Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Win32:alphabet-b Trojan


  • Please log in to reply
1 reply to this topic

#1 pyrotech

pyrotech

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:12 PM

Posted 01 July 2007 - 11:28 AM

Hello All ive just registered as a member 1st time im posting. Please help, this morning i updated Avast anti-virus and it ran a scan of system and found alphabet-b trojan on system. Ive tried attempting to delete but what seems to be happpening is it continues to find the virus continuesly with random numbers as a file name from my documents & setting/local/temp folder. everytime it has been found im quarinteing them.

this forums been a great help. so far ive downloaded hijack, sdfix,combofix and downloaded and run ccleaner which has cleared all temp files from internet explorer and mozilla even the system temp files. still cant get rid of the trojan.

can someone take a look at the hijack scan and tell me what i should be deleting. the lines in bold is what i believe i should get rid of. thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 16:20:19, on 01/07/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\CLI.EXE
D:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
H:\Combat_Virus&Trojans\HijackThis\HijackThis.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [szarkrmf.exe] C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\system32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\system32\sclgntfy.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2saag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

Also saved the startup list as follows

StartupList report, 01/07/2007, 16:15:15
StartupList version: 1.52.2
Started from : H:\Combat_Virus&Trojans\HijackThis\HijackThis.EXE
Detected: Windows 2003 SP2 (WinNT 5.02.3790)
Detected: Internet Explorer v6.00 SP1 (6.00.3790.1830)
* Using default options
==================================================

Running processes:

D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\CLI.EXE
D:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\avp.exe
C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\cli.exe
H:\Combat_Virus&Trojans\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = D:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMAXPnP = C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
SoundMAX = "C:\Program Files (x86)\Analog Devices\SoundMAX\Smax4.exe" /tray
ATICCC = "C:\Program Files (x86)\ATI Technologies\ATI.ACE\CLIStart.exe"
avast! = D:\PROGRA~2\ALWILS~1\Avast4\ashDisp.exe
avp = C:\WINDOWS\avp.exe
szarkrmf.exe = C:\Documents and Settings\All Users\Application Data\szarkrmf.exe
SManager = smanager.7.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} = "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = %SystemRoot%\system32\mshta.exe "%1" %*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\syswow64\SHELL32.dll
CDBurn: C:\WINDOWS\syswow64\SHELL32.dll
WebCheck: C:\WINDOWS\SysWOW64\webcheck.dll
SysTray: C:\WINDOWS\SysWOW64\stobject.dll

Edited by pyrotech, 01 July 2007 - 11:30 AM.


BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:06:12 PM

Posted 13 July 2007 - 03:38 PM

Hello pyrotech and welcome to the BC HijackThis forum. There are a few interesting files in the log. Let's try a different scanner and see what else we can find.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Driver Services section click on Non-Microsoft.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users