Full Version: Trojan.hexdoor
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
vman
I had several pop up messages that I had malware. I ran Ad-Aware and it said I had 78 things to clean up. I cleaned them, ran again, again, again until I was at 1 item, Trojan.Hexdoor. I selected to get rid of it, but Ad-Aware said it was in use and could not be cleaned. I selected to delete it upon next boot. This pattern continues. The file that is identified is windows\system32\yvpp01.dll. I can find the file and delete it, but it reappears. There is also a windows\system32\yvpp02.dll. This can never be deleted. Windows\system32\yvpp02.dll is present if I do a regedit. If I delete it, it comes back there. I did a HijackThis log and it showed up there. I selected to repair it. It goes away, but comes back the next time I boot. I tried Spy Sweeper, Ewido, a Computer Associates cleaner, no luck. Any suggestions? Thanks
vman
QUOTE(vman @ Jun 19 2006, 08:12 PM) *
I added the HijackThis log below.

Logfile of HijackThis v1.99.1
Scan saved at 9:28:56 AM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXRSAgt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\WholeSecurity\Enterprise Edition\WSService2K.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\ora9i\bin\omtsreco.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\Timbuktu Pro\Tb2Logon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRAM FILES\Internet Explorer\IExplore.exe
C:\Program Files\WholeSecurity\Enterprise Edition\EnterpriseRA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Litronic\NetSign\CrdStart.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eportal.dfas.mil/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://eportal.dfas.mil
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy:9119
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dfas.mil
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\Tb2Logon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InternetExplorer] C:\PROGRAM FILES\Internet Explorer\IExplore.exe
O4 - HKLM\..\Run: [mufix] "C:\Program Files\Attachmate\INFOCN2K\Accmgr32\mufix.exe"
O4 - HKLM\..\Run: [RA_XP] C:\Program Files\WholeSecurity\Enterprise Edition\EnterpriseRA.exe
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [AEXRSAgtEXE] C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXRSAgt.exe -Logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: CardStart.lnk = C:\Program Files\Litronic\NetSign\CrdStart.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://eportal.dfas.mil
O16 - DPF: {36F17E17-AC00-42BC-A6D9-294AD4E7DCD6} (Altiris ClientBootstraper Class) - http://cin-fs-w-d2.dfasdmi.ds.dfas.mil/Alt...ntBootstrap.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O16 - DPF: {CAFECAFE-0013-0001-0022-ABCDEFABCDEF} (JInitiator 1.3.1.22) -
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...784/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = DS.DFAS.MIL
O17 - HKLM\Software\..\Telephony: DomainName = DS.DFAS.MIL
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FF48B05-0A66-41BF-AF99-E3D8A9670251}: Domain = DS.DFAS.MIL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = DS.DFAS.MIL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ds.dfas.mil,dfas.mil,dfas.dmi.ds.dfas.mil
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = DS.DFAS.MIL
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ds.dfas.mil,dfas.mil,dfas.dmi.ds.dfas.mil
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ds.dfas.mil,dfas.mil,dfas.dmi.ds.dfas.mil
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Recovery Solution Agent - Altiris, Inc. - C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXRSAgt.exe
O23 - Service: Altiris Recovery Solution FAL Stopper - Unknown owner - C:\Program Files\Altiris\eXpress\Client Recovery Agent\AeXFALS.exe" -L" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Confidence Online™ for Corporate PCs (ConfidenceOnlineEE) - WholeSecurity,Inc. - C:\Program Files\WholeSecurity\Enterprise Edition\WSService2K.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NetSign AutoUpdate Service (NsAUSvc) - Litronic, Inc. - c:\Program Files\Litronic\NetSign\NsAUSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\ora9i\bin\omtsreco.exe
O23 - Service: OracleOra9iClientCache - Unknown owner - C:\ora9i\BIN\ONRSD.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
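The log above is where the infection is visible: the O20 line registers yvpp01.dll as a Winlogon Notify package, which is why the DLL is loaded before the user's shell and reported as "in use" whenever a cleaner tries to delete it. The following script is an added example (not the poster's or Lavasoft's code) of the triage a responder would do on such a log offline: it parses O4, O20 and O23 lines from a constructed subset of the posted log, compares Winlogon Notify DLLs against an assumed baseline of the vendor packages visible in the log, and flags the files the poster already reported. The "auto-generated name" check is a labelled heuristic, not a rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [InternetExplorer] C:\PROGRAM FILES\Internet Explorer\IExplore.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOra9iClientCache - Unknown owner - C:\ora9i\BIN\ONRSD.EXE
"""

# Assumed baseline: the Winlogon Notify DLLs the vendor software in the
# posted log is known to install. Anything else loading at logon is suspect.
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "wrlogonntf.dll", "hook32.dll"}

# File names the original poster reported as reappearing after deletion.
REPORTED_SUSPECTS = {"yvpp01.dll", "yvpp02.dll"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Heuristic only: short lowercase stem plus two digits, the shape of the
# dropped DLL in this thread. Applied only to DLLs outside the baseline.
GENERATED_NAME_RE = re.compile(r"^[a-z]{3,6}\d{2}\.dll$")


@dataclass
class Finding:
    line: str
    reason: str


def first_token(cmd: str) -> str:
    """Executable part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    """Last path component, lower-cased, surrounding quotes removed."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per persistence entry that deserves a second look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons: list[str] = []
        if m := O20_RE.match(line):
            name = basename(m["path"])
            if name in REPORTED_SUSPECTS:
                reasons.append("user-reported suspect file registered as Winlogon Notify package")
            if name not in KNOWN_NOTIFY_DLLS:
                reasons.append("not in Winlogon Notify baseline")
                if GENERATED_NAME_RE.match(name):
                    reasons.append("name looks auto-generated (heuristic)")
        elif m := O4_RE.match(line):
            if basename(first_token(m["cmd"])) in REPORTED_SUSPECTS:
                reasons.append("user-reported suspect file in Run key")
        elif m := O23_RE.match(line):
            if basename(m["path"]) in REPORTED_SUSPECTS:
                reasons.append("user-reported suspect file registered as service")
            if m["owner"].lower() == "unknown owner":
                reasons.append("service with unknown owner; verify the binary")
        if reasons:
            findings.append(Finding(line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The point of running this against a saved log rather than on the live machine is the one CalamityJane makes below: once a rootkit is loaded, Explorer, regedit and the tools that query them can no longer be trusted, so the log is evidence for an IT administrator to act on, not a cleanup plan.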
LS CalamityJane
This is a computer at work/office? If so, you need to contact your IT administrator immediately and get this computer offline and off the network as it has been severely compromised by a backdoor/remote access trojan with a rootkit. It steals information from the computer and sends it to a remote attacker.

http://securityresponse.symantec.com/avcen....haxdoor.i.html

Payload: Opens a back door.

* Degrades performance: Injects a file into explorer.exe to hide its processes and execute a remote thread.

* Releases confidential info: Sends gathered password and confidential information to a predetermined email address.

8. Uses the file yvpp01.dll to open a back door on a random TCP port. The remote attacker can then perform the following actions on the compromised computer:

* Download files
* Execute programs
* Control the device driver of the rootkit
* Steal passwords stored in Protected Storage
* Steal cached passwords by calling WNetEnumCachedPasswords API
* Steal the Miranda IM password
* Gather dialup connection information
* Check if webmoney application is installed on the compromised computer
* Steal ICQ passwords
* Log keystrokes

9. May retrieve detailed account information by accessing the following URL with some locally stolen information added as parameters:

www.e-gold.com/ac[REMOVED]

10. Sends an email containing the stolen information to a predetermined email address. It also is a password stealer

Attempting to clean this computer is usually not advised in a case like this, and whoever is responsible for your computer network needs to know and do some forensics if this is a company computer.

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx


What is a rootkit? In the simplest of terms, it is technology to hide an attacker's tools. Rootkits can prevent detection and removal and in some cases, attempting to remove a rootkit can destroy a system. You can't know what else a rootkit has done.

Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits.

And the rootkit is hiding this very dangerous backdoor trojan I linked to the description above

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

QUOTE
with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. The system is now completely compromised.