
Unsolved

May 26th, 2009 20:00

BN*.tmp trojan keeps being detected by antivirus in the %temp% folder and an svchost.exe process keeps spawning

Hi, yesterday I tried to download a software crack, which is a .exe file. Just after I double-clicked on it, it shut down my Windows firewall and my antivirus (F-PROT) immediately detected a list of virus/trojan attacks. I quickly turned my firewall back on and everything seemed back to normal, but I didn't know that an svchost.exe process kept spawning automatically every few seconds, about 3060 KB in size; I didn't know that until Windows warned me my virtual memory was low. I then logged off Windows and logged in again, and then I saw my antivirus detecting a virus/trojan with the file name BN??.tmp that kept spawning automatically together with the svchost.exe process every few seconds. However, I managed to stop this automatic spawning by disconnecting my internet access.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:04 AM, on 27/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Feitian\USBToken2000\ep2k_certd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\X-Key\VhkTray.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\UltimateZip\uzqkst.exe
C:\Program Files\Tudou\硉Tudou\TudouVa.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\hkmak\Desktop\HiJackThis.exe
C:\Documents and Settings\hkmak\hkmak.exe
C:\Documents and Settings\hkmak\hkmak.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: TSWLObj Class - {8A7B6C4E-282C-4000-8336-27859E0A38FF} - C:\Program Files\X-Key\TsWebLock.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ep2k_certd] C:\Program Files\Feitian\USBToken2000\ep2k_certd.exe -r -s -a
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [PSDrvCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [VhkTray] C:\Program Files\X-Key\VhkTray.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [360Install] "C:\Program Files\QvodPlayer\installer.exe" "qvod"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [hkmak] C:\Documents and Settings\hkmak\hkmak.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\hkmak\.exe /i
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
O4 - Startup: 启动飞速土豆.lnk = tTudou\TudouVa.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &场ㄏノ FlashGet 更 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://mail.awlp.net
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file:///D:/components/hidinputmonitorx.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file:///D:/components/A9.ocx
O16 - DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_test.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00D2EBF2-A1D0-4E54-B6CE-E11EE1FE927F}: NameServer = 202.188.1.5,202.188.0.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{00D2EBF2-A1D0-4E54-B6CE-E11EE1FE927F}: NameServer = 202.188.1.5,202.188.0.132
O17 - HKLM\System\CS2\Services\Tcpip\..\{00D2EBF2-A1D0-4E54-B6CE-E11EE1FE927F}: NameServer = 202.188.1.5,202.188.0.132
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12762 bytes
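A defender's first triage pass over a HijackThis log like the one posted above, written as an added example (it is not the poster's code and not part of HijackThis): it parses the Running processes section and the O4 autorun entries and flags the kinds of items the symptoms point at, namely executables launched from the user profile or %temp%, an autorun entry with an empty name or an empty file name, and an svchost.exe living outside C:\WINDOWS\system32. The sample lines are copied from the log in the post; the heuristics and the helper names are this example's own assumptions, not HijackThis rules.

```python
import re
# Constructed sample: a few lines copied from the HijackThis log in the post above
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\hkmak\hkmak.exe

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [hkmak] C:\Documents and Settings\hkmak\hkmak.exe /i
O4 - HKCU\..\Run: [] C:\Documents and Settings\hkmak\.exe /i
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|tmp)\b", re.I)  # first drive-letter path in a command

def suspicious_reasons(path, name=None):
    """Triage heuristics (this example's own, not HijackThis rules) for one executable path."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    checks = [
        (name is not None and not name.strip(), "autorun entry has no name"),
        (base.startswith("."), "executable with an empty file name"),
        ("\\documents and settings\\" in p, "executable launched from a user profile folder"),
        ("\\local settings\\temp\\" in p or re.search(r"\\bn[0-9a-f]*\.tmp$", p) is not None, "executable in %temp% (BN*.tmp pattern)"),
        (base == "svchost.exe" and not p.startswith("c:\\windows\\system32\\"), "svchost.exe outside C:\\WINDOWS\\system32"),
    ]
    return [reason for hit, reason in checks if hit]

def triage(log_text):
    """Return (section, path, reasons) for every flagged running process or O4 autorun entry."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:" or not line:  # the header opens the process list, a blank line closes it
            in_procs = bool(line)
            continue
        if in_procs:
            reasons = suspicious_reasons(line)
            if reasons:
                findings.append(("process", line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.search(m["cmd"])
            path = pm.group(0) if pm else m["cmd"].split()[0]  # bare names like nwiz.exe fall back to the first token
            reasons = suspicious_reasons(path, m["name"])
            if reasons:
                findings.append((m["hive"], path, reasons))
    return findings
```

The user-profile check also fires on tools the operator dropped on the Desktop (HiJackThis.exe in the posted log), so the output is a shortlist for a human to review, not a verdict.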

No Responses!