
Thread: Strange Install Behavior & Trojans


  1. #1 (Join Date: Aug 2007; Posts: 4)
    Hi, thanks for coming back to me.

    Just back in normal mode so can update you on progress and supply remaining info.

    Photo software is Photoshop. I had an old version but was installing an acquired copy of Photoshop CS3 (P2P) on a different drive to test the new features.

    "D" drive is an additional hard drive. I have over 1.5m files on the PC so I'm not surprised re. the time it takes to complete each scan. "K" is a removable hard drive which I was starting to back up my system onto but only got so far, hence contains copies of some of the files on the main system.

    I mentioned Norton in connection with the trojans because their products have identified and secured me against trojans in the past. Perhaps I was expecting too much, just my understanding.

    Regarding the "you must be an administrator" - it's unusual for me. I've never seen it before. I agree it's in connection with the install of CS3 as everything was fine up to that point.

    Majority of the time while Kaspersky was running I was on the couch trying to stay away from the computer. But thanks for the advice - I will remember in future.

    PC info:

    OS: Windows XP Home Edition SP2 (WinNT 5.01.2600) - all updates installed immediately
    Hard drive size: 250GB
    Ram: 1 GB
    CPU: 3.40GHz
    Browsers: Firefox latest version (used every day) - IE6 (only use when forced to)

    Thanks for the info on ClickBank - they are actually a digital product affiliate marketing group, I only go there to log into my account and get URLs for the purpose of promoting other people's digital products. I don't download/buy products. Interesting that you say Clickbar was downloaded. I was not aware of this. Thanks.

    Thanks for the info on the infections found so far.


    Here is an update on my progress since.

    -------------------
    AVG IN SAFE MODE
    -------------------

    Ran AVG in safe mode and it found pretty much the same files as the previous scan. I followed your directives to the letter but it didn't save a scan report, and the scan took 9 hours so I'm a little averse to doing it again.

    Attached is an image of the quarantined files from the AVG scan:

    avg-quarantined-safemode.jpg

    There were some failures in quarantining the baddies after the scan so I'm going to have to go back in and re-scan I guess after I remove the "resources" folder.

    ----------------------------------
    WINDOWS DEFENDER IN SAFE MODE
    ----------------------------------

    Found 1 item:

    Adware:Win32/TwainTech in C:\WINDOWS\smdat32.sys

    Removed successfully by program.

    -----------
    HJT Report
    -----------

    hjt-220807.txt


    Thanks in advance for your help. This computer is my livelihood and being in my 5th day without being able to work is not going down well with my clients - as you can imagine!
    Last edited by chambreneuf; 08-22-2007 at 04:52 AM.

  2. #2 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    A quick look through your HJT log doesn't show infection, BUT it also does NOT show a firewall. This is an absolute necessity, especially with file sharing. It also doesn't mean there aren't infections there, we know there are some there. HJT is just one of the tools we need to use to help in discovery and removal.

    Several things here;
    You say that you will "re-scan I guess after I remove the "resources" folder." Most definitely that folder needs to be removed. TOTALLY. If there are items in there, URLs etc., that you need to keep then I would NOT back them up to another drive or cdr but I would print out on paper what you need to save from there; anything else on there that cannot be safely backed up, then I am sorry to say you will have to lose it. I say this because we know there is infection there, even if it is cleaned out first, moving to another drive or cdr runs the risk that you carry these nasty items and/or some corrupted files along to the new location.

    Photo software is Photoshop. I had an old version but was installing an acquired copy of Photoshop CS3 (P2P) on a different drive to test the new features.
    "Acquired" is certainly a polite term for something else, especially for a program which was just released in April, 2007. Makes me wonder where the person you acquired it from "acquired" it. Anyone can download a free trial copy of this new program to test the new features from Adobe.com.

    This shows you one of the dangers of file sharing. This version of Photoshop (NEW) lists for anywhere from an upgrade cost of $195.99 to $650+ for the full brand new program. I am not saying that this brought in all the infections, some we know were already there, but "something" about this did trigger your Norton program to react, see below. Probably a file on this newly "shared" program which caused an old "shared" file to "kick in" or vice versa, so to speak. There lies the danger. One must weigh the actual savings of P2P...yes, you "saved" $650 on this program but "something" in there and/or one of the other shared files from long ago has cost you, as you said, 5 work days thus far. I have no idea your income, but if you only make minimum wages then for a forty hour week that would be nearly $250 lost and $50 more than just purchasing the program upgrade. This doesn't count the possible corruption of other files or programs on the computer itself. Sorry, I will get off my "soapbox" now, I have just dealt with so many folks and their computers unnecessarily damaged in this way by file sharing that I want folks to stop and think.
    Back to your problems.
    Interesting that you say Clickbar was downloaded. I was not aware of this.
    A good many things can download without your knowledge, especially without a firewall.

    You state that Windows Defender found and removed 1 item
    Adware:Win32/TwainTech in C:\WINDOWS\smdat32.sys
    The REAL Twaintech or, "Twain" is a method for drivers to acquire images either from scanners or cameras. It's commonly used in Photoshop to get the raw image data. But THIS particular file is a form of adware from 180 Solutions that is masquerading as Twain drivers and it is installed either through P2P or some other trojan. I would bet that this came from your "acquired" Photoshop program.

    To be absolutely certain that it is totally gone you need to do the following;

    You need to download and run Killbox
    Double-click Killbox.exe to run it.

    Select "Delete on Reboot".
    Place the following line (complete path) in the "Full Path of File to Delete" box in Killbox:

    C:\WINDOWS\smdat32.sys

    Put a mark next to "Delete on Reboot"
    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
    If your computer does not restart automatically, please restart it manually.

    You should empty those quarantine files in AVG and I need to know the names and locations of the items that AVG couldn't clean or quarantine.

    Next download and run the following tool;

    AnalyzerXP 3.7

    Uses a special scan method to spot the suspicious looking files located at the most common, system and/or user critical locations on a system running Windows XP. This version filters out the known, typical files and folders so the log is much leaner than the previous versions. This utility does not modify or delete any files!

    Save the log and post it here.
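The "Delete on Reboot" step above relies on a standard Windows mechanism: a deletion is queued in the registry value PendingFileRenameOperations and carried out by Session Manager early in the next boot, before anything can lock the file again. The PowerShell script below is an added example, not code from the thread or from the Killbox tool; it records the file's size, timestamps and hash for your notes, queues the same delete-on-reboot for the path named in the thread, shows what is queued, and after the restart confirms the file is really gone. It assumes a modern PowerShell (Add-Type needs 2.0 or later, so it would not run on the original XP box) and an elevated (administrator) prompt; $Target is the path from the thread, and any other path you substitute is your own choice.

```powershell
# Added example (not from the thread): queue a delete-on-reboot for a file that
# cannot be removed while Windows is running, and verify the result afterwards.
# Run from an elevated (administrator) PowerShell prompt.

$Target     = 'C:\WINDOWS\smdat32.sys'   # path named in the thread
$SessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# MoveFileExW with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT (4)
# writes the pending deletion into PendingFileRenameOperations.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileExW(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Get-PendingFileOps {
    # Returns the queued source/destination pairs (an empty destination means
    # "delete"), or nothing if no operations are pending.
    $props = Get-ItemProperty -Path $SessionKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['PendingFileRenameOperations']) {
        $props.PendingFileRenameOperations
    }
}

function Get-FileRecord {
    # Size, timestamps and SHA-256 of the file, kept for the cleanup notes
    # before the file disappears. Uses .NET directly so it works on PS 2.0.
    param([Parameter(Mandatory)][string]$Path)
    $item  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    [PSCustomObject]@{
        Path          = $item.FullName
        Length        = $item.Length
        CreationTime  = $item.CreationTime
        LastWriteTime = $item.LastWriteTime
        SHA256        = ([System.BitConverter]::ToString($hash)).Replace('-', '')
    }
}

function Request-DeleteOnReboot {
    # Queues the deletion; returns $true if Windows accepted the request.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "Not present: $Path"
        return $false
    }
    Get-FileRecord -Path $Path | Format-List | Out-Host
    $ok = [Win32.Native]::MoveFileExW($Path, $null, 4)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Host "MoveFileExW failed, Win32 error $err (are you elevated?)"
    }
    return $ok
}

if (Request-DeleteOnReboot -Path $Target) {
    Write-Host "Queued for deletion at next boot:"
    Get-PendingFileOps | ForEach-Object { "  $_" }
}

# Run this line again after the restart to confirm the removal actually happened.
if (Test-Path -LiteralPath $Target) { "STILL PRESENT: $Target" } else { "Removed: $Target" }
```

Listing PendingFileRenameOperations before you reboot is also a useful check on its own: if a cleanup tool reports success but nothing appears in that value, the deletion was never queued, and if the file is still present after the reboot, something re-created it and the machine is not clean yet.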

  3. #3 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    Further Review and Considerations

    Now that I am looking seriously again at your attachment I see that many, if not most, of these Trojans likely are also the result of "acquired" programs.
    Two loggers were found in eBay.Source.Codes.zip....I must assume that this also was an "acquired" program. The eBay developer's program is free to join, you cannot get the source code unless you join a tiered commercial level though (starting at $500). Did you pay the $500?
    One of these is located on your "D" drive and the other is located in your removable "K" drive, where you have used "white out" to erase "something" showing on the AVG scan...now it may be your name or address or phone# and that would be understandable to white that out BUT I also see that another Trojan cleaned by AVG is Trojan.Agent.afl which evidently was also "acquired" from a website that you have also chosen to "white out" of your attachment also.

    Because the bulk of these infections, I believe at least, are the result of some possibly shady file sharing I will cease to assist you in this clean up.
    Please note this from General Guidelines of this Forum;
    Discussion of illegal activities such as software and music piracy and other intellectual property violations are not allowed.

    Also while these rules cover most common situations, they cannot anticipate everything. Consequently we reserve the right to take any actions we deem appropriate to ensure these forums are not disrupted or abused in any way.
    Judy

  4. #4 (Join Date: Aug 2007; Posts: 4)
    Quote Originally Posted by jholland1964:
    One of these is located on your "D" drive and the other is located in your removable "K" drive, where you have used "white out" to erase "something" showing on the AVG scan...now it may be your name or address or phone# and that would be understandable to white that out BUT I also see that another Trojan cleaned by AVG is Trojan.Agent.afl which evidently was also "acquired" from a website that you have also chosen to "white out" of your attachment also.
    Yes, the white-outs were my name in both instances - you'll notice they are similar in length. You have jumped to a few conclusions, but I appreciate the help you gave to date.
