
Thread: Strange Install Behavior & Trojans

  1. #1
    Join Date
    Aug 2007
    Posts
    4

    Strange Install Behavior & Trojans

    Hi! Noticed your good work here guys so thought I'd come to you with my problem.

    I am currently working through the list of actions in the 'Read Me Before Posting a Request for Assistance' instructions, but with little else to do while Kaspersky takes 25 hrs to scan my drives, I thought I'd kick off the thread as it's 3.5 days since these problems started and work can't wait any longer.

    So I was installing some popular photo software last friday, with the Symantec suite of anti-virus and firewall running (for over a year without major problems - paid). All was going well until Norton alerted me that a couple of trojans had been identified but that my system was safe - happy days!

    Or so I thought - Norton then rolled over and demanded re-activation. Not a surprise, as it has happened more than once in the last year, but not in conjunction with trojan alerts.

    About two days of Symantec online chat help from analysts, basically each of them repeatedly tried the same things, removal of their software with the special Norton Removal Tool and erasing all files and symantec registry items (a sledge?), etc, all to no avail... the final analyst then suggested I run their online virus scanner (no-one else had mentioned this in two days -- and I obviously wasn't aware it existed -- even after my mentioning the suspected trojan presence several times) which reported that my system had a clean bill of health.

    But I still couldn't re-activate the Norton product and my install of the popular photo software was telling me that I wasn't allowed to continue because my account did not have the required privileges, try starting the program in administration user etc (I am always in admin mode!).

    I'd also created a new admin user with correct privileges and attempted to re-install and activate both products with no success (in the activation part).

    Search for more advice brought me here so I'm now running the scans as directed in your 'Read me first' file. I mistakenly ran the free AVG Anti-Spyware straight away in normal mode which turned up many trojans and quarantined 7 of them:

    Cardst x4, Agent.afl x1, Proxcrak.A x2 (see report attached below)

    Strange thing is these are all in very old files that have been on my system for quite some time in .rar's, .zip's, a couple of .js files and an .exe. Obviously never detected by Norton scans.

    Kaspersky has been at it for 17hrs now and has found a couple of viruses but they could be just dupes of the AVG findings - I'll attach the log when it's done.

    So, my key objectives are to work out:

    1. why when I try to install (almost anything) in admin mode I get a failure message which kindly states that I don't have the required privileges, although the install does complete successfully (this also happened when installing AVG I think - for example).

    2. why I don't seem able to activate the Symantec product (not that I will now anyway) or the popular photo software.

    3. why I'm getting strange messages telling me I have to be an admin user (which I am) to use or now activate (which I can't) the popular photo editing software.

    Any help in the meantime while I kick my heels waiting for Kaspersky to finish would be great, but I understand you need to see scans n' stuff.

    TIA

    All scans here performed in normal mode:
    kaspersky-drives-scan-log.txt

    kaspersky-critial-areas-scan-log.txt

    avg-antispyware-20070821.txt

    Safe Mode coming soon.
    Attached Files
    Last edited by chambreneuf; 08-22-2007 at 02:08 PM. Reason: Attaching Kaspersky Scans

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok,first of all we need the NAME of this "popular photo software". Where did you get it? Did you purchase this program from a store or online or was it given to you, OR was it from a shareware site or P2P file sharing?

    I see that these trojans were found on the "D" drive. Is this your cd-rom drive? If so then it means the cd you were using contained the trojans or infections. The Norton program warning you of this but saying your system was clean was actually correct, the disk was infected, it was scanning the disk.
    Now you say it is odd that Norton didn't detect these trojans before, there is nothing odd about it, Norton is an anti-virus program not an anti-trojan program. Now it is NOT unusual for the anti-virus program to pick up something during an install, even a trojan, BUT most of the time an anti-virus program will NOT remove a trojan. The online Norton scan is looking for VIRUSES not Trojans.

    It is NOT unusual to receive "you must be an administrator" warnings to run a particular program. This does not necessarily mean you are not logged on as administrator; it is just TELLING you that you must be the administrator to run the program. It is a standard warning.
    Now if this all happened while trying to install this photo program then chances are the photo program may have contained these or some of these infected objects and this may very well be the reason you cannot now install it.

    Yes, Kaspersky online scanner usually does take a long time, BUT, you were creating this thread WHILE the scanner was running, which absolutely would slow down the scanning. You need to close all unnecessary programs while running this scan: email, IM programs, file sharing (which could be where these trojans originated). You should not be using your computer at all while the scan is taking place; doing anything else while running the scan will make it even slower because it is a very in-depth scan, it is scanning each and every program, file and folder on the computer. Using even one of these files while the scan is going on will slow the scan down.

    What I need now is full information about the computer...os, hard drive size, ram installed, etc., and follow the instructions for downloading, location, renaming of HiJackThis. Then run a full scan with it, save the log and post back here with that log. We can go from there. We can get the computer clean but we need to begin to see what is going on there first.
    Judy

    P.S.

    Two of the infected objects found on your computer by Kaspersky are something called CB Bar v.2.229. This apparently is from a company called ClickBank. Here is their claim from their website;
    Clickbank sells some of the hottest and newest software available on the Internet today. If you are not up on the newest products at Clickbank, then you are behind....With over 10,000 programs and ebooks, it is a little hard to find the software that you are looking for in the Clickbank Marketplace. There is not a simple way to search it. Until the CB Bar.
    These infections were found to be on ClickBar on August 18, 2007 by various online scanners....3.5 days ago, when your own problems began. But this is NOT the only version of ClickBar found to contain adware, spyware, trojans, etc. Several others have also been found to contain some of these. As you well know Clickbank is a shareware site. This is one risk of using shareware. There is NO guarantee that these shared files and programs are clean.

    Another of these infected files found on the computer by Kaspersky is from the BitTorrent program, another file sharing program.

    The four trojans found AND Quarantined by the AVG scan, were ALSO from file sharing.
    You should empty that Quarantine file AND REMOVE that D:\R E S O U R C E S
    from the computer. If it is a CDR THROW IT AWAY. If it is NOT a cdr and "D" is another hard drive then go into that drive in Safe Mode and DELETE that R E S O U R C E S folder or program or whatever it is.
    Last edited by jholland1964; 08-21-2007 at 03:11 PM. Reason: additional information added

  3. #3
    Join Date
    Aug 2007
    Posts
    4
    Hi, thanks for coming back to me.

    Just back in normal mode so can update you on progress and supply remaining info.

    Photo software is Photoshop. I had an old version but was installing an acquired copy of Photoshop CS3 (P2P) on a different drive to test the new features.

    "D" drive is an additional hard drive. I have over 1.5m files on the PC so I'm not surprised re. the time it takes to complete each scan. "K" is a removable hard drive which I was starting to back up my system onto but only got so far, hence contains copies of some of the files on the main system.

    I mentioned Norton in connection with the trojans because their products have identified and secured me against trojans in the past. Perhaps I was expecting too much, just my understanding.

    Regarding the "you must be an administrator" - it's unusual for me. I've never seen it before. I agree it's in connection with the install of CS3 as everything was fine up to that point.

    Majority of the time while Kaspersky was running I was on the couch trying to stay away from the computer. But thanks for the advice - I will remember in future.

    PC info:

    OS: Windows XP Home Edition SP2 (WinNT 5.01.2600) - all updates installed immediately
    Hard drive size: 250GB
    Ram: 1 GB
    CPU: 3.40GHz
    Browsers: Firefox latest version (used every day) - IE6 (only use when forced to)

    Thanks for the info on ClickBank - they are actually a digital product affiliate marketing group, I only go there to log into my account and get urls for the purpose of promoting other people's digital products. I don't download/buy products. Interesting that you say Clickbar was downloaded. I was not aware of this. Thanks.

    Thanks for the info on the infections found so far.


    Here is an update on my progress since.

    -------------------
    AVG IN SAFE MODE
    -------------------

    Ran AVG in safe mode and it found pretty much the same files as the previous scan. I followed your directives to the letter but it didn't save a scan report, and the scan took 9 hours so I'm a little averse to doing it again.

    Attached is an image of the quarantined files from the AVG scan:

    avg-quarantined-safemode.jpg

    There were some failures in quarantining the baddies after the scan so I'm going to have to go back in and re-scan I guess after I remove the "resources" folder.

    ----------------------------------
    WINDOWS DEFENDER IN SAFE MODE
    ----------------------------------

    Found 1 item:

    Adware:Win32/TwainTech in C:\WINDOWS\smdat32.sys

    Removed successfully by program.

    -----------
    HJT Report
    -----------

    hjt-220807.txt


    Thanks in advance for your help. This computer is my livelihood and being in my 5th day without being able to work is not going down well with my clients - as you can imagine!
    Last edited by chambreneuf; 08-22-2007 at 04:52 AM.

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    A quick look through your HJT log doesn't show infection, BUT it also does NOT show a firewall. This is an absolute necessity, especially with file sharing. It also doesn't mean there aren't infections there, we know there are some there. HJT is just one of the tools we need to use to help in discovery and removal.

    Several things here;
    You say that you will "re-scan I guess after I remove the "resources" folder." Most definitely that folder needs to be removed. TOTALLY. If there are items in there, URLs etc., that you need to keep, then I would NOT back them up to another drive or CDR but would print out what you need to save from there on paper; anything else on there that cannot be safely backed up, I am sorry to say, you will have to lose. I say this because we know there is infection there; even if it is cleaned out first, moving to another drive or CDR runs the risk that you carry these nasty items and/or some corrupted files along to the new location.

    Photo software is Photoshop. I had an old version but was installing an acquired copy of Photoshop CS3 (P2P) on a different drive to test the new features.
    "Acquired" is certainly a polite term for something else, especially for a program which was just released in April, 2007. Makes me wonder where the person you acquired it from "acquired" it. Anyone can download a free trial copy of this new program to test the new features from Adobe.com.

    This shows you one of the dangers of file sharing. This version of Photoshop (NEW) lists for anywhere from an upgrade cost of $195.99 to $650+ for the full brand new program. I am not saying that this brought in all the infections, some we know were already there, but "something" about this did trigger your Norton program to react, see below. Probably a file on this newly "shared" program which caused an old "shared" file to "kick in" or vice versa, so to speak. There lies the danger. One must weigh the actual savings of P2P...yes, you "saved" $650 on this program but "something" in there and/or one of the other shared files from long ago has cost you, as you said, 5 work days thus far. I have no idea your income, but if you only make minimum wages then for a forty hour week that would be nearly $250 lost and $50 more than just purchasing the program upgrade. This doesn't count the possible corruption of other files or programs on the computer itself. Sorry, I will get off my "soapbox" now, I have just dealt with so many folks and their computers unnecessarily damaged in this way by file sharing that I want folks to stop and think.
    Back to your problems.
    Interesting that you say Clickbar was downloaded. I was not aware of this.
    A good many things can download without your knowledge, especially without a firewall.

    You state that Windows Defender found and removed 1 item
    Adware:Win32/TwainTech in C:\WINDOWS\smdat32.sys
    The REAL Twaintech or, "Twain" is a method for drivers to acquire images either from scanners or cameras. It's commonly used in Photoshop to get the raw image data. But THIS particular file is a form of adware from 180 Solutions that is masquerading as Twain drivers and it is installed either through P2P or some other trojan. I would bet that this came from your "acquired" Photoshop program.

    To be absolutely certain that it is totally gone you need to do the following;

    You need to download and run Killbox
    Double-click Killbox.exe to run it.

    Select "Delete on Reboot".
    Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:


    C:\WINDOWS\smdat32.sys

    Put a mark next to "Delete on Reboot"
    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.

    You should empty those quarantine files in AVG and I need to know the names and locations of the items that AVG couldn't clean or quarantine.

    Next download and run the following tool;

    AnalyzerXP 3.7

    Uses a special scan method to spot the suspicious looking files located at the most common, system and/or user critical locations on a system running Windows XP. This version filters out the known, typical files and folders so the log is much leaner than the previous versions. This utility does not modify or delete any files!

    Save the log and post it here.
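    The "Delete on Reboot" step above relies on a standard Windows mechanism: the MoveFileEx API with MOVEFILE_DELAY_UNTIL_REBOOT appends a (source, destination) string pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager replays those pairs early in the next boot, before the driver holding smdat32.sys open is loaded. An empty destination means "delete". The script below is an added example, not Killbox's code or anything from the original post; the helper names are my own, and the target path C:\WINDOWS\smdat32.sys is taken from the post. It builds and audits that registry list portably, and only writes the registry when run on Windows as an administrator.

```python
"""Added example: what "Delete on Reboot" does under the hood on Windows.

Entries in PendingFileRenameOperations come in pairs:
  [source, destination, source, destination, ...]
  destination ""        -> delete source at boot
  destination "!\\??\\X" -> move source over X, overwriting it
  anything else         -> plain move
Paths use the NT object-manager form \\??\\C:\\path, not C:\\path.
"""
import sys

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def to_nt_path(win_path: str) -> str:
    """Turn C:\\WINDOWS\\smdat32.sys into \\??\\C:\\WINDOWS\\smdat32.sys."""
    if not win_path or ":" not in win_path:
        raise ValueError("expected an absolute drive path, got %r" % win_path)
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def add_delete_entry(existing, win_path):
    """Return a copy of the REG_MULTI_SZ list with a delete entry appended.

    Scheduling the same file twice is a no-op, so this is safe to re-run.
    """
    entries = list(existing)
    if len(entries) % 2:
        raise ValueError("malformed %s: odd number of strings" % PENDING_VALUE)
    src = to_nt_path(win_path)
    for i in range(0, len(entries), 2):
        if entries[i].lower() == src.lower() and entries[i + 1] == "":
            return entries
    entries.extend([src, ""])
    return entries


def describe_pending(entries):
    """Decode the list into (source, action, destination) triples for review.

    Worth reading before you reboot: malware can use the very same value to
    overwrite a legitimate system file at boot, so audit any "replace" rows.
    """
    out = []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        if dst == "":
            out.append((src, "delete", ""))
        elif dst.startswith("!"):
            out.append((src, "replace", dst[1:]))
        else:
            out.append((src, "move", dst))
    return out


def schedule_delete(win_path):
    """Append a delete-on-reboot entry (Windows only; needs admin rights)."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations only exists on Windows")
    import winreg
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY, 0, access) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            existing = []
        updated = add_delete_entry(existing, win_path)
        winreg.SetValueEx(key, PENDING_VALUE, 0, winreg.REG_MULTI_SZ, updated)
    return updated


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\smdat32.sys"
    if sys.platform == "win32":
        pending = schedule_delete(target)
    else:
        # Dry run on non-Windows: show the list that would be written.
        pending = add_delete_entry([], target)
    for src, action, dst in describe_pending(pending):
        print(action, src, dst)
```

    Two caveats a practitioner would add: the file only stays gone if nothing recreates it, so before rebooting also look under HKLM\SYSTEM\CurrentControlSet\Services for a service whose ImagePath points at smdat32.sys and disable it; and Session Manager applies every pair in that value, not just yours, so review the decoded list for unexpected "replace" rows, which is a known way for malware to swap out system files during boot.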

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079

    Further Review and Considerations

    Now that I am looking seriously again at your attachment I see that many, if not most, of these Trojans likely are also the result of "acquired" programs.
    Two loggers were found in eBay.Source.Codes.zip....I must assume that this also was an "acquired" program. The eBay developer's program is free to join, but you cannot get the source code unless you join a tiered commercial level (starting at $500). Did you pay the $500?
    One of these is located on your "D" drive and the other is located in your removable "K" drive, where you have used "white out" to erase "something" showing on the AVG scan...now it may be your name or address or phone# and that would be understandable to white that out, BUT I also see that another Trojan cleaned by AVG is Trojan.Agent.afl which evidently was also "acquired" from a website that you have also chosen to "white out" of your attachment.

    Because the bulk of these infections, I believe at least, are the result of some possibly shady file sharing I will cease to assist you in this clean up.
    Please note this from General Guidelines of this Forum;
    Discussion of illegal activities such as software and music piracy and other intellectual property violations are not allowed.

    Also while these rules cover most common situations, they cannot anticipate everything. Consequently we reserve the right to take any actions we deem appropriate to ensure these forums are not disrupted or abused in any way.
    Judy

  6. #6
    Join Date
    Aug 2007
    Posts
    4
    Quote Originally Posted by jholland1964 View Post
    One of these is located on your "D" drive and the other is located in your removable "K" drive, where you have used "white out" to erase "something" showing on the AVG scan...now it may be your name or address or phone# and that would be understandable to white that out, BUT I also see that another Trojan cleaned by AVG is Trojan.Agent.afl which evidently was also "acquired" from a website that you have also chosen to "white out" of your attachment.
    Yes, the white-outs were my name in both instances - you'll notice they are similar in length. You have jumped to a few conclusions, but I appreciate the help you gave to date.

  7. #7
    Join Date
    Aug 2006
    Location
    192.168.10.100
    Age
    39
    Posts
    4,486
    Forgive us for jumping to conclusions. With the information that you have provided us and the suspicious blanking of information on that screenshot of your log, it would seem as though you are hiding something. I would also like to point out the fact that the uploaded file seems to have changed in appearance since it was originally uploaded, furthering our suspicions of illegal activity.

    The fact that you are using P2P software to "acquire" your software is your personal choice, but as jholland stated, that is against forum rules to have any discussion regarding any of that information on here. If you would be willing to prove that the information that you have blanked out, and/or prove that the file sharing wasn't illegal, we would be more than willing to further assist you in any way that we can.

    If you cannot prove that, we are sorry, but we will be unable to provide any further assistance in this matter.

    Thank you for your understanding.

  8. #8
    Join Date
    Aug 2007
    Posts
    4
    PM sent

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    It would have been polite if you had given information as to how this was fixed. We will consider this issue resolved.

    According to PM from chambreneuf
    winantivirus spyware was causing the problem according to the guy I paid to remove it.
    For others interested; Winantivirus usually can be removed by applying one of several FREE fix programs.
    Last edited by jholland1964; 08-24-2007 at 11:51 AM. Reason: Additional Information from poster
