Flash65

TrojanBackdoor.Serv-U?

I use the RhinoSoft Serv-U program on my computer as a server. When I run the Ad-Aware scan, it finds the "TrojanBackdoor.Serv-U", 8 objects, with TAC rating of 8, but I cannot remove it. If I try to delete, it wipes out all my Serv-U settings and shuts it down. So, I have to go back, do a system restore to get my Serv-U settings back, and keep working with this "virus" or whatever it is. How do I get rid of it?

 

I am using the Ad-Aware SE Personal.

 

Thanks for any help.

 

Here is my HijackThis file:

 

Logfile of HijackThis v1.99.1

Scan saved at 7:57:02 AM, on 10/31/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Personal Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\wwSecure.exe

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Serv-U\ServUTray.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Serv-U\SERVUD~1.EXE

C:\Program Files\FaxTools\faxtool.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\4ZFGWCVK\hijackthis[1]\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [servUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\PROGRA~1\Serv-U\SERVUD~1.EXE

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe


Could you please post your log from the Adaware scan where it found Serv-U?

 

Serv-U can often be a legitimate server program that is installed by backdoor remote access trojans. The program itself is not malicious but in the wrong hands it can be.

 

Logs are stored in:

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\

An easy way to get there is to click Start, click Run, and type in and press ENTER: %appdata%

Then click Lavasoft, then Ad-Aware, and then Logs.

Scroll down to find the latest one you have that detected it (by date & time), open it, right-click, Select All, Copy, and then paste the contents of it here.


Ad-Aware SE Build 1.06r1

Logfile Created on:Tuesday, November 14, 2006 9:03:23 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R130 02.11.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):18 total references.

TrojanBackdoor.Serv-U(TAC index:8):8 total references.

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : Prior to deletion, allow unloading Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic settings in log file

Set : Include additional settings in log file

Set : Include reference summary in log file

Set : Include Alternate Datastream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

11-14-2006 9:03:23 AM - Scan started. (Full System Scan)

 

MRU List Object Recognized:

Location: : C:\Documents and Settings\HP_Owner\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized:

Location: : C:\Documents and Settings\HP_Owner\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized:

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\mediaplayer\preferences

Description : last playlist index loaded in microsoft windows media player

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\office\11.0\common\open find\microsoft office word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\office\11.0\word\recent templates

Description : list of recent templates used by microsoft word

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

 

 

MRU List Object Recognized:

Location: : S-1-5-21-2897343267-2259576150-4242023754-1009\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 500

ThreadCreationTime : 11-14-2006 11:59:45 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 556

ThreadCreationTime : 11-14-2006 11:59:47 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 580

ThreadCreationTime : 11-14-2006 11:59:48 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 624

ThreadCreationTime : 11-14-2006 11:59:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 636

ThreadCreationTime : 11-14-2006 11:59:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 784

ThreadCreationTime : 11-14-2006 11:59:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 828

ThreadCreationTime : 11-14-2006 11:59:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 892

ThreadCreationTime : 11-14-2006 11:59:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 940

ThreadCreationTime : 11-14-2006 11:59:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1004

ThreadCreationTime : 11-14-2006 11:59:50 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [ccproxy.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1184

ThreadCreationTime : 11-14-2006 11:59:52 AM

BasePriority : Normal

FileVersion : 103.0.8.2

ProductVersion : 103.0.8.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Network Proxy Service

InternalName : ccProxy

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccProxy.exe

 

#:12 [ccsetmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1200

ThreadCreationTime : 11-14-2006 11:59:52 AM

BasePriority : Normal

FileVersion : 103.0.7.2

ProductVersion : 103.0.7.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Settings Manager Service

InternalName : ccSetMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccSetMgr.exe

 

#:13 [issvc.exe]

FilePath : C:\Program Files\Norton Personal Firewall\

ProcessID : 1212

ThreadCreationTime : 11-14-2006 11:59:52 AM

BasePriority : Normal

FileVersion : 8.0.5.14

ProductVersion : 8.0

ProductName : Norton Internet Security

CompanyName : Symantec Corporation

FileDescription : IS Service

InternalName : ISSVC.exe

LegalCopyright : Copyright © 2004 Symantec Corporation

OriginalFilename : ISSVC.exe

 

#:14 [sndsrvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1224

ThreadCreationTime : 11-14-2006 11:59:52 AM

BasePriority : Normal

FileVersion : 5.5.1.6

ProductVersion : 5.5

ProductName : Symantec Security Drivers

CompanyName : Symantec Corporation

FileDescription : Network Driver Service

InternalName : SndSrvc

LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation

OriginalFilename : SndSrvc.exe

 

#:15 [spbbcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\

ProcessID : 1240

ThreadCreationTime : 11-14-2006 11:59:52 AM

BasePriority : Normal

FileVersion : 1,0,1,47

ProductVersion : 1,0,1,47

ProductName : SPBBC

CompanyName : Symantec Corporation

FileDescription : SPBBC Service

InternalName : SPBBCSvc

LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : SPBBCSvc.exe

 

#:16 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1496

ThreadCreationTime : 11-14-2006 11:59:53 AM

BasePriority : Normal

FileVersion : 103.0.7.2

ProductVersion : 103.0.7.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Event Manager Service

InternalName : ccEvtMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccEvtMgr.exe

 

#:17 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1836

ThreadCreationTime : 11-14-2006 11:59:54 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:18 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 160

ThreadCreationTime : 11-14-2006 11:59:57 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:19 [ps2.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 268

ThreadCreationTime : 11-14-2006 11:59:58 AM

BasePriority : Normal

 

 

#:20 [ccapp.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 108

ThreadCreationTime : 11-14-2006 11:59:58 AM

BasePriority : Normal

FileVersion : 103.0.7.2

ProductVersion : 103.0.7.2

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec User Session

InternalName : ccApp

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccApp.exe

 

#:21 [type32.exe]

FilePath : C:\Program Files\Microsoft Hardware\Keyboard\

ProcessID : 400

ThreadCreationTime : 11-14-2006 11:59:58 AM

BasePriority : Normal

 

 

#:22 [realsched.exe]

FilePath : C:\Program Files\Common Files\Real\Update_OB\

ProcessID : 424

ThreadCreationTime : 11-14-2006 11:59:58 AM

BasePriority : Normal

FileVersion : 0.1.0.3292

ProductVersion : 0.1.0.3292

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealNetworks Scheduler

InternalName : schedapp

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : realsched.exe

 

#:23 [servutray.exe]

FilePath : C:\Program Files\Serv-U\

ProcessID : 432

ThreadCreationTime : 11-14-2006 11:59:58 AM

BasePriority : Normal

 

 

#:24 [aolacsd.exe]

FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\

ProcessID : 544

ThreadCreationTime : 11-14-2006 12:00:01 PM

BasePriority : Normal

 

 

#:25 [aluschedulersvc.exe]

FilePath : C:\Program Files\Symantec\LiveUpdate\

ProcessID : 560

ThreadCreationTime : 11-14-2006 12:00:01 PM

BasePriority : Normal

FileVersion : 3.0.0.160

ProductVersion : 3.0.0.160

ProductName : LiveUpdate

CompanyName : Symantec Corporation

FileDescription : Automatic LiveUpdate Scheduler Service

InternalName : Automatic LiveUpdate Scheduler Service

LegalCopyright : Copyright © 1996-2005 Symantec Corporation

OriginalFilename : ALUSchedulerSvc.exe

 

#:26 [lssrvc.exe]

FilePath : c:\Program Files\Common Files\LightScribe\

ProcessID : 952

ThreadCreationTime : 11-14-2006 12:00:01 PM

BasePriority : Normal

FileVersion : 1.0.13.1

ProductName : LightScribe

LegalCopyright : © Copyright 2003-2004 Hewlett-Packard Development Company, LP

OriginalFilename : LSSrvc.exe

 

#:27 [mdm.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

ProcessID : 984

ThreadCreationTime : 11-14-2006 12:00:01 PM

BasePriority : Normal

FileVersion : 7.00.9466

ProductVersion : 7.00.9466

ProductName : Microsoft® Visual Studio .NET

CompanyName : Microsoft Corporation

FileDescription : Machine Debug Manager

InternalName : mdm.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : mdm.exe

 

#:28 [navapsvc.exe]

FilePath : C:\Program Files\Norton AntiVirus\

ProcessID : 1124

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

FileVersion : 11.0.16.2

ProductVersion : 11.0.16

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Service

InternalName : NAVAPSVC

LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : NAVAPSVC.EXE

 

#:29 [npfmntor.exe]

FilePath : C:\Program Files\Norton AntiVirus\IWP\

ProcessID : 1176

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

FileVersion : 11.0.16.2

ProductVersion : 11.0.16

ProductName : Norton AntiVirus

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Firewall Install Monitor

InternalName : NPFMonitor

LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.

OriginalFilename : NPFMonitor.EXE

 

#:30 [hpzipm12.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1308

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

FileVersion : 9, 0, 0, 0

ProductVersion : 9, 0, 0, 0

ProductName : HP PML

CompanyName : HP

FileDescription : PML Driver

InternalName : PmlDrv

LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company

OriginalFilename : PmlDrv.exe

 

#:31 [servud~1.exe]

FilePath : C:\PROGRA~1\Serv-U\

ProcessID : 1412

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

 

 

TrojanBackdoor.Serv-U Object Recognized:

Type : Process

Data : SERVUD~1.EXE

TAC Index : 8

Category : Malware

Comment : svhost.exe.dmp

Object : C:\PROGRA~1\Serv-U\

 

 

Warning! TrojanBackdoor.Serv-U Object found in memory(C:\PROGRA~1\Serv-U\SERVUD~1.EXE)

 

"C:\PROGRA~1\Serv-U\SERVUD~1.EXE"Process terminated successfully

"C:\PROGRA~1\Serv-U\SERVUD~1.EXE"Process terminated successfully

 

#:32 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1508

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:33 [symlcsvc.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\

ProcessID : 1552

ThreadCreationTime : 11-14-2006 12:00:05 PM

BasePriority : Normal

FileVersion : 1.8.54.841

ProductVersion : 1.8.54.841

ProductName : Symantec Core Component

CompanyName : Symantec Corporation

FileDescription : Symantec Core Component

InternalName : symlcsvc

LegalCopyright : Copyright © 2003

OriginalFilename : symlcsvc.exe

 

#:34 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1624

ThreadCreationTime : 11-14-2006 12:00:05 PM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:35 [wwsecure.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1912

ThreadCreationTime : 11-14-2006 12:00:05 PM

BasePriority : Normal

FileVersion : 6.0.1.10

ProductVersion : 6.0

CompanyName : Webroot Software, Inc.

FileDescription : Washer Security Service

InternalName : wwSecure.exe

LegalCopyright : © 1997, 2005 All Rights Reserved

 

#:36 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3032

ThreadCreationTime : 11-14-2006 12:00:11 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:37 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3984

ThreadCreationTime : 11-14-2006 12:00:27 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:38 [ccemflsv.exe]

FilePath : C:\Program Files\Norton Personal Firewall\

ProcessID : 1108

ThreadCreationTime : 11-14-2006 1:58:38 PM

BasePriority : Normal

FileVersion : 103.0.2.10

ProductVersion : 103.0.2.10

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Email Confidential Info

InternalName : ccEmFlSv

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccEmFlSv.exe

 

#:39 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 2984

ThreadCreationTime : 11-14-2006 2:01:25 PM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:40 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2980

ThreadCreationTime : 11-14-2006 2:03:16 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 1

Objects found so far: 19

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 0

Objects found so far: 19

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 0

Objects found so far: 19

 

 

Started tracking cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 0

Objects found so far: 19

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk scan result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 0

Objects found so far: 19

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk scan result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 0

Objects found so far: 19

 

 

Scanning Hosts file...

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

14 entries scanned.

New Critical Objects:0

Objects found so far: 19

 

 

 

 

Performing conditional scans..

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegKey

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : Start

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ErrorControl

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ImagePath

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : DisplayName

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ObjectName

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : Description

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New Critical Objects: 7

Objects found so far: 26

 

9:24:04 AM Scan Complete

 

Summary of this scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:20:40.375

Objects scanned:249293

Objects identified:8

Objects ignored:0

New Critical Objects:8

 

 

 

 

And here's new Hijack This file if needed:

Logfile of HijackThis v1.99.1

Scan saved at 9:37:54 AM, on 11/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Personal Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ps2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Serv-U\ServUTray.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\wwSecure.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Serv-U\SERVUD~1.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\Y8RSKC4E\hijackthis[1]\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [servUTrayIcon] C:\Program Files\Serv-U\ServUTray.exe

O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LWWLicenseService - WoltersKluwerLWW - C:\Program Files\Common Files\WoltersKluwerLWW Shared\Service\LWWLicenseService.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\PROGRA~1\Serv-U\SERVUD~1.EXE

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

 

 

 

Thanks for your help. BTW, I have been using Serv-U for years, and running scans, and it only recently started showing a "Trojan" in the scan results.


Thanks for the log

 

It looks like these are the detections:

 

#:31 [servud~1.exe]

FilePath : C:\PROGRA~1\Serv-U\

ProcessID : 1412

ThreadCreationTime : 11-14-2006 12:00:04 PM

BasePriority : Normal

 

 

TrojanBackdoor.Serv-U Object Recognized:

Type : Process

Data : SERVUD~1.EXE

TAC Index : 8

Category : Malware

Comment : svhost.exe.dmp

Object : C:\PROGRA~1\Serv-U\

 

 

Warning! TrojanBackdoor.Serv-U Object found in memory(C:\PROGRA~1\Serv-U\SERVUD~1.EXE)

 

"C:\PROGRA~1\Serv-U\SERVUD~1.EXE"Process terminated successfully

"C:\PROGRA~1\Serv-U\SERVUD~1.EXE"Process terminated successfully

......................

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegKey

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : Start

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ErrorControl

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ImagePath

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : DisplayName

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : ObjectName

 

TrojanBackdoor.Serv-U Object Recognized:

Type : RegValue

Data :

TAC Index : 8

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : system\currentcontrolset\services\serv-u

Value : Description

 

..........................................

For now, let's put those items on ignore because we know that isn't installed by a trojan.

 

When you finish scanning with Ad-Aware place a checkmark next to those detections and then right click on the item to pull up this menu shown in my screen shot below. Then select *Ignore* so that Ad-Aware won't ask you or try to delete them on any subsequent scans.

 

post-65-1163525359_thumb.jpg

 

I'm going to have to ask Research to look at this because I don't know how to deal with telling the difference between Serv-U as a legitimate program and Serv-U that has been installed by a trojan for malicious purposes.

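A small triage helper for the Ad-Aware "Object Recognized" log format quoted in this thread, added here as an example (it is not code from the thread, from Lavasoft or from RhinoSoft): it splits each block into its fields and groups the registry hits by the service key they sit under, which makes it obvious when every hit belongs to a single installed service plus its running process, as with Serv-U here. The log inside is a constructed sample in that format, not the full scan output.

```python
import re
from collections import defaultdict

# Constructed sample in the Ad-Aware SE "Object Recognized" format (not the full log).
SAMPLE_LOG = """\
TrojanBackdoor.Serv-U Object Recognized:
Type : Process
Data : SERVUD~1.EXE
TAC Index : 8
Object : C:\\PROGRA~1\\Serv-U\\

TrojanBackdoor.Serv-U Object Recognized:
Type : RegKey
TAC Index : 8
Rootkey : HKEY_LOCAL_MACHINE
Object : system\\currentcontrolset\\services\\serv-u

TrojanBackdoor.Serv-U Object Recognized:
Type : RegValue
TAC Index : 8
Rootkey : HKEY_LOCAL_MACHINE
Object : system\\currentcontrolset\\services\\serv-u
Value : ImagePath
"""

HEADER = re.compile(r"^(?P<name>\S+) Object Recognized:$")
SERVICE_KEY = re.compile(r"^system\\currentcontrolset\\services\\([^\\]+)")

def parse_detections(text):
    """Turn each 'Object Recognized:' block into a dict of its 'Field : value' lines."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if not line:
            current = None  # a blank line ends the current block
        elif m:
            current = {"name": m.group("name")}
            detections.append(current)
        elif current is not None:
            key, sep, val = line.partition(":")  # first colon only; values may contain "C:"
            if sep:
                current[key.strip()] = val.strip()
    return detections

def service_keys(detections):
    """Map each flagged services\\<name> key to the registry values hit under it."""
    groups = defaultdict(set)
    for d in detections:
        if d.get("Type") in ("RegKey", "RegValue"):
            m = SERVICE_KEY.match(d.get("Object", "").lower())
            if m:
                groups[m.group(1)].add(d.get("Value", "<key>"))
    return {svc: sorted(vals) for svc, vals in groups.items()}

def summarize(text):
    dets = parse_detections(text)
    procs = [d["Data"] for d in dets if d.get("Type") == "Process"]
    return {"total": len(dets), "processes": procs, "services": service_keys(dets)}
```

When the only process hit is the service's own image and all registry hits fall under one services key, the next step is to confirm that the ImagePath points at the install you expect before telling the scanner to ignore it.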

Thank you so much. I was wondering if it was in fact harmless, but can't be too careful. I will check back periodically to see if you find anything out. Thanks again! :D


Yes, it is a legitimate program. What happens is that sometimes legitimate programs/tools, etc. are downloaded to a victim's machine by an attacker to use in ways to compromise the machine. So it is difficult for an automated malware scanner to tell the difference whether the program was downloaded by a user on purpose or whether it may have been added to a victim's infected machine by an attacker.

 

I don't think there is a way to do that; however, there may be a way to adjust the wording in the warning to explain that if you know you downloaded and use this software, it is not a problem. In your case you certainly did, so it is something you can simply add to your ignore list because you know that you have it on purpose.
