
Activedst.exe a Trojan file?


3 replies to this topic

#1 LostOne96

LostOne96


Posted 12 December 2009 - 02:23 PM

Hello!

I recently was infected by a trojan file, activedst.exe, which I believe is contained, but I would like some help cleaning my system. I'm running Windows XP, Media Center Edition (2002 version), updated to Service Pack 3. My security program is Kaspersky Internet Security 2009, and I also run SuperAntiSpyware (SAS) and Malwarebytes' Anti-Malware (MBAM).

According to Kaspersky, here is the series of events:

0.008989111490346868.exe (events: 8)
12/12/2009 10:13:08 AM Placed in group Low Restricted
12/12/2009 10:13:12 AM Process start C:\DOCUME~1\Morbius\LOCALS~1\Temp\0.008989111490346868.exe
12/12/2009 10:13:21 AM Setting debug privileges Allowed: KLPrivileges/KLPermissionSystem/KLPermissionPrivileges/KLSetDbgPrivilege
12/12/2009 10:13:21 AM Setting debug privileges Allowed: KLPrivileges/KLPermissionSystem/KLPermissionPrivileges/KLSetDbgPrivilege
12/12/2009 10:13:21 AM Delete C:\Documents and Settings\Morbius\Local Settings\Temp\0.008989111490346868.exe
12/12/2009 10:13:21 AM Modification C:\Documents and Settings\Morbius\Local Settings\Temp\~TM43.tmp
12/12/2009 10:13:21 AM Rename C:\Documents and Settings\Morbius\Local Settings\Temp\~TM43.tmp
12/12/2009 10:13:21 AM Process exit C:\DOCUME~1\Morbius\LOCALS~1\Temp\0.008989111490346868.exe

wpv981253129279.exe (events: 6)
12/12/2009 10:14:05 AM Placed in group Low Restricted
12/12/2009 10:14:05 AM Process start C:\WINDOWS\temp\wpv981253129279.exe
12/12/2009 10:14:05 AM Create C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Delete C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Create C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv981253129279.exe

wpv221253131464.exe (events: 6)
12/12/2009 10:14:06 AM Placed in group Low Restricted
12/12/2009 10:14:06 AM Process start C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:07 AM Process start C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:09 AM Access to protected storage Allowed: KLPrivileges/KLPermissionSystem/KLPermissionStrange/KLPrtStgAccess
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\temp\wpv221253131464.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv221253131464.exe

HpqPSmon (events: 5)
12/12/2009 10:14:11 AM Placed in group Untrusted
12/12/2009 10:14:12 AM Process start C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\system32\activedst.exe

wpv691257453440.exe (events: 4)
12/12/2009 10:14:09 AM Placed in group Untrusted : HEUR:Trojan.Win32.Generic
12/12/2009 10:14:09 AM Process start C:\WINDOWS\temp\wpv691257453440.exe
12/12/2009 10:14:09 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:09 AM Process exit C:\WINDOWS\temp\wpv691257453440.exe

wpv081257849029.exe (events: 4)
12/12/2009 10:14:15 AM Placed in group Untrusted : HEUR:Worm.Win32.Generic
12/12/2009 10:14:15 AM Process start C:\WINDOWS\temp\wpv081257849029.exe
12/12/2009 10:14:15 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:15 AM Process exit C:\WINDOWS\temp\wpv081257849029.exe

The last 3 entries show me moving the three programs to Kaspersky's Untrusted zone. To clear the program, I ran CCleaner, then MBAM, then SAS, and finally Kaspersky. Both MBAM and SAS cleared programs from the system; Kaspersky did not find anything. However, the activedst.exe file is still on my system.

I've pretty much exhausted my knowledge of system cleaning and would appreciate any help you can give.

Thanks!
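A defender's triage helper, added here as an example and not part of the original thread: it parses the Kaspersky event-listing format quoted in the post above and flags the chain that listing shows (a process launched from a Temp directory dropping files into system32, then an autorun attempt that Kaspersky denied). The sample log is an excerpt constructed from the entries above; the regexes and function names are my own assumptions, not anything from Kaspersky.

```python
import re

# Constructed sample: an excerpt of the Kaspersky event groups quoted in the post above.
SAMPLE_LOG = r"""
wpv981253129279.exe (events: 4)
12/12/2009 10:14:05 AM Process start C:\WINDOWS\temp\wpv981253129279.exe
12/12/2009 10:14:05 AM Create C:\WINDOWS\system32\acledith.exe
12/12/2009 10:14:06 AM Create C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:13 AM Process exit C:\WINDOWS\temp\wpv981253129279.exe

HpqPSmon (events: 3)
12/12/2009 10:14:12 AM Process start C:\WINDOWS\system32\activedst.exe
12/12/2009 10:14:12 AM Autorun Denied: KLPrivileges/KLSelfStart
12/12/2009 10:14:12 AM Process exit C:\WINDOWS\system32\activedst.exe
"""

# Event lines carry "MM/DD/YYYY HH:MM:SS AM|PM <action>"; group headers end in "(events: N)".
EVENT_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)          # any ...\Temp\... path
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.I)

def parse_groups(text):
    """Return {group name: [(timestamp, action), ...]} for the listing."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = EVENT_RE.match(line)
        if m and current is not None:
            groups[current].append((m.group(1), m.group(2)))
        elif line.endswith(")") and "(events:" in line:
            current = line.split(" (events:")[0]
            groups[current] = []
    return groups

def find_findings(groups):
    """Flag the temp-launch -> system32 drop -> autorun chain seen in the log."""
    findings = []
    for name, events in groups.items():
        started_from_temp = False
        for _, action in events:
            if action.startswith("Process start ") and TEMP_DIR_RE.search(action):
                started_from_temp = True
                findings.append((name, "process launched from a Temp directory"))
            elif started_from_temp and action.startswith("Create ") and SYSTEM32_RE.search(action):
                findings.append((name, "temp-launched process dropped " + action[len("Create "):]))
            elif action.startswith("Autorun Denied"):
                findings.append((name, "attempted to register itself for autostart"))
    return findings
```

Run `find_findings(parse_groups(SAMPLE_LOG))` to get the three kinds of findings; each dropped system32 path is reported so it can be checked and removed.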


#2 petewills

petewills


Posted 12 December 2009 - 02:28 PM

Please post your problem in the Security, Am I Infected? What do I do? forum.
The guys there can help you more.

#3 LostOne96

LostOne96

Posted 12 December 2009 - 02:30 PM

Yeah, I just realized that, too. Thanks!

#4 Animal

Animal


Posted 12 December 2009 - 04:18 PM

I have moved your post to the more appropriate forum for a quicker response, as the HJT forum is currently backlogged. It was also moved due to the lack of an HJT log included in the post.

You can find it here: http://www.bleepingcomputer.com/forums/t/278310/activedstexe-a-trojan/

To avoid confusion and duplicate information this thread is closed. All further assistance should be offered in the thread linked above.
