TechSpot

[Active] Trojans somewhere!

By aindia
Aug 6, 2010
  1. Hi,

    I got infected by a trojan or two recently -- thought I had it cleaned but apparently not. I'm getting a lot of pop ups by my AV saying that svchost.exe is trying to connect to a malicious website -- also get occasional websites popping up in a new tab when I am browsing.

    I of course tried to fix this before I found your website and your 6 steps so I probably messed up something 0.o. Malwarebytes (or any of my AV's) aren't showing any infections but there is something there!

    I am currently running the 6 steps -- though I had a problem with gmer, which I have a question about: when I run it, is it supposed to take like 12+ hrs? lol I didn't get a warning or anything about scanning my whole system, but it still took over 12 hrs and then it locked up and didn't finish. Whole computer froze up :(

    And if it's any clue -- TFC cleaned out over 6 billion bytes from the temp folder on my administrator account...whew.. so something is there, I just can't find the darn thing.

    Redoing malwarebytes quick scan now so I will post that shortly, but it's going to show no infections I'm sure. I can post the old log with the infections if you want as well, just let me know.

    Thanks in advance for any assistance!
     
  2. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Malwarebytes log --


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4395

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/6/2010 9:08:50 AM
    mbam-log-2010-08-06 (09-08-50).txt

    Scan type: Quick scan
    Objects scanned: 146546
    Time elapsed: 7 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. crunchie

    crunchie Malware Helper Posts: 728

  4. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Will happily do so.. I tried running gmer and it took over 12 hrs and then froze and locked up my computer and never finished. Is that a normal scan time? If so I'll start it again lol..but if not I want to know what I did wrong 0.o.
     
  5. crunchie

    crunchie Malware Helper Posts: 728

    If you have problems with it again, try it in safe mode please.
     
  6. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Gmer log -- it crashed again, so I ran it in safe mode with no problems.
     


  7. aindia

    aindia TS Rookie Topic Starter Posts: 18

    next 2 logs..
     


  8. crunchie

    crunchie Malware Helper Posts: 728

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  9. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Ok, I had problems with combofix -- the first time I ran it, it sat there for an hour without doing anything. Rebooted -- ran it again and this time no problem. So that is why it took so long, sorry :(

    Posting the log
     


  10. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    DDS::
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    TB: WeatherBug Browser Bar - powered by MyWebSearch: {8eab99c9-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==============

    Let me know how the pc is now.
     
  11. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Second Combofix log:

    ComboFix 10-08-06.03 - HP_Administrator 08/07/2010 10:19:37.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1254 [GMT -4:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\documents and settings\HP_Administrator\Local Settings\Temp\IadHide5.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
    .

    2010-08-05 18:37 . 2010-08-05 18:37 -------- d-----w- c:\windows\Cache
    2010-08-05 18:37 . 2010-08-05 18:37 -------- d-----w- c:\program files\Coupons
    2010-08-04 17:15 . 2010-08-04 17:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-08-04 17:14 . 2010-08-05 21:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-03 15:50 . 2010-08-04 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
    2010-07-30 05:41 . 2010-08-04 17:08 -------- d-----w- c:\program files\Turbo Subs
    2010-07-29 18:11 . 2010-07-29 18:11 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2010-07-29 18:11 . 2010-07-29 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-29 18:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-29 18:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-28 22:53 . 2010-08-04 17:08 -------- d-----w- c:\program files\Shopmania
    2010-07-25 01:51 . 2010-07-25 01:51 -------- d-----w- c:\program files\Wedding Dash - Ready, Aim, Love
    2010-07-25 01:12 . 2010-07-25 01:12 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Sunbelt Software
    2010-07-25 01:10 . 2010-07-25 01:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-24 18:41 . 2010-07-24 18:41 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
    2010-07-23 17:37 . 2010-08-06 19:45 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-16 22:33 . 2010-07-16 22:33 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Yahoo
    2010-07-16 22:33 . 2010-07-16 22:33 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Yahoo!
    2010-07-16 13:08 . 2010-07-16 13:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 23:50 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-15 23:40 . 2010-07-15 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-05 21:32 . 2006-09-13 02:24 -------- d-----w- c:\program files\Common Files\Java
    2010-08-05 21:31 . 2006-09-13 02:24 -------- d-----w- c:\program files\Java
    2010-08-05 18:39 . 2007-02-22 21:36 -------- d-----w- c:\program files\Lx_cats
    2010-08-03 16:03 . 2007-01-15 14:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-03 16:02 . 2009-07-21 13:17 -------- d-----w- c:\program files\Megaplex Madness - Summer Blockbuster
    2010-08-02 19:28 . 2009-07-21 13:28 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MegaplexMadnessSummerBlockbuster
    2010-07-30 00:59 . 2009-08-19 16:27 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HpUpdate
    2010-07-26 13:22 . 2006-09-13 02:59 -------- d-----w- c:\program files\DivX
    2010-07-26 13:21 . 2008-04-09 05:25 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Move Networks
    2010-07-26 13:17 . 2007-01-11 02:53 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\IGN_DLM
    2010-07-26 13:17 . 2007-01-11 02:52 -------- d-----w- c:\program files\IGN
    2010-07-26 13:16 . 2006-09-13 02:58 -------- d-----w- c:\program files\muvee Technologies
    2010-07-26 13:16 . 2006-09-13 02:55 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-26 13:12 . 2008-02-29 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2010-07-26 13:08 . 2009-05-09 00:45 -------- d-----w- c:\program files\PopCap Games
    2010-07-26 13:06 . 2006-09-13 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-07-26 13:05 . 2009-08-29 20:24 -------- d-----w- c:\program files\Graboid
    2010-07-26 13:03 . 2009-09-12 01:21 -------- d-----w- c:\program files\Turbine
    2010-07-26 13:02 . 2009-07-29 22:36 -------- d-----w- c:\program files\City of Heroes
    2010-07-26 13:02 . 2009-08-24 18:36 -------- d-----w- c:\program files\Cryptic Studios
    2010-07-26 13:01 . 2010-03-02 15:46 -------- d-----w- c:\program files\Armadillo Run Demo
    2010-07-25 01:12 . 2007-02-25 13:25 -------- d-----w- c:\program files\Google
    2010-07-17 09:00 . 2010-04-30 13:30 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-16 14:58 . 2007-03-29 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-07-16 13:08 . 2009-09-09 13:28 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 13:07 . 2009-09-09 13:28 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-16 07:01 . 2009-09-19 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-07-12 08:55 . 2010-03-14 14:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-07-12 08:55 . 2010-03-14 15:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-21 22:25 . 2010-06-21 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\MythPeople
    2010-06-21 22:24 . 2010-06-21 22:24 -------- d-----w- c:\program files\Miriel's Enchanted Mystery
    2010-06-21 19:35 . 2010-06-21 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
    2010-06-16 12:44 . 2008-05-13 14:47 -------- d-----w- c:\program files\Airport Mania - First Flight
    2010-06-11 23:36 . 2010-06-11 23:36 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Hotdog Hotshot
    2010-06-09 10:34 . 2008-10-21 00:50 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
    2010-06-09 04:00 . 2008-10-21 00:57 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
    2010-06-03 13:44 . 2009-09-09 13:28 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2008-02-28 16:24 . 2008-02-28 16:24 0 ----a-w- c:\program files\temp01
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2009-10-20 1693184]
    "Aim"="c:\program files\AIM\aim.exe" [2010-04-19 3972440]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "ftutil2"="ftutil2.dll" [2004-06-07 106496]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
    "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-09-13 180269]
    "lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
    "nwiz"="nwiz.exe" [2009-02-18 1657376]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-8-23 813584]
    Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-9-12 36903]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-9-12 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-9-12 27136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-16 13:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Lexmark 3300 Series\\LXCClpx.exe"=
    "c:\\WINDOWS\\ehome\\ehshell.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Lexmark 3300 Series\\lxccaiox.exe"=
    "c:\\Program Files\\Lexmark 3300 Series\\pheditor.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/14/2010 10:12 AM 64288]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/9/2009 9:28 AM 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/9/2009 9:28 AM 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:08 AM 308136]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 4:55 AM 1352832]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [8/23/2009 6:19 PM 10384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/23/2010 10:46 AM 135664]
    S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [9/12/2006 10:40 PM 82048]
    S3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\drivers\lne100v5.sys [7/18/2009 7:22 PM 36224]
    S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

    2010-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 14:46]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-23 14:46]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0vc4w2xp.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-07 10:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(536)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll

    - - - - - - - > 'explorer.exe'(4592)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\ARPWRMSG.EXE
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\lxcccoms.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\hp\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-07 10:49:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-07 14:48
    ComboFix2.txt 2010-08-07 13:53

    Pre-Run: 152,833,208,320 bytes free
    Post-Run: 152,822,906,880 bytes free

    - - End Of File - - 0381D21BC6515439A627A245DCE4DC19
     
  12. aindia

    aindia TS Rookie Topic Starter Posts: 18

    And with what internet use I've had since combofix was run, it seems to be better. I've not noticed any redirects or had my ad-aware pop up with Svchost.exe problems. But it's only been a couple of hours so far :D

    Thank you for your help! I know we aren't done yet..but still want to say thanks! :D
     
  13. crunchie

    crunchie Malware Helper Posts: 728

    That's good news :).
    Let's do an on-line scan to see if anything else turns up before we do a final clean-up.

    Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on the Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  14. aindia

    aindia TS Rookie Topic Starter Posts: 18

    erm.. do I have to turn my AVG completely off? And if so, I honestly have no clue how to do that other than just closing the files in task manager.
     
  15. crunchie

    crunchie Malware Helper Posts: 728

    You should be able to do it by right clicking on its icon in the task bar and disabling it.
     
  16. aindia

    aindia TS Rookie Topic Starter Posts: 18

    I can with the Ad-Aware, but not with AVG -- my choices are to open the interface (of which the only item I can turn off is the resident shield), scan, update or help. There is no disable thing that I can find :(

    Ok well disabling the resident shield and gonna try that.. if it causes problems I'll just shut it down and try again heh
     
  17. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Ok.. Kaspersky report ---

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, August 8, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, August 07, 2010 20:45:05
    Records in database: 4131200
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Objects scanned: 262277
    Threats found: 8
    Infected objects found: 10
    Suspicious objects found: 0
    Scan duration: 06:01:58


    File name / Threat / Threats count
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\Program Files\My Kingdom for the Princess\peacecraft.exe Infected: Trojan-Dropper.Win32.Agent.cgwk 1
    C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
    C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
    C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL Infected: not-a-virus:AdWare.Win32.WeatherBug.f 1
    C:\Qoobox\32788R22FWJFW\kbdclass.sys Infected: Rootkit.Win32.TDSS.ap 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sargdops.ini.vir Infected: Trojan.Win32.Small.ackh 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1208\A0129884.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1240\A0146633.ini Infected: Trojan.Win32.Small.ackh 1
    C:\Trickster Online\GameGuard\GameMon.des Infected: Trojan.Win32.Refroso.bajm 1

    Selected area has been scanned.
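As an added example (not code from this thread or from any of the tools used in it), here is a Python triage script for the two artifacts above: DDS/ComboFix-style configuration lines of the kind the CFScript in post 10 targets, and the Kaspersky report in post 17. The sample lines are copied from this thread; the severity labels, the rule that hits inside Qoobox (ComboFix's quarantine) and System Restore snapshots are contained rather than live, and all function names are the editor's assumptions.

```python
"""Triage of the two log formats in this thread (added example, not a tool from
the thread): DDS/ComboFix-style config lines and a Kaspersky Online Scanner 7
report.  Sample lines are copied from the thread; rules and labels are the
editor's own assumptions."""
import re
from dataclasses import dataclass

# DDS-style lines in the shape the CFScript targets (copied from the thread).
DDS_LINES = r"""
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TB: WeatherBug Browser Bar - powered by MyWebSearch: {8eab99c9-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uStart Page = hxxp://www.google.com/
"""

# A proxy on the loopback interface hands every browser request to a local
# process first; that is consistent with the redirects and pop-up tabs reported.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
# "TB:" lines: optional display name, CLSID in braces, then the DLL path or "No File".
TOOLBAR = re.compile(
    r"^TB:\s*(?P<name>.*?)\{(?P<clsid>[0-9a-f-]{36})\}\s*-\s*(?P<path>.*)$", re.I)


def triage_dds(text):
    """Return (severity, reason, line) for each suspicious DDS line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(("high", "browser traffic routed through local proxy "
                             f"{m.group(1)}:{m.group(2)}", line))
            continue
        m = TOOLBAR.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if path.lower() in ("", "no file"):
            findings.append(("low", "orphaned toolbar registration (no file on disk)", line))
        elif "mywebsearch" in (path + m.group("name")).lower():
            findings.append(("medium", "known adware toolbar (MyWebSearch)", line))
    return findings


# Kaspersky "File name / Threat / Threats count" lines (copied from the thread).
KASPERSKY_REPORT = r"""
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\My Kingdom for the Princess\peacecraft.exe Infected: Trojan-Dropper.Win32.Agent.cgwk 1
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL Infected: not-a-virus:AdWare.Win32.WeatherBug.f 1
C:\Qoobox\32788R22FWJFW\kbdclass.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sargdops.ini.vir Infected: Trojan.Win32.Small.ackh 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1208\A0129884.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP1240\A0146633.ini Infected: Trojan.Win32.Small.ackh 1
C:\Trickster Online\GameGuard\GameMon.des Infected: Trojan.Win32.Refroso.bajm 1
"""

KASP_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


@dataclass
class Hit:
    path: str
    threat: str
    category: str  # active | pua | quarantined | restore_point


def classify_path(path):
    low = path.lower()
    if "\\qoobox\\" in low:
        return "quarantined"    # ComboFix quarantine: already moved out of its original place
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # System Restore snapshot: inert unless a restore is performed
    return "active"


def triage_kaspersky(report):
    """Parse report lines into Hit records with a triage category."""
    hits = []
    for line in report.splitlines():
        m = KASP_LINE.match(line.strip())
        if not m:
            continue
        category = classify_path(m.group("path"))
        if category == "active" and m.group("threat").startswith("not-a-virus:"):
            category = "pua"    # adware/riskware rather than malware, but still live on disk
        hits.append(Hit(m.group("path"), m.group("threat"), category))
    return hits


def removal_targets(hits):
    """Only live files need action now; quarantine and restore points are purged at clean-up."""
    return sorted({h.path for h in hits if h.category in ("active", "pua")})


if __name__ == "__main__":
    for sev, why, line in triage_dds(DDS_LINES):
        print(f"[{sev}] {why}\n      {line}")
    hits = triage_kaspersky(KASPERSKY_REPORT)
    for h in hits:
        print(f"{h.category:13} {h.threat:48} {h.path}")
    print("remove:", *removal_targets(hits), sep="\n  ")
```

The six paths returned by `removal_targets` are exactly the four file entries plus the MyWebSearchWB folder that the helper's second CFScript targets.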
     
  18. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    KillAll::
    
    Folder::
    C:\Program Files\MyWebSearchWB
    File::
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\My Kingdom for the Princess\peacecraft.exe
    C:\Trickster Online\GameGuard\GameMon.des
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  19. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Combofix report === running OTL in a sec.
     
  20. aindia

    aindia TS Rookie Topic Starter Posts: 18

    OTL and EXTRA logs
     
  21. crunchie

    crunchie Malware Helper Posts: 728

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :Files
      C:\Documents and Settings\All Users\Application Data\TEMP
      
      :Commands
      [emptyflash]
      [emptytemp]
      [resethosts]
      [CLEARALLRESTOREPOINTS]
      [CREATERESTOREPOINT]
      [Reboot]
    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot the PC when it is done.
    • Post log from this run.
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
     
  22. aindia

    aindia TS Rookie Topic Starter Posts: 18

    New OTL report -- Ermm, looking back at this.. you asked for the OTL from the fix run too and I didn't post that one and I'm not sure where to find it if it's still there :( This is the one from the quick scan after it rebooted.
     

    Attached Files: OTL.Txt (98.4 KB)
  23. crunchie

    crunchie Malware Helper Posts: 728

    No worries. How does the pc seem now?
     
  24. aindia

    aindia TS Rookie Topic Starter Posts: 18

    Seems to be running fine. No alerts about svchost and no redirects, also not getting the huge svchost.exe file in task manager either.. yay! :D

    Thank you for your help so far! :D
     
  25. crunchie

    crunchie Malware Helper Posts: 728

    No worries :).

    Launch OTL and click on the Cleanup button. Follow the prompts.

    That should do you.
     
Topic Status:
Not open for further replies.