Backdoor.Nuclear.by, need logs read

Status
Not open for further replies.

NorGitram

Posts: 112   +0
I went through the 15 steps and there were no rootkits found with Panda. I can't seem to get rid of this. Any help would be greatly appreciated. My AVG log file is over 100kb so I couldn't attach it.
 
OK, I managed to get the AVG A-S log under 100kb by deleting some old Firefox backups that AVG was listing in the log.
 
It seems that you have a backdoor trojan. You have possibly already been hacked.

C:\WINDOWS\system32\cab\winmgnt.exe

O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\cab\winmgnt.exe

Stop this service:
O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe (in bold). These should only run from the System32 folder.
Run AVG Anti-Rootkit here.
There is no sign of a firewall in your log; you can get a free one from ZoneAlarm or Comodo.
Post another HJT log after stopping the service and running AVG Anti-Rootkit.
 
Thanks for your help. AVG antirootkit found this C:\WINDOWS\System32\Drivers\a6lry0rl.SYS,Hidden driver file. Should I remove it? I have a router and didn't think I still needed a software firewall ?
 
NorGitram said:
Thanks for your help. AVG antirootkit found this C:\WINDOWS\System32\Drivers\a6lry0rl.SYS,Hidden driver file. Should I remove it? I have a router and didn't think I still needed a software firewall ?
As there is no information on it, I would say yes. First try changing its name to interrupt it; then, if all is working OK, delete it.
Run HijackThis and place a tick next to:
O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\cab\winmgnt.exe
C:\WINDOWS\system32\cab\winmgnt.exe. Go to their respective folders and delete the files marked in bold, only if there

Then do a regedit if you feel confident:
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
Then click OK. (The Registry Editor opens.)

3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete any value which refers to the backdoor files, for instance:

"NTDLM"="c:\winnt\system32\qossrv\csrss.exe"

5. Navigate to the key:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\pAdmin\Settings

6. In the right pane, delete the value:

"port"="6351"

7. Exit the Registry Editor.

Go here and run the scanner.

Free firewall HERE.
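Added example, not code from this thread: a small Python triage script that applies the rule given in the replies above (system binaries such as Services.exe or spoolsv.exe should run only from System32 itself, and executables tucked into System32 subfolders such as cab or drivers\etc are suspect) to a few constructed HijackThis O4/O23 lines modelled on this log. The subfolder allow-list and the list of system process names are assumptions, not part of HijackThis.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample HijackThis lines modelled on the entries discussed in the thread.
SAMPLE_LOG = "\n".join([
    r"O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\cab\winmgnt.exe",
    r"O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH",
    r"O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe",
    r"O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe",
    r"O4 - Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe",
])

# Names of core Windows processes that legitimately live directly in System32 (assumed list).
SYSTEM_NAMES = {"spoolsv.exe", "csrss.exe", "services.exe", "lsass.exe",
                "winlogon.exe", "svchost.exe", "smss.exe"}
# System32 subfolders known to ship executables (assumed allow-list; extend as needed).
EXPECTED_SYSTEM32_SUBDIRS = {"wbem"}

PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.exe\b", re.IGNORECASE)


def extract_path(line):
    """Return the first absolute .exe path in an HJT line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage_line(line):
    """Return a list of findings for one HJT line (empty list means nothing flagged)."""
    findings = []
    path = extract_path(line)
    if path is None:
        return findings
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]        # e.g. ['c:\\', 'windows', 'system32', 'cab', 'winmgnt.exe']
    name = p.name.lower()
    in_system32 = "system32" in parts[:-1]
    directly_in_system32 = in_system32 and parts[-2] == "system32"
    if name in SYSTEM_NAMES and not directly_in_system32:
        findings.append(f"{name} should only run from System32, found in {p.parent}")
    if in_system32 and not directly_in_system32:
        sub = parts[parts.index("system32") + 1]
        if sub not in EXPECTED_SYSTEM32_SUBDIRS:
            findings.append(f"executable in unusual System32 subfolder: {p.parent}")
    return findings


def triage_log(text):
    """Map each flagged HJT line to its findings; clean lines are omitted."""
    return {line: f for line in text.splitlines() if (f := triage_line(line))}


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        print(line, "\n   ", "; ".join(findings))
```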
 
I was able to complete everything but #6. There was no pAdmin under HKEY_CURRENT_USER\Software\VB and VBA Program Settings\.

I ran ESET online scanner and it found 3 threats and deleted them.

Attached is a new hijackthis.log
 
With the exception of the following, your log is clean. These are not necessarily intrusive entries; nevertheless, if you do not know what they are you should consider removal. For example, one is for an HP printer, so if you no longer have that printer, remove it.

C:\Program Files\Common Files\efax\HotTray.exe

C:\Program Files\Common Files\efax\Dllcmd32.exe (hp printer)

O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF ~1.DAT (motorola phones)

O4 - Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe

Hope things go well, happy computing!
 