9 replies to this topic

[mitkase]

(i apologize if this is the incorrect place to post this; http://www.lavasoftr....com/submit.php seems to be down...)


unprompted, my firewall wanted to confirm this dll while i was using the internet. i had opera open, it had been working, suddenly there was a confirm dialog for a new system component. this happened for any component attempting to access the internet; if i denied it, i could not access the internet with that program.

it is not signed by any company and i can't find anything on the internet that would identify the dll, so i'm worried what it may be. i seem to be unable to post the file...

i'm running

winxp sp2
avast 4.7 home, outpost firewall 3.5, and ad-aware, all with latest updates
a core duo laptop, 1gb ram; broadband connection

much thanks,

mk



hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:55:45 PM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Security\Avast4\aswUpdSv.exe
C:\Program Files\Security\Avast4\ashServ.exe
C:\Program Files\Communications\Gizmo Project\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\utilities\Mozy\mozybackup.exe
C:\Program Files\Security\Outpost Firewall\outpost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Apoint\Apvfb.exe
C:\PROGRA~1\Security\Avast4\ashDisp.exe
C:\Program Files\utilities\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\hardware\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Productivity\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Utilities\Mozy\mozystat.exe
C:\hardware\MICROS~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Security\Avast4\ashMaiSv.exe
C:\Program Files\Security\Avast4\ashWebSv.exe
C:\Program Files\Productivity\Microsoft Office\Office12\ONENOTE.EXE
C:\Program Files\Productivity\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Communications\Opera\Opera.exe
C:\Program Files\Communications\uTorrent\utorrent.exe
C:\Hardware\AnyDVD\AnyDVD.exe
C:\hardware\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Utilities\xplorer2\xplorer2_UC.exe
C:\WINDOWS\system32\netsecurity.exe
C:\Program Files\Communications\Mozilla Firefox 2\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Security\Hijack This\HijackThis.exe
C:\WINDOWS\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\multimedia\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\utilities\System Mechanic Professional 6\delay.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Security\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Security\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Security\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\utilities\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\hardware\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Microsoft Office OneNote 2007 (Beta) Quick Launch.lnk = C:\Program Files\Productivity\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Mozy Status.lnk = C:\Program Files\Utilities\Mozy\mozystat.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\PRODUC~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 Plus - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\PRODUC~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\PRODUC~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\hardware\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\hardware\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\hardware\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Security\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: VESWinlogon - C:\WINDOWS\SYSTEM32\VESWinlogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Security\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Security\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Security\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Communications\Gizmo Project\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: MozyBackup - Unknown owner - C:\Program Files\utilities\Mozy\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Hardware\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Security\Outpost Firewall\outpost.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\utilities\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

[LS CalamityJane]

Hi mitkase

You can submit the file using the instructions below and I'll be happy to look at it for you.

There is another one I'm wondering about. Do you know what this is?
O23 - Service: .NETSecurity - Unknown owner - C:\WINDOWS\system32\netsecurity.exe

If you don't recognize it - upload that one as well

Here's how:

Go here to upload the files as attachments
http://www.thespykil...x.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from mitkase at LS ),
fill in a short message & then press the browse button and then navigate to & select these files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press the *Post* button to upload the files

Files to attach for upload:

C:\WINDOWS\system32\authnet.dll

C:\WINDOWS\system32\netsecurity.exe


(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to register to start a topic or upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic, once I determine what it is.

[LS CalamityJane]

Good morning

I got your files and both scanned clean with numerous security products:

Service load:
0% 100%
File: authnet.dll
Status:
OK
MD5 cd2fdbb803df442103f5158406523314
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Results were the same for netsecurity.exe.
File: netsecurity.exe
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 229475852fcb725267a177fbb67d3cf9

The two files are related as one of the text strings in netsecurity.exe refers to authnet.dll

It is possible these files belong to .NET framework and may be needed for a particular program to work.
Did you download or install any new programs lately?

Also, what IP was it trying to connect to?

[mitkase]

Thanks for the response. I did, a day or two before, upgrade MS ActiveSync to the latest version. however, I'd already gone through another set of permissions immediately following the upgrade. Further, I'd been on the internet with no problems numerous times since. This appearance was random. Outpost said that authnet.dll was trying to access the internet, but not to what. It seemed to channel all data through it. As I said, I've since renamed the files and everything seems to work fine, including ActiveSync. Things connect to the internet as before And I would think that if it was Microsoft's, it would be signed by them.

Good morning

I got your files and both scanned clean with numerous security products:

[...]

The two files are related as one of the text strings in netsecurity.exe refers to authnet.dll

It is possible these files belong to .NET framework and may be needed for a particular program to work.
Did you download or install any new programs lately?

Also, what IP was it trying to connect to?

[LS CalamityJane]

I can't see anything else really on your log.

Try using this free online scanner to produce a log. Dont' worry if it doesn't "fix" anything - I just really want to see a log from it to see if it finds anything at all.

Try the Kaspersky free online scanner.
http://www.kaspersky.com/virusscanner

[talktome]

Oh dear! I encountered a similar problem!

My computer was installed with Windows XP, guarded with KAV 5 and Outpost Firewall.
During a routine automatic scan last night, the files:

authnet.dll
netsecurity.exe

were said to be infected with trojan.

I tried to clean it under safe mode, but still failed!

I tried to search the web for relevant information, but it was futile. I begin to suspected whether it is a brand new trojan, or it is just an internal error for KAV?????

Now, I don't dare to use the computer anymore (I am using my friend's computer now). I am worried, frustrated and helpless. Please kindly help me. Please........

[LS CalamityJane]

talktome,

Could you do the following to send the files in question to me. I can compare them to the others sent by mitkase

Go here to upload the files as attachments
http://www.thespykil...x.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from talktome at LS ),
fill in a short message & then press the browse button and then navigate to & select these files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press the *Post* button to upload the files

You DO NOT need to register to start a topic or upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect them from there and analyze them.

[mitkase]

Sorry, school's been keeping me far too busy. I finally got back to this and ran the Kaspersky, which showed:

netsecurity.exe.bak was identified as a Tojan-Clicker.Win32.Agent.ie

http://www.viruslist...?virusid=138048


authnet.dll.bak, however, scans clean. not sure if renaming to .bak affects this or not for a dll file. (incidentally, both files have been renamed since my original post with no problems i've been able to discover.)

[LS CalamityJane]

I'm sure you can delete netsecurity.exe and it's probably safe to delete the authnet.dll as well.

Searches on Google see the two together and I found one in a french forum where the authnet.dll was detected by Kaspersky as also the Trojan-Clicker.Win32.Agent.ie

[hemispasm]

I'm sure you can delete netsecurity.exe and it's probably safe to delete the authnet.dll as well.

Searches on Google see the two together and I found one in a french forum where the authnet.dll was detected by Kaspersky as also the Trojan-Clicker.Win32.Agent.ie

I also have found these files on my PC, after finding out i have an anwanted intruder in my network connections

pic1
pic2
pic3

The whole thing seems to be related to the installation of this file "transparent windows"

http://transparent-w...s.qarchive.org/

which at first glance seems to be legit but the installer is not signed. Continued out of just being careless and stopped the installeation after a few seconds but still th damage was probably done.

No other suspicious processes running in the background other than fxssvc.exe kαι gearsec.exe which according to this page are safe but i have never heard of the program gearsec before and dont have it installed.

http://www.liutiliti...ibrary/gearsec/

I have deleted the netsecurity.exe and netauth.dll files in safemode but i have not gotten rid off the network process. Ad-ware free version has found no suspicious process with the latest definition files. Any ideas?

Thank you in advance.