TheTechGuide Forum
General Category => Tech Clinic => Topic started by: bennyboyler on August 28, 2007, 04:42:40 AM
-
Hi,
I'm receiving messages from my antivirus (Kaspersky) saying that it's infected with Trojan.Win32.Kolweb.n. It simply can't remove it.
I've seen other posts relating to this problem but wasn't sure whether the same fixes can be applied to all computers.
Below is a copy of my hijackthis log....
Thanks for your help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:53 AM, on 8/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WIN2\System32\smss.exe
C:\WIN2\system32\winlogon.exe
C:\WIN2\system32\services.exe
C:\WIN2\system32\lsass.exe
C:\WIN2\system32\svchost.exe
C:\WIN2\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WIN2\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WIN2\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WIN2\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~2\Dantz\RETROS~1\wdsvc.exe
C:\WIN2\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WIN2\Explorer.EXE
C:\WIN2\LTSMMSG.exe
C:\WIN2\SOUNDMAN.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WIN2\System32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\WIN2\System32\mrtMngr.EXE
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WIN2\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WIN2\System32\HPZipm12.exe
C:\WIN2\System32\HPZinw12.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - C:\WIN2\system32\werwed.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN2\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIN2\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-448539723-1229272821-725345543-1003\..\Run: [ctfmon.exe] C:\WIN2\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WIN2\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WIN2\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WIN2\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~2\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 9072 bytes
-
oh - one other thing....
I saw on the other post that you suggested removing older versions of Java Runtime. I've now already done this. Hope this doesn't confuse issues...
Thanks
-
I'm just on my way to work; in the meantime, can you do the following please:
Download Deckard's System Scanner (dss.exe) (http://deckard.geekstogo.com/dss.exe) to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
Post the contents of just main.txt
-
Deckard's System Scanner v20070826.66
Run by Hutch on 2007-08-29 13:08:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Unable to create WMI object; The operation completed successfully.
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Hutch.exe) -----------------------------------------------
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
3 ATWPKT2 - c:\win2\system32\drivers\atwpkt2.sys (file missing)
3 AWINDIS5 (AWINDIS5 Protocol Driver) - c:\win2\system32\awindis5.sys <Not Verified; AMBIT Microsystems Corporation.; AMBIT WinDis32 Protocol Driver for Windows>
2 ohciusb (Open Host Controller Miniport USB Driver) - c:\win2\system32\drivers\ohciusb.sys
3 Pfc (Padus ASPI Shell) - c:\win2\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
3 PRISM_ICB (NETGEAR WG511 Wireless LAN Driver) - c:\win2\system32\drivers\wg511icb.sys <Not Verified; LAN-Express; >
3 qcusbmdm (Vodafone Mobile Connect - 3G Modem) - c:\win2\system32\drivers\qcusbmdm.sys <Not Verified; Vodafone; Vodafone USB Modem/Serial Device Driver>
3 qcusbser (Vodafone Mobile Connect - 3G Diagnostics Interface) - c:\win2\system32\drivers\qcusbser.sys <Not Verified; Vodafone; Vodafone USB Modem/Serial Device Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
2 aawservice (Ad-Aware 2007 Service) - c:\program files\lavasoft\ad-aware 2007\aawservice.exe
2 C-DillaSrv - c:\win2\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
2 Irmon (Infrared Monitor) - c:\win2\system32\svchost.exe
2 RetroLauncher (Retrospect Launcher) - c:\program files\dantz\retrospect\retrorun.exe <Not Verified; Dantz Development Corporation; Retrospect>
2 RetroWDSvc (Retrospect WD Service) - c:\program files\dantz\retrospect\wdsvc.exe <Not Verified; Dantz Development Corporation; Retrospect>
2 uploadmgr (Upload Manager) - c:\win2\system32\svchost.exe
2 WinVNC4 (VNC Server Version 4) - c:\program files\realvnc\vnc4\winvnc4.exe
-- Device Manager: Disabled ----------------------------------------------------
Unable to create WMI object.
-- Scheduled Tasks -------------------------------------------------------------
2007-08-22 17:11:00 284 --a------ C:\WIN2\Tasks\AppleSoftwareUpdate.job
-- Files created between 2007-07-29 and 2007-08-29 -----------------------------
2007-08-29 13:07:09 95744 --a------ C:\WIN2\System32\werwee.exe
2007-08-29 13:07:09 148992 --a------ C:\WIN2\System32\werwee.dll
2007-08-29 13:07:04 95744 --a------ C:\WIN2\System32\werwee_redux.exe
2007-08-29 10:01:38 81786 --a------ C:\WIN2\werwed_redux.exe
2007-08-28 11:36:38 0 d-------- C:\Program Files\Trend Micro
2007-08-28 07:32:14 0 d-------- C:\Program Files\Lavasoft
2007-08-28 07:32:09 0 d-------- C:\Documents and Settings\All Users.WIN2\Application Data\Lavasoft
2007-08-28 07:21:32 81786 --a------ C:\WIN2\System32\werwed_redux.exe
2007-08-27 11:12:34 0 d-------- C:\Program Files\DupKiller
2007-08-26 07:48:23 148992 --a------ C:\WIN2\System32\werwed.dll
2007-08-25 16:52:08 152064 --a------ C:\WIN2\System32\werwec.dll
2007-08-25 16:50:57 4096 --a------ C:\WIN2\System32\drivers\ohciusb.sys
-- Find3M Report ---------------------------------------------------------------
2007-08-28 11:19:10 0 d-------- C:\Program Files\Common Files
2007-08-28 11:12:25 0 d-------- C:\Program Files\Java
2007-08-28 08:30:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 08:17:58 0 d-------- C:\Documents and Settings\Hutch.DAVID-D2E2Q9ON5\Application Data\Adobe
2007-08-06 00:04:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-04 00:30:22 0 d-------- C:\Program Files\Picasa2
2007-07-02 14:36:36 0 d-------- C:\Documents and Settings\Hutch.DAVID-D2E2Q9ON5\Application Data\Skype
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF08889-BF54-40A8-A4AE-FCABE6229D43}]
08/29/2007 01:07 PM 148992 --a------ C:\WIN2\system32\werwee.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTSMMSG"="LTSMMSG.exe" [03/30/2002 02:07 AM C:\WIN2\LTSMMSG.exe]
"NvCplDaemon"="C:\WIN2\System32\NvCpl.dll" [08/13/2003 06:12 AM]
"nwiz"="nwiz.exe" [08/13/2003 06:12 AM C:\WIN2\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [08/15/2003 03:34 PM C:\WIN2\SOUNDMAN.EXE]
"WG511WLU"="C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" [02/24/2003 08:20 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [03/27/2003 05:43 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/27/2003 05:43 PM]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [10/03/2002 03:41 AM]
"QAGENT"="C:\Program Files\QUICKENW\QAGENT.EXE" [01/25/2002 06:39 AM]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [11/02/2004 05:59 PM]
"Symantec NetDriver Monitor"="C:\PROGRA~2\SYMNET~1\SNDMon.exe" [06/28/2005 02:33 AM]
"WD Button Manager"="WDBtnMgr.exe" [08/26/2005 09:29 PM C:\WIN2\system32\WDBtnMgr.exe]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [01/30/2004 09:03 PM]
"eFax 4.1"="C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" [12/17/2005 01:59 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04/28/2006 02:05 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [03/27/2006 05:57 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/17/2005 05:11 AM]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [03/25/2006 01:09 AM]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/26/2006 12:58 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/2006 03:36 PM]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [06/16/2007 01:15 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WIN2\System32\ctfmon.exe" [03/31/2003 02:00 PM]
"DW4"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/28/2007 06:23 PM]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"checkregistry"=C:\WIN2\System32\werwee_redux.exe werwed.dll werwed.exe r
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"checkregistry"=C:\WIN2\System32\werwee_redux.exe werwed.dll werwed.exe r
C:\Documents and Settings\All Users.WIN2\Start Menu\Programs\Startup\
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [8/18/2005 9:55:22 PM]
HotSync Manager.lnk - C:\Program Files\palmOne\Hotsync.exe [6/10/2004 4:16:08 AM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/5/2004 1:28:24 AM]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [11/5/2004 1:50:52 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
-- Hosts -----------------------------------------------------------------------
192.168.0.158 HP00156048874B
-- End of Deckard's System Scanner: finished at 2007-08-29 13:12:26 ------------
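The helper reads the two logs above by eye: a Browser Helper Object registered with no name and living in System32, several freshly created binaries in the same directory, and a RunOnce value that names the same files. As an added example that is not part of this thread and not the output of either scanner, the following Python script performs that same correlation over lines excerpted from the HijackThis and DSS logs posted above. The seven-day window and the "vendor add-ons live under Program Files, not System32" rule are heuristics I chose for the example, not facts stated in the thread; anything it flags is a lead to check (as the helper does by submitting ohciusb.sys to VirusTotal), not a verdict.

```python
import re
from datetime import date

# Lines excerpted from the HijackThis and Deckard's System Scanner logs posted
# in this thread (one clean BHO and one directory entry kept for contrast).
HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {C5409798-47E6-412E-B1E6-0769BCE5B3E3} - C:\WIN2\system32\werwed.dll",
    r"O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe",
]
DSS_FILES = [
    r"2007-08-29 13:07:09 95744 --a------ C:\WIN2\System32\werwee.exe",
    r"2007-08-29 13:07:09 148992 --a------ C:\WIN2\System32\werwee.dll",
    r"2007-08-29 13:07:04 95744 --a------ C:\WIN2\System32\werwee_redux.exe",
    r"2007-08-28 11:36:38 0 d-------- C:\Program Files\Trend Micro",
    r"2007-08-26 07:48:23 148992 --a------ C:\WIN2\System32\werwed.dll",
    r"2007-08-25 16:50:57 4096 --a------ C:\WIN2\System32\drivers\ohciusb.sys",
]
DSS_RUNONCE = [
    r'"checkregistry"=C:\WIN2\System32\werwee_redux.exe werwed.dll werwed.exe r',
]
SCAN_DATE = date(2007, 8, 29)   # "Run by Hutch on 2007-08-29" in the DSS header
RECENT_DAYS = 7                 # assumed review window, not a value from the thread

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<size>\d+) (?P<attrs>\S{9}) (?P<path>.+)$")
BINARY_RE = re.compile(r"[\w~.-]+\.(?:exe|dll|sys)\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path):
    # Heuristic (my assumption): vendor browser add-ons install under Program
    # Files; a module dropped straight into System32 deserves a second look.
    return "\\system32\\" in path.lower()


def suspicious_bhos(lines):
    flagged = []
    for line in lines:
        m = BHO_RE.match(line)
        if not m:
            continue
        no_name = m.group("name").strip().lower() == "(no name)"
        if no_name or in_system_dir(m.group("path")):
            flagged.append({"clsid": m.group("clsid"), "file": basename(m.group("path")),
                            "reason": "no name" if no_name else "module in System32"})
    return flagged


def recent_binaries(lines, scan_date, window_days=RECENT_DAYS):
    flagged = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m or m.group("attrs").startswith("d"):
            continue  # directories carry no code of their own
        age = (scan_date - date.fromisoformat(m.group("date"))).days
        name = basename(m.group("path"))
        if age <= window_days and in_system_dir(m.group("path")) and BINARY_RE.fullmatch(name):
            flagged.append({"file": name, "age_days": age, "size": int(m.group("size"))})
    return flagged


def runonce_references(lines):
    # Every .exe/.dll/.sys token in the command line, including arguments.
    refs = set()
    for line in lines:
        if "=" in line:
            refs.update(tok.lower() for tok in BINARY_RE.findall(line.partition("=")[2]))
    return refs


def triage(hjt_lines, dss_files, dss_runonce, scan_date):
    bhos = suspicious_bhos(hjt_lines)
    recent = recent_binaries(dss_files, scan_date)
    refs = runonce_references(dss_runonce)
    recent_names = {r["file"] for r in recent}
    referenced = {b["file"] for b in bhos} | refs
    return {
        "suspicious_bhos": bhos,
        "recent_binaries": recent,
        "runonce_refs": sorted(refs),
        # Dropped recently AND wired into an autostart: the strongest signal.
        "corroborated": sorted(referenced & recent_names),
        # Named by an autostart but absent from the recent-file list: check whether it exists at all.
        "unmatched": sorted(referenced - recent_names),
    }


if __name__ == "__main__":
    for key, value in triage(HJT_LINES, DSS_FILES, DSS_RUNONCE, SCAN_DATE).items():
        print(f"{key}: {value}")
```

On the excerpt, the corroborated set is exactly the pair the helper later targets with both the .reg fix and OTMoveIt (werwed.dll and werwee_redux.exe); werwed.exe shows up as unmatched because DSS never listed it, which matches OTMoveIt later reporting that a sibling file was "not found".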
-
-
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Be sure to copy from REGEDIT4 down in the code box
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"checkregistry"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"checkregistry"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADF08889-BF54-40A8-A4AE-FCABE6229D43}]
Close down your browser windows again
Double click on fix.reg and allow to add/merge to the registry at the prompt
Come back here
Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer: save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
================================================
C:\WIN2\System32\werwee.exe
C:\WIN2\System32\werwee.dll
C:\WIN2\System32\werwee_redux.exe
C:\WIN2\werwed_redux.exe
C:\WIN2\System32\werwed_redux.exe
C:\WIN2\System32\werwed.dll
C:\WIN2\System32\werwec.dll
======================================================
- Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
- Click the red "MoveIt!" button.
- Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".
OTMoveIt will create a log here
C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
I'll need to see it later please
Can you post all the following back, even if it takes more than one reply to do so
1. Post a fresh hijackthis log
2. Post the log from OTMoveIt
3. I've had this file scanned before, but can you scan again please
Go to the following link
http://www.virustotal.com/flash/index_en.html
Copy>>Paste (You may have to use the Ctrl + V keys to paste)
to the open field under Upload a file
(Or you can manually browse to the filename)
The exact line below
c:\win2\system32\drivers\ohciusb.sys
Then click the Send File button, wait for the scan to finish
Post back the results of the scan please
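The fix.reg above relies on three REGEDIT4 conventions: `[Key]` opens the key (creating it if absent), `"name"=-` deletes just that value, and `[-Key]` deletes the whole key. The helper uses the value form for the two RunOnce keys so that any legitimate RunOnce entries survive, and the key form for the BHO's CLSID, which belongs to nothing else. As an added example (not the helper's, OldTimer's or any forum tool's code), the Python reviewer below parses a .reg file into the actions regedit would take and labels the autostart locations it touches, so a user can see exactly what a posted fix changes before merging it. The location labels are my own short descriptions, not text from the thread.

```python
import re

# The fix.reg posted above, reproduced here as the sample input.
FIX_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"checkregistry"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"checkregistry"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ADF08889-BF54-40A8-A4AE-FCABE6229D43}]
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

# Autostart locations a cleanup .reg commonly touches. The RunOnce marker is
# listed first because its path also contains the plain Run marker.
AUTOSTART_MARKERS = {
    "\\currentversion\\runonce": "RunOnce (runs at next logon, then the value is removed)",
    "\\currentversion\\run": "Run (runs at every logon)",
    "\\browser helper objects\\": "Internet Explorer BHO registration",
}


def parse_reg(text):
    """Turn REGEDIT4 text into the ordered list of actions regedit would perform."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit would refuse this file")
    actions, current = [], None
    for ln in lines[1:]:
        km = KEY_RE.match(ln)
        if km:
            key = km.group("key")
            if key.split("\\", 1)[0].upper() not in HIVES:
                raise ValueError(f"unknown hive in key: {key}")
            if km.group("delete"):
                actions.append({"op": "delete_key", "key": key})
                current = None          # values cannot follow a deleted key
            else:
                actions.append({"op": "open_key", "key": key})
                current = key
            continue
        vm = VALUE_RE.match(ln)
        if vm and current is not None:
            name = "(Default)" if vm.group("name") == "@" else vm.group("name")[1:-1]
            data = vm.group("data")
            if data == "-":
                actions.append({"op": "delete_value", "key": current, "name": name, "data": None})
            else:
                actions.append({"op": "set_value", "key": current, "name": name, "data": data})
            continue
        raise ValueError(f"unparsed line: {ln}")
    return actions


def describe(actions):
    """One human-readable line per action, tagged with the autostart location it hits."""
    report = []
    for a in actions:
        lowered = a["key"].lower()
        where = next((label for marker, label in AUTOSTART_MARKERS.items() if marker in lowered),
                     "other location")
        if a["op"] == "open_key":
            report.append(f"TOUCH KEY    {a['key']} (created if absent)  [{where}]")
        elif a["op"] == "delete_key":
            report.append(f"DELETE KEY   {a['key']}  [{where}]")
        elif a["op"] == "delete_value":
            report.append(f"DELETE VALUE {a['name']!r} under {a['key']}  [{where}]")
        else:
            report.append(f"SET VALUE    {a['name']!r} = {a['data']} under {a['key']}  [{where}]")
    return report


if __name__ == "__main__":
    for line in describe(parse_reg(FIX_REG)):
        print(line)
```

Run on the posted fix, the report shows two value deletions under the HKLM and HKCU RunOnce keys and one key deletion for the BHO CLSID, and nothing else; a fix that unexpectedly listed `SET VALUE` lines or touched keys outside those locations would be the cue to ask before merging.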
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:25 AM, on 8/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WIN2\System32\smss.exe
C:\WIN2\system32\winlogon.exe
C:\WIN2\system32\services.exe
C:\WIN2\system32\lsass.exe
C:\WIN2\system32\svchost.exe
C:\WIN2\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WIN2\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WIN2\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WIN2\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~2\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WIN2\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WIN2\Explorer.EXE
C:\WIN2\LTSMMSG.exe
C:\WIN2\SOUNDMAN.EXE
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WIN2\System32\mrtMngr.EXE
C:\WIN2\System32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WIN2\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WIN2\System32\HPZipm12.exe
C:\WIN2\system32\NOTEPAD.EXE
C:\Documents and Settings\Hutch.DAVID-D2E2Q9ON5\Desktop\OTMoveIt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN2\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WIN2\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [eFax 4.1] "C:\Program Files\eFax Messenger 4.1\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WIN2\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-448539723-1229272821-725345543-1003\..\Run: [ctfmon.exe] C:\WIN2\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WIN2\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WIN2\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WIN2\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WIN2\System32\HPZipm12.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~2\Dantz\RETROS~1\wdsvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 9311 bytes
-
OTMoveIT
C:\WIN2\System32\werwee.exe moved successfully.
C:\WIN2\System32\werwee.dll unregistered successfully.
C:\WIN2\System32\werwee.dll moved successfully.
C:\WIN2\System32\werwee_redux.exe moved successfully.
C:\WIN2\werwed_redux.exe moved successfully.
C:\WIN2\System32\werwed_redux.exe moved successfully.
File/Folder C:\WIN2\System32\werwed.dll not found.
C:\WIN2\System32\werwec.dll unregistered successfully.
C:\WIN2\System32\werwec.dll moved successfully.
Created on 08/30/2007 10:50:17
-
File ohciusb.sys received on 08.30.2007 10:56:42 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.29.0 2007.08.30 -
AntiVir 7.4.1.66 2007.08.30 -
Authentium 4.93.8 2007.08.29 -
Avast 4.7.1029.0 2007.08.29 -
AVG 7.5.0.484 2007.08.29 -
BitDefender 7.2 2007.08.30 -
CAT-QuickHeal 9.00 2007.08.30 -
ClamAV 0.91.2 2007.08.29 -
DrWeb 4.33 2007.08.30 -
eSafe 7.0.15.0 2007.08.29 -
eTrust-Vet 31.1.5095 2007.08.30 -
Ewido 4.0 2007.08.29 -
FileAdvisor 1 2007.08.30 -
Fortinet 3.11.0.0 2007.08.30 -
F-Prot 4.3.2.48 2007.08.29 -
F-Secure 6.70.13030.0 2007.08.30 -
Ikarus T3.1.1.12 2007.08.30 -
Kaspersky 4.0.2.24 2007.08.30 -
McAfee 5108 2007.08.29 -
Microsoft 1.2803 2007.08.30 -
NOD32v2 2491 2007.08.30 -
Norman 5.80.02 2007.08.29 -
Panda 9.0.0.4 2007.08.29 -
Prevx1 V2 2007.08.30 -
Rising 19.38.31.00 2007.08.30 -
Sophos 4.21.0 2007.08.30 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.30 -
TheHacker 6.1.9.175 2007.08.30 -
VBA32 3.12.2.3 2007.08.28 -
VirusBuster 4.3.26:9 2007.08.29 -
Webwasher-Gateway 6.0.1 2007.08.30 -
Additional information
File size: 4096 bytes
MD5: 88cb769ebcdae664a242450aa1fb1eca
SHA1: e22e989ff4df20918712e636732442b68a374acc
Thanks so much for your help!
-
bump
-
Sorry for the delay; the last log looked good and the file came back clean.
Can you still do the following please
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
OK the prompts; it may take a few seconds to remove old restore points
OK again after it's ready and let it finish cleaning
I would add a bit more protection to this computer
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html) *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
If there are other user profiles on the computer, have them login and
click the "enable all protections" with Spywareblaster under the Protection tab
Let's remove some files/folders that we used/produced. Please double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Select Yes to reboot Now
After reboot you can empty your recycle bin
Take note of the following:
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
It appears that you are not fully updated from Windows Updates
Can you manually visit Windows updates
In Internet Explorer click on TOOLS>>Windows updates
Run the Express scan
Install all latest high priority updates
Reboot when prompted, revisit till you have all latest high priorities
This will include Service pack 2
Hope that helps
-
Thanks for your help - I'll give it a go