Solved Help removing Trojan horse(s) & other problems


gooodjunkk

Hello,

I am having serious problems. Yesterday afternoon my AVG antivirus Resident Shield detected 2 "Trojan horse backdoor generic 12.cegh" infections, so I sent them to the virus vault. A little later, Malwarebytes informed me that a file named ltk.exe was trying to do something malicious & asked if it should let the program proceed. I said no. Meanwhile Malwarebytes was blocking websites left & right. I found ltk.exe, ltm.exe, ltn.exe, etc. on my computer & deleted them.

The problem I am having now is that every once in a while a new Internet Explorer window will pop up & open a webpage offering to refinance my mortgage or some other junk; something called "Security Suite" is running on my computer, scanning for viruses (& finding a bunch), constantly sending me security alerts about infected files on my computer & asking me to buy the software to remove the threats; my AVG antivirus & Malwarebytes are apparently infected & inaccessible; among other things.

Anyway, I read the 8 steps at the top of this forum & went through & did each step. I have the GMER & DDS logs on my desktop but can't open them. I get an error message telling me that notepad.exe is infected. I can't get to the Malwarebytes log either, but if I remember correctly it found 1 infected file & 2 registry entries & sent everything to the vault.

Please help, if you can.

Thank you
 
Hi and welcome to TechSpot forums :).

====

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Hi Crunchie,

Thanks so much for responding to my post. My problems have changed. After my first post but before your reply I booted into Safe Mode & ran Malwarebytes & Spybot & both found & fixed some stuff. See the MBAM log below. Spybot found & fixed something called Fraud.Sysguard & CouponBar. I don't know if it helps, but I attached a report from Spybot.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4425
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
8/13/2010 9:20:45 AM
mbam-log-2010-08-13 (09-20-45).txt
Scan type: Quick scan
Objects scanned: 134270
Time elapsed: 10 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\mejl.tmp\setup.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

So, by the time I read your post, things had changed, but I'm still having problems with ads popping up in IE & Malwarebytes' website blocking working double time, notifying me constantly of successful website blocks. Also, ever since yesterday when I got the first message from AVG Resident Shield, my system boots up slower than normal & is just slower in general... sluggish.

Anyway, maybe I shouldn't have, but I went ahead & downloaded ComboFix & followed instructions in your reply (instead of posting what I'd already done, etc.), but 7 hours after starting CF, it was still scanning, so I rebooted & came back here.

I'm not sure what to do now. I haven't had any messages from the Malwarebytes website blocker since I've been here, nor any pop-up ads (yet... I've only been here a couple of minutes). The system still boots very slowly though & is still sluggish.

Any thoughts on how I should proceed from here?

Thanks again for your help.
 

Attachment: SpybotSD.Report.txt (11.1 KB)
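A note on the Rogue.SecuritySuite registry finding in the MBAM log above, with an added example that is not code from the original post or from Malwarebytes. The key MBAM removed is a subkey named setup.exe under Image File Execution Options (IFEO). Windows consults that location for per-program settings, and the value that matters for a hijack is "Debugger": when it is set, the loader starts the named executable instead of the program the user launched (passing the original command line to it), which is how a rogue can make itself run whenever a setup program or a security tool is started. The MBAM log lists only the key, not its values, so whether this sample used that trick is not shown; the script below audits a .reg export of the IFEO key for the technique in general. The embedded export is constructed (the rogue path is a placeholder, the w3wp.exe entry models a developer's legitimate JIT-debugger registration), the allowlist of known debuggers is an assumption, and the real input would come from `reg export` of the IFEO key on the affected machine.

```python
r"""Audit "Debugger" values under Image File Execution Options (IFEO).

Added example for this thread, not code from the original post or from
Malwarebytes. Input is a .reg export of the IFEO key; on a Windows box:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
Here a constructed export is embedded so the script runs offline.
"""
import ntpath
import re
from collections import defaultdict

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Assumption: these are the debuggers an admin or developer registers on
# purpose; any other executable, or one debugger shared by several target
# programs, is reported for review.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}

# Constructed sample export (not from the poster's machine). The rogue path is
# a placeholder; only the registry layout is realistic.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorsn.dll"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe]
"Debugger"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\rogue\\rogue.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\rogue\\rogue.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3wp.exe]
"Debugger"="\"C:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\vsjitdebugger.exe\" -p %ld -e %ld"
'''

# "name"="value" lines; REG_DWORD and other types are ignored on purpose.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(raw):
    """.reg files escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', raw)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def debugger_executable(command):
    """Executable part of a Debugger command line: a quoted path, or the text
    up to the first .exe (an unquoted path with spaces is ambiguous to Windows too)."""
    command = command.strip()
    m = (re.match(r'^"([^"]+)"', command)
         or re.match(r'^(.+?\.exe)(?:\s|$)', command, re.IGNORECASE))
    return m.group(1) if m else command.split(None, 1)[0]


def find_ifeo_hijacks(reg_text, known=KNOWN_DEBUGGERS):
    """One finding per IFEO subkey that carries a Debugger value; suspicious
    when the debugger is unknown or registered for more than one target."""
    prefix = IFEO_KEY.lower() + "\\"
    by_target = {}
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is not None:
            by_target[key[len(prefix):]] = debugger_executable(debugger)
    targets_per_debugger = defaultdict(list)
    for target, exe in by_target.items():
        targets_per_debugger[exe.lower()].append(target)
    findings = []
    for target, exe in sorted(by_target.items()):
        reasons = []
        if ntpath.basename(exe).lower() not in known:
            reasons.append("not a known debugger")
        if len(targets_per_debugger[exe.lower()]) > 1:
            reasons.append("same debugger set for %d targets"
                           % len(targets_per_debugger[exe.lower()]))
        findings.append({"target": target, "debugger": exe,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_hijacks(SAMPLE_REG):
        print("%-12s %-10s %s  %s" % (f["target"], "SUSPICIOUS" if f["suspicious"] else "ok",
                                      f["debugger"], "; ".join(f["reasons"])))
```

Two points a practitioner would keep in mind: an IFEO subkey by itself is not evidence of anything (DllNXOptions and entries with only compatibility flags are normal), so the audit only reports subkeys that actually carry a Debugger value; and export the key from a clean boot or from offline hives, since the rogue that set the value may intercept the tools you use to inspect it.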
Can you boot into Safe Mode and try to run ComboFix again?
If it takes more than about 30 minutes, post back and we'll try something else.
 
Yay! It worked. I got a message before CF started that AVG real-time scanning needed to be disabled before proceeding. So, I disabled it (or so I thought), pressed "OK" & got another message saying it was still enabled but that CF would go ahead & run anyway, at my own risk. I tried to figure out how to disable it before I pressed "OK" again, but I'm not sure it can be done once booted up in Safe Mode. Anyway, I did run it "at my own risk" with real-time scanning enabled.

Log file is attached.
 

Attachment: ComboFix.txt (21.6 KB)
Ok, I did the 8 steps again. Here are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4431

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/14/2010 9:47:54 PM
mbam-log-2010-08-14 (21-47-54).txt

Scan type: Quick scan
Objects scanned: 131644
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-15 01:11:49
Windows 5.1.2600 Service Pack 3
Running: z7jlymmj.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\uglyypod.sys


---- System - GMER 1.0.15 ----

SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF7B29803]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF77F7300]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [F7B2948B] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [F7B29744] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [F7B2951E] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7B29380] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7B296A7] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7B2971A] IPVNMon.sys (IPVNMon/Visual Networks)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs B0764400

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?

---- EOF - GMER 1.0.15 ----
 

Attachments: Attach.txt (14.8 KB), DDS.txt (9.4 KB)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
DDS::
mURLSearchHooks: H - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif, dragging CFScript.txt onto ComboFix.exe]

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
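What the CFScript above does is narrow: every line under DDS:: is a load point from the DDS log (a toolbar CLSID or the URL search hook) that DDS reported as "No File", i.e. a registry entry whose target file is gone, so ComboFix is being told to clear the orphaned entries. As an added example (not the helper's tooling and not part of ComboFix), the script below does that selection mechanically from DDS-style lines and emits the DDS:: block, refusing TB/BHO entries whose body is not a well-formed CLSID so that a mangled line never reaches ComboFix. It handles only the line shapes visible in this thread; the sample is constructed apart from the two toolbar lines copied from the script above, and the CLSIDs of the "Example" entries are placeholders.

```python
"""Select DDS load-point entries marked "No File" and emit a CFScript DDS:: block.

Added example, not the helper's own tooling. Only the line shapes visible in
this thread are handled (TB:, BHO:, uURLSearchHooks/mURLSearchHooks); the
sample is constructed except for the two toolbar lines copied from above.
"""
import re

CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# A load point whose file DDS could not find: "<prefix>: <body> - No File"
ORPHAN_RE = re.compile(
    r'^(?P<prefix>[um]?(?:TB|BHO|URLSearchHooks)):\s+(?P<body>.+?)\s+-\s+No File$')

SAMPLE_DDS = r"""uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
BHO: Example Helper: {11111111-2222-3333-4444-555555555555} - c:\program files\example\helper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
TB: Example Toolbar: {66666666-7777-8888-9999-AAAAAAAAAAAA} - c:\program files\example\toolbar.dll
TB: {not-a-clsid} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
"""


def orphaned_load_points(dds_text):
    """Return (keep, skipped): lines whose load point no longer resolves to a
    file, and the ones rejected because a TB/BHO body must carry a CLSID."""
    keep, skipped = [], []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if not m:
            continue  # has a file, or not a load-point line at all
        kind = m["prefix"].lstrip("um")
        if kind in ("TB", "BHO") and not CLSID_RE.search(m["body"]):
            skipped.append(line)  # malformed: do not feed it to ComboFix
            continue
        keep.append(line)
    return keep, skipped


def build_cfscript(dds_text):
    """CFScript text: 'DDS::' followed by the orphaned entries, verbatim."""
    keep, _ = orphaned_load_points(dds_text)
    return "DDS::\n" + "\n".join(keep) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_DDS))
```

The output for the sample is the same three-line DDS:: block shape the helper posted. The helper's warning still applies: a CFScript is written for one machine from that machine's logs, and the generated file should be read before it is dragged onto ComboFix.exe.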
 
Here is the ComboFix log.

ComboFix 10-08-12.03 - Owner 08/15/2010 7:50.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2031.1520 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-15 to 2010-08-15 )))))))))))))))))))))))))))))))
.

2010-08-13 12:26 . 2010-08-13 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\qldfhicrt
2010-08-13 07:59 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-13 07:59 . 2010-08-13 07:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-13 07:59 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 21:53 . 2010-08-12 21:53 57344 --sha-r- c:\windows\system32\TsWpfWrpx.dll
2010-08-12 21:52 . 2010-08-12 21:52 -------- d-----w- c:\documents and settings\Owner\Application Data\41C28C7638D87F0CA4294A5BC8D8943F
2010-08-06 09:57 . 2010-08-06 09:57 438 ----a-w- c:\program files\080620102570757.bat
2010-08-06 07:15 . 2010-08-06 07:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Oberon Media
2010-08-06 07:14 . 2010-08-06 09:57 -------- d-----w- c:\program files\MSN Games
2010-07-30 04:06 . 2010-07-30 04:06 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-07-20 15:33 . 2010-07-20 15:33 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-20 15:33 . 2010-07-20 15:33 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-20 15:33 . 2010-07-20 15:33 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 08:26 . 2010-05-26 21:54 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-08-12 12:14 . 2005-06-25 11:34 -------- d-----w- c:\program files\Paint Shop Pro 6
2010-08-06 08:21 . 2009-12-12 09:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-30 03:55 . 2009-07-23 07:16 -------- d-----w- c:\program files\Graboid
2010-07-30 03:54 . 2009-07-23 07:22 -------- d-----w- c:\program files\VideoLAN
2010-07-28 03:58 . 2005-06-25 11:44 -------- d-----w- c:\program files\Punch! Pro
2010-07-15 15:09 . 2008-12-11 14:34 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 15:09 . 2010-07-15 15:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 15:08 . 2008-12-11 14:34 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-11 05:03 . 2005-06-25 12:48 72 ----a-w- c:\windows\popcinfo.dat
2010-07-10 10:58 . 2010-07-10 10:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-06-14 14:31 . 2004-08-26 18:01 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-05 13:47 . 2010-06-05 13:47 14366 ----a-w- c:\windows\skype.dat
2010-06-05 13:47 . 2010-06-05 13:45 32854 ----a-w- c:\windows\iniLS.dat
2010-06-02 16:49 . 2008-12-11 14:34 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-27 19:00 . 2010-05-26 22:14 1880 ----a-w- c:\windows\AUTOLNCH.REG
2010-05-27 18:36 . 2005-06-25 18:19 51984 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 21:37 . 2010-05-26 21:06 168242 ----a-w- c:\windows\hphins33.dat
2005-06-24 08:02 . 2005-06-24 08:02 0 --sha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[-] 2003-03-31 . 95B858761A00E1D4F81F79A0DA019ACA . 86912 . . [5.1.2600.1106] . . c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"hpppta"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe" [2001-12-13 98304]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCommonGroups"= 0 (0x0)
"NoFileSharing"= 1 (0x1)
"NoPrintSharing"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"NoSMMyDocs"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\Symantec\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 15:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Broadband Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Broadband Support Center.lnk
backup=c:\windows\pss\Broadband Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax DllCmd 4.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax DllCmd 4.0.lnk
backup=c:\windows\pss\eFax DllCmd 4.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eFax Tray Menu 4.0.lnk
backup=c:\windows\pss\eFax Tray Menu 4.0.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MiniEYE-MiniREAD Launch.lnk
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboUSA HiSpeed.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboUSA HiSpeed.lnk
backup=c:\windows\pss\TurboUSA HiSpeed.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TurboUSA HiSpeed.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\TurboUSA HiSpeed.lnk.disabled
backup=c:\windows\pss\TurboUSA HiSpeed.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^GE Mouse.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\GE Mouse.lnk
backup=c:\windows\pss\GE Mouse.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IP Ware Demo.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IP Ware Demo.lnk
backup=c:\windows\pss\IP Ware Demo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VirtuaGirl.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\VirtuaGirl.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-07-31 23:00 1626112 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-11-18 23:13 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
2002-12-11 01:32 155648 ----a-w- c:\program files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
2002-12-11 01:31 61440 ----a-w- c:\program files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-06-08 21:44 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-06-08 22:24 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-06-08 22:14 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2002-12-11 00:54 127022 ----a-w- c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-20 00:32 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 22:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 22:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MEDIC]
2006-12-28 02:04 192512 ----a-w- c:\program files\MEDIC\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
2000-02-15 00:36 43008 ----a-w- c:\windows\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
"McAfeeAntiSpyware"=2 (0x2)
"navapsvc"=3 (0x3)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"wfxsvc"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=2 (0x2)
"gupdate1ca109a4feb59f4"=2 (0x2)
"fsssvc"=3 (0x3)
"VSS"=3 (0x3)
"upnphost"=3 (0x3)
"Themes"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"FontCache3.0.0.0"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"ClipSrv"=3 (0x3)
"aspnet_state"=3 (0x3)
"W32Time"=2 (0x2)
"WSearch"=2 (0x2)
"TermService"=3 (0x3)
"lanmanserver"=2 (0x2)
"srservice"=2 (0x2)
"RasMan"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"Alerter"=2 (0x2)
"MSDTC"=3 (0x3)
"SwPrv"=3 (0x3)
"Netlogon"=3 (0x3)
"NtLmSsp"=3 (0x3)
"napagent"=3 (0x3)
"xmlprov"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"RSVP"=3 (0x3)
"SNMPTRAP"=3 (0x3)
"SNMP"=2 (0x2)
"SCardSvr"=3 (0x3)
"lxdxCATSCustConnectService"=2 (0x2)
"AppMgmt"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"medicsp2"=c:\program files\twc\medicsp2\bin\sprtcmd.exe /P medicsp2
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"SlipStream"="c:\program files\TurboUSA\turbocore.exe"
"PCSuiteTrayApplication"=c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"113:TCP"= 113:TCP:4.79.142.206/255.255.255.255:Disabled:ShieldsUP!

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 7:34 AM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 7:34 AM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:09 AM 308136]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/13/2010 12:59 AM 20952]
R3 QCEmerald;Logitech QuickCam Web(PID_0850);c:\windows\system32\drivers\lvce.sys [10/7/2006 1:38 AM 44544]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/13/2010 12:59 AM 304464]
S3 MouseMaestro;MouseMaestro;c:\windows\system32\drivers\maestro8.sys [7/28/2009 2:58 PM 8104]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [1/5/2008 12:39 AM 13532]
S4 gupdate1ca109a4feb59f4;Google Update Service (gupdate1ca109a4feb59f4);c:\program files\Google\Update\GoogleUpdate.exe [7/29/2009 3:17 PM 133104]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/18/2007 2:59 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 22:16]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-29 22:16]

2010-08-15 c:\windows\Tasks\User_Feed_Synchronization-{4CA5E084-3902-41C5-AEF5-18AF9700DD82}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 07:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2150821798-68253348-304826555-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-08-15 08:01:10
ComboFix-quarantined-files.txt 2010-08-15 15:00
ComboFix2.txt 2010-08-14 07:25

Pre-Run: 35,618,652,160 bytes free
Post-Run: 35,588,128,768 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - D0BF70B4C3E652339306A257119AC327
 
  • Click START then RUN and copy/paste the following bolded text into the Run box and click OK:

    ComboFix /Uninstall in the Run box and click OK. Note the space between the X and the /, it needs to be there.


============

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
Here is the ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ab3207012866ca45b56e047016e767d0
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-16 04:34:27
# local_time=2010-08-15 09:34:27 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 34904722 34904722 0 0
# compatibility_mode=1024 16777191 100 0 12184419 12184419 0 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=3585 16777214 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=136064
# found=5
# cleaned=0
# scan_time=6617
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DNSFlushcws1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
K:\DnldAps\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
K:\DnldAps\usrat.exe multiple threats 00000000000000000000000000000000 I
K:\DnldAps\wherewasgod.exe multiple threats 00000000000000000000000000000000 I
 
Ok. If you run ESET again you will be able to select those files for removal. You will have to rescan.
Let me know if there is anything else :).
 
Everything seems to be working fine since I rescanned & removed threats. I can't thank you enough for your help. I really appreciate it. :)
 