TechSpot

Help removing win32/heur

By stubert
Oct 10, 2010
  1. Hello,

    Thought i posted this earlier can't see it though, got win32/heur today my AVG keeps finding virus's but from what ive read most are false positives, ran malwarebytes and deleted everything it found but was the same after restart.

    Malwarebytes

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4788

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/10/2010 16:13:29
    mbam-log-2010-10-10 (16-13-29).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 277607
    Time elapsed: 3 hour(s), 20 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\rbadza.sys (Trojan.Goldun) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\rbadza.sys (Trojan.Goldun) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0a054738-0626-82f3-3d65-458aef4334c9} (Trojan.ZbotR.Gen) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Sound forge\Sony_Sound_Forge_8.0\Damn_MainConcept_MPEG_1&2_Plugin_v1.0_Keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Stuff\APSCS3EP.UPPED.BY.ADZAPPER\APSCS3EP.UPPED.BY.ADZAPPER\Adobe Photoshop CS3 Extended Portable\CSDATA\10000005700002i\mspaint.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Stuff\APSCS3EP.UPPED.BY.ADZAPPER\APSCS3EP.UPPED.BY.ADZAPPER\Adobe Photoshop CS3 Extended Portable\CSDATA\1000000600002i\svchost.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Stuff\APSCS3EP.UPPED.BY.ADZAPPER\APSCS3EP.UPPED.BY.ADZAPPER\Adobe Photoshop CS3 Extended Portable\CSDATA\1000000b00002i\rundll32.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Stuff\APSCS3EP.UPPED.BY.ADZAPPER\APSCS3EP.UPPED.BY.ADZAPPER\Adobe Photoshop CS3 Extended Portable\CSDATA\1000000b00002i\verclsid.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\My Documents\Everythings in here\Stuff\APSCS3EP.UPPED.BY.ADZAPPER\APSCS3EP.UPPED.BY.ADZAPPER\Adobe Photoshop CS3 Extended Portable\CSDATA\400000a500003i\FNPLicensingService.exe (Rootkit.Dropper) -> Quarantined and deleted successfully.
    C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\Owner\Local Settings\Temp\0.24235449347660787.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\Yloz\zeaq.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.


    Hijackthis


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:19:17, on 10/10/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.tiscali.co.uk/broadband
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Home Cinema\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O15 - Trusted Zone: *.line6.net
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1084026504781
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173015837546
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://cdn1.acclaimdownloads.com/solidstateion.cab
    O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: rbadzm - rbadzm.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

    --
    End of file - 9415 bytes


    dunno what to do? :confused:
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware, but it's going to take more than these 2 programs!

    Note: You did have another thread. since the same logs were on it, I will delete that thread and we'll use this thread only.
    http://www.techspot.com/vb/topic154659.html


    First, I'd like you to remove these Domains from the Trusted Zone:
    O15 - Trusted Zone: http://asia.msi.com.tw
    O15 - Trusted Zone: http://global.msi.com.tw
    O15 - Trusted Zone: http://www.msi.com.tw
    O15 - Trusted Zone: *.line6.net

    Unless you have some kind of Intranet set up, nothing need to be in this Zone. It has lower security than the Internet so can be a vulnerability to the system.

    Click on Start> Control Panel> Internet Options> Security tab> Trusted Sites> Sites> highlight each of the site> Remove.

    I'd like you to run this online AV scan first, then paste the long in to your next reply. After I see that, I'll know better what to have you do next. We have preliminary programs to run, but before I give you that, I want to see this log.

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. stubert

    stubert TS Rookie Topic Starter

    Hello and thanks :)

    Deleted the entrys from trusted sites ones that end with .tw come back though

    Scan results (ended first scan early because it seemed to have frozen)

    View attachment log.txt


    Thanks for the help!
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, bad news. You system is badly infected with Ramnit. This is not curable. Please read:
     
  5. stubert

    stubert TS Rookie Topic Starter

    Hmm lol good thing this pc was on its way out anyway.

    Will this virus prevent me from using my pc atall eventually? its working fine atm. Obviously wont use any emails/banking etc with it will change all my pass's on a different pc tonight but if i can still use it for youtube and games untill i get a new pc i dont mind.

    thanks for the help anyway
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes.
    You should not be using this system at all- for anything. It is very possible that you may pass on an infected file in addition to your own files being trashed.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...