Trojan Virus infection

[whiterose]

I have an HP pavilion with an AMD Athlon running Windows XP Home.

I use AVG Free(latest Ed) and have found it quite effective..until now...that is..

Couple of days ago it detected Trojans going by the name of:

Trojan Horse Agent2 TVH

-------"---- Back Door Agent ACGG and..

-------"---- Win32 cryptor

 

The virus seems to have infected one ore more files in Windows\system32 and cannot be healed permanently so is recurring. It isnt proving a great problem, more of an inconvenience. The main symptom is a "program not responding" when closing down a word document. The program is still actually running fine,it doesnt need rebooting at all.

 

Any ideas on how to locate this or is it too complicated for a novice like me.

 

Can,t understand how its got past the update database to do the damage in the first place. Guess thats why its free..

 

Any help appreciated

[snow]

Hi whiterose, welcome to Extreme Tech Support - Free PC Help

 

Here is our starting procedure for Malware removal. Once you've posted the logs asked for, our Malware expert will provide further assistance.

 

Please download the latest version of HijackThis from Trend Micro and save it to your desktop.

 

• Download HJTInstall.exe to your desktop.
  
• Doubleclick HJTInstall.exe to install HijackThis.
  
• By default it will install to C:Program FilesTrend MicroHijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed, it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
  

Notes:

Do not use the AnalyseThis button, its findings are dangerous if misinterpreted.

Do not have Hijackthis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should.

[whiterose]

Virus report

 

As requested..hope its attached ok.

:confused:

virus rep1.txt

[Plastic Nev]

Hi Whiterose, Welcome to Extreme Tech Support - Free PC Help. It would be better if you could copy and paste that log into your next reply rather than as an attachment please.

Nev.

[whiterose]

Sorry about that.I knew as soon as I had sent it that it wasnt the right way to do it but I am not very familiar with the copy and paste method with a notepad message. I just dont copy and paste very much.. and I dont think i have used notepad in my LIFE to be honest. I cant find the icons on this "add new post" toolbar. Give me a quick run down on the steps..

[chiaz]

Hello Whiterose. :)

 

I do see an infection in your log. And to copy and paste the log: When the Notepad file opens, simply select all by pressing Ctrl+A. Then proceed to copy (Ctrl+C) before pasting it in your reply (Ctrl+V).

 

 

A few things before we start....

1. Please Read All Instructions Carefully.

2. If you don't understand something, stop and ask! Don't keep going on.

3. Please do not run any other tools or scans whilst I am helping you.

4. If you have to go away for an extended period of time, let me know.

5. Please continue to respond until I give you the "All Clear".

(Just because you can't see a problem doesn't mean it isn't there)

 

 

==========================

 

First download Malwarebytes' Anti-Malware by clicking the link below:

|MG| Malwarebytes Anti-Malware 1.41 Download

 

Double Click mbam-setup.exe to install the application.

 

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.

* The scan may take some time to finish,so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* You'll be required to post the contents of this log later.

 

Please Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

 

====================

 

Then download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

 

Go here ======> A guide and tutorial on using ComboFix <====== Go here

 

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should get a prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

 

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

(2) Click Yes to allow ComboFix to continue scanning for malware.

 

When the tool is finished, it will produce a report for you.

 

 

Please copy and paste the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

 

 

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

[whiterose]

Trojan virus infection

 

Malware and combofix downloads complete and have files on notepad but cant copy/paste reports to this site!

 

Got plastic nevs idiot guide but it wont do it...highlites ok, copies ok(i think..nothing actually happens it just stays as the highlighted screen but I presume its gone to clipboard. Bring up this window alongside notepad,edit,paste..nothing appears on this message window. Tried practising offline to other document locations but no success either way.Im not familiar with this process but Im no novice either. What am I doing wrong. Any suggestions anybody? By the time I have figured this out for myself my trojan will have eaten away at most of my software and will be starting on the wifes slippers!

 

In the words of Terry Wogan....Is it me? :confused:

[chiaz]

If it doesn't work, don't sweat over it. You can attach the reports to your next reply.

[Plastic Nev]

OK Whiterose, while we are waiting for chaz, just try this, after doing the copy, click start, then run, and type in the box -

 

clipbrd

 

then hit enter or click OK. that should open the clipboard viewer, see if your copy is there.

If so then you may be doing something wrong in paste, if not then something is wrong in copy.

 

This may be down to the infection though, so for now attach the log as you did last time.

Nev.

[whiterose]

trojan infection

 

Tried your suggestion nev..nothing in clipboard just a plain dark grey screen so I have given up and attached..I hope...

 

Just to update...whatever scans have been performed so far have already improved situation. trojan warnings from antivirus have gone and symptoms with them but lets go the whole hog and have a look see. its probably just lurking around a corner in my firmware just WAITING to bite me on the backside!

 

regards, Chris

virus rep1.txt

ComboFix.txt

mbam-log-2009-10-08 (09-07-36).txt

[chiaz]

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

Open *notepad* and copy/paste the text in the quotebox below into it:

 

Driver::
bed231b
btsc6d5
crl9444
dtsb44e
ehf9f23
fgf0625
fih96d2
gqo69a0
htrf884
jkia364
jmk0b9f
lkjc280
ntr5541
pfef197
qedc204
qqp4897
rec45cf
tcbc210

File::
C:\WINDOWS\system32\sdra64.exe
c:\windows\system32\149523544.sys
c:\windows\system32\drivers\bed231b.sys
c:\windows\system32\drivers\btsc6d5.sys 
c:\windows\system32\drivers\crl9444.sys 
c:\windows\system32\drivers\dtsb44e.sys 
c:\windows\system32\drivers\ehf9f23.sys 
c:\windows\system32\drivers\fgf0625.sys 
c:\windows\system32\drivers\fih96d2.sys 
c:\windows\system32\drivers\gqo69a0.sys 
c:\windows\system32\drivers\htrf884.sys
c:\windows\system32\drivers\jkia364.sys
c:\windows\system32\drivers\jmk0b9f.sys 
c:\windows\system32\drivers\lkjc280.sys 
c:\windows\system32\drivers\ntr5541.sys 
c:\windows\system32\drivers\pfef197.sys 
c:\windows\system32\drivers\qedc204.sys 
c:\windows\system32\drivers\qqp4897.sys 
c:\windows\system32\drivers\rec45cf.sys 
c:\windows\system32\drivers\tcbc210.sys 

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

 

 

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

 

Refering to the picture above, drag CFScript.txt into ComboFix.exe

 

 

When finished, it shall produce a log for you at C:\ComboFix.txt

 

Please copy and paste the ComboFix.txt in your new reply, as well as a new HijackThis log. Note that you posted the same HijackThis log in your last post. I will need you to run a new scan with HijackThis this time round.

 

*Note:

Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

[whiterose]

Trojan infection

 

Evening people,

 

I did what follows as a quick reply but Im not sure if it was successful so am doing it again.

 

====================================

 

ComboFix 09-10-08.03 - User 09/10/2009 20:25.3.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.423 [GMT 1:00]

Running from: c:\documents and settings\User\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\149523544.sys"

"c:\windows\system32\drivers\bed231b.sys"

"c:\windows\system32\drivers\btsc6d5.sys"

"c:\windows\system32\drivers\crl9444.sys"

"c:\windows\system32\drivers\dtsb44e.sys"

"c:\windows\system32\drivers\ehf9f23.sys"

"c:\windows\system32\drivers\fgf0625.sys"

"c:\windows\system32\drivers\fih96d2.sys"

"c:\windows\system32\drivers\gqo69a0.sys"

"c:\windows\system32\drivers\htrf884.sys"

"c:\windows\system32\drivers\jkia364.sys"

"c:\windows\system32\drivers\jmk0b9f.sys"

"c:\windows\system32\drivers\lkjc280.sys"

"c:\windows\system32\drivers\ntr5541.sys"

"c:\windows\system32\drivers\pfef197.sys"

"c:\windows\system32\drivers\qedc204.sys"

"c:\windows\system32\drivers\qqp4897.sys"

"c:\windows\system32\drivers\rec45cf.sys"

"c:\windows\system32\drivers\tcbc210.sys"

"c:\windows\system32\sdra64.exe"

.

((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))

.

2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes

2009-10-08 07:35 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-08 07:35 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-07 14:42 . 2009-10-07 14:42 -------- d-----w- c:\program files\Trend Micro

2009-09-23 17:18 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-08 08:49 . 2008-12-24 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-19 08:38 . 2009-04-02 22:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-19 08:38 . 2009-04-02 22:35 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-19 08:38 . 2009-04-02 22:35 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-05 09:01 . 2007-01-09 09:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-17 19:01 . 2007-01-09 09:23 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-12 11:21 . 2007-01-09 09:28 233472 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_09.28.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-01-09 09:28 . 2008-04-14 00:12 26624 c:\windows\system32\dllcache\startoc.dll

+ 2007-01-09 09:28 . 2008-04-13 16:43 62976 c:\windows\system32\dllcache\spgrmr.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 65536 c:\windows\system32\dllcache\oledb32r.dll

+ 2007-01-09 09:27 . 2008-04-14 00:12 57344 c:\windows\system32\dllcache\ndisnpp.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 24576 c:\windows\system32\dllcache\msxactps.dll

+ 2007-01-09 09:26 . 2008-04-14 00:12 39936 c:\windows\system32\dllcache\mslwvtts.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 36864 c:\windows\system32\dllcache\msdfmap.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 20480 c:\windows\system32\dllcache\msdatt.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 94208 c:\windows\system32\dllcache\msdatl3.dll

+ 2008-02-16 12:38 . 2008-04-13 17:26 16384 c:\windows\system32\dllcache\msdasqlr.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msdaremr.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msdaprsr.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 77824 c:\windows\system32\dllcache\msdaosp.dll

+ 2008-02-16 12:38 . 2008-04-13 17:24 16384 c:\windows\system32\dllcache\msdaorar.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\msadrh15.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\msador15.dll

+ 2008-02-16 12:38 . 2008-04-13 17:26 24576 c:\windows\system32\dllcache\msader15.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 24576 c:\windows\system32\dllcache\msaddsr.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 53248 c:\windows\system32\dllcache\msadcs.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msadcor.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msadcfr.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 61440 c:\windows\system32\dllcache\msadcf.dll

+ 2008-02-16 12:38 . 2008-04-13 17:25 20480 c:\windows\system32\dllcache\msadcer.dll

+ 2007-01-09 09:26 . 2008-04-14 00:11 19968 c:\windows\system32\dllcache\log.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 20480 c:\windows\system32\dllcache\inetwiz.exe

+ 2008-02-16 12:38 . 2008-04-14 00:11 49152 c:\windows\system32\dllcache\icwutil.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 24576 c:\windows\system32\dllcache\icwrmind.exe

+ 2008-02-16 12:38 . 2008-04-14 00:11 32768 c:\windows\system32\dllcache\icwdl.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 86016 c:\windows\system32\dllcache\icwconn2.exe

+ 2008-02-16 12:38 . 2008-04-14 00:11 61440 c:\windows\system32\dllcache\icwconn.dll

+ 2009-01-16 16:52 . 2008-04-13 16:44 17920 c:\windows\system32\dllcache\cobramsg.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 24064 c:\windows\system32\dllcache\agtintl.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 20480 c:\windows\system32\dllcache\agt0c0a.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 20992 c:\windows\system32\dllcache\agt0816.dll

+ 2008-02-16 12:25 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt041f.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt041d.dll

+ 2008-02-16 12:25 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt0419.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 20480 c:\windows\system32\dllcache\agt0416.dll

+ 2008-02-16 12:25 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt0415.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt0414.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 20992 c:\windows\system32\dllcache\agt0413.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 20992 c:\windows\system32\dllcache\agt0410.dll

+ 2008-02-16 12:25 . 2007-04-02 18:26 19968 c:\windows\system32\dllcache\agt040e.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 21504 c:\windows\system32\dllcache\agt040c.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt040b.dll

+ 2008-02-16 12:25 . 2007-04-02 18:26 22016 c:\windows\system32\dllcache\agt0408.dll

+ 2007-01-09 09:23 . 2007-04-02 18:26 21504 c:\windows\system32\dllcache\agt0407.dll

+ 2007-01-09 09:23 . 2007-04-02 18:25 19456 c:\windows\system32\dllcache\agt0406.dll

+ 2008-02-16 12:25 . 2007-04-02 18:25 19456 c:\windows\system32\dllcache\agt0405.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 44032 c:\windows\system32\dllcache\agentsr.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\agentdpv.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 24064 c:\windows\system32\dllcache\agentanm.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 5632 c:\windows\system32\dllcache\wmm2res2.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 7680 c:\windows\system32\dllcache\wmm2ext.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 4096 c:\windows\system32\dllcache\wmm2eres.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaurl.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdasc.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaer.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaenum.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdadc.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 325632 c:\windows\system32\dllcache\wmm2fxb.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 502272 c:\windows\system32\dllcache\wmm2fxa.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 402432 c:\windows\system32\dllcache\wmm2filt.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 167936 c:\windows\system32\dllcache\wmm2ae.dll

+ 2009-01-16 16:58 . 2008-04-14 00:12 173568 c:\windows\system32\dllcache\sysmoda.dll

+ 2007-01-09 09:28 . 2008-04-14 00:12 193024 c:\windows\system32\dllcache\sysmod.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 217088 c:\windows\system32\dllcache\sqlxmlx.dll

+ 2007-01-09 09:28 . 2008-04-14 00:12 110592 c:\windows\system32\dllcache\sqlse20.dll

+ 2007-01-09 09:28 . 2008-04-14 00:12 462848 c:\windows\system32\dllcache\sqlqp20.dll

+ 2007-01-09 09:28 . 2008-04-14 00:12 151552 c:\windows\system32\dllcache\sqldb20.dll

+ 2009-01-16 16:58 . 2008-04-13 18:40 576512 c:\windows\system32\dllcache\sprc0424.dll

+ 2009-01-16 16:58 . 2008-04-13 18:40 577536 c:\windows\system32\dllcache\sprc041b.dll

+ 2007-01-09 09:28 . 2008-04-13 18:38 732160 c:\windows\system32\dllcache\sprb0424.dll

+ 2007-01-09 09:28 . 2008-04-13 18:38 757248 c:\windows\system32\dllcache\sprb041b.dll

+ 2007-01-09 09:28 . 2008-04-13 18:35 192512 c:\windows\system32\dllcache\spra0424.dll

+ 2007-01-09 09:28 . 2008-04-13 18:35 192512 c:\windows\system32\dllcache\spra041b.dll

+ 2007-01-09 09:28 . 2008-04-14 00:12 130048 c:\windows\system32\dllcache\softkbd.dll

+ 2009-01-16 16:58 . 2008-04-14 00:12 199680 c:\windows\system32\dllcache\scripta.dll

+ 2007-01-09 09:27 . 2008-04-14 00:12 215552 c:\windows\system32\dllcache\script.dll

+ 2008-02-16 12:25 . 2008-04-14 00:12 741376 c:\windows\system32\dllcache\sapi.dll

+ 2008-02-16 12:36 . 2008-04-14 00:12 281088 c:\windows\system32\dllcache\pinball.exe

+ 2007-01-09 09:27 . 2008-04-13 18:40 408576 c:\windows\system32\dllcache\obrb0424.dll

+ 2007-01-09 09:27 . 2008-04-13 18:40 405504 c:\windows\system32\dllcache\obrb041b.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 102400 c:\windows\system32\dllcache\msjro.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 315392 c:\windows\system32\dllcache\msdasql.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 118784 c:\windows\system32\dllcache\msdarem.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 204800 c:\windows\system32\dllcache\msdaps.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 200704 c:\windows\system32\dllcache\msdaprst.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 233472 c:\windows\system32\dllcache\msdaora.dll

+ 2007-01-09 09:26 . 2008-04-14 00:11 220160 c:\windows\system32\dllcache\mscandui.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 200704 c:\windows\system32\dllcache\msadox.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 180224 c:\windows\system32\dllcache\msadomd.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 155648 c:\windows\system32\dllcache\msadds.dll

+ 2009-01-16 16:55 . 2008-04-14 00:11 261120 c:\windows\system32\dllcache\migisma.dll

+ 2007-01-09 09:26 . 2008-04-14 00:11 274432 c:\windows\system32\dllcache\migism.dll

+ 2008-02-16 12:38 . 2008-04-14 00:11 172032 c:\windows\system32\dllcache\icwhelp.dll

+ 2008-02-16 12:38 . 2008-04-14 00:12 214528 c:\windows\system32\dllcache\icwconn1.exe

+ 2009-01-16 16:53 . 2008-04-14 00:11 115200 c:\windows\system32\dllcache\guitrna.dll

+ 2007-01-09 09:25 . 2008-04-14 00:11 133120 c:\windows\system32\dllcache\guitrn.dll

+ 2008-02-16 12:43 . 2008-04-14 00:11 618605 c:\windows\system32\dllcache\fp4autl.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 214016 c:\windows\system32\dllcache\agentctl.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 116224 c:\windows\system32\dllcache\acxtrnal.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 245248 c:\windows\system32\dllcache\acspecfc.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 141312 c:\windows\system32\dllcache\aclua.dll

+ 2007-01-09 09:23 . 2008-04-14 00:11 451072 c:\windows\system32\dllcache\aclayers.dll

+ 2008-02-16 12:39 . 2008-04-14 00:11 3166208 c:\windows\system32\dllcache\msgr3en.dll

+ 2008-02-16 12:39 . 2008-04-14 00:12 3558912 c:\windows\system32\dllcache\moviemk.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-11-17 577536]

"S3TRAY2"="S3tray2.exe" - c:\windows\system32\S3tray2.exe [2003-02-25 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-19 08:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/04/2009 23:35 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/04/2009 23:35 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/04/2009 23:34 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/04/2009 23:34 297752]

S2 gupdate1c9b6c16b61bf62;Google Update Service (gupdate1c9b6c16b61bf62);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 15:10 133104]

.

Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 14:09]

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 14:09]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.babylon.com/home

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-10-09 20:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

"Licence0"="REMOVED"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1872)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-10-09 20:32

ComboFix-quarantined-files.txt 2009-10-09 19:32

ComboFix2.txt 2009-10-09 10:57

Pre-Run: 32,136,962,048 bytes free

Post-Run: 32,131,891,200 bytes free

227 --- E O F --- 2009-09-24 21:09

 

===============================

 

Have just been told that text is too long in this message so will have to send Hijack report in seperate.

 

Regards, Chris

[whiterose]

Trojan infection

 

Right, here is the Hijack report that should have been on the last post..

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:45:14, on 09/10/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\S3tray2.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: (no name) - {4FBACD73-F67C-42AE-B46A-03960AFE3DFB} - C:\PROGRA~1\ORANGE~1\TOOLBA~4.DLL

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate1c9b6c16b61bf62) (gupdate1c9b6c16b61bf62) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--

End of file - 4435 bytes

 

 

regards,Chris

[chiaz]

OK, now:

 

Download: CCleaner (freeware)

|MG| CCleaner Slim 2.24.1010 Download

Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).

Once installed, run CCleaner click the Windows [tab]

The following should be selected by default, if not, please select:

http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options click the Settings tab

Uncheck: "Only delete files older than 48 hrs.", click Ok

Then click Run Cleaner (bottom right) then Exit

 

 

Next, please go HERE to run Panda ActiveScan 2.0

• Click the big green Scan now button
  
• If it wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• Once the scan is completed, please hit the notepad icon next to the text Export to:
  
• Save it to a convenient location such as your Desktop
  
• Post the contents of the ActiveScan.txt in your next reply. Also let me know what other problems you are experiencing now.

[whiterose]

Had to abort Activescan. It was running for 3 hours and still only 31% of way thru! It was ticking over at one file every 20sec or so...Cant be right...can it?

 

regards, Chris

[chiaz]

Panda ActiveScan does take some time to complete.

 

Try Kaspersky Online Scanner instead, and copy and paste the scan report in your next post.