
[Inactive] Trojan program Backdoor.Win32.Small.ive

Discussion in 'Malware and Virus Removal Archive' started by hd_pulse, 2010/02/18.

  1. 2010/02/18
    hd_pulse (Thread Starter)
    [Inactive] Trojan program Backdoor.Win32.Small.ive

    I got this virus which infected explorer.exe. I have tried to reformat my whole hard drive, reinstalled Windows XP, then installed KIS (Kaspersky). After that, I scanned explorer.exe and found no virus, but when KIS (Kaspersky antivirus) was done updating, I again scanned my explorer.exe, which is by the way located at C:\WINDOWS\explorer.exe, and it detected the virus once again. And just like the first time before I reformatted, it prompted me to delete the virus because it cannot disinfect it AND to do it after restart. As expected, KIS deleted my explorer.exe and it resulted in missing desktop icons and taskbar.

    CTRL+ALT+DELETE (Windows Task Manager) is the only way to open programs, via the "New Task..." button. Any form of help or advice would be much appreciated. Thanks.
     
  2. 2010/02/18
    Admin. (Administrator, Staff)
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     


  4. 2010/02/19
    hd_pulse (Thread Starter)
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by hemant at 19:06:49.96 on Fri 02/19/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2039.1535 [GMT 0:00]

    AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\ZTE EV-DO\bin\EVDO.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\hemant\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Service Pack 3 Internet Explorer
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: SBCONVERT Class: {31b27f2d-6bc6-451b-b3d2-4eab36b2fc3b} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
    BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
    BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\speedb~1\toolbar\grabber.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
    uRun: [WordWeb] "c:\program files\wordweb\wweb32.exe" -startup
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
    mRun: [ZTE-EVDO] "c:\program files\zte ev-do\bin\EVDO.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    dRun: [msnsc] c:\windows\system32\msnsc.exe
    dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
    dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TCP: {5CE0AF48-905A-4EFE-939B-3551F9831A73} = 218.248.255.193 218.248.240.181
    Notify: igfxcui - igfxdev.dll
    Notify: klogon - c:\windows\system32\klogon.dll
    AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\hemant\applic~1\mozilla\firefox\profiles\bkky7s0c.default\
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2010-2-16 296976]
    R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 303376]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
    R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
    R3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\drivers\ZTEusbser.sys [2010-2-16 94080]

    =============== Created Last 30 ================

    2010-02-19 18:55:40 72 --sha-w- c:\windows\klif.spi
    2010-02-19 02:43:46 40 ----a-w- c:\windows\Video Desktop-loc.cfg
    2010-02-19 02:42:47 0 d-----w- c:\program files\Video Desktop Company
    2010-02-19 02:42:29 796672 ----a-w- c:\windows\GPInstall.exe
    2010-02-19 02:41:23 0 d-----w- c:\program files\SpeedBit Video Downloader
    2010-02-19 01:48:15 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll
    2010-02-19 01:48:15 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe
    2010-02-19 01:47:29 0 d-----w- c:\windows\Applian Director
    2010-02-19 01:40:39 0 d-----w- c:\windows\Replay Media Catcher
    2010-02-19 01:40:38 0 d-----w- c:\program files\Replay Media Catcher
    2010-02-19 01:05:48 1191616 ------w- c:\windows\wweb32.dll
    2010-02-19 01:05:47 0 d-----w- c:\program files\WordWeb
    2010-02-18 22:12:52 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
    2010-02-18 22:06:49 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
    2010-02-18 22:06:48 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
    2010-02-18 22:06:37 121344 ----a-w- c:\windows\system32\hpf3l6eo.dll
    2010-02-18 22:06:36 271704 ----a-r- c:\windows\system32\hpzids01.dll
    2010-02-18 22:06:30 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
    2010-02-18 22:05:56 737280 ----a-r- c:\windows\system32\hposwia_d01a.dll
    2010-02-18 22:05:56 602112 ----a-r- c:\windows\system32\hpost_d01a.dll
    2010-02-18 22:05:56 372736 ----a-r- c:\windows\system32\hppldcoi.dll
    2010-02-18 22:05:56 307200 ----a-r- c:\windows\system32\hposc_d01a.dll
    2010-02-18 22:03:35 0 d-----w- c:\program files\common files\HP
    2010-02-18 22:03:33 0 d-----w- c:\program files\common files\Hewlett-Packard
    2010-02-18 22:02:39 0 d-----w- c:\program files\HP
    2010-02-18 22:02:26 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2010-02-18 22:02:24 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    2010-02-18 21:59:56 404 ------w- c:\windows\hpomdl34.dat
    2010-02-18 21:59:56 149502 ----a-w- c:\windows\hpoins34.dat
    2010-02-17 20:27:25 3255 ----a-w- c:\windows\system32\wbem\Outlook_01cab00f9de8acf0.mof
    2010-02-16 19:13:05 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
    2010-02-16 19:03:06 95259 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-02-16 19:03:06 108059 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-02-16 19:02:02 0 d-----w- c:\program files\Kaspersky Lab
    2010-02-16 19:02:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
    2010-02-16 19:01:18 0 d-----w- c:\docume~1\hemant\applic~1\ZTEEVDO
    2010-02-16 19:01:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
    2010-02-16 18:56:12 0 d-----w- c:\program files\ZTE EV-DO
    2010-02-16 18:46:33 0 d-----w- c:\program files\Realtek
    2010-02-16 18:33:25 0 d-----w- c:\program files\Microsoft ActiveSync
    2010-02-16 18:27:42 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-02-16 18:27:15 0 d--h--w- c:\program files\WindowsUpdate
    2010-02-16 18:27:11 0 d-----w- c:\program files\Online Services
    2010-02-16 18:26:10 0 d-----w- c:\program files\common files\MSSoap
    2010-02-16 18:24:26 0 d-----w- c:\program files\Unlocker
    2010-02-16 18:20:43 0 d-----w- c:\program files\MSN Messenger
    2010-02-16 18:19:48 0 d-----w- c:\program files\Windows NT
    2010-02-16 18:16:02 0 d-----w- c:\program files\common files\ODBC
    2010-02-16 18:15:14 0 d-----r- c:\documents and settings\all users\Documents
    2010-02-16 15:05:57 0 d-----w- c:\program files\VideoLAN

    ==================== Find3M ====================

    2010-02-16 18:46:26 315392 ----a-w- c:\windows\HideWin.exe
    2010-02-16 18:29:33 2293 ----a-w- c:\windows\mozver.dat
    2010-02-16 18:24:57 21640 ----a-w- c:\windows\system32\emptyregdb.dat

    ============= FINISH: 19:07:47.51 ===============
     
  5. 2010/02/19
    hd_pulse (Thread Starter)
    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/16/2010 6:30:03 PM
    System Uptime: 2/19/2010 6:51:22 PM (1 hours ago)

    Motherboard: | | LakePort
    Processor: Intel(R) Pentium(R) 4 CPU 2.93GHz | Socket 775 | 2933/133mhz
    Processor: Intel(R) Pentium(R) 4 CPU 2.93GHz | Socket 775 | 2933/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 67.918 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 78 GiB total, 72.807 GiB free.
    F: is FIXED (NTFS) - 88 GiB total, 86.913 GiB free.
    G: is FIXED (NTFS) - 67 GiB total, 66.802 GiB free.
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    L: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_813610EC&REV_01\4&1B41B794&0&00E0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_10EC&DEV_8136&SUBSYS_813610EC&REV_01\4&1B41B794&0&00E0
    Service:

    ==== System Restore Points ===================

    RP1: 2/16/2010 6:33:16 PM - Installed Microsoft Office Professional Edition 2003
    RP2: 2/16/2010 6:46:32 PM - Installed Realtek High Definition Audio Driver
    RP3: 2/16/2010 7:01:52 PM - Installed Kaspersky Internet Security 2010.
    RP4: 2/16/2010 2:53:32 AM - System Checkpoint
    RP5: 2/19/2010 12:28:58 AM - System Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.5
    BufferChm
    Copy
    Destination Component
    DeviceDiscovery
    DJ_AIO_04_F735_Software_Min
    F735
    GPBaseService2
    HP Customer Participation Program 12.0
    HP Deskjet F735 All-in-one Driver Software 12.0 Rel .4
    HP Imaging Device Functions 12.0
    HP Smart Web Printing
    HP Solution Center 12.0
    HP Update
    HPProductAssistant
    HPSSupply
    Intel(R) Graphics Media Accelerator Driver
    Kaspersky Internet Security 2010
    MarketResearch
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (3.5.8)
    Realtek High Definition Audio Driver
    Scan
    Shop for HP Supplies
    SmartWebPrinting
    Software Update for Web Folders
    SolutionCenter
    SpeedBit Video Downloader
    Status
    Toolbox
    TrayApp
    UnloadSupport
    VLC media player 1.0.2
    WebReg
    WinRAR archiver
    WordWeb
    ZTE EV-DO

    ==== Event Viewer Messages From Past Week ========

    2/18/2010 11:57:06 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    2/16/2010 7:02:58 PM, error: PSched [14107] - QoS [Adapter NDISWANIP]: The Packet Scheduler could not initialize the virtual miniport with NDIS.
    2/16/2010 6:32:23 PM, information: Windows File Protection [64032] - Windows File Protection is not active on this system.
    2/16/2010 6:30:14 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
    2/16/2010 4:41:08 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    2/16/2010 11:13:00 PM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
    2/16/2010 10:56:05 PM, error: Srv [2000] - The server's call to a system service failed unexpectedly.

    ==== End Of File ===========================
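    Added example (an editor's note, not part of any post in this thread and not code from WindowsBBS, from the DDS tool or from Kaspersky). Two lines in the logs above explain the symptom better than the detection name does: "mWinlogon: SfcDisable=-99 (0xffffff9d)" in post 4 and the event "Windows File Protection [64032] - Windows File Protection is not active on this system" in post 5. With Windows File Protection turned off, Windows XP will not restore a deleted C:\WINDOWS\explorer.exe from the dllcache, which is why deleting the flagged file left the machine with no shell, and sfc cannot be relied on to verify system files on that install. The Python below pulls those indicators, plus recently created hidden+system files, out of DDS log text; the sample text is a constructed subset of lines copied from the two posted logs, and the function and constant names are the editor's own. It does not decide whether the Kaspersky detection was correct: that still needs the file's hash compared with a known-good explorer.exe of the same XP build.

```python
"""Triage helpers for the text of a DDS log.

Added example for this thread; not code from WindowsBBS, from the DDS tool or
from Kaspersky.  SAMPLE_LOG is a constructed subset of lines copied from the
two logs posted in the thread; triage(), SFC_DISABLE_MEANING and the other
names are the editor's own.
"""
import re

# Meanings of the HKLM\...\Winlogon\SFCDisable DWORD on Windows XP.
SFC_DISABLE_MEANING = {
    0x00000000: "enabled (default)",
    0x00000001: "disabled, prompts at boot to re-enable (kernel debugger attached)",
    0x00000002: "disabled for the next boot only",
    0x00000004: "enabled, WFP pop-ups suppressed",
    0xFFFFFF9D: "disabled (value used by tweaked installs with a patched sfc_os.dll)",
}
# Values under which WFP still restores protected files.
WFP_ACTIVE_VALUES = {0x00000000, 0x00000004}

# Constructed sample: lines taken from the two DDS logs posted above.
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\hemant\\Desktop\\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Service Pack 3 Internet Explorer
mWinlogon: SfcDisable=-99 (0xffffff9d)
mRun: [AVP] "c:\\program files\\kaspersky lab\\kaspersky internet security 2010\\avp.exe"
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\\System32\\syssetub.dll" "%SystemRoot%\\System32\\syssetup.dll"

=============== Created Last 30 ================

2010-02-19 18:55:40 72 --sha-w- c:\\windows\\klif.spi
2010-02-19 02:42:29 796672 ----a-w- c:\\windows\\GPInstall.exe
2010-02-16 19:13:05 604140 --sha-w- c:\\windows\\system32\\drivers\\ISwift3.dat

==== Event Viewer Messages From Past Week ========

2/16/2010 6:32:23 PM, information: Windows File Protection [64032] - Windows File Protection is not active on this system.
"""

# DDS prints the Winlogon value as a signed decimal followed by the hex form.
SFC_RE = re.compile(r"^mWinlogon:\s*SfcDisable=(-?\d+)", re.I | re.M)
# Event 64032 is logged at boot when WFP is not running.
WFP_EVENT_RE = re.compile(r"Windows File Protection \[64032\].*not active", re.I)
# "Created Last 30" rows: timestamp, size, 8-char attribute field, path.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-\w]{8})\s+(.+)$", re.M)


def sfc_disable_value(log):
    """Return SFCDisable as DDS prints it (signed); 0 when the line is absent."""
    m = SFC_RE.search(log)
    return int(m.group(1)) if m else 0


def hidden_system_created(log):
    """'Created Last 30' entries carrying both the system (s) and hidden (h) attribute."""
    hits = []
    for stamp, size, attrs, path in CREATED_RE.findall(log):
        # DDS attribute field layout: position 2 is 's', position 3 is 'h',
        # e.g. '--sha-w-' for a hidden+system file, '----a-w-' for a plain one.
        if attrs[2] == "s" and attrs[3] == "h":
            hits.append((stamp, int(size), path.strip()))
    return hits


def triage(log):
    """Summarise the WFP state and hidden+system file creations found in a DDS log."""
    value = sfc_disable_value(log) & 0xFFFFFFFF   # -99 -> 0xffffff9d
    event = bool(WFP_EVENT_RE.search(log))
    return {
        "sfc_disable": value,
        "sfc_meaning": SFC_DISABLE_MEANING.get(value, "unknown value, treat as tampered"),
        "wfp_event_inactive": event,
        "wfp_off": value not in WFP_ACTIVE_VALUES or event,
        "hidden_system_created": hidden_system_created(log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("SFCDisable = 0x%08x: %s" % (result["sfc_disable"], result["sfc_meaning"]))
    print("WFP off:", result["wfp_off"])
    for stamp, size, path in result["hidden_system_created"]:
        print("hidden+system file created %s %7d %s" % (stamp, size, path))
```

    On the posted logs the script reports SFCDisable = 0xffffff9d (WFP disabled), corroborated by event 64032, and lists klif.spi and ISwift3.dat as the recently created hidden+system files; both belong to the Kaspersky install dated in the same log, so they are worth noting but are not evidence on their own.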
     
  6. 2010/02/19
    broni (Moderator, Malware Analyst)
    Well, I'm not sure how to address this situation.
    Let me start with asking a question.
    Was the computer physically connected (ethernet cable) to the net while you were performing the format and Windows reinstallation?
     
  7. 2010/02/20
    hd_pulse (Thread Starter)
    No, the computer was not connected to the net while performing the format and reinstallation.
     
  8. 2010/02/20
    broni (Moderator, Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  9. 2010/02/26
    hd_pulse (Thread Starter)
    I copied the explorer.exe file from my friend's PC and pasted it in the Windows directory, and everything is now back to normal.

    Thanks for all the contributions.

    How to mark the problem 'solved'?
     
    Last edited: 2010/02/26
  10. 2010/02/26
    broni (Moderator, Malware Analyst)
    I'll do it.
    Good news :)
     
