Is this .exe file really a trojan?

When I booted my PC a little while ago, following was the NAV Alert that I received:


Is this a false warning or this file really a trojan? I tried removing it, but it wouldn’t (same old access denied message), so I logged into Safe Mode and removed it from there.

Re: Is this .exe file really a trojan?

iun6002.exe (desktop surveillance personal spyware) - Details

Finding a program by the name of iun6002.exe running on your computer is usually a sign that you may have a spyware program known as ‘desktop surveillance personal’ installed on your computer. This process was potentially installed manually by a user using an installation package (possibly with another application). The ‘desktop surveillance personal’ process may perform actions such as recording your key-strokes and taking screen-shots

Re: Is this .exe file really a trojan?

My Symantec did the same this morning but deleted it automatically.

Since I have to report all such instances, the powers that be said all is fine and not to worry any more.

Re: Is this .exe file really a trojan?

Thank you guys. I'll be sure to remove the program from the Trash Can in Safe Mode.

Is there any need for me to reset my passwords?

Re: Is this .exe file really a trojan?

More here:

http://securityresponse.symantec.com/avcenter/venc/data/spyware.wiretap.html

http://www.auditmypc.com/process/iun6002.asp

NAV detected it as a trojan, and not being able to delete it means it was in use. Another way of quickly removing such a file is to end the process “Explorer.exe” from Task Manager. Then from Task Manager run a new task, look for the file and delete it, then from the same Task Manager run a new task again and select Explorer from the Windows folder to get back your Desktop.

Re: Is this .exe file really a trojan?

I have it removed from the Admin login using Safe Mode.

Other than that, I quickly skimmed through the NAV page and at the bottom, here’s what it says:

My question is, do I still need to manually apply this process, especially when I have deleted the .exe file? Besides, I see this “scvhost.exe” file a lot in the Windows Task Manager. Although, I’m quite sure it’s an okay file, but I’ll post the items that I see in the Windows Task Manager, so that perhaps someone could verify if the stuff that I have running is okay or whether there is anything suspicious.


Also, is there any need for me to change my passwords?

Re: Is this .exe file really a trojan?

^-- Sadiyah, some processes seem suspicious to me; it's better you run HijackThis. Post a log here, then it will be more clear.

[quote]

so that the risk runs every time Windows starts.

Monitors keystrokes, passwords, documents viewed, Web sites visited, and Instant Messenger conversations.
[/quote]

It's always good to change your passwords. But after this it is very much advised.

Re: Is this .exe file really a trojan?

Here’s the log:

Logfile of HijackThis v1.99.1
Scan saved at 7:50:03 PM, on 06/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Athan\Athan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\palmOne\Hotsync.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sads\LOCALS~1\Temp\Rar$EX00.542\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {58F07DD3-924D-4141-BC74-299F523A95F1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - Your request has been blocked. This could be due to several reasons.
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
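
A first-pass triage of a log in the HijackThis v1.99.1 layout posted above, as an added example that is not part of the original thread. The check names, the expected-folder table, the edit-distance threshold and the sample lines (including their GUIDs) are assumptions made for illustration; a finding means the entry deserves a closer look, nothing more.

```python
import re

# Constructed sample in the HijackThis v1.99.1 layout (not a real scan).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: NAV Helper - {00000000-0000-0000-0000-000000000002} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {00000000-0000-0000-0000-000000000003} -
O23 - Service: Example Service - Unknown owner - C:\Program Files\Example\svc.exe
"""

# Assumption: Windows XP installed in C:\WINDOWS, as in the posted log.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYS32 for n in ("svchost.exe", "lsass.exe", "winlogon.exe",
                                   "services.exe", "smss.exe", "csrss.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(log):
    """Return (finding, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in (raw.strip() for raw in log.splitlines()):
        entry = re.match(r"^(O\d+) - (.*)$", line)
        if entry:
            code, rest = entry.groups()
            if code == "O2" and rest.endswith("(no file)"):
                findings.append(("orphan-bho", line))        # BHO registered, DLL gone
            elif code == "O16" and rest.endswith("} -"):
                findings.append(("missing-dpf-source", line))  # ActiveX with no URL
            elif code == "O23" and " - Unknown owner - " in rest:
                findings.append(("unknown-service-owner", line))
        elif re.match(r"^[A-Za-z]:\\", line):                 # running-process path
            folder, _, name = line.lower().rpartition("\\")
            if name in EXPECTED_DIR:
                if folder != EXPECTED_DIR[name]:
                    findings.append(("system-name-wrong-dir", line))
            elif any(edit_distance(name, s) <= 2 for s in EXPECTED_DIR):
                findings.append(("lookalike-name", line))     # e.g. scvhost vs svchost
    return findings
```
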

Re: Is this .exe file really a trojan?

Don't use msg plus 3!

Re: Is this .exe file really a trojan?

What's wrong with msg plus? I use it myself.

Sadiya, it looks ok. :k:

Re: Is this .exe file really a trojan?

I uninstalled MSN Plus after reading Sh3ry’s post. In the past, I’ve also heard from a few people that it’s a spyware, so it’s gone for good.

Anyway, while trying to download HijackThis, I accidentally ended up installing Spyware Cleaner, which showed the following problems:

However, I couldn’t have ’em removed automatically, so I had to manually delete the registries indicated as being malicious.

After running the test again, I don’t see any more problem alerts.