Trojan Horse Downloader Keenval.E

Discussion in 'adware, spyware & hijack cleaning' started by Ana Martini, Jun 30, 2004.

Thread Status:
Not open for further replies.
  1. Ana Martini

    Ana Martini Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    3
    I found this virus on my computer and then found this address on Google (https://www.wilderssecurity.com/showthread.php?t=15913) telling users what to do. I did exactly as told, choosing Spybot S&D to run on my computer. My log file is added below:
    _____________________________________________________
    Logfile of HijackThis v1.97.7
    Scan saved at 14:04:21, on 30/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Ahead\InCD\InCD.exe
    C:\Arquivos de programas\Arquivos comuns\Logitech\QCDriver3\LVCOMS.EXE
    C:\Arquivos de programas\Logitech\ImageStudio\LogiTray.exe
    C:\ARQUIV~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe
    C:\Arquivos de programas\QuickTime\qttask.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Altnet\Points Manager\Points Manager.exe
    C:\WINDOWS\Driver Cache\unmc.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\WinZip\WZQKPICK.EXE
    C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Arquivos de programas\Logitech\ImageStudio\LowLight.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\_Install\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.predialnet.com.br/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\ARQUIV~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\ARQUIV~1\INCRED~1\BHO\INCFIN~1.DLL
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Arquivos de programas\Arquivos comuns\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Arquivos de programas\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Arquivos de programas\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [VetTray] C:\ARQUIV~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
    O4 - HKLM\..\Run: [kdsv] C:\WINDOWS\kdsv.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Arquivos de programas\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [unmc] C:\WINDOWS\Driver Cache\unmc.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C410FCAC-4CB8-41F8-84D6-0B4C840AEACF}: NameServer = 200.218.176.7,200.218.176.8
    ______________________________________________________

    Seems to me something horrible has happened to my machine.
    I'll be waiting for some reply.
    Thanks in advance.

    Ana Martini
     
    Last edited: Jun 30, 2004
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Ana

    If you have any concern at all for the security of your computer, you should uninstall Kazaa now

    It is the source of all your problems, now and in the future.....

    Read this about all the malware it contains......and malware/ spyware free alternatives.

    http://forums.winamp.com/showthread.php?threadid=64964

    Should you then decide to get rid of Kazaa....... do this.....

    Uninstall Kazaa from Add/remove programs in control panel....

    Do the same with P2P Networking .... it's a useless Kazaa add on that's been proven to slow down systems.......... If/when asked whether you also want to remove Altnet components, say 'Yes'

    Warning...Before running Kazaabegone, save any music files etc. that you have in Kazaa shared folders ... once you run Kazaabegone ... these will be lost forever

    If you have removed Kazaa from your computer....run this program as well... kazaabegone <<< Click here it will remove all the rubbish left behind by the Kazaa uninstall.

    Check the following items in HijackThis - close ALL windows\browsers except HijackThis and click "Fix checked":

    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\ARQUIV~1\INCRED~1\BHO\INCFIN~1.DLL
    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\ARQUIV~1\INCRED~1\BHO\INCFIN~1.DLL

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime <-----optional

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe

    O4 - HKLM\..\Run: [kdsv] C:\WINDOWS\kdsv.exe

    O4 - HKLM\..\Run: [KAZAA] C:\Arquivos de programas\Kazaa\kazaa.exe /SYSTRAY

    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE <--- optional

    NOTE....even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\Arquivos de programas\MyWay
    C:\WINDOWS\sysupd.exe
    C:\WINDOWS\kdsv.exe

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. Ana Martini

    Ana Martini Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    3
    Hi Marianna,

    I did everything as you say and I think my problem is over. The second log HijackThis gave is below:
    ___________________________________
    Logfile of HijackThis v1.97.7
    Scan saved at 23:01:38, on 30/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Arquivos de programas\Ahead\InCD\InCD.exe
    C:\Arquivos de programas\Arquivos comuns\Logitech\QCDriver3\LVCOMS.EXE
    C:\Arquivos de programas\Logitech\ImageStudio\LogiTray.exe
    C:\ARQUIV~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\Driver Cache\unmc.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\WinZip\WZQKPICK.EXE
    C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\VetMsgNT.exe
    C:\Arquivos de programas\Logitech\ImageStudio\LowLight.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\_Install\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.predialnet.com.br/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Arquivos de programas\Arquivos comuns\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Arquivos de programas\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Arquivos de programas\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [VetTray] C:\ARQUIV~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Arquivos de programas\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [unmc] C:\WINDOWS\Driver Cache\unmc.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C410FCAC-4CB8-41F8-84D6-0B4C840AEACF}: NameServer = 200.218.176.7,200.218.176.8
    ____________________________________

    But when I ran the eTrust EZAV I have installed on my computer, it told me there were 48 files unable to be scanned. Are these files separated from the others so as not to infect my machine again? That's my doubt.
    Another thing: running Spybot S&D, will my computer be protected?
    Thanks a lot for your attention.

    Ana Martini
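As an added example (not code from this thread or from HijackThis), a short Python triage script over the log format posted above: it diffs excerpts of Ana's two logs to list what Marianna's fix-list removed, and applies the same reading she gave the O4 autoruns, flagging an executable dropped straight into C:\WINDOWS (sysupd.exe, kdsv.exe) or one living under the Kazaa/P2P Networking/Altnet/MyWay bundle folders. The bundle-folder list and the "Windows root" rule are assumptions of this example, not HijackThis features.

```python
import re
# Lines excerpted from the two HijackThis logs posted in this thread:
# BEFORE is from the first log, AFTER from the second (post-cleanup) log.
BEFORE = r"""
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\ARQUIV~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Arquivos de programas\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [kdsv] C:\WINDOWS\kdsv.exe
O4 - HKLM\..\Run: [KAZAA] C:\Arquivos de programas\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""
AFTER = r"""
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 lines look like "[name] <command>"; we only pull absolute paths ending in .exe.
RUN_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.I)
# Bundle folders this thread treats as adware (an assumption made for this example).
BUNDLED = ("\\kazaa\\", "\\p2p networking\\", "\\altnet\\", "\\myway\\")
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe")

def parse(log):
    """Return (section, line) for every HijackThis entry line (R0/R1/R3/O2/O4/...)."""
    out = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m["sec"], raw.strip()))
    return out

def removed_entries(before, after):
    """Entries present in the first log but gone from the second: what the cleanup removed."""
    kept = {line for _, line in parse(after)}
    return [line for _, line in parse(before) if line not in kept]

def flag_run_entries(log):
    """Triage O4 autoruns: an .exe sitting directly in C:\\WINDOWS (like sysupd.exe
    and kdsv.exe here) or living under a bundle folder is flagged for a closer look."""
    flagged = []
    for sec, line in parse(log):
        m = RUN_RE.search(line) if sec == "O4" else None
        if not m:
            continue  # bare names such as "Mixer.exe" carry no path to judge
        path = m["path"].lower()
        if WINDOWS_ROOT_EXE.fullmatch(path) or any(b in path for b in BUNDLED):
            flagged.append(m["name"])
    return flagged
```

Run `flag_run_entries(BEFORE)` to get the three autoruns Marianna had Ana fix, and `removed_entries(BEFORE, AFTER)` to confirm the second log no longer carries them.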
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Ana,

    Great job - log looks clean to me :)

    Could it be these are the files in system restore?? Didn't EZ tell you which files??

    I would run Ad-Aware PLUS Spybot S&D at least once a week - and look often for updates! I also would recommend:

    a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
    b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html

    plus - do NOT forget to enable Immunize in Spybot S&D.

    Keep your AV up-to-date and once in a while go for a "second opinion" and run an online scan.

    HTH :)
     