
Solved I have a Trojan

Discussion in 'Malware and Virus Removal Archive' started by Ranger SVO, 2009/04/18.

  1. 2009/04/18
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    [Resolved] I have a Trojan

    Hello

    My computer crashed this morning, so I decided to look into it. Here is what I found.

    Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini041809-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: SRV*c:\local cache*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Unable to load image \WINDOWS\system32\TUKERNEL.EXE, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for TUKERNEL.EXE
    *** ERROR: Module load completed but symbols could not be loaded for TUKERNEL.EXE
    Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
    Product: WinNt
    Machine Name:
    Kernel base = 0x804d7000 PsLoadedModuleList = 0x805634c0
    Debug session time: Sat Apr 18 09:35:10.546 2009 (GMT-5)
    System Uptime: 0 days 0:09:21.234
    Unable to load image \WINDOWS\system32\TUKERNEL.EXE, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for TUKERNEL.EXE
    *** ERROR: Module load completed but symbols could not be loaded for TUKERNEL.EXE
    Loading Kernel Symbols

    I decided to make this post here
    http://www.windowsbbs.com/windows-xp/83431-windows-crashed-again.html

    It was recommended that I post here and I decided that they may be right.

    So here is my DDS log


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by William R F***** at 14:17:01.87 on Sat 04/18/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1285 [GMT -5:00]

    AV: avast! antivirus 4.8.1335 [VPS 090417-0] *On-access scanning enabled* (Updated)
    FW: PC Tools Firewall Plus *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Skynergy\HotKeyz\HotKeyz.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\kpicom.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
    C:\WINDOWS\system32\TODDSrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\William R Farrar\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Bar = hxxp://www.google.com/ie
    uSearch Page = hxxp://www.google.com
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: CIEDownload Object: {67bcf957-85fc-4036-8dc4-d4d80e00a77b} - c:\program files\smart technologies\notebook software\NotebookPlugin.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe "
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
    mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [HotKeyz.exe Startup] c:\program files\skynergy\hotkeyz\HotKeyz.exe Startup
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [CFSServ.exe] CFSServ.exe -NoClient
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [ctra] c:\windows\kpicom.exe
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    StartupFolder: c:\docume~1\willia~1\startm~1\programs\startup\anapod~1.lnk - c:\program files\red chair software\anapod explorer\anamgr.exe
    StartupFolder: c:\docume~1\willia~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-9-6 114768]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-1-23 159600]
    R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-9-6 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-9-6 138680]
    R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-1-23 73840]
    R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2008-9-6 146800]
    R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-9-6 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-9-6 352920]
    R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2009-1-23 95640]
    S2 SMART Display Controller;SMART Display Controller;c:\program files\smart technologies\smart board drivers\ucservice.exe --> c:\program files\smart technologies\smart board drivers\UCService.exe [?]

    =============== Created Last 30 ================

    2009-04-18 08:36 50,688 a------- c:\windows\system32\ff_acm.acm
    2009-04-14 19:04 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
    2009-04-14 19:04 35,328 -c------ c:\windows\system32\dllcache\sc.exe
    2009-04-14 19:04 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
    2009-04-14 19:04 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-14 19:04 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
    2009-04-14 19:04 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-14 19:04 110,592 -c------ c:\windows\system32\dllcache\services.exe
    2009-04-14 19:04 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
    2009-04-14 19:04 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
    2009-04-14 19:04 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
    2009-04-14 19:02 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-04-14 19:02 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-04-14 19:02 2,560 -------- c:\windows\system32\xpsp4res.dll
    2009-04-11 22:35 <DIR> --d----- c:\program files\Replay Media Catcher
    2009-04-11 20:55 719,872 a------- c:\windows\system32\devil.dll
    2009-04-11 20:55 318,976 a------- c:\windows\system32\avisynth.dll
    2009-04-11 20:39 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
    2009-04-11 20:39 156,672 a------- c:\windows\system32\rmc_fixasf.exe
    2009-04-11 20:38 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
    2009-04-11 20:38 <DIR> --d----- c:\windows\Replay Media Catcher
    2009-04-11 19:32 <DIR> --d----- C:\hidownload
    2009-04-09 19:40 103,744 a------- c:\windows\system32\drivers\AnyDVD.sys
    2009-04-07 19:52 <DIR> --d----- c:\windows\Replay Converter 3
    2009-04-07 19:51 737,280 a------- c:\windows\iun6002.exe
    2009-04-04 15:15 <DIR> --d----- c:\program files\Names and Numbers
    2009-03-29 13:18 127 a------- c:\documents and settings\william r farrar\Autorun.exe
    2009-03-21 12:30 <DIR> --d----- c:\documents and settings\william r farrar\IETldCache
    2009-03-21 11:50 <DIR> --d----- c:\windows\Offline Web Pages
    2009-03-21 09:06 989,696 -c------ c:\windows\system32\dllcache\kernel32.dll
    2009-03-19 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Texas Instruments
    2009-03-19 20:00 <DIR> --d----- c:\docume~1\willia~1\applic~1\Texas Instruments
    2009-03-19 19:57 <DIR> --d----- c:\program files\TI Education

    ==================== Find3M ====================

    2009-03-17 19:04 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-12 18:37 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
    2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
    2009-02-26 20:27 4,096 a------- c:\windows\d3dx.dat
    2009-02-23 21:49 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
    2009-02-23 21:48 95,640 a------- c:\windows\system32\drivers\pctplfw.sys
    2009-02-20 13:09 78,336 a------- c:\windows\system32\ieencode.dll
    2009-02-17 08:33 89,256 a------- c:\windows\system32\ElbyCDIO.dll
    2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll

    ============= FINISH: 14:17:39.64 ===============

    Can you help??????????
     
  2. 2009/04/18
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    For the saints and angels here, for your information, here is a link to the original thread, though Ranger SVO does seem to have covered all the bases.
     


  4. 2009/04/19
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Hello, I ran a Malwarebytes scan; it found nothing.

    Malwarebytes' Anti-Malware 1.36
    Database version: 2009
    Windows 5.1.2600 Service Pack 3

    4/19/2009 10:31:15 AM
    mbam-log-2009-04-19 (10-31-15).txt

    Scan type: Quick Scan
    Objects scanned: 81941
    Time elapsed: 4 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Are we sure that TUKERNEL.exe is an infection???

    Anybody home?:rolleyes:
     
  5. 2009/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Ranger,

    Please upload the TUKERNEL.EXE file to my submission channel for analysis. Leave a link back to this topic.
     
  6. 2009/04/20
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Thank you for responding. I have discovered what TUKERNEL.EXE is. I have a modified boot screen on my computer. I used TuneUp Utilities to install it. TuneUp Utilities created and placed that file there.

    I deleted TUKERNEL.EXE and I now have the default Windows boot screen. Also, I have rebooted the computer a number of times and it has not returned. I think jotti was right and it was nothing.

    I will reinstall my custom boot screen later, but first I wanna make sure that Windows continues to run normally.

    If you really want a copy, let me know; I can reinstall the boot screen this week.

    I sincerely thank you for your time.
     
  7. 2009/04/20
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Noahdfear, I did reinstall my custom boot screen and TUKERNEL is back. I did send it to you as requested.
     
  8. 2009/04/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I suspected, as wildfire suggested, that the file was related to TuneUp Utilities. No need to do anything else, in my opinion, and we can mark this resolved.
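A triage helper for the WinDbg header in post #1, added here as an example; it is not code from the thread or from any tool mentioned in it. It parses the "Unable to load image" and "Unable to verify timestamp" lines, decodes the `0n2` error (decimal 2, ERROR_FILE_NOT_FOUND, raised on the analysis machine, not the crashed one), and flags a kernel image whose name is not a stock XP kernel name for host-side verification rather than calling it malicious, which matches how this thread resolved. The sample text and the STOCK_KERNELS allowlist are constructed for the example.

```python
import re

# Constructed sample: the relevant lines from the WinDbg output in post #1.
SAMPLE_WINDBG = """\
Loading Dump File [C:\\WINDOWS\\Minidump\\Mini041809-01.dmp]
Unable to load image \\WINDOWS\\system32\\TUKERNEL.EXE, Win32 error 0n2
*** WARNING: Unable to verify timestamp for TUKERNEL.EXE
*** ERROR: Module load completed but symbols could not be loaded for TUKERNEL.EXE
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
"""

# Assumed allowlist of kernel image names that ship with Windows XP.
STOCK_KERNELS = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}
EMPTY_ENTRY = {"path": None, "win32_error": None, "timestamp_unverified": False}
_UNLOADED = re.compile(r"Unable to load image (\S+), Win32 error 0n(\d+)")
_UNVERIFIED = re.compile(r"Unable to verify timestamp for (\S+)")

def parse_windbg_header(text):
    """Collect images the debugger could not load or verify, keyed by file name."""
    modules = {}
    for line in text.splitlines():
        m = _UNLOADED.search(line)
        if m:
            path, err = m.group(1), int(m.group(2))  # "0n" marks a decimal value
            name = path.rsplit("\\", 1)[-1].lower()
            entry = modules.setdefault(name, dict(EMPTY_ENTRY, path=path))
            entry["win32_error"] = err
            continue
        m = _UNVERIFIED.search(line)
        if m:
            entry = modules.setdefault(m.group(1).lower(), dict(EMPTY_ENTRY))
            entry["timestamp_unverified"] = True
    return modules

def triage(modules):
    """Return {name: (verdict, notes)}; the header alone never proves infection."""
    verdicts = {}
    for name, info in modules.items():
        notes = []
        if info["win32_error"] == 2:  # ERROR_FILE_NOT_FOUND on the *analysis* machine
            notes.append("debugger could not find the image on its executable search path")
        if info["timestamp_unverified"]:
            notes.append("no matching entry on the symbol server")
        verdict = "stock kernel name" if name in STOCK_KERNELS else (
            "non-stock kernel image name: check boot.ini for a /KERNEL= entry, "
            "then the file's version info and signature on the affected host")
        verdicts[name] = (verdict, notes)
    return verdicts

if __name__ == "__main__":
    for name, (verdict, notes) in triage(parse_windbg_header(SAMPLE_WINDBG)).items():
        print(f"{name}: {verdict}; " + "; ".join(notes))
```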
     
  9. 2009/04/20
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Thank you for your time. It is appreciated.
     
  10. 2009/04/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You betcha! :)
     
