Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal
Solved: Trojans Detected
patmac (Senior Member, 615 posts; joined May 2004; location: Earth; experience: Beginner)
06-Nov-2009, 04:58 PM #1
Trojans Detected
AVG Paid version's Resident Shield and Web Shield have alerted us on our son's machine with the following problems:
AVG Resident Shield
Trojan Agent_r.OT. C:\Windows\System32\tdlwsp.dll
Trojan DELF.NDS C:\Windows\wmqr7430.exe
Trojan SHEUR2.BNKH C:\Windows\9129837.exe
Trojan Downloader.Generic.9.CKV C:\Windows\msa.exe
Trojan Downloader.Generic.9.CLH C:\Users\Dixie\AppData\Local\Temp\b.exe
Trojan Generic15.MNX C:\ProgramData\57084529\57084529.exe
Trojan Generic14.CDAE C:\Windows\System32\cngaudit.dll

AVG Web Shield Alert:
211.20.210.87/Installus.exe
Generic15.AOXE
C:\Windows\System32\svchost.exe

It is a Windows Vista Home machine.
Any help would be appreciated.
Thank you for your time.
patmac, 08-Nov-2009, 09:57 AM #2
Bump, thanks. Approx. 48 hours.
patmac, 09-Nov-2009, 04:41 PM #3
Bump, it's been 3 days, and I know you guys are busy. Thanks.
NeonFx (Senior Member, 4,817 posts; joined Oct 2008; location: California, USA)
09-Nov-2009, 05:22 PM #4
Hello there
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:


  • The fixes are specific to your problem and should only be used on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
  • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Step 1

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Step 2

Please download Win32Diag from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3


  1. Double-click on Win32Diag.exe to run it. If you are using Windows Vista, please right-click and select Run As Administrator
  2. A black command prompt window shall appear.
  3. It will now begin to scan. This may take a while, please be patient until the scan is complete.
  4. Once it's done, in the black screen it will say "Finished! Press any key to exit....". Press any key to exit.
  5. A log file called Win32KDiag.txt will be created on your desktop.
  6. Please copy and paste the contents of that log file here in your next reply.
__________________
Please post the final results, good or bad. Let me know if you won't be responding any longer.
Please don't send me requests for help. Use the forums instead.
NeonFx, 09-Nov-2009, 08:04 PM #5
Please keep all of your questions here so that I can keep track of them.

You sent me the following:

Quote:
Hi, You are just starting to help me with a problem on my son's computer ( under patmac ). On my computer I just went to that thread and clicked on exehelper(to see where it is from) and my AVG resident shield said it detected a trojan/virus which I told it to move to the vault. Why would this be? Thanks
Antivirus programs will sometimes detect the programs we use to clean systems as malicious because of what they are capable of doing. In this case it's a false positive.

Please just ignore the warning and run the file anyway.
patmac, 10-Nov-2009, 10:14 PM #6
Tried running exeHelper.com, an error box stating the following comes up: exeHelper.com is not a valid Win32 application. I downloaded Win32Diag but did not run that because of the above error.
NeonFx, 10-Nov-2009, 10:20 PM #7
Alright. Please continue with step 2.
patmac, 10-Nov-2009, 11:02 PM #8
Ran Win32Diag. It went through a lot of Mount point Destinations and Found Mount Points, but never said finished. It stopped at the following and said: Cannot Access:
C:\Windows\System32\Logfiles\WMI\RtBackup\EtwRTDiaglog.etl
There was never any text file produced.
NeonFx, 10-Nov-2009, 11:08 PM #9
Ok, you can close that. It can seem to get stuck at times, but it's usually still working, and that gives me enough information.

STEP 1

Please delete your version of Win32kDiag.exe (along with the old Win32kDiag.txt file that was created) and redownload it from HERE

Make sure win32kdiag.exe is on your Desktop. Click on Start->Run, copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


STEP 2

Note: Disabling any security programs you have running will significantly increase the chances of the following working as it should. Please disable AntiViruses, AntiSpywares and Firewalls before continuing on with my instructions. For instructions, if needed, see HERE or HERE

Download Combofix from any of the links below but rename the file to TheHammer before saving it to your desktop.

To do so in Internet Explorer right click one of the links and select "Save Target As.." from the options. This will open a Save box where you should navigate to your Desktop and change the name in the textbox on the bottom.
To get the same box in Firefox right click one of these links and select "Save Link As.." from the menu.

Link 1
Link 2


==================================


Double click on the TheHammer.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • If you are asked to allow ComboFix to download and install the Recovery Console or have it update, let it do so.
  • Please post the results that are saved at C:\ComboFix.txt in your next reply
patmac, 10-Nov-2009, 11:38 PM #10
Cut and paste was too large, too many lines. I'm trying to attach the file now. If that works do I go on to the Combofix step yet?
NeonFx, 11-Nov-2009, 02:28 AM #11
Yeah go ahead with the ComboFix step, sorry for the delay.
patmac, 11-Nov-2009, 10:37 AM #12
Trying to start TheHammer, it comes up with a box saying AVG Antivirus is enabled. I supposedly disable Resident Shield per one of the Help links at Bleeping, then save etc...hit OK in the Combofix box to continue and it says AVG is still enabled. Only now the Combofix box only has one option to continue at my own risk by hitting OK. I checked Resident Shield and AVG says it's disabled, but going into Resident Shield shows time ticking away on how long it's been protecting. Please advise.
NeonFx, 11-Nov-2009, 02:52 PM #13
You can disregard that warning as it can sometimes not tell if you've disabled AVG or not. If you know you've disabled AVG then press Ok anyway.
patmac, 11-Nov-2009, 04:03 PM #14
ComboFix 09-11-09.02 - Dixie 11/11/2009 14:27.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1022.497 [GMT -5:00]
Running from: c:\users\Dixie\Desktop\TheHammer.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3034978800-2221467198-3967934401-500
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\9129837.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\tdlwsp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 19:40 . 2009-11-11 19:47 -------- d-----w- c:\users\Dixie\AppData\Local\temp
2009-11-11 19:40 . 2009-11-11 19:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-11 19:40 . 2009-11-11 19:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-11 04:45 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 04:45 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-06 13:50 . 2009-10-21 17:31 2064152 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-11-04 00:55 . 2009-11-04 00:55 -------- d-----w- c:\program files\Air Mouse
2009-11-04 00:06 . 2009-11-04 00:14 -------- d-----w- c:\program files\TightVNC
2009-11-02 13:50 . 2009-10-21 17:31 2025752 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
2009-10-25 14:54 . 2009-10-25 15:12 -------- d-----w- C:\AVGTemp
2009-10-22 22:16 . 2009-10-24 05:00 -------- d-----w- c:\programdata\57084529
2009-10-22 21:34 . 2009-10-22 21:34 680 ----a-w- c:\users\Dixie\AppData\Local\d3d9caps.dat
2009-10-22 21:31 . 2009-10-22 21:31 0 ----a-w- c:\windows\win32k.sys
2009-10-22 21:25 . 2009-10-22 21:25 95744 ----a-w- c:\windows\wmqr74340.exe
2009-10-20 22:05 . 2007-05-21 03:45 1140312 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2009-10-20 22:05 . 2007-05-21 03:39 1099352 ------w- c:\programdata\HP\Installer\Temp\hpzscr01.exe
2009-10-19 22:48 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-19 22:48 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-19 22:48 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-19 22:48 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-19 22:47 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-19 22:47 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-19 22:47 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-19 22:47 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-19 22:47 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-14 01:12 . 2009-10-14 01:12 -------- d-----w- c:\users\Dixie\AppData\Local\AIM
2009-10-13 21:42 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 21:40 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-13 21:37 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 01:38 . 2008-01-08 20:32 13238 ----a-w- c:\users\Dixie\AppData\Roaming\wklnhst.dat
2009-11-06 13:52 . 2008-09-29 00:44 4096 d-----w- c:\programdata\avg8
2009-11-03 01:42 . 2009-10-03 06:40 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-23 20:01 . 2008-10-19 14:24 -------- d-----w- c:\program files\LimeWire
2009-10-23 00:32 . 2008-07-02 13:28 8192 d-----w- c:\users\Dixie\AppData\Roaming\LimeWire
2009-10-20 21:53 . 2007-10-28 11:51 4096 d-----w- c:\program files\Google
2009-10-20 21:43 . 2008-01-06 01:22 -------- d-----w- c:\programdata\Viewpoint
2009-10-14 07:16 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-09-10 17:38 . 2009-10-13 21:43 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 15:21 . 2009-10-13 21:43 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 15:17 . 2009-10-13 21:43 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-08-31 15:16 . 2009-10-13 21:43 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-08-29 03:41 . 2009-09-03 00:12 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-03 00:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:31 . 2009-09-03 00:12 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-13 21:43 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-13 21:43 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-13 21:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-13 21:43 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-13 21:43 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-13 21:43 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-16 00:32 . 2009-09-09 10:07 214104 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-15 23:58 . 2009-09-09 10:07 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-15 23:54 . 2009-09-09 10:07 416768 ----a-w- c:\windows\system32\IKEEXT.DLL
2009-08-15 23:54 . 2009-09-09 10:07 543232 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2009-08-15 23:53 . 2009-09-09 10:07 317440 ----a-w- c:\windows\system32\BFE.DLL
2009-08-15 21:30 . 2009-09-09 10:07 816640 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-15 21:30 . 2009-09-09 10:07 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-15 21:29 . 2009-09-09 10:07 85504 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2009-08-14 16:40 . 2009-09-09 10:07 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-09-09 10:07 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-09-09 10:07 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-09-09 10:07 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-09-09 10:07 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-09-09 10:07 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-09-09 10:07 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-09-09 10:07 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-09-09 10:07 10240 ----a-w- c:\windows\system32\finger.exe
2007-10-28 19:13 . 2007-10-28 19:04 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-28 1006264]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-24 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-24 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-24 81920]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-03-15 4390912]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Air Mouse.lnk - c:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-2-16 269824]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [9/28/2008 7:44 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [9/28/2008 7:44 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/23/2008 1:41 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/23/2009 7:48 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/23/2009 7:48 PM 297752]
R2 dlbc_device;dlbc_device;c:\windows\system32\dlbccoms.exe -service --> c:\windows\system32\dlbccoms.exe -service [?]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2/19/2008 3:03 PM 45848]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe --> c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.bearshare.com/
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\programdata\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\users\Dixie\AppData\Roaming\Mozilla\Firefox\Profiles\27oct4gy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKfox000&fl=0&ptb=_HFuCcxKOdmy33yS03dxuA&st=kwd&o=kwd&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\Dixie\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-Blubster - c:\program files\Blubster\Blubster.exe
HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
HKU-Default-Run-ttool - c:\windows\9129837.exe
AddRemove-BearShare MediaBar - c:\program files\BearShare Applications\BearShare MediaBar\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 14:47
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll nvstor.sys >>UNKNOWN [0x8A9A5F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlbccoms.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-11-11 14:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 19:54

Pre-Run: 161,629,523,968 bytes free
Post-Run: 161,930,530,816 bytes free

- - End Of File - - 4952BDDAFC05C7D01B1F8E536019EDBC
NeonFx, 11-Nov-2009, 04:24 PM #15
You have a couple of serious infections. I'm going to need some more information before we proceed.

Download OTS to your Desktop


  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Reg - Uninstall List
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Please copy and paste the following into the Custom Scans section on the bottom:
    Code:
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys  /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
     

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


To ensure that I get all the information this log will need to be attached. Please attach it to your next reply by clicking on either the blue Reply button or the Go Advanced button and then on the "Manage Attachments" button.
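The custom-scan lines in the post above ask OTS to search the system drive for each listed file name (the /s switch) and print its MD5 (the /md5 switch), so the helper can compare the hashes of driver and logon DLLs against known-good copies. What follows is an added Python example, not OTS's code and not part of the original thread, that does the equivalent walk-and-hash over a directory tree and flags any file name that turns up in more than one place with different contents. The directory tree it scans is a constructed sample built in a temporary folder, not the machine from the thread; the file names are the ones from the post.

```python
"""Added example: locate every copy of a set of system file names under a
root directory and report size and MD5, the same information the OTS
custom-scan lines '<name> /s /md5' request. Illustration only, not OTS code."""
import hashlib
import os
import tempfile

# File names taken from the custom-scan list in the post above.
TARGET_NAMES = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll",
    "sceclt.dll", "ntelogon.dll", "logevent.dll", "iaStor.sys",
    "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys",
]


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large drivers need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_and_hash(root, names):
    """Walk `root` recursively (the /s behaviour) and return one record per
    match as (path, size_bytes, md5_hex), sorted by path. Names are matched
    case-insensitively, as they are on an NTFS volume."""
    wanted = {n.lower() for n in names}
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                full = os.path.join(dirpath, fn)
                records.append((full, os.path.getsize(full), md5_of_file(full)))
    records.sort()
    return records


def names_found(records):
    """Sorted lower-case base names of the matched files."""
    return sorted(os.path.basename(p).lower() for p, _, _ in records)


def flag_duplicates(records):
    """Names that appear more than once with differing hashes, e.g. one copy
    in system32 and another in a driver cache: the first discrepancy a helper
    would compare against a known-good hash."""
    by_name = {}
    for path, _size, digest in records:
        by_name.setdefault(os.path.basename(path).lower(), set()).add(digest)
    return sorted(name for name, digests in by_name.items() if len(digests) > 1)


def demo_tree():
    """Constructed sample tree (not from the thread's machine): two copies of
    atapi.sys with different contents, one cngaudit.dll, one non-target file."""
    root = tempfile.mkdtemp(prefix="otsdemo_")
    layout = {
        os.path.join("Windows", "System32", "drivers", "atapi.sys"): b"driver-A",
        os.path.join("Windows", "winsxs", "x86_atapi", "atapi.sys"): b"driver-B",
        os.path.join("Windows", "System32", "cngaudit.dll"): b"audit-dll",
        os.path.join("Windows", "notepad.exe"): b"not-a-target",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = demo_tree()
    recs = find_and_hash(root, TARGET_NAMES)
    for path, size, digest in recs:
        print(f"{digest}  {size:>8}  {path}")
    print("names with differing copies:", flag_duplicates(recs))
```

On a real system you would point `find_and_hash` at the system drive and compare each digest with the hash of the same file from clean installation media or a trusted machine; a kernel-mode rootkit that hides or patches the on-disk driver can still defeat a scan run from inside the infected OS, which is why the helper also asked for the Win32kDiag and ComboFix logs.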
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.