whiterose, posted October 7, 2009

I have an HP Pavilion with an AMD Athlon running Windows XP Home. I use AVG Free (latest edition) and have found it quite effective... until now, that is. A couple of days ago it detected Trojans going by the names of:

Trojan Horse Agent2 TVH
Trojan Horse Back Door Agent ACGG
Trojan Horse Win32 Cryptor

The virus seems to have infected one or more files in Windows\system32 and cannot be healed permanently, so it is recurring. It isn't proving a great problem, more of an inconvenience. The main symptom is a "program not responding" when closing down a Word document. The program is still actually running fine; it doesn't need rebooting at all.

Any ideas on how to locate this, or is it too complicated for a novice like me? Can't understand how it's got past the update database to do the damage in the first place. Guess that's why it's free...

Any help appreciated.
snow, posted October 7, 2009

Hi whiterose, welcome to Extreme Tech Support - Free PC Help.

Here is our starting procedure for malware removal. Once you've posted the logs asked for, our malware expert will provide further assistance.

Please download the latest version of HijackThis from Trend Micro and save it to your desktop.

Download HJTInstall.exe to your desktop.
Double-click HJTInstall.exe to install HijackThis. By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install. It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the "Do a system scan and save a logfile" button. It will scan and the log should open in Notepad.
Include this log in your next reply.

Notes: Do not use the AnalyseThis button; its findings are dangerous if misinterpreted. Do not have HijackThis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should.

Need help with your computer problems? Then why not join Free PC Help. Register here. If Free PC Help has helped you then please consider a donation. Click here. We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
Antec 900 Case | Intel Q9550 @ 2.83GHz with Scythe Infinity cooling (Passive) | 8Gb Corsair DHX CAS4 RAM | ATI PowerColour HD 4870 512Mb OC
whiterose (author), posted October 7, 2009

Virus report

As requested... hope it's attached OK.

Attachment: virus rep1.txt
Plastic Nev, posted October 7, 2009

Hi Whiterose, welcome to Extreme Tech Support - Free PC Help.

It would be better if you could copy and paste that log into your next reply rather than as an attachment, please.

Nev.
whiterose (author), posted October 7, 2009

Sorry about that. I knew as soon as I had sent it that it wasn't the right way to do it, but I am not very familiar with the copy and paste method with a Notepad message. I just don't copy and paste very much... and I don't think I have used Notepad in my LIFE, to be honest. I can't find the icons on this "add new post" toolbar. Give me a quick rundown on the steps.
chiaz, posted October 7, 2009

Hello Whiterose. :) I do see an infection in your log.

And to copy and paste the log: when the Notepad file opens, simply select all by pressing Ctrl+A. Then copy (Ctrl+C) before pasting it into your reply (Ctrl+V).

A few things before we start...

1. Please read all instructions carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Please do not run any other tools or scans whilst I am helping you.
4. If you have to go away for an extended period of time, let me know.
5. Please continue to respond until I give you the "All Clear". (Just because you can't see a problem doesn't mean it isn't there.)

==========================

First, download Malwarebytes' Anti-Malware by clicking the link below:
|MG| Malwarebytes Anti-Malware 1.41 Download

Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to "Update Malwarebytes' Anti-Malware" and "Launch Malwarebytes' Anti-Malware", then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* You'll be required to post the contents of this log later.

Please Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

====================

Then download ComboFix.exe.
Please visit this webpage for download and instructions for running the tool: A guide and tutorial on using ComboFix.

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please copy and paste the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
whiterose (author), posted October 8, 2009

Trojan virus infection

Malwarebytes and ComboFix downloads complete, and I have the files in Notepad, but I can't copy/paste the reports to this site! Got Plastic Nev's idiot guide but it won't do it... highlights OK, copies OK (I think... nothing actually happens, it just stays as the highlighted screen, but I presume it's gone to the clipboard). Bring up this window alongside Notepad, Edit, Paste... nothing appears in this message window. Tried practising offline to other document locations but no success either way. I'm not familiar with this process, but I'm no novice either. What am I doing wrong? Any suggestions, anybody?

By the time I have figured this out for myself my Trojan will have eaten away at most of my software and will be starting on the wife's slippers! In the words of Terry Wogan... Is it me?
chiaz, posted October 8, 2009

If it doesn't work, don't sweat over it. You can attach the reports to your next reply.
Plastic Nev, posted October 8, 2009

OK Whiterose, while we are waiting for chiaz, just try this: after doing the copy, click Start, then Run, type clipbrd in the box, then hit Enter or click OK. That should open the Clipboard Viewer; see if your copy is there. If so, then you may be doing something wrong in paste; if not, then something is wrong in copy. This may be down to the infection though, so for now attach the log as you did last time.

Nev.
whiterose (author), posted October 8, 2009

Trojan infection

Tried your suggestion, Nev... nothing in the clipboard, just a plain dark grey screen, so I have given up and attached... I hope...

Just to update... whatever scans have been performed so far have already improved the situation. Trojan warnings from the antivirus have gone and the symptoms with them, but let's go the whole hog and have a look-see. It's probably just lurking around a corner in my firmware just WAITING to bite me on the backside!

Regards, Chris

Attachments: virus rep1.txt, ComboFix.txt, mbam-log-2009-10-08 (09-07-36).txt
chiaz, posted October 8, 2009

Please copy this page to Notepad and save it to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open Notepad and copy/paste the text in the quotebox below into it:

    Driver::
    bed231b
    btsc6d5
    crl9444
    dtsb44e
    ehf9f23
    fgf0625
    fih96d2
    gqo69a0
    htrf884
    jkia364
    jmk0b9f
    lkjc280
    ntr5541
    pfef197
    qedc204
    qqp4897
    rec45cf
    tcbc210

    File::
    C:\WINDOWS\system32\sdra64.exe
    c:\windows\system32\149523544.sys
    c:\windows\system32\drivers\bed231b.sys
    c:\windows\system32\drivers\btsc6d5.sys
    c:\windows\system32\drivers\crl9444.sys
    c:\windows\system32\drivers\dtsb44e.sys
    c:\windows\system32\drivers\ehf9f23.sys
    c:\windows\system32\drivers\fgf0625.sys
    c:\windows\system32\drivers\fih96d2.sys
    c:\windows\system32\drivers\gqo69a0.sys
    c:\windows\system32\drivers\htrf884.sys
    c:\windows\system32\drivers\jkia364.sys
    c:\windows\system32\drivers\jmk0b9f.sys
    c:\windows\system32\drivers\lkjc280.sys
    c:\windows\system32\drivers\ntr5541.sys
    c:\windows\system32\drivers\pfef197.sys
    c:\windows\system32\drivers\qedc204.sys
    c:\windows\system32\drivers\qqp4897.sys
    c:\windows\system32\drivers\rec45cf.sys
    c:\windows\system32\drivers\tcbc210.sys

Save this as CFScript.txt, in the same location as ComboFix.exe, which is on the Desktop.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt. Please copy and paste the ComboFix.txt in your new reply, as well as a new HijackThis log. Note that you posted the same HijackThis log in your last post. I will need you to run a new scan with HijackThis this time round.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.
whiterose (author), posted October 9, 2009

Trojan infection

Evening people, I did what follows as a quick reply but I'm not sure if it was successful, so am doing it again.

====================================

ComboFix 09-10-08.03 - User 09/10/2009 20:25.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.423 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\149523544.sys"
"c:\windows\system32\drivers\bed231b.sys"
"c:\windows\system32\drivers\btsc6d5.sys"
"c:\windows\system32\drivers\crl9444.sys"
"c:\windows\system32\drivers\dtsb44e.sys"
"c:\windows\system32\drivers\ehf9f23.sys"
"c:\windows\system32\drivers\fgf0625.sys"
"c:\windows\system32\drivers\fih96d2.sys"
"c:\windows\system32\drivers\gqo69a0.sys"
"c:\windows\system32\drivers\htrf884.sys"
"c:\windows\system32\drivers\jkia364.sys"
"c:\windows\system32\drivers\jmk0b9f.sys"
"c:\windows\system32\drivers\lkjc280.sys"
"c:\windows\system32\drivers\ntr5541.sys"
"c:\windows\system32\drivers\pfef197.sys"
"c:\windows\system32\drivers\qedc204.sys"
"c:\windows\system32\drivers\qqp4897.sys"
"c:\windows\system32\drivers\rec45cf.sys"
"c:\windows\system32\drivers\tcbc210.sys"
"c:\windows\system32\sdra64.exe"
.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.
2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-10-08 07:35 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-08 07:35 . 2009-10-08 07:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 07:35 .
2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-07 14:42 . 2009-10-07 14:42 -------- d-----w- c:\program files\Trend Micro
2009-09-23 17:18 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 08:49 . 2008-12-24 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-19 08:38 . 2009-04-02 22:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-19 08:38 . 2009-04-02 22:35 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-19 08:38 . 2009-04-02 22:35 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2007-01-09 09:27 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2007-01-09 09:23 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 11:21 . 2007-01-09 09:28 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-08_09.28.19 )))))))))))))))))))))))))))))))))))))))))
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2006-09-15 2048000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2006-11-17 577536]
"S3TRAY2"="S3tray2.exe" - c:\windows\system32\S3tray2.exe [2003-02-25 69632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-19 08:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program
Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/04/2009 23:35 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/04/2009 23:35 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/04/2009 23:34 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/04/2009 23:34 297752]
S2 gupdate1c9b6c16b61bf62;Google Update Service (gupdate1c9b6c16b61bf62);c:\program files\Google\Update\GoogleUpdate.exe [06/04/2009 15:10 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 14:09]

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-06 14:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-09 20:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1872)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-10-09 20:32
ComboFix-quarantined-files.txt 2009-10-09 19:32
ComboFix2.txt 2009-10-09 10:57

Pre-Run: 32,136,962,048 bytes free
Post-Run: 32,131,891,200 bytes free

227 --- E O F --- 2009-09-24 21:09

===============================

Have just been told that the text is too long in this message, so will have to send the HijackThis report separately.

Regards, Chris
whiterose (author), posted October 9, 2009

Trojan infection

Right, here is the HijackThis report that should have been on the last post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:14, on 09/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4FBACD73-F67C-42AE-B46A-03960AFE3DFB} - C:\PROGRA~1\ORANGE~1\TOOLBA~4.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [s3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9b6c16b61bf62) (gupdate1c9b6c16b61bf62) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

--
End of file - 4435 bytes

Regards, Chris
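As an added example, not code from the thread or from Trend Micro, here is a small Python parser for the HijackThis log format posted above. It turns each R/O entry into a record and lists what a helper would look at first in a log like this one: a changed browser start page, components reported as "(no name)", autorun entries given as a bare file name rather than a full path, and Winlogon Notify DLLs. The sample lines are a constructed subset of this thread's log, and the set of "default" page names is an assumption based on the friendly names HijackThis printed here; the output is a review list, not a verdict, since legitimate software trips these checks too.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Babylon Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4FBACD73-F67C-42AE-B46A-03960AFE3DFB} - C:\PROGRA~1\ORANGE~1\TOOLBA~4.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer255.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption: HijackThis prints well-known URLs by friendly name; these are the
# built-in defaults seen in this thread's log (plus empty / about:blank).
DEFAULT_PAGES = {"", "about:blank", "msn.com", "bing"}


@dataclass
class Entry:
    code: str                   # section code, e.g. "R0", "O4", "O23"
    kind: str                   # "Registry", "BHO", "Toolbar", "Run", "Service", ...
    name: str                   # value name, display name or autorun label
    data: str                   # registry data, command line or module path
    extra: list = field(default_factory=list)   # hive/key, CLSID or company, if present


ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# R0/R1 lines: "<hive\key>,<value name> = <data>"
REG_VALUE_RE = re.compile(r"^(?P<key>HK\w+\\[^,]*),(?P<name>[^=]*)=(?P<data>.*)$")
# O4 Run-key lines: "HKLM\..\Run: [label] command line"
AUTORUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")


def parse_entry(line: str):
    """Parse one HijackThis line into an Entry; non-entry lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        r = REG_VALUE_RE.match(body)
        if r:
            return Entry(code, "Registry", r.group("name").strip(),
                         r.group("data").strip(), [r.group("key")])
    if code == "O4":
        a = AUTORUN_RE.match(body)
        if a:
            return Entry(code, "Run", a.group("label"), a.group("cmd").strip(), [a.group("hive")])
    # Generic "<Kind>: <name> - <clsid/company> - <path>" layout (O2, O3, R3, O20, O23).
    # Limitation: a path that itself contains " - " would be split incorrectly.
    kind, _, rest = body.partition(": ")
    parts = [p.strip() for p in rest.split(" - ")]
    if len(parts) >= 2:
        return Entry(code, kind, parts[0], parts[-1], parts[1:-1])
    return Entry(code, kind, rest.strip(), "", [])


def parse_log(text: str) -> list:
    """Parse every entry line; headers and the process listing are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def command_path(cmd: str) -> str:
    """Executable part of an autorun command: honour quoting, drop arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_absolute(path: str) -> bool:
    """Drive letter, UNC prefix or an environment-variable root counts as a full path."""
    return bool(re.match(r"^([A-Za-z]:\\|\\\\|%\w+%)", path))


def review(entries: list) -> list:
    """(code, reason, detail) tuples for entries a helper would look at first."""
    findings = []
    for e in entries:
        if e.kind == "Registry" and e.data.lower() not in DEFAULT_PAGES:
            findings.append((e.code, "non-default browser page", f"{e.name} = {e.data}"))
        if e.name == "(no name)":
            findings.append((e.code, "unnamed component", e.data))
        if e.kind == "Run" and not is_absolute(command_path(e.data)):
            # A bare file name is resolved through the search path, so it is worth locating.
            findings.append((e.code, "autorun without full path", f"[{e.name}] {e.data}"))
        if e.kind == "Winlogon Notify":
            findings.append((e.code, "winlogon notify DLL, verify publisher", e.data))
    return findings


if __name__ == "__main__":
    for code, reason, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{code:4} {reason:40} {detail}")
```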
chiaz, posted October 10, 2009

OK, now:

Download CCleaner (freeware): |MG| CCleaner Slim 2.24.1010 Download
Run the installer, and uncheck the option to install the Yahoo toolbar (unless you want the Yahoo toolbar).
Once installed, run CCleaner and click the Windows tab. The following should be selected by default; if not, please select them:
http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png
Next: click Options, then the Settings tab. Uncheck "Only delete files older than 48 hrs." and click OK.
Then click Run Cleaner (bottom right), then Exit.

Next, please go HERE to run Panda ActiveScan 2.0.
Click the big green "Scan now" button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan. (Note: it may take a couple of minutes.)
Once the scan is completed, please hit the notepad icon next to the text "Export to:".
Save it to a convenient location such as your Desktop.
Post the contents of the ActiveScan.txt in your next reply.

Also let me know what other problems you are experiencing now.
whiterose (author), posted October 11, 2009

Had to abort ActiveScan. It was running for 3 hours and still only 31% of the way through! It was ticking over at one file every 20 sec or so... Can't be right... can it?

Regards, Chris
chiaz, posted October 11, 2009

Panda ActiveScan does take some time to complete. Try Kaspersky Online Scanner instead, and copy and paste the scan report in your next post.