phil66

Win32 Backdoor.cakl


Ad-Aware SE Build 1.06r1

Logfile Created on:Monday, May 21, 2007 9:08:20 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R171 21.05.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):9 total references

Win32.Backdoor.Cakl(TAC index:10):2 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Search for low-risk threats

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

5-21-2007 9:08:20 PM - Scan started. (Smart mode)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 396

ThreadCreationTime : 5-22-2007 12:24:14 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 444

ThreadCreationTime : 5-22-2007 12:24:15 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 468

ThreadCreationTime : 5-22-2007 12:24:16 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 512

ThreadCreationTime : 5-22-2007 12:24:17 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 524

ThreadCreationTime : 5-22-2007 12:24:17 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 680

ThreadCreationTime : 5-22-2007 12:24:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 756

ThreadCreationTime : 5-22-2007 12:24:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 796

ThreadCreationTime : 5-22-2007 12:24:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 856

ThreadCreationTime : 5-22-2007 12:24:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 956

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:11 [avgamsvr.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1100

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 7.5.0.453

ProductVersion : 7.5.0.453

ProductName : AVG Anti-Virus system

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Alert Manager

InternalName : avgamsvr

LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.

OriginalFilename : avgamsvr.EXE

 

#:12 [avgupsvc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1112

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 7.5.0.420

ProductVersion : 7.5.0.420

ProductName : AVG 7.5 Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Update Service

InternalName : avgupsvc

LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.

OriginalFilename : avgupdsvc.EXE

 

#:13 [avgemc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1128

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 7.5.0.460

ProductVersion : 7.5.0.460

ProductName : AVG Anti-Virus system

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG E-Mail Scanner

InternalName : avgemc

LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.

OriginalFilename : avgemc.exe

 

#:14 [bocore.exe]

FilePath : C:\Program Files\Comodo\CBOClean\

ProcessID : 1284

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 4.23.001

ProductVersion : 4.23

ProductName : COMODO BOClean - Anti-Malware

CompanyName : COMODO

FileDescription : COMODO BOClean - Anti-Malware

InternalName : BOCore

LegalCopyright : Copyright © 2007 COMODO ®. All rights reserved

OriginalFilename : BOCore.exe

 

#:15 [cmdagent.exe]

FilePath : C:\Program Files\Comodo\Firewall\

ProcessID : 1308

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 2.4.0.20

ProductVersion : 2.4.0.1

ProductName : Comodo Firewall

CompanyName : COMODO

FileDescription : Comodo Agent Service

InternalName : cmdagent

LegalCopyright : Copyright © 2005-2007 COMODO ®. All rights reserved

LegalTrademarks : Copyright © 2005-2007 COMODO ®. All rights reserved

OriginalFilename : cmdagent.exe

 

#:16 [nvsvc32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1400

ThreadCreationTime : 5-22-2007 12:24:19 AM

BasePriority : Normal

FileVersion : 6.14.10.8440

ProductVersion : 6.14.10.8440

ProductName : NVIDIA Driver Helper Service, Version 84.40

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 84.40

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:17 [wdfmgr.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1436

ThreadCreationTime : 5-22-2007 12:24:20 AM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:18 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1444

ThreadCreationTime : 5-22-2007 12:24:20 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:19 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 2008

ThreadCreationTime : 5-22-2007 12:24:21 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:20 [avgcc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 372

ThreadCreationTime : 5-22-2007 12:24:22 AM

BasePriority : Normal

FileVersion : 7.5.0.460

ProductVersion : 7.5.0.460

ProductName : AVG Anti-Virus system

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Control Center

InternalName : AvgCC

LegalCopyright : Copyright © 2007 GRISOFT, s.r.o.

OriginalFilename : AvgCC.EXE

 

#:21 [cpf.exe]

FilePath : C:\Program Files\Comodo\Firewall\

ProcessID : 324

ThreadCreationTime : 5-22-2007 12:24:22 AM

BasePriority : Normal

FileVersion : 2.4.0.58

ProductVersion : 2.4.0.0

ProductName : COMODO Firewall Pro

CompanyName : COMODO

FileDescription : COMODO Firewall Pro

InternalName : cpf.exe

LegalCopyright : Copyright © 2005-2006 COMODO ®. All rights reserved

OriginalFilename : cpf.exe

 

#:22 [winpatrol.exe]

FilePath : C:\Program Files\BillP Studios\WinPatrol\

ProcessID : 384

ThreadCreationTime : 5-22-2007 12:24:22 AM

BasePriority : Normal

FileVersion : 11, 3, 2007, 0

ProductVersion : 11.3.2007

ProductName : WinPatrol Monitor

CompanyName : BillP Studios

FileDescription : WinPatrol System Monitor

InternalName : WinPatrol Monitor

LegalCopyright : Copyright © 1997- 2007 BillP Studios

OriginalFilename : Scotty

Comments : Let Scotty the Windows Watchdog patrol your system.

 

#:23 [boc423.exe]

FilePath : C:\PROGRA~1\Comodo\CBOClean\

ProcessID : 416

ThreadCreationTime : 5-22-2007 12:24:22 AM

BasePriority : Normal

FileVersion : 4.23.001

ProductVersion : 4.23

ProductName : COMODO BOClean - Anti-Malware

CompanyName : COMODO

FileDescription : COMODO BOClean - Anti-Malware

InternalName : COMODO BOClean - Anti-Malware

LegalCopyright : Copyright © 2007 COMODO ®. All rights reserved

 

#:24 [ypops.exe]

FilePath : C:\Program Files\YPOPs\

ProcessID : 432

ThreadCreationTime : 5-22-2007 12:24:22 AM

BasePriority : Normal

FileVersion : 0.8.8

ProductVersion : 0.8.8

ProductName : YPOPs!

CompanyName : http://yahoopops.sourceforge.net

FileDescription : Free POP3/SMTP access to Yahoo! Mail

InternalName : YPOPs!

LegalCopyright : Copyright © 2002,2005, The YPOPs! Team

LegalTrademarks : This software is released under GPL (version 2 or later). Yahoo! Mail is a trademark of Yahoo!. This program is not a product of Yahoo!. Portions of YPOPs! is based on FetchYahoo

OriginalFilename : ypops.exe

Comments : YPOPs! is released under GPL v2

 

#:25 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 1664

ThreadCreationTime : 5-22-2007 1:24:19 AM

BasePriority : Normal

 

 

#:26 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 1052

ThreadCreationTime : 5-22-2007 2:06:38 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Backdoor.Cakl Object Recognized!

Type : Regkey

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{7621f6d4-b28a-422e-d153-1855c15d59db}\inprocserver32

 

Win32.Backdoor.Cakl Object Recognized!

Type : RegValue

Data :

TAC Rating : 10

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{7621f6d4-b28a-422e-d153-1855c15d59db}\inprocserver32

Value : ThreadingModel

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 2

Objects found so far: 2

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

 

New scan with update 171. Microsoft says these are a needed key and value for the OS.

 

Thanks

Ray


Hi phil66 and thank you for your report. :D

 

We will look into this problem.

 

Regards

 

Albin

 

Lavasoft Research


Hi again!

 

The problem is now fixed; just download the latest definition file (SE1R172 22.05.2007; Internal Build: 213) and run a scan.

 

Thank You!

 

Albin

 

Lavasoft Research
