Trojan Installer logfile

TheChef

New Member
My friend has Norton AntiVirus, and contracted a trojan called something like installer.trojan, at least that's what he thinks it is. He contracted a lot of other viruses as well from the installer. Here is a logfile. It will take two posts. He could not run the suggested programs (adAware, HouseCall, Spybot etc.) due to a very lagged internet connection.

Logfile of HijackThis v1.99.1
Scan saved at 2:38:19 PM, on 8/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\zpdtrtd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\MMKeybd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\System32\jaqnnj.exe
C:\DOCUME~1\Eileen\LOCALS~1\Temp\wrapperouter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\PROGRA~1\VBouncer\VBOUNC~1.EXE
C:\PROGRA~1\VBouncer\ADDEST~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\cbwvosjb.exe
C:\WINDOWS\cbwvosjb.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
C:\PROGRA~1\ADDEST~1\ADDEST~1.EXE
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\system\umlpqsiwu.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Eileen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://business.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://business.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [BearShare] C:\Program Files\BearShare\BearShare.exe /m
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaqnnj.exe reg_run
O4 - HKLM\..\Run: [tsnT37X] cryfx12n.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [phmpeh] c:\windows\system32\zpdtrtd.exe r
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Corel\Suite8\Programs\CCWin\Aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0011.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



__________________________________________________
 
The installer is called Epolvy. Can your friend download anything? If not, you'll need to download these programs and transfer them to their comp with a USB stick or CD.

Ewido.
Nailfix.
Ccleaner.
CWShredder.
Killbox.

Download and update all these programs, but don't run anything yet. If your friend has got AdawareSE and Spybot, update them and do full scans in safe mode. Reboot and post a new log when you have access to the computer; don't reboot until you hear from me or Byteman.
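Before the helper above can tell the poster which entries to fix, someone has to read a log of this length and pick out the handful of lines that matter. The following Python script is an added example and is not part of this thread or of HijackThis itself: it parses a constructed excerpt made of lines copied from the log above, applies a few mechanical rules (anything running or autostarting from a Temp directory, a system.ini Shell= value with extra programs after Explorer.exe, rundll32 loading a DLL from outside System32 or Program Files, a text/html MIME filter, a service with no identified vendor) and notes whether each flagged binary also appears in the Running processes list. The rule set and the reason strings are my own assumptions about what deserves a second look; they are a triage aid, not a verdict, and they deliberately do not try to judge names like jaqnnj.exe or zpdtrtd.exe, which still need a manual lookup.

```python
import re

# Constructed excerpt: a handful of lines copied from the HijackThis log
# posted above, kept short so the rules below are easy to follow.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\System32\jaqnnj.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Eileen\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaqnnj.exe reg_run
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+\.dll)", re.IGNORECASE)
# Assumption: on this XP box a rundll32-loaded DLL under these two trees is unremarkable.
TRUSTED_DLL_DIR_RE = re.compile(r"^C:\\WINDOWS\\System32\\|^C:\\Program Files\\", re.IGNORECASE)


def parse(log):
    """Split a HijackThis log into the running-process list and the Rn/On/Fn entries."""
    procs, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return procs, entries


def first_path(cmd):
    """Pull the executable path out of a Run value (quoted, or bare with trailing args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(\S+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log):
    """Return (line, reason, currently_running) for each entry worth a second look."""
    procs, entries = parse(log)
    running = {p.lower() for p in procs}
    findings = []

    def flag(line, reason, path=None):
        # currently_running is True only when the flagged binary is in the process list
        findings.append((line, reason, path is not None and path.lower() in running))

    for p in procs:
        if TEMP_RE.search(p):
            flag(p, "process running from a temp directory", p)

    for e in entries:
        if (m := F2_RE.match(e)) and m.group("shell").strip().lower() != "explorer.exe":
            flag(e, "Shell= hijacked: extra program started alongside Explorer")
        elif (m := O4_RE.match(e)):        # only [name] Run values; Global Startup lines are skipped
            cmd = m.group("cmd")
            if TEMP_RE.search(cmd):
                flag(e, "autostart points into a temp directory", first_path(cmd))
            elif (d := RUNDLL_RE.search(cmd)) and not TRUSTED_DLL_DIR_RE.match(d.group("dll").strip()):
                flag(e, "rundll32 loads a DLL from outside System32/Program Files")
        elif (m := O18_RE.match(e)) and m.group("mime").lower() == "text/html":
            flag(e, "MIME filter on text/html: every page IE renders passes through this DLL")
        elif (m := O23_RE.match(e)) and m.group("owner").lower() == "unknown owner":
            flag(e, "service with no identified vendor", m.group("path"))
    return findings


if __name__ == "__main__":
    for line, reason, live in triage(SAMPLE_LOG):
        print(f"[{'LIVE' if live else '----'}] {reason}\n        {line}")
```

Run against the full log, the Temp rule also flags HijackThis.exe itself, because the poster ran it straight out of the zip's temporary extraction folder; that is a reason to save the tool to its own directory before scanning, not a sign of infection, and is the kind of judgement the script leaves to the reader. The LIVE marker is the useful cross-reference: a Run entry whose binary is also in the process list (sysnet.exe here) is the one that will fight back when you try to delete it, which is why the reply above asks for scans in safe mode.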
 