I received the trojan from sharing a USB flash drive (if that's what you mean by USB stick).
My external hard drive is infected as well as my main hard drive.
I have Autoruns...and I've noticed that there are a lot of missing files in the list...can I just delete those?
Thanks for responding to me.
Deckard's System Scanner v20071014.68
Run by Owner on 2008-07-29 20:44:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
58: 2008-07-30 03:45:32 UTC - RP68 - Deckard's System Scanner Restore Point
57: 2008-07-29 03:14:55 UTC - RP67 - System Checkpoint
56: 2008-07-27 23:45:40 UTC - RP66 - System Checkpoint
55: 2008-07-25 03:07:21 UTC - RP65 - System Checkpoint
54: 2008-07-24 03:04:01 UTC - RP64 - Printer Driver doPDF 6 Printer Driver Installed
-- First Restore Point --
1: 2008-05-01 01:18:16 UTC - RP11 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 511 MiB (512 MiB recommended).
-- HijackThis (run as Owner.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:50 PM, on 7/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.volcom.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Program Files\Notebook Hardware Control\nhc.exe" -quiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://qtinstall.info.apple.com/qtactivex/QTPlugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) -
http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) -
http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/micr...?1194824712278
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
--
End of file - 3607 bytes
-- File Associations -----------------------------------------------------------
.scr - AutoCADScriptFile - shell\open\command - C:\WINNT\NOTEPAD.EXE "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\winnt\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 RioPNP - c:\winnt\system32\drivers\riopnp.sys <Not Verified; RioPort.com; >
R3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\winnt\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
R3 nhcDriverDevice (Notebook Hardware Control Driver) - c:\winnt\system32\drivers\nhcdriver.sys <Not Verified; pBUS-167 Software -
http://www.pbus-167.com; Notebook Hardware Control Driver>
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 WDC_SAM (WD SCSI Pass Thru driver) - c:\winnt\system32\drivers\wdcsam.sys <Not Verified; Western Digital Technologies; WD External Storage>
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S3 ATWPKT2 - c:\progra~1\americ~1.0\atwpkt2.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S4 PACSPTISVR - "c:\program files\common files\sony shared\avlib\pacsptisvr.exe" <Not Verified; ; PACSPTISVR Module>
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-07-29 20:52:00 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2008-07-29 20:29:38 418 --ah----- C:\WINNT\Tasks\User_Feed_Synchronization-{BCF09352-0836-419B-957E-F7E0274A374A}.job
-- Files created between 2008-06-29 and 2008-07-29 -----------------------------
2008-07-29 20:42:21 0 d-------- C:\Program Files\Trend Micro
2008-07-23 20:08:40 0 d-------- C:\Documents and Settings\LocalService\Application Data\Softland
2008-07-23 20:02:29 0 d-------- C:\Program Files\Softland
2008-07-07 18:47:51 0 d-------- C:\WINNT\system32\CatRoot_bak
2008-07-07 09:00:52 0 d-------- C:\ie-spyad_zo
2008-07-01 19:50:45 0 d-------- C:\Program Files\Panda Security
-- Find3M Report ---------------------------------------------------------------
2008-06-24 20:26:40 0 d-------- C:\Program Files\Quicken
2008-06-24 20:26:17 0 d-------- C:\Program Files\Common Files
2008-06-24 20:23:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 20:17:17 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-06-12 12:48:40 0 d-------- C:\Program Files\SpywareBlaster
2008-06-12 12:05:59 0 d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-12 12:05:04 0 d-------- C:\Program Files\SUPERAntiSpyware
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 02:21 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/22/2002 02:10 PM]
"AS00_Gear511"="C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe" [01/20/2006 02:14 PM]
"NotebookHardwareControl"="C:\Program Files\Notebook Hardware Control\nhc.exe" [05/03/2007 05:33 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/14/2001 03:03 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/14/2001 03:02 PM]
"Multi-function Keyboard"="GWHotKey.exe" [08/28/2001 10:13 AM C:\WINNT\GWHotKey.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [08/23/2001 11:23 AM C:\WINNT\system32\ico.exe]
"KernelFaultCheck"="C:\WINNT\system32\dumprep 0 -k" []
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [06/12/2002 04:23 PM]
"GWMDMMSG"="GWMDMMSG.exe" [05/06/2002 01:12 PM C:\WINNT\GWMDMMSG.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"Aim6"="" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"ewido security suite control"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"SonicStage Back-End Service"=3 (0x3)
"PrismXL"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"MSCSPTISRV"=3 (0x3)
"iPodService"=3 (0x3)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"AresChatServer"=3 (0x3)
-- End of Deckard's System Scanner: finished at 2008-07-29 20:54:37 ------------