Thread: spy.ardamax.j
06-04-2008, 09:15 AM   #1
tangled_b
Registered User
 
Join Date: Jun 2008
Location: India
Posts: 11
OS: windows xp sp2


spy.ardamax.j

Hello. Have a trojan on my system and cannot find any information on it on existing forums. Would appreciate any help anyone can offer!

System details:
Windows XP, Service pack 2
Antivirus:
Avira AntiVir Personal
(I have spyware doctor installed but usually disable it when I'm working offline because of how slow the system gets.)

My dad's thumb drive got infected by this trojan when he'd taken it for a presentation at another company. (Incidentally, the company he visited is part of the government's aerospace division. Whee!)

When he brought it home, the system refused to open the drive, accompanied by an Avira message on the screen saying: "C:\WINDOWS\system32\28463\svchost.exe is the Trojan horse TR/Spy.Ardamax.J"
However, after selecting "delete", I was able to open the drive. I noticed the following:
1. "New Folder" executable file in the main drive contents
2. .exe file with the same name as parent folder in all other folders
Since I'd seen similar viruses before, I immediately ejected the drive, but not before all other removable drives connected to the system exhibited the same symptoms. :(

[I have not tried deleting the system32\28463 folder because I wasn't sure what chain of events that might set up. Also uncertain about how deleting that will help me clean the removable drives.]

None of the applications on my system seem affected at this point apart from my registry editor (which is disabled). I have not run any other system applications, though, so I'm not sure if this is accurate.

I ran the Deckard's System Scanner and here are the results:

--------------
Deckard's System Scanner v20071014.68
Run by Home on 2008-06-04 18:59:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
35: 2008-06-04 13:29:37 UTC - RP208 - Deckard's System Scanner Restore Point
34: 2008-06-03 04:33:04 UTC - RP207 - Installed OpenOffice.org 2.3
33: 2008-06-03 04:29:22 UTC - RP206 - Installed Java(TM) 6 Update 3
32: 2008-06-02 12:29:12 UTC - RP205 - System Checkpoint
31: 2008-06-01 06:22:15 UTC - RP204 - System Checkpoint


-- First Restore Point --
1: 2008-05-03 18:58:36 UTC - RP174 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Home.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:09:11, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\28463\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\ups.exe
H:\My Downloads\My Downloads\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\TRENDM~1\HIJACK~1\Home.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15E26308-B656-4F87-9967-416B5CB11D09}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15E26308-B656-4F87-9967-416B5CB11D09}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15E26308-B656-4F87-9967-416B5CB11D09}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6779 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\docume~1\home\locals~1\temp\catchme.sys (file missing)
S3 ydsxg - c:\windows\system32\drivers\ydsxg.sys <Not Verified; YAMAHA Corporation; YAMAHA DS-XG>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_D6008086&REV_00\4&1C9EB71F&0&2808
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1002&DEV_5A61&SUBSYS_D6008086&REV_00\4&1C9EB71F&0&2808
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_D6008086&REV_82\3&61AAA01&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_D6008086&REV_82\3&61AAA01&0&A0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-04 19:03:48 420 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FC87BDCE-17AE-4479-A7D3-B71BE90EBB5C}.job
2008-06-02 20:36:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-29 18:39:00 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-05-16 20:45:43 406 --a------ C:\WINDOWS\Tasks\Norton Security Scan.job
2007-12-31 18:39:32 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-04 19:08:59 0 d-------- C:\Program Files\Trend Micro
2008-06-04 08:55:00 0 d-------- C:\Program Files\Panda Security
2008-06-04 08:13:30 0 d-------- C:\WINDOWS\ERUNT
2008-06-04 07:58:09 682496 -rahs---- C:\WINDOWS\system32\svchost _exe.vir
2008-06-04 07:58:09 682496 -rahs---- C:\WINDOWS\system32\REGSVR_EXE.vir
2008-06-04 07:58:09 682496 --a------ C:\WINDOWS\regsvr_exe.vir
2008-06-04 07:56:33 0 d--hs---- C:\WINDOWS\system32\28463
2008-05-28 03:41:47 453632 --a------ C:\WINDOWS\system32\stdvcl40.dll <Not Verified; Borland International; Standard VCL ActiveX Library>
2008-05-28 03:41:46 0 d-------- C:\Program Files\Web CEO
2008-05-20 13:19:39 3532 --a------ C:\drmHeader.bin
2008-05-20 04:54:47 0 d-------- C:\Program Files\PQDVD
2008-05-19 18:24:47 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-18 19:49:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-13 20:43:01 0 d-------- C:\Documents and Settings\Home\Application Data\Flickr
2008-05-13 20:42:25 0 d-------- C:\Program Files\Flickr Uploadr
2008-05-13 12:17:04 0 d-------- C:\Documents and Settings\Home\Application Data\Apple Computer
2008-05-12 22:54:56 0 d-------- C:\Program Files\QuickTime
2008-05-12 22:54:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 22:54:29 0 d-------- C:\Program Files\Apple Software Update
2008-05-12 22:54:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-10 22:37:47 0 d-------- C:\Documents and Settings\Home\Application Data\skypePM
2008-05-10 22:37:47 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-05-10 22:36:45 0 d-------- C:\Documents and Settings\Home\Application Data\Skype
2008-05-10 22:34:07 0 d-------- C:\Program Files\Skype
2008-05-10 22:34:07 0 d-------- C:\Program Files\Common Files\Skype
2008-05-10 22:33:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-08 04:49:07 0 d-------- C:\!!media


-- Find3M Report ---------------------------------------------------------------

2008-06-04 08:08:17 0 d-------- C:\Documents and Settings\Home\Application Data\uTorrent
2008-06-03 10:00:15 0 d-------- C:\Program Files\Java
2008-06-02 20:37:26 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-05-30 16:38:45 0 d-------- C:\Program Files\Last.fm
2008-05-17 23:07:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-16 15:00:04 0 d-------- C:\Program Files\Norton Security Scan
2008-05-10 22:34:07 0 d-------- C:\Program Files\Common Files
2008-05-03 14:17:40 0 d-------- C:\Program Files\Windows Media Connect 2
2008-04-27 22:03:49 0 d-------- C:\Program Files\Winamp
2008-04-23 06:13:09 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-23 06:12:57 0 d-------- C:\Program Files\Common Files\Real
2008-04-20 11:05:18 0 d-------- C:\Documents and Settings\Home\Application Data\Real
2008-04-14 06:48:26 0 d-------- C:\Program Files\Windows Live
2008-04-14 06:47:15 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-07 20:06:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-06 05:53:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-04-05 20:38:25 0 d-------- C:\Documents and Settings\Home\Application Data\Google
2008-04-05 20:36:52 0 d-------- C:\Program Files\Google


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 17:30]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 17:30]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 17:30]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [18/04/2008 16:58]
"RTHDCPL"="RTHDCPL.EXE" [30/11/2007 18:42 C:\WINDOWS\RTHDCPL.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [02/01/2007 02:52]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [23/04/2008 06:12]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"svchost Agent"="C:\WINDOWS\system32\28463\svchost.exe" [25/01/2008 01:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 17:30]
"Msn Messsenger"="C:\WINDOWS\system32\regsvr.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3937c11-b843-11dc-af84-001676531ecf}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
Open\command- J:\regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3937c1c-b843-11dc-af84-001676531ecf}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
Open\command- J:\regsvr.exe




-- End of Deckard's System Scanner: finished at 2008-06-04 19:09:50 ------------



I'm really hoping this is only a minor trojan that can be gotten rid of easily. I work from home a lot and infecting the office systems would not be a good way to endear myself to the bosses!
Thanks in advance to anyone who can help me.

- T
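A small detector for the kind of autorun entries this post's log shows, as an added example that is not part of the original post or of any tool it names. The sample lines are constructed from the HijackThis and DSS output above; the heuristics (a borrowed system-binary name outside system32, an all-digit directory in the path, a mountpoints2 command that launches code from the drive itself) are assumptions about what looks wrong, not signatures from any product.

```python
# Added example (not from the post or any tool it names): flag autorun entries
# like the ones in the post's HijackThis/DSS output. Heuristics are assumptions.
import re
from pathlib import PureWindowsPath

SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32"}  # where the genuine copies live

# Constructed sample: benign and suspicious lines taken from the post's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [svchost Agent] C:\WINDOWS\system32\28463\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
Open\command- J:\regsvr.exe
"""

O4_RE = re.compile(r"^O4 - .*?\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
MOUNTPOINT_RE = re.compile(r"^(?:AutoRun|Open)\\command- (?P<cmd>.+)$")

def image_path(cmd):
    """Executable path from a Run command, with quotes and arguments removed."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]

def flag_run_entry(name, cmd):
    """Reason string if a Run-key entry looks suspicious, else None."""
    p = PureWindowsPath(image_path(cmd))
    if p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in LEGIT_SYSTEM_DIRS:
        return f"{name}: system binary name {p.name} outside the system dir ({p.parent})"
    if any(part.isdigit() for part in p.parts):  # e.g. system32\28463\
        return f"{name}: executable under an all-digit directory ({p})"
    return None

def flag_mountpoint_cmd(cmd):
    """Reason string if a mountpoints2 autorun launches code from the drive itself."""
    if "ShellExec_RunDLL" in cmd or re.match(r"^[D-Z]:\\", cmd, re.I):
        return f"mountpoints2 autorun runs {cmd.split()[-1]} from the removable drive"
    return None

def scan(log_text):
    """Run both checks over a HijackThis/DSS-style log and return the findings."""
    findings = []
    for line in log_text.splitlines():
        reason = None
        if m := O4_RE.match(line):
            reason = flag_run_entry(m["name"], m["cmd"])
        elif m := MOUNTPOINT_RE.match(line):
            reason = flag_mountpoint_cmd(m["cmd"])
        if reason:
            findings.append(reason)
    return findings
```

Running `scan(SAMPLE_LOG)` flags the `svchost Agent` entry and both mountpoints2 commands, while the Avira, ctfmon and regsvr.exe Run entries pass these particular checks, which is a reminder that a plain look-alike name like regsvr.exe needs its own allowlist comparison.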