Trojan in run32dll.exe????

Discussion in 'malware problems & news' started by charger69, Jul 23, 2004.

Thread Status:
Not open for further replies.
  1. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    My computer is very slow. TDS shows a RAT.BlueAdeptz: HKEY_CURRENT_USER trojan. I delete this with TDS and it shows up again. It appears that it is in the run32dll.exe file. I believe that this file also contains Windows processes, so I do not know what to do.
    Attached is the HJT log and the TDS dump.
    NOTE: The ..csw_keyfile start page is OK.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:50:10 PM, on 07/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\shellmon.exe
    C:\Program Files\America Online 8.0\aolwbspd.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
    C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DDFFFE96-037D-489D-B9E2-461413DB8568}: NameServer = 205.188.146.146


    Scan Control Dumped @ 16:32:40 21-07-04
    (Deleted) RegVal Trace: RAT.BlueAdeptz (in process memory): HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Run [RunDLL32=C:\WINNT\rundll32.exe]

    RegVal Trace: RAT.BlueAdeptz: HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Run [RunDLL32=C:\WINNT\rundll32.exe]

    Thank you in advance for your assistance.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    charger,

    As posted over here https://www.wilderssecurity.com/showthread.php?t=42148 we have changed our policy in regard to unasked HJT logs. Since you are obviously a (registered) TDS user, please drop an DCS Moderator an IM. In case s/he feels this has to be addressed, this thread will be moved to the TDS forum and handled by the DCS Moderator from there.

    regards.

    paul
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.