FileFront Forums


CyberRaptor September 24th, 2007 05:23 PM

Possible virus problem
 
Yeah, you read that right. It's been such a long time since I've had a serious infection on my home PC that I had almost come to believe it could never happen again. Well, here's the problem:

I've been experiencing repeated errors with Explorer. It would either terminate unexpectedly, or fail to load when logging in. I am able to launch it manually, but sometimes the screen goes black and the OS freezes solid.

Examples of these errors as they appear in the Event Log are as follows:

Faulting application explorer.exe, version 6.0.2900.3156, faulting module comctl32.dll, version 6.0.2900.2982, fault address 0x00010aec.

Faulting application explorer.exe, version 6.0.2900.3156, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x0003426f.

I didn't suspect a virus until later, when Ad-Aware found traces of it.
Also, when I started Internet Explorer (I normally use Firefox), Avast! popped up with a message saying:

Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\Documents and Settings\Venom\Local Settings\Temp\vista.exe" file.

I am running Windows XP Pro SP2. No part of Windows Vista has ever been on this machine in any form.
Clearly, such a file has no business being there. My first action was to "Move to chest", the option advised by Avast!
However, it seemed no matter how many times Avast! removed it, the file continued to replace itself. After opting to permanently delete the file and remove on startup if necessary, it appears to have stayed gone for the time being. I've run a thorough scan now with Avast! and there doesn't appear to be any further trace of malware, but I'm not entirely sure.
Bottom line: I need information, and advice on what to do next, if anything.

Edit: Hijackthis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:26:41 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Venom\Desktop\Hijackthis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\system32\17.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188365400203
O20 - Winlogon Notify: 17 - C:\WINDOWS\system32\17.tmp
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 5141 bytes

-Slick-cRiSsI September 24th, 2007 05:46 PM

Win32: Trojano - 1165...Please Help! - PC Pitstop Forums

Not sure it's exactly the same Virus / Trojan.. but the topic name is Win32: Trojano - 1165

Hope it helps.. especially that the issue was solved in that case.
Good luck

>Omen< September 24th, 2007 05:52 PM

Good that you're using Ad-Aware, Avast, and HijackThis, though I recommend as well CCleaner (Slim version only!), Spybot (has trojan detection support now), Windows Defender (don't use Explorer without it!) and of course a decent firewall with a backtrace feature; I use Sygate Personal (free). Make sure SpyBot is updated and immunized BEFORE you scan with it. This is good practice of course with ANY security program, and ones such as SpyBot and Windows Defender that run in the background in real time should be set to update themselves.

I ran a quick check of your HjT log in this auto analyzer and there are only two entries in it that are flagged, though one with an X, which is cause for concern. This is the more suspect of the two:

"O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\system32\17.tmp
Must be fixed! **.tmp (* = random char or digit) - Unidentified parasite - should you have any information about this application, [xs4] - if you actually have a copy of the file, please attach it to your email for analysis. Thanks!"

As you can see, the 17.tmp appears to refer to a temp file that may have come with a download. I suspect it may have been associated with the vista.exe reference. It could be just a false positive, meaning no actual spyware. It could even be something MS uses for those upgrading from XP to Vista. Try Googling vista.exe and 17.tmp and see if there have been any files with those designations associated with malware. My guess is if there has, it was false positives, mere glitches in the security programs not updated fully for Vista and/or Vista-related features compatibility.

I would say it is most likely safe to remove that entry containing the 17.tmp though. If HjT cannot do it you can probably do an Edit\Find search in the registry to do it manually.

The only other flag in the HjT log, bearing the lowest ? warning, is one involving Winlogon Notify. However, as you can see it also has the 17.tmp designation, so they appear to be related somehow.

O20 - Winlogon Notify: 17 - C:\WINDOWS\system32\17.tmp

I seriously doubt removing either of these entries will cause any harm, but if you want reassurance of that from techs, consult the WhatTheTech forum to get your log analyzed by experts. http://forums.whatthetech.com/forums.html
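As an added illustration of the pattern pointed out above (one .tmp file registered both as an unnamed BHO and as a Winlogon Notify entry), the following Python script, which is not from this thread or from HijackThis itself, parses a few constructed log lines in HijackThis format and flags load points that share a .tmp file:

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\system32\17.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: 17 - C:\WINDOWS\system32\17.tmp
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# HijackThis sections that load code into Explorer/IE or at logon without user action.
LOAD_POINTS = {"O2", "O4", "O20", "O23"}
TMP_RE = re.compile(r"\.tmp$", re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, path, line) for every HijackThis entry that names a file path."""
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(O\d+|R\d+)\s+-\s+(.*)$", line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        if section == "O4":
            # O4 lines put the command after the [name] tag rather than after " - ".
            pm = re.search(r"\]\s*(.*)$", rest)
            path = pm.group(1).strip() if pm else ""
        else:
            # For O2/O20/O23 the path is the last " - " separated field.
            path = rest.rsplit(" - ", 1)[-1].strip()
        yield section, path, line


def flag_entries(text):
    """Return {path: [reasons]} for load points that look like the 17.tmp case."""
    findings = defaultdict(list)
    seen_in = defaultdict(set)
    for section, path, line in parse_hjt(text):
        if section not in LOAD_POINTS:
            continue
        seen_in[path.lower()].add(section)
        if section == "O2" and "(no name)" in line:
            findings[path].append("unnamed BHO")
        if TMP_RE.search(path):
            findings[path].append(f"{section} loads a .tmp file")
    # One file registered under several load points is persisting in more than one place.
    for path in list(findings):
        if len(seen_in[path.lower()]) > 1:
            findings[path].append("same file in " + ", ".join(sorted(seen_in[path.lower()])))
    return dict(findings)
```

Running `flag_entries(HJT_SAMPLE)` reports only the system32\17.tmp path, with both the unnamed-BHO and the shared O2/O20 registration as reasons; the Adobe, Avast and NVIDIA-style entries are left alone.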

CyberRaptor September 24th, 2007 06:33 PM

Yeah, I also use Spybot, CCleaner, and SpywareBlaster. I've never used Windows Defender, but I'll give that a try now.

Quote:

I ran a quick check of your HjT log in this auto analyzer and there are only two entries in it that are flagged, though one with an X, which is cause for concern. This is the more suspect of the two:

"O2 - BHO: (no name) - {5E9755A1-314A-4ae6-99E1-B9F7DC7C7CF0} - C:\WINDOWS\system32\17.tmp
Must be fixed! **.tmp (* = random char or digit) - Unidentified parasite - should you have any information about this application, [xs4] - if you actually have a copy of the file, please attach it to your email for analysis. Thanks!"
I actually noticed that one before too, and tried to remove it in fact, but it didn't seem to work. I decided to overlook it for the moment, but after reading this about it, I'm now determined to get rid of it.

On the subject of Firewalls, is it really necessary to use a third party one, or is the Windows Firewall sufficient? I use Kerio Firewall on my older computer, but I never bothered to put one on this machine because I'm an avid gamer and firewalls seem like such a resource hog, as well as being a hassle to configure.

CyberRaptor September 24th, 2007 08:48 PM

Quote:

Originally Posted by -Slick-cRiSsI (Post 3942636)
Win32: Trojano - 1165...Please Help! - PC Pitstop Forums

Not sure it's exactly the same Virus / Trojan.. but the topic name is Win32: Trojano - 1165

Hope it helps.. especially that the issue was solved in that case.
Good luck

Good find. Turns out I had the same infection as the one talked about in that thread. It's a really nasty virus called Virtumonde (AKA Vundo) that embeds itself in Explorer, and I had to use a special tool to get rid of it. Now I'm just going to scan with various other programs to make absolutely sure that it is completely gone, and also check for traces of any other files or registry entries added by the virus, and remove them manually if I have to.

>Omen< September 24th, 2007 09:51 PM

Quote:

Originally Posted by CyberRaptor (Post 3942712)
On the subject of Firewalls, is it really necessary to use a third party one, or is the Windows Firewall sufficient? I use Kerio Firewall on my older computer, but I never bothered to put one on this machine because I'm an avid gamer and firewalls seem like such a resource hog, as well as being a hassle to configure.

The Windows firewall, even after it was beefed up a bit, is practically nothing compared to most any stand-alone. Sygate isn't very intrusive at all and, as mentioned, has a backtrace feature.

Though I doubt it would really be hogging any noticeable resources, you can always disable it while online gaming, and of course it's not necessary gaming offline if you disable your net connection.

marvinmatthew September 24th, 2007 10:17 PM

You might want to try to boot into Safe Mode and run some more scans.

World in Conflict September 25th, 2007 12:42 AM

This is all nice, I use some of the above mentioned programs, but don't you think having altogether 50 anti-malware, adware, spyware, virus programs can actually prevent you from gaming?

It's good to have this if you have some really important information/data on your PC... most of these viruses are yet unknown to me... where did you pick them up anyway? Heavy porn sites? :Puzzled:

Um... more than 3 anti-virus programs are a potential threat of having your PC completely erased.

Protection is good, but don't overdo it.

>Omen< September 25th, 2007 07:20 AM

No one here is advocating 50 security programs and certainly not more than one AV on a system at a time. The programs I recommend, only 4 of which run in the background and only 2 of which are needed as startup programs (Avast and Sygate), are as follows:

CCleaner
Ad Aware
SpyBot
HijackThis
Windows Defender
Sygate
Avast

If you're familiar with and trust the server you're gaming on, you can disable the AV and firewall and leave only SpyBot and Windows Defender running in real time, or just SpyBot if you're not using Explorer. Neither of them is anywhere near being a resource hog, and even Avast and Sygate rarely conflict with any software or do any noticeable resource hogging in my experience. There are actually some game browsers and anticheat software that are far more intrusive, such as Xfire and SecuROM.

World in Conflict September 25th, 2007 07:26 AM

Hm, maybe I will download some of those, or buy them if I must.

So far I only have AOL Active Virus Shield, AVG, Spyware Begone.
Blocks most of the harmful things.

Damn, I must get informed...;)
