'Boot.exe' Trojan?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Algraze, Aug 8, 2007.

  1. Algraze

    Algraze Private First Class

    Hey guys!

    When I double clicked on the removable storage drive [C:\] in my computer (Kingston Data Traveler 2.0 USB Device) I got the following error message:
    To open said USB drive I had to right click & explore it. Every other drive, including the Hard Disk [F:\], opened promptly after double clicking it.

    I solved this issue by formatting the USB drive; however... erring on the side of safety [i.e. paranoia], I decided to go through the READ & RUN ME FIRST Malware Removal Guide Thread just to make sure I wasn’t infected with the boot.exe Trojan (Troj/Puppet-A).


    _______________________________________________________________________________________________________

    Specs:

    * Windows XP Pro SP 2
    * AMD Athlon 64 3800+
    * nVIDIA GeForce 7300 LE [512MB]
    * RAM [1GB]


  2. Algraze

    Algraze Private First Class

    My antivirus [AVG 7.5] or antispyware programs [Spybot S&D / Ad-Aware] have NOT detected, quarantined or removed anything named boot.exe or anything suspicious recently.

    Thanks for taking the time to look through these.




    Here are the rest of the scans:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are basically clean other than some garbage due to Logitech Desktop Messenger and a couple other things. I will give a fix for this later.


    We may need to delete some AUTORUN.INF files:
    1. Right-click Start then click Search
    2. In the Named input box, type:
      AUTORUN.INF
    3. In the Look In drop-down list, select My Computer
    4. Once located, select the file then open with Notepad. Check if it contains the following strings:
      shellexecute=Boot.exe
    5. If the said strings are found, close Notepad, select the file then press Delete.
    Let me know what you find.

    Now uninstall the CounterSpy trial before continuing.


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKCU\..\Run: [LDM] F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O18 - Protocol: bw+0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {262080A3-DCA0-4569-9476-463626845FD9} - F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

    After clicking Fix, exit HJT.
     
  4. Algraze

    Algraze Private First Class

    Thanks for the help chaslang, greatly appreciated!

    • Ran AUTORUN.INF scan: 1 file found in Program Files [Nero 7\Core\SecurDisc]; no shellexecute=Boot.exe strings found.
    • Uninstalled CounterSpy trial
    • Ran HiJackThis and fixed the entries


    What to do with the following (scans found these):
    1. CounterSpy - Frostic Lite RAT [F:\WINDOWS\server1.exe]
    2. Panda - Process.exe [F:\WINDOWS\system_backup\Process.exe & F:\WINDOWS\icon_TMP\Process.exe]
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    1. The first was already fixed by CounterSpy.
    The other two are not problems. They are just from tools you have downloaded and run. But you probably don't need them. Who created the system_backup and icon_TMP folders? These look to be things you created, probably from Vista Icons Pack v2.1.
     
  6. Algraze

    Algraze Private First Class

    You're right m8, they're just an unnecessary tool & backup folder created by the icon patch. If the HiJackThis log was clean, guess there's not much more I need to do.

    I'll toggle the System Restore and be on my way.

    Thanks again for all your help chaslang!

     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't really need to since we did not fix any malware problems. But it will not hurt you to do so (other than losing previous restore points).
     