Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Self creating folder - trojan?


  • This topic is locked This topic is locked

#1
Azra

Azra

    New Member

  • Member
  • Pip
  • 7 posts
Hello there,
I reallyr dunno what is hapening - but from few days a strange folder, named Logs, with 1 .txt file appears on my desctop in every 2-3 hours of work. here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:31, on 16.7.2005 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\UAService7.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\tools\installs and patches\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - D:\WINDOWS\system32\UAService7.exe
  • 0

Advertisements


#2
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi Azra,

Welcome to geekstogo.com!

I don't see anything in your log that would be causing this. Can you describe exactly what you are doing when this thing shows up? Also, the next time the folder shows up, zip up the folder and send it to this address. I'll have a look at it and it may be able to provide clues as to what causing it. Also, are there any other user accounts on this computer?
  • 0

#3
Azra

Azra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Well, I've send the mail to the adress you posted+ some aditional info...
  • 0

#4
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Well, that file didn't really tell me anything. It looks like it's capturing some details about your hardware configuration for some reason. I wonder if it has something to do with the MMORPG program. Are there any new programs you installed since you started seeing this?? Also, when you are working with Word, is the Word document saved to your desktop or somewhere else??

Just to be sure there's nothing else present, please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Post back the log from Silent Runners along with a fresh HJT log please. Also are there any other user accounts on this computer??
  • 0

#5
Azra

Azra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here comes the new log... and some more info - the file apears after lgoing into the game (writing user name and pass) the only other program I use is Team Speak.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "D:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Sandro\My Documents\My Pictures\korea-tauren-1024x.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "D:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "D:\WINDOWS\system32\UAService7.exe" [null data]
  • 0

#6
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi Azra,

the file apears after lgoing into the game (writing user name and pass)

1. Which game are you logging into?

2. Are there any new programs you installed since you started seeing this??

3. When you are working with Word, is the Word document saved to your desktop or somewhere else??

4. Are there any other user accounts on this computer??

Thanks!
  • 0

#7
Azra

Azra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

1.  Which game are you logging into?

2.  Are there any new programs you installed since you started seeing this??

3.  When you are working with Word, is the Word document saved to your desktop or somewhere else??

4.  Are there any other user accounts on this computer??

Thanks!

View Post


Hey Osc,
first of all - I want to thank you for the atention about that problem. Its really geting frustrating - I'v checked the system with Panda, and MSAntyspyware + the other soft, you provided in one of the taged posts, but they found nothing. The log seems to do no harm, but ... I cant figure out what could it be, as it seems to pop (after being deleted) anytime when I log in somwhere (being a game, msg board, site, mail client, etc.)
Here are the answers to your questions.
1. The games are World of Warcraft, Guild Wars.
2. No, no other programs since it started.. besides txt formating software I use only TeamSpeak (downloaded from here
3. I usualy save all my working documents at the desctop and then move them to archive folders.
4. No, there is no other user accounts - only I use that PC.
  • 0

#8
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi Azra,

Thanks for that info. We found some info regarding this problem.

Right-click on WoW shortcut icon on desktop and select "Properties" from menu. Copy the text from "Target" box and paste into "Start in" box. Finally, edit out the program name (WoW.exe)

For example:

Target: "C:\Program Files\World of Warcraft\WoW.exe"
Start in: "C:\Program Files\World of Warcraft"

---

Secondary Fix: (If Kaf's doesn't work)

1) Delete your desktop/start menu shortcut that you're using to run World of Warcraft.
2) Delete your Log folder from your desktop
3) Create a shortcut to WoW.exe from your World of Warcraft directory by right clicking WoW.exe and selecting it from the menu. (For those of you who don't know where that is, it's default installed into C:\Program Files\World of Warcraft\WoW.exe)
4) Put the shortcut onto your desktop and run the game to the login screen and exit. Problem should be fixed.

More details here:
http://forums.worldo...mp=1#post387680

Let me know how you make out.
Thanks to Atribune for finding this!
  • 0

#9
Azra

Azra

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Heh....
I really feel ashamed for wasting your time... and for panicing so much about that... :tazz:
Thank you for your help again... and at least my HJT log is clear...
Jeez! I'm laughing at myself right now...
And thanks again for opening my eyes!

Edit:
15 minutes later - no more log folder problems... I still am amased at Blizz.. to conect the problem to their product was the last thing on my mind. NIce job for them with their patches...

Edited by Azra, 18 July 2005 - 05:44 PM.

  • 0

#10
OSC

OSC

    Malware Expert

  • Retired Staff
  • 301 posts
Hi Azra,

You are welcome! I'm glad we could help. :tazz:

Since this problem appears to be resolved, I will be closing this topic. If you have any other issues, please start a new topic.

Thanks for visiting geekstogo.com!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP