” has been found in "file.
2/14/2007 7:54:35 PM SYSTEM 1952 Sign of “Win32:Agent-ECD [Trj]” has been found in "file.
2/14/2007 7:54:51 PM SYSTEM 1952 Sign of “Win32:Agent-EIE [Trj]” has been found in “” file.
2/14/2007 7:55:29 PM SYSTEM 1952 Sign of “Win32:Trojan-gen. {Other}” has been found in “” file.
2/14/2007 7:55:37 PM SYSTEM 1952 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\rmda06\Local Settings\Temporary Internet Files\Content.IE5\K8CTWE3J\mulbin32[1].exe” file.
2/14/2007 8:11:14 PM rmda06 1692 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\rmda06\Local Settings\Temp\win1C.tmp” file.
2/14/2007 8:17:16 PM rmda06 1692 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP27\A0004331.exe” file.
2/15/2007 2:27:50 PM rmda06 672 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\vlhdinjb.dll” file.
2/15/2007 2:28:11 PM rmda06 672 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\glqvdvyw.exe” file.
2/15/2007 2:33:14 PM rmda06 672 Sign of “Win32:Adware-gen. [Adw]” has been found in “http://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2006FreeInstall.exe” file.
2/15/2007 2:33:22 PM rmda06 672 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\Documents and Settings\rmda06\Local Settings\Temporary Internet Files\Content.IE5\1IEXRKOS\WinAntiVirusPro2006FreeInstall[1].exe” file.
2/17/2007 3:17:05 AM SYSTEM 680 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\guyhtkll.exe” file.
2/17/2007 3:18:21 AM SYSTEM 680 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\kacslvpf.dll” file.
2/18/2007 9:54:21 AM SYSTEM 556 Sign of “Win32:Downloader-DS [Trj]” has been found in “http://l.mezzicodec.net/a412/L2.exe” file.
2/19/2007 4:04:01 PM SYSTEM 584 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\clfagnaw.dll” file.
2/19/2007 4:11:10 PM SYSTEM 584 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\DOCUME~1\rmda06\LOCALS~1\Temp\mbatfavl.exe” file.

Urgent
Please edit out the links to the URLs in your post so they don’t catch the curious or unwary, they are live links to infected files,
e.g. http :// l.mezzicodec.net/a412/tr.php?m=1&b=779

Are you visiting l.mezzicodec.net and download.cdn.winsoftware.com of your own accord to get, say, free codecs, etc.? That is a common hook to get you to download malware.

Most of the stuff appears to be coming down into the Temporary Internet Files and temp folders, yet it isn't being caught by the web shield like the others but by the standard shield. So it would be worthwhile periodically clearing out the temp folders: ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

Have you fixed the entry I flagged?
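The observation above, that most detections land in the temp and Temporary Internet Files folders, can be checked directly from the Log Viewer lines rather than by eye. The following added Python script (mine, not avast's and not from the thread) parses lines in the avast! 4 Warning-log format quoted earlier, groups them by where the file was found, and lists the hosts of any URL-based detections. The sample log is constructed from the posted lines, with placeholder hosts in place of the live links, and includes one of the truncated lines so that unparsable entries are counted rather than silently dropped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the avast! 4 Log Viewer "Warning" format seen in this thread.
# Paths are modelled on the posted log; the URL hosts are placeholders, not real sites.
SAMPLE_AVAST_LOG = r"""
2/14/2007 7:52:38 PM SYSTEM 1952 Sign of "Win32:Ldpinch-AH [Trj]" has been found in "file.
2/14/2007 7:55:37 PM SYSTEM 1952 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\rmda06\Local Settings\Temporary Internet Files\Content.IE5\K8CTWE3J\mulbin32[1].exe" file.
2/14/2007 8:11:14 PM rmda06 1692 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Documents and Settings\rmda06\Local Settings\Temp\win1C.tmp" file.
2/14/2007 8:17:16 PM rmda06 1692 Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\System Volume Information\_restore{CD0BACDB-7BB8-4982-9127-7CA9CF228C78}\RP27\A0004331.exe" file.
2/15/2007 2:27:50 PM rmda06 672 Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\DOCUME~1\rmda06\LOCALS~1\Temp\vlhdinjb.dll" file.
2/15/2007 2:33:14 PM rmda06 672 Sign of "Win32:Adware-gen. [Adw]" has been found in "http://downloads.example.invalid/files/FreeInstall.exe" file.
2/18/2007 9:54:21 AM SYSTEM 556 Sign of "Win32:Downloader-DS [Trj]" has been found in "http://cdn.example.invalid/a412/L2.exe" file.
"""

# Accepts both straight and curly quotes, since forum copies of the log use either.
LINE_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<signature>.+?)[”"] has been found in [“"](?P<target>.*?)[”"] file\.$'
)


def classify(target):
    """Bucket a detection by where the file was found; order matters for the temp checks."""
    t = target.lower()
    if t == "":
        return "unknown (empty path)"
    if t.startswith(("http://", "https://", "ftp://")):
        return "url (web shield)"
    if "temporary internet files" in t:
        return "ie cache"
    if "\\temp\\" in t or t.endswith("\\temp"):
        return "temp folder"
    if "system volume information" in t:
        return "system restore point"
    return "other"


def parse_avast_log(text):
    """Return (parsed entries, lines that did not match the expected format)."""
    parsed, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["category"] = classify(entry["target"])
            parsed.append(entry)
        else:
            unparsed.append(line)
    return parsed, unparsed


def summarize(text):
    """Counts per location, distinct URL hosts, and signature tallies for a whole log."""
    parsed, unparsed = parse_avast_log(text)
    by_category = Counter(e["category"] for e in parsed)
    hosts = sorted({urlsplit(e["target"]).hostname for e in parsed
                    if e["category"].startswith("url")})
    signatures = Counter(e["signature"] for e in parsed)
    return {"events": len(parsed), "unparsed": len(unparsed),
            "by_category": dict(by_category), "url_hosts": hosts,
            "signatures": dict(signatures)}


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVAST_LOG)
    for category, n in sorted(summary["by_category"].items()):
        print(f"{n:3d}  {category}")
    print("URL hosts:", ", ".join(summary["url_hosts"]) or "none")
    print("unparsed lines:", summary["unparsed"])
```

The buckets map onto the advice in this thread: "ie cache" and "temp folder" hits point at the browser as the way in and are what clearing the temp folders removes, "url (web shield)" hits name the sites the user is being asked about, and a "system restore point" hit means the infected file has been captured in a restore point and will come back if that point is ever restored.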

Yes, I fixed the file you flagged. I am also running SpeedUpMyPC 3.0 and clean out my files every day. Is that any good or not?

I also keep running avast and Ad-Aware every day. All the time web pages are just popping open. Is there anything I can do to fix this?

Yes, it means they don't get to hang around, and hopefully if you notice a file in use it will prompt some closer attention. However, with avast most aren't getting to stay, period. My concern is how they got there in the first place without being caught by one of the resident shields, the web shield mainly, or P2P, etc., if you use any of the other shield applications.

Did you try moving the C:\WINDOWS\system32\drvvej.dll file to the user section of the avast chest?
From there it could be sent to avast as it wasn’t detected although it would appear that it is adware related.

You should have rebooted afterwards and then monitored whether you get any more activity.

There is most certainly something on your system and it may be a hidden rootkit.

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.

BlackLight - It can detect rootkits like Rootkit Revealer but can also remove them. http://www.f-secure.com/blacklight/
Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx

You know what... I didn't have any more popups until just when I started to type this message. I rebooted about 10 minutes ago and nothing, then as soon as I typed anything the popup opened. I am running 12 Ghosts popup; shouldn't that do anything to the popups?

I ran HijackThis and fixed the drvvej.dll file, and now it is not showing up when I run it again. Is there any other way to find out if the file is still here?

Which one of these rootkit tools would be the best one to run? Any opinion?

1. I don't get any pop-ups; Firefox has a very effective pop-up blocker as part of the installation, at least they are so infrequent I don't recall.
   I have never heard of 12 Ghosts pop-up, and there are many things that purport to do something and do the opposite. I would look for another.

2. Yes, look in the location it was reported in and that which I gave, C:\WINDOWS\system32\drvvej.dll. If it is there, you may need to enable view hidden files and folders in Explorer, Tools, Folder Options, View tab, see image. If it is there you should open the avast chest, user files, and select File, Add and select the file.

3. Start with the first, run that, and then the second. Report the findings.

I added the file to the chest and scanned just that file. Is that what you meant to do? I am kinda computer illiterate.

No I meant sending it to Alwil Software for analysis and hopefully inclusion in the VPS so it can be detected in the future, protecting others. Scanning it won’t achieve anything at the moment because it is currently undetected.

Right click on the file in the chest and select email to Alwil Software.