Author Topic: UPX - Temp - Trojan (Read 3876 times)

vbs · « **on:** December 21, 2006, 07:32:18 PM »

Hi,

Avast always finds in my Temp folder win32:Horst-DZ Trojan.
It is an exe file. Like ( 90exinjs.v.exe/[UPX] ).
After deleting and a while Avast find again a trojan which named different.

Like: ( ....v.exe / [UPX] )

I searched with spyware softwares. Nothing found.
I turned-off system-restore.
Restarted the pc.
Searched with avast.

And then nothing found.

But some time ago i got avast warning again.
And then i decided to write here.

My OS is Windows XP SP2 Home Edition.

I am using;

- Avast 4.7 Home Edition
- SUPERAntiSpyware
- Spyware Blaster
- a-squared Guard

I did everything

- Turned Off System Restore
- Used Clean-Up
- a-squared Anti-Malware search, find and delete
- Avast! Boot Time Scan

But still getting the win32:Horst-DZ [Trj] trojan warning from Avast!.

Last infected (found virus) file: Temp\68exinjs.v.exe\[UPX]

I quarantined it.
Then i look up to the temp folder. And i found the others.

First it begins with conf extension like:

injs.v.exe.conf or ssd32.w.exe.conf

and then it creates exe files at the same (temp) folder like:

68exinjs.v.exe ..vs..vs.

I have smss.exe in C:\Windows\System location.

I don't know what i can do.
I really need your help.

My HiJackThis.log is:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 20:30:44, on 21.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\system32\svchost.exe
E:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
E:\PeerGuardian2\pg2.exe
E:\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\SpywareGuard\sgmain.exe
E:\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [GOKI üzerinde otomatik EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P49 "GOKI üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\GOKI\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = E:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

P.S: Excuse for bad english also.

Ripley · « **Reply #1 on:** December 21, 2006, 10:32:56 PM »

Hi vbs

I see you received some assistance over at the Avast forum and were recommended to post your log here. http://forum.avast.com/index.php?topic=25575.0

Welcome to Landzdown forum.

An expert will be reviewing your log as soon as one is available.

And by the way, your English is quite understandable.

Corrine · « **Reply #2 on:** December 22, 2006, 12:10:57 AM »

Hi, vbs. Welcome to LandzDown Forum.

From my research, that appears to be a nasty worm on your computer. Let's see what we can do to get rid of it.

Please download the Killbox © Option^Explicit.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system\smss.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Please download ATF Cleaner by Atribune from http://www.atribune.org/public-beta/ATF-Cleaner.exe . Save it to your Desktop.

Run ATF Cleaner

Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Shutdown/restart the computer.

Edit Note: It would also be a good idea to update Avast and run a full system scan after restarting your computer. Then post a fresh HijackThis log and let us know how how your PC is doing now.

vbs · « **Reply #3 on:** December 22, 2006, 02:50:33 AM »

Hi Corrine,

When i did;

Quote

Please download the Killbox © Option^Explicit.
Unzip it to the desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\system\smss.exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

these instructions, an error accured:

"PendingFileNameOperations Registry Data has been Removed by External Process!"

Before your help when i am trying to fix the this trojan problem i deleted c:\windows\system\smss.exe with manually. Maybe i got "PendingFileNameOperations Registry Data has been Removed by External Process!" message because of this.

I cleaned the pc with ATF Cleaner.

vbs · « **Reply #4 on:** December 22, 2006, 02:51:21 AM »

I forgot to paste my HiJackThis Log File:

Quote

Logfile of HijackThis v1.99.1
Scan saved at 05:48:49, on 22.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
E:\Program Files\a-squared Anti-Malware\a2guard.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
E:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AILE üzerinde otomatik EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P49 "AILE üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\AILE\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [GOKI üzerinde otomatik EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P49 "GOKI üzerinde otomatik EPSON Stylus CX3600 Series" /O13 "\\GOKI\Yazıcı" /M "Stylus CX3600"
O4 - HKLM\..\Run: [a-squared] "E:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX3600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE" /P26 "EPSON Stylus CX3600 Series" /M "Stylus CX3600" /EF "HKCU"
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://D:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {0FC8B38E-9293-424C-9D0E-CE60775679CF} (SubClassEditCtrlContainer Class) - https://sube.garanti.com.tr/lib/JaguarEditControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 2,3,4,5,6
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Corrine · « **Reply #5 on:** December 22, 2006, 10:07:23 PM »

Hi, vbs. I meant to ask you last night -- do you recognize the 017 entry for 192.168.0.1?

vbs · « **Reply #6 on:** December 23, 2006, 10:55:02 PM »

Hi Corrine,

It's my routers IP.

LandzDown Forum

News:

Author Topic: UPX - Temp - Trojan (Read 3876 times)

vbs

UPX - Temp - Trojan

Ripley

Re: UPX - Temp - Trojan

Corrine

Re: UPX - Temp - Trojan

vbs

Re: UPX - Temp - Trojan

vbs

Re: UPX - Temp - Trojan

Corrine

Re: UPX - Temp - Trojan

vbs

Re: UPX - Temp - Trojan