Trojan in run32dll.exe????

Discussion in 'malware problems & news' started by charger69, Jul 23, 2004.

Thread Status:
Not open for further replies.
  1. charger69

    charger69 Registered Member

    Joined:
    Jun 28, 2004
    Posts:
    8
    My computer is very slow. TDS shows a RAT.BlueAdeptz: HKEY_CURRENT_USER trojan. I delete this with TDS and it shows up again. It appears that it is in the run32dll.exe file. I believe that this file also contains Windows processes, so I do not know what to do.
    Attached is the HJT log and the TDS dump.
    NOTE: The ..csw_keyfile start page is OK.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:50:10 PM, on 07/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\cisvc.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\Program Files\Network Associates\Remote Desktop 32\CONNSRV.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE
    C:\WINNT\rundll32.exe
    C:\OfficeScan NT\PccNTMon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\America Online 8.0\waol.exe
    C:\Program Files\America Online 8.0\shellmon.exe
    C:\Program Files\America Online 8.0\aolwbspd.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
    C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
    C:\Documents and Settings\jasons\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://csw_keyfile/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.msn.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"
    O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
    O4 - Global Startup: OfficeScanNT Monitor.lnk = C:\OfficeScan NT\PccNTMon.exe
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Service Manager.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E7D8182-23F2-4FEB-8203-9BEB4811535A}: NameServer = 206.13.30.12,64.160.192.70
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DDFFFE96-037D-489D-B9E2-461413DB8568}: NameServer = 205.188.146.146


    Scan Control Dumped @ 16:32:40 21-07-04
    (Deleted) RegVal Trace: RAT.BlueAdeptz (in process memory): HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Run [RunDLL32=C:\WINNT\rundll32.exe]

    RegVal Trace: RAT.BlueAdeptz: HKEY_CURRENT_USER
    File: Software\Microsoft\Windows\CurrentVersion\Run [RunDLL32=C:\WINNT\rundll32.exe]

    Thank you in advance for your assistance.
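The detail worth reading in the log above is the pairing of `O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe` with `C:\WINNT\rundll32.exe` in the process list: the genuine rundll32.exe lives in the system32 directory and does nothing useful unless given a DLL and entry point to call, so a same-named copy sitting directly in the Windows directory, started from the user's Run key with no argument, is what TDS is pointing at rather than the Windows binary itself. The script below is an added example (not HijackThis, TDS or anything the poster ran) that applies that check to O4 Run entries in HijackThis v1.97 format; the `SYSTEM_ROOTS` list, the `EXPECTED_SUBDIR` table and the sample lines are assumptions constructed for the example, modelled on the log.

```python
"""Flag HijackThis O4 Run entries whose executable is named like a Windows
system binary but lives outside the directory that binary normally occupies,
or starts rundll32.exe with no DLL to load. Added example, not tool code."""

import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Assumption: NT-era Windows install roots. The log above uses C:\WINNT.
SYSTEM_ROOTS = (r"C:\WINNT", r"C:\WINDOWS")

# Assumption: subdirectory under the system root where a genuine copy of each
# well-known binary lives ("" means directly under the root).
EXPECTED_SUBDIR = {
    "rundll32.exe": ("system32",),
    "svchost.exe": ("system32",),
    "explorer.exe": ("",),
}

# Registry Run entries in HijackThis v1.97 format, e.g.
#   O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a raw Run value into (executable path, argument string).

    A quoted path runs to the closing quote; an unquoted one is cut after the
    first '.exe', so 'C:\\Program Files\\x\\y.exe -flag' still parses."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, flags=re.IGNORECASE)
    if m:
        return cmd[: m.end()], cmd[m.end():].strip()
    return cmd, ""


def expected_locations(binary: str) -> List[str]:
    """Normalised full paths where a genuine copy of `binary` is expected."""
    return [
        ntpath.normcase(ntpath.join(root, sub, binary))
        for root in SYSTEM_ROOTS
        for sub in EXPECTED_SUBDIR.get(binary, ())
    ]


def check_entry(hive: str, name: str, cmd: str) -> Optional[Dict[str, str]]:
    """Return a finding for one O4 Run entry, or None if nothing stands out."""
    exe, args = split_command(cmd)
    binary = ntpath.basename(exe).lower()
    if binary not in EXPECTED_SUBDIR:
        return None  # not a system-binary name; outside this check's scope
    reasons = []
    if ntpath.normcase(exe) not in expected_locations(binary):
        reasons.append(f"{binary} found outside its expected directory")
    if binary == "rundll32.exe" and not args:
        reasons.append("rundll32.exe started with no DLL argument")
    if not reasons:
        return None
    return {"hive": hive, "name": name, "path": exe, "reason": "; ".join(reasons)}


def find_masquerading_autoruns(lines) -> List[Dict[str, str]]:
    """Run check_entry over every O4 registry Run line; other lines are skipped."""
    findings = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue  # e.g. Global Startup .lnk entries, or non-O4 lines
        finding = check_entry(m["hive"], m["name"], m["cmd"])
        if finding:
            findings.append(finding)
    return findings


# Constructed sample in HijackThis v1.97 format, modelled on the log above.
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow',
    r'O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRCLEAN.EXE"',
    r'O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe',
    r'O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE',
]

if __name__ == "__main__":
    for f in find_masquerading_autoruns(SAMPLE_HJT_LINES):
        print(f"{f['hive']} [{f['name']}] {f['path']}: {f['reason']}")
```

On the sample the only hit is the HKCU `[rundll32]` entry, flagged on both counts; a legitimate line such as `C:\WINNT\system32\rundll32.exe shell32.dll,Control_RunDLL` passes. The path table is deliberately small: extend `EXPECTED_SUBDIR` with whatever system binaries you care about, and treat a hit as something to verify (file location, size, vendor signature) rather than as a verdict on its own.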
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    charger,

    As posted over here https://www.wilderssecurity.com/showthread.php?t=42148 we have changed our policy in regard to unasked HJT logs. Since you are obviously a (registered) TDS user, please drop a DCS Moderator an IM. In case s/he feels this has to be addressed, this thread will be moved to the TDS forum and handled by the DCS Moderator from there.

    regards.

    paul
     