Is it a virus?

Status
Not open for further replies.

indrajit

Journeyman
I’m using eTrust antivirus on my PC. A few days back it detected a virus and healed it.
The message was:

d:\software images\virus related\norton 2005 with cracks\nortonantivirusv2005allpatch.zip>Norton_AntiVirus_v2005_All_Patch.exe (Win32.Badment.D!downloader trojan)
But since then my PC has gone haywire!

1) Most of the time, whenever I click on any folder or file, a dialog box appears asking for confirmation to delete that file or folder. If I press “no”, the box keeps appearing over and over until the PC is restarted.

2) I had kept the log of my antivirus open for some time, minimized. When I maximized it after some time I found the lines in it were getting erased one by one, by themselves.

3) I don’t know if this is related or not, but every now and then Download Accelerator is trying to download from this location:

*a1568.g.akamai.net/7/1568/1600/200.../radio/clientdata/538/images/btn_stations.gif

I have run a full scan of my system using eTrust and Stinger but found nothing. Neither could I find anything on Google about the Win32.Badment trojan.

I’m posting my HijackThis log below. Help me out guys!


Logfile of HijackThis v1.99.0
Scan saved at 12:21:42 AM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\sdaemon.exe
C:\WINDOWS\winwd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Utility\FreeRAM XP Pro 1.40.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\Vet32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Utility\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *login.rediff.com/cgi-bin/login.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ...............iNdRaJiT's DoMaIn
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\All Users\Start Menu\Programs\Utility\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - User Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - User Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - User Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105788162828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58769E06-2020-4F49-AC41-2A23548D595F}: NameServer = 172.100.10.1
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Oracle\Ora81\bin\omtsreco.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - D:\Oracle\Ora81\bin\agntsrvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - D:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81HTTPServer - Unknown - D:\Oracle\Ora81\Apache\Apache\apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown - D:\Oracle\Ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81SNMPPeerEncapsulator - Unknown - D:\Oracle\Ora81\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome81SNMPPeerMasterAgent - Unknown - D:\Oracle\Ora81\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome81TNSListener - Unknown - D:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINDRAJIT - Oracle Corporation - d:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: winser - Unknown - C:\WINDOWS\system32\winser.exe
 

it_waaznt_me

Coming back to life ..
indrajit said:
C:\WINDOWS\system32\winser.exe
Kill this process from TaskMan ...

And then put a checkmark next to these entries in HijackThis and click on Fix Checked .. Delete winser.exe after reboot ...

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O23 - Service: winser - Unknown - C:\WINDOWS\system32\winser.exe
 
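A small triage script over HijackThis lines like the ones posted above, added here as an illustration (not code from this thread or from HijackThis itself). It flags the same kinds of entries the reply singles out: an O3 toolbar with no file on disk, O4 Run entries that point straight into the Windows directory or give only a bare filename, and O23 services with an Unknown vendor, rating a vendor-less service in system32 highest. The sample lines and the severity labels are constructed for the example.

```python
import re

# Constructed sample modelled on the HijackThis log posted above
# (a few of its lines, not the full log).
SAMPLE_LOG = """\
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\\..\\Run: [CHotKey] mHotkey.exe
O4 - HKLM\\..\\Run: [SDaemon] C:\\WINDOWS\\sdaemon.exe
O4 - HKLM\\..\\Run: [VetTray] C:\\PROGRA~1\\CA\\ETRUST~1\\ETRUST~1\\VetTray.exe
O23 - Service: OracleOraHome81TNSListener - Unknown - D:\\Oracle\\Ora81\\BIN\\TNSLSNR.exe
O23 - Service: winser - Unknown - C:\\WINDOWS\\system32\\winser.exe
"""

LINE_RE = re.compile(r"^(?P<sec>O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] \"?(?P<path>.*?\.exe)", re.I)
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# An executable sitting directly in the Windows dir or system32, not in a subfolder.
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O3" and body.endswith("(no file)"):
        return ("low", "toolbar CLSID with no file on disk: orphaned entry, safe to fix")
    if sec == "O4":
        run = O4_RE.match(body)
        if run:
            path = run.group("path")
            if "\\" not in path:
                return ("review", "Run entry is a bare filename resolved via the search path")
            if WINDIR_RE.match(path):
                return ("review", "Run entry launches an executable placed directly in the Windows directory")
    if sec == "O23":
        svc = O23_RE.match(body)
        if svc and svc.group("vendor") == "Unknown":
            if WINDIR_RE.match(svc.group("path")):
                return ("high", "service with no vendor info running from the Windows directory")
            return ("review", "service with no vendor info; confirm which product installed it")
    return None


def triage(log_text):
    """Run every line through triage_line; returns [(severity, line, reason), ...]."""
    hits = []
    for line in log_text.splitlines():
        verdict = triage_line(line)
        if verdict:
            hits.append((verdict[0], line, verdict[1]))
    return hits


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line}\n         {why}")
```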

indrajit

Journeyman
Thanx for the response batty! Did what you suggested, will wait for a day to check out if the problem's solved and then I'll post the result here.
 

indrajit

Journeyman
Not solved yet! Still asking for delete confirmation sometimes when I'm clicking on anything. Did an online virus scan at TrendMicro, but found nothing. One more thing, my mouse pointer is always showing the status of "working in background".
Any more suggestions guys? I don't want to go with the laborious process of FORMAT again! :(

Here is my HijackThis log after deleting the entries suggested by batty:


Logfile of HijackThis v1.99.0
Scan saved at 9:21:57 PM, on 2/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\winwd.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Utility\FreeRAM XP Pro 1.40.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Utility\HijackThis\HijackThis.exe
C:\WINDOWS\system32\drwtsn32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = *login.rediff.com/cgi-bin/login.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ...............iNdRaJiT's DoMaIn
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\All Users\Start Menu\Programs\Utility\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O4 - User Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - User Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - User Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - *v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1105788162828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - *a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58769E06-2020-4F49-AC41-2A23548D595F}: NameServer = 172.100.10.1
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: EPSON Printer Status Agent2 - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Oracle\Ora81\bin\omtsreco.exe
O23 - Service: OracleOraHome81Agent - Oracle Corporation - D:\Oracle\Ora81\bin\agntsrvc.exe
O23 - Service: OracleOraHome81ClientCache - Unknown - D:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81HTTPServer - Unknown - D:\Oracle\Ora81\Apache\Apache\apache.exe
O23 - Service: OracleOraHome81PagingServer - Unknown - D:\Oracle\Ora81/bin/pagntsrv.exe
O23 - Service: OracleOraHome81SNMPPeerEncapsulator - Unknown - D:\Oracle\Ora81\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome81SNMPPeerMasterAgent - Unknown - D:\Oracle\Ora81\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome81TNSListener - Unknown - D:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceINDRAJIT - Oracle Corporation - d:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

nirubhai

Broken In
Check in Explorer -> Folder Options -> File Types, the default action for the Folder item. There should be explorer & open; click on any one of them & set it as default.
If this does not work, there must be some process doing this. I don't know what apps you are using but I suspect these processes:
C:\WINDOWS\winwd.exe
C:\WINDOWS\Integrator.exe
3rd option is scan with NAV.
Last is format.....
 

swatkat

Technomancer
nirubhai said:
Check in Explorer -> Folder Options -> File Types, the default action for the Folder item. There should be explorer & open; click on any one of them & set it as default.
yes...do try this...
I don't know what apps you are using but I suspect these processes:
C:\WINDOWS\winwd.exe
C:\WINDOWS\Integrator.exe
3rd option is scan with NAV.
Last is format.....
winwd.exe is related to the software PCSecurity, and Integrator.exe is related to Hare and AntiCrash.

indrajit said:
I had kept the log of my antivirus open for some time, minimized. When I maximized it after sometime I found the lines in it were getting erased one by one by itself.
This is weird....do a thorough scan of your system with F-Secure and Trojan Remover........
Download F-Secure here and Trojan Remover here.
 