Tearing My Hair Out[RESOLVED]

skywatcher · December 23, 2008

i keep getting avast on screen warnings (approx every5 seconds) that trojan horse found. the box says -

file name C:WINNT\system32\tpszxyd.sys (actual file name different each occurence)

malware name Win-32:Refpron-C[Trj].

Malware type: Trojan Horse

VPS versionb: 081222-0,22/12/2008

i have downloaded hijack this and run a scan and got the log as follows (the upload button below would not let me upload the log file for some reason so i have cut and pasted it here):

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:05:21, on 23/12/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINNT\system32\hgcheck.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE

c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\System32\WScript.exe

C:\WINNT\system32\cmd.exe

C:\WINNT\Down(0).exe

C:\WINNT\system32\cmd.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [hgcheck] C:\WINNT\system32\hgcheck.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224351519192

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: Windows Mang - Unknown owner - C:\WINNT\Windows.exe (file missing)

O23 - Service: ÃÂµÃÂ³ÃŽÃ„Â¼Ã¾ - Unknown owner - C:\WINNT\gfsse11452s.bat

--

End of file - 7754 bytes

can anyone advise what to do now as i do not want to delete all these files as some of them look important. thanks a million to anyone out there who can help.

skywatcher

sarahw · December 29, 2008

Hi,

Yes those files are important, only a couple are Malware.

Can you please uninstall Spybot Search and Destroy. It is a good program but may impede our fix.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

skywatcher · January 1, 2009

hi sarah,

thanks for your help. i have followed your advice and run the software suggested. do i need to do anything else? i disabled avast whilst i did this and have re-enabled it now. can i also reinstall spybot now? here is the log file........ thanks again,

malcolm

log file follows...

ComboFix 08-12-31.01 - Administrator 01/01/2009 22:24:37.1 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.711 [GMT 0:00]

Running from: c:\documents and settings\Administrator.SARAH\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\a.bat

c:\recycler\svchost.exe

c:\winnt\Delete.bat

c:\winnt\Downloaded Program Files\setup.inf

c:\winnt\system32\comsa32.sys

c:\winnt\system32\config\SAM.SAV

c:\winnt\system32\delme.bat

c:\winnt\system32\tpszxyd.sys

c:\winnt\Web\default.htt

.

((((((((((((((((((((((((( Files Created from 2008-12-01 to 2009-01-01 )))))))))))))))))))))))))))))))

.

2009-01-01 22:29 . 09-01-01 22:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_270.dat

2009-01-01 22:29 . 09-01-01 22:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_20c.dat

2009-01-01 21:52 . 03-06-19 12:05 21,552 --a--c--- c:\winnt\system32\dllcache\usbstor.sys

2009-01-01 21:48 . 09-01-01 21:48 <DIR> d-------- c:\program files\LG Electronics

2009-01-01 21:47 . 09-01-01 21:48 <DIR> d-------- c:\program files\LG PC Suite

2009-01-01 21:47 . 09-01-01 21:47 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\LG Electronics

2009-01-01 21:47 . 08-01-14 17:48 1,703,936 --a------ c:\winnt\system32\gdiplus.dll

2009-01-01 21:47 . 07-11-08 16:26 1,164,728 --a------ c:\winnt\system32\NMSDVDXU.dll

2009-01-01 21:47 . 05-03-18 16:55 630,784 --a------ c:\winnt\system32\vsflex8u.ocx

2009-01-01 21:47 . 07-11-21 14:27 591,872 --a------ c:\winnt\system32\AlbumDisplay.ocx

2009-01-01 21:47 . 05-09-26 22:55 419,240 --a------ c:\winnt\system32\Vsflex7L.ocx

2009-01-01 21:47 . 00-05-22 00:00 244,416 --a------ c:\winnt\system32\Msflxgrd.ocx

2009-01-01 21:46 . 09-01-01 21:46 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\InstallShield

2008-12-31 15:05 . 08-12-31 15:05 104,658 --a------ c:\winnt\system32\hgcheck.jpg

2008-12-24 13:43 . 08-12-24 13:43 88 --a------ C:\_dele.bat

2008-12-24 13:07 . 08-12-24 13:07 59,904 --a------ c:\winnt\Down(0).exe

2008-12-24 02:13 . 08-12-24 02:13 <DIR> d-------- c:\winnt\Sun

2008-12-24 01:00 . 08-12-24 01:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-24 00:40 . 08-12-24 00:40 <DIR> d-------- c:\program files\SpywareBlaster

2008-12-23 22:51 . 08-12-23 22:51 <DIR> d-------- c:\program files\Trend Micro

2008-12-23 12:04 . 09-01-01 22:12 <DIR> d-------- c:\documents and settings\Administrator.SARAH\Application Data\LimeWire

2008-12-23 11:59 . 08-12-23 11:58 410,984 --a------ c:\winnt\system32\deploytk.dll

2008-12-23 11:59 . 08-12-23 11:58 73,728 --a------ c:\winnt\system32\javacpl.cpl

2008-12-23 11:30 . 08-12-24 13:07 104,659 --a------ c:\winnt\system32\hgcheck.exe

2008-12-22 22:30 . 08-12-22 22:30 572,416 -r-hs---- c:\winnt\Windows Mang

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\winnt\uninstall\Football Champions Quiz

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\winnt\uninstall

2008-12-18 18:48 . 08-12-18 18:48 <DIR> d-------- c:\program files\Football Champions Quiz

2008-12-18 18:44 . 08-12-18 18:47 <DIR> d-------- c:\program files\Five-A-Side Football

2008-12-17 19:08 . 08-12-23 18:59 <DIR> d-------- c:\program files\Kick'n'Rush 2006

2008-12-14 18:22 . 08-12-22 01:15 309,949 --a------ c:\winnt\system32\hguest.exe

2008-12-14 18:22 . 08-12-31 15:05 227 --a------ c:\winnt\system32\hgset.ini

2008-12-14 18:22 . 08-12-31 15:26 52 --a------ c:\winnt\system32\work.ini

2008-12-13 15:49 . 08-12-13 15:49 <DIR> d-------- c:\program files\Sibelius Software

2008-12-07 00:32 . 08-12-07 00:33 100,663,296 --a------ c:\winnt\MEMORY.DMP

2008-12-02 23:43 . 08-12-02 23:43 0 --a------ c:\winnt\OpPrintServer.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-01 22:08 --------- d---a-w c:\program files\Spybot - Search & Destroy

2009-01-01 22:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2009-01-01 21:48 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-24 01:02 --------- d---a-w c:\program files\Lavasoft

2008-12-23 11:58 --------- d---a-w c:\program files\Java

2008-12-23 11:52 --------- d---a-w c:\program files\LimeWire

2008-12-16 17:46 85 ----a-w C:\ARP.BAT

2008-12-16 17:46 37 ----a-w C:\bat.bat

2008-11-24 23:24 570,396 --sh--r c:\winnt\gfsse11452s.bat

2008-11-21 18:27 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\WinZip

2008-11-12 10:28 --------- d-----w c:\program files\NOS

2008-11-12 10:28 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\NOS

2008-11-11 16:17 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-11-11 16:16 --------- d---a-w c:\program files\Common Files\Adobe

2008-10-18 20:52 271 ---h--w c:\program files\desktop.ini

2008-10-18 20:52 21,952 ---h--w c:\program files\folder.htt

2008-10-18 00:09 558,142 ----a-w c:\winnt\java\Packages\646JBDNL.ZIP

2008-10-18 00:09 155,995 ----a-w c:\winnt\java\Packages\8EUJ3VB5.ZIP

2006-01-03 22:06 664,161 -c--a-w c:\program files\JuiceUserGuide.pdf

2005-03-10 23:34 84,254 -c--a-w c:\program files\belkin manual.pdf

2000-07-26 17:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

.

c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!

----a-w 7,952 2000-07-26 17:00:00 c:\winnt\system32\svchost.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [03-05-02 13:19 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-05-21 14:56 68856]

"internat.exe"="internat.exe" [00-07-26 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [03-05-02 13:19 4640768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [08-11-26 17:18 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [08-10-18 18:04 30192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [08-06-12 02:38 34672]

"hgcheck"="c:\winnt\system32\hgcheck.exe" [08-12-24 13:07 104659]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [08-12-23 11:58 136600]

"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

"nwiz"="nwiz.exe" [03-05-02 13:19 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [03-05-02 13:19 49152]

"internat.exe"="internat.exe" [00-07-26 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\Administrator.SARAH\Start Menu\Programs\Startup\

LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2008-09-18 147456]

c:\documents and settings\All Users.WINNT\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-10 113664]

EPSON Status Monitor 3 Environment Check 2.lnk - c:\winnt\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-10-19 113152]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

Phone Connection Monitor.lnk - c:\program files\Sony Ericsson\Mobile\audevicemgr.exe [2007-03-21 753664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-10-18 111184]

R1 cmosa;cmosa;c:\winnt\system32\drivers\cmosa.sys [2008-10-18 29344]

R2 aswFsBlk;aswFsBlk;c:\winnt\system32\DRIVERS\aswFsBlk.sys [2008-12-17 20560]

R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswMon.sys [2008-10-18 93296]

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;c:\winnt\system32\DRIVERS\el90xbc5.sys [2008-10-18 61712]

R3 Winacpci;Winacpci;c:\winnt\system32\DRIVERS\winacpci.sys [2008-10-18 602128]

S2 ÃÂµÃÂ³ÃŽÃ„Â¼Ã¾;ÃÂµÃÂ³ÃŽÃ„Â¼Ã¾;c:\winnt\gfsse11452s.bat [2008-11-24 570396]

S2 Windows Mang;Windows Mang;c:\winnt\Windows Mang [2008-12-22 572416]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-11-14 30192]

S3 scsiscan;SCSI Scanner Driver;c:\winnt\system32\DRIVERS\scsiscan.sys [2008-10-21 10576]

*Newly Created Service* - IPNAT

*Newly Created Service* - RASAUTO

*Newly Created Service* - SHAREDACCESS

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

Trusted Zone: www.igindex.co.uk

Trusted Zone: www.theaa.com

O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-01 22:30:25

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Mang]

"ImagePath"="c:\winnt\Windows Mang"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ÃÂµÃÂ³ÃŽÃ„Â¼Ã¾]

"ImagePath"="c:\winnt\gfsse11452s.bat"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

.

Completion time: 2009-01-01 22:35:24 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-01 22:35:16

Pre-Run: 29,626,302,464 bytes free

Post-Run: 29,676,556,288 bytes free

171

sarahw · January 2, 2009

Hi,

There are still some things we have to clear up

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

skywatcher · January 2, 2009

hi sarah,

thanks for this. i have run that software which found a trojan and a trojan downloader and here is the log file below. thanks again and do i need to do anything else? also i run avast and have it on all the time, should such a trojan downloader be able to get past it and can you suggest anything i can do in future to reduce the chance of this happening? thanks so much for your help which i am most grateful for.

kind regards,

malcolm

log file follows...

Malwarebytes' Anti-Malware 1.31

Database version: 1596

Windows 5.0.2195 Service Pack 4

02/01/2009 12:43:11

mbam-log-2009-01-02 (12-43-11).txt

Scan type: Quick Scan

Objects scanned: 54648

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\Down(0).exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINNT\system32\hgcheck.jpg (Trojan.Downloader) -> Quarantined and deleted successfully.

sarahw · January 3, 2009

You are still infected, there are more things to do.

Actually, to be more specific, you have a chinese rootkit. So it will take a few more posts.

We need to delete a few entries from the registry. This can be dangerous so first we need to do a backup.

Go to Start > Run

Type:

regedit

Click OK.

On the leftside, click to highlight My Computer at the top.
Go up to "File > Export"
- Make sure in that window there is a tick next to "All" under Export Branch.
  Leave the "Save As Type" as "Registration Files".
  Under "Filename" put backup
[*]Choose to save it to C:\ or somewhere else safe so that you will remember where you put it (don't put it on the desktop!)
[*]Click save and then go to File > Exit.

This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Download SWReg, and extract it.

Open Notepad and paste the following text into it. Click File then Save As, in the pull down menu, change it to All Files, and save it as fixme.bat on your Desktop.

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F
SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F

Open Notepad and paste the following text into it. Click File then Save As, in the pull down menu, change it to All Files, and save it as fixme2.reg on your Desktop.

REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang]

Locate fixme2.reg on your Desktop and double-click on it.

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

When you have done this, run Combofix again.

If you do not understand anything please ask first.

skywatcher · January 3, 2009

hi sarah,

thanks for this. before i do this can you clarify if the text that you ask me to cut and paste should include the words "code" and "quote" as these look as if perhaps they should not be included in the cut and paste? also should the whole of the following be the first pasted text as it showed up as partly in a box so i thought i would check first - the text as a whole is....

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

CODE

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F

(also do the line spacings matter?)

thanks,

malcolm

sarahw · January 4, 2009

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG /GA:F

SWReg ACL HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang /GA:F

sarahw · January 4, 2009

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MANG]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Mang]

sarahw · January 4, 2009

the first on is like how it is two posts up.

The last one starts with REGEDIT4. There is a line between each entry. No blank line above REGEDIT4.

There are three lines in the first file

There are four lines in the second file with a gap between each line.

Does that make sense?

skywatcher · January 4, 2009

hi sarah,

for some reason your last post did not come up first of all with the others, and i cut and pasted the posted text which seems to match your comments in the last post anyway. i have run combofix again and here is the log...

ComboFix 09-01-02.01 - Administrator 04/01/2009 0:00:37.2 - NTFSx86

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.593 [GMT 0:00]

Running from: c:\documents and settings\Administrator.SARAH\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 16:47 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LimeWire

2009-01-02 12:26 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-02 12:26 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\Malwarebytes

2009-01-02 12:26 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\Malwarebytes

2009-01-01 22:08 --------- d---a-w c:\program files\Spybot - Search & Destroy

2009-01-01 22:08 --------- d---a-w c:\documents and settings\All Users.WINNT\Application Data\Spybot - Search & Destroy

2009-01-01 21:48 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-01 21:48 --------- d-----w c:\program files\LG PC Suite

2009-01-01 21:48 --------- d-----w c:\program files\LG Electronics

2009-01-01 21:47 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\LG Electronics

2009-01-01 21:46 --------- d-----w c:\documents and settings\Administrator.SARAH\Application Data\InstallShield

2008-12-24 13:43 88 ----a-w C:\_dele.bat

2008-12-24 13:07 104,659 ----a-w c:\winnt\system32\hgcheck.exe

2008-12-24 01:02 --------- d---a-w c:\program files\Lavasoft

2008-12-24 01:00 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2008-12-24 00:40 --------- d-----w c:\program files\SpywareBlaster

2008-12-23 22:51 --------- d-----w c:\program files\Trend Micro

2008-12-23 18:59 --------- d-----w c:\program files\Kick'n'Rush 2006

2008-12-23 11:58 410,984 ----a-w c:\winnt\system32\deploytk.dll

2008-12-23 11:58 --------- d---a-w c:\program files\Java

2008-12-23 11:52 --------- d---a-w c:\program files\LimeWire

2008-12-22 01:15 309,949 ----a-w c:\winnt\system32\hguest.exe

2008-12-18 18:48 --------- d-----w c:\program files\Football Champions Quiz

2008-12-18 18:47 --------- d-----w c:\program files\Five-A-Side Football

2008-12-16 17:46 85 ----a-w C:\ARP.BAT

2008-12-16 17:46 37 ----a-w C:\bat.bat

2008-12-13 15:49 --------- d-----w c:\program files\Sibelius Software

2008-12-03 19:59 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2008-12-03 19:59 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2008-11-24 23:24 570,396 --sh--r c:\winnt\gfsse11452s.bat

2008-11-21 18:27 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\WinZip

2008-11-12 10:28 --------- d-----w c:\program files\NOS

2008-11-12 10:28 --------- d-----w c:\documents and settings\All Users.WINNT\Application Data\NOS

2008-11-11 16:17 --------- d-----w c:\program files\Common Files\Adobe AIR

2008-11-11 16:16 --------- d---a-w c:\program files\Common Files\Adobe

2008-10-18 20:52 271 ---h--w c:\program files\desktop.ini

2008-10-18 20:52 21,952 ---h--w c:\program files\folder.htt

2008-10-18 00:09 558,142 ----a-w c:\winnt\java\Packages\646JBDNL.ZIP

2008-10-18 00:09 155,995 ----a-w c:\winnt\java\Packages\8EUJ3VB5.ZIP

2006-01-03 22:06 664,161 -c--a-w c:\program files\JuiceUserGuide.pdf

2005-03-10 23:34 84,254 -c--a-w c:\program files\belkin manual.pdf

2000-07-26 17:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys

.

c:\winnt\system32\svchost.exe ... Infected -- Win32.Qhost !!

----a-w 7,952 2000-07-26 17:00:00 c:\winnt\system32\svchost.exe

((((((((((((((((((((((((((((( snapshot@Thu 2009-01-01_22.33.51.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-12-05 22:52:44 114,688 ----a-w c:\winnt\system32\Adobe\Director\np32dsw.dll

+ 2008-12-05 22:53:24 499,712 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Control.dll

+ 2008-12-05 22:33:38 1,798,144 ----a-w c:\winnt\system32\Adobe\Shockwave 11\dirapi.dll

+ 2008-12-05 22:53:28 9,216 ----a-w c:\winnt\system32\Adobe\Shockwave 11\DynaPlayer.dll

+ 2008-12-05 22:25:10 703,488 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gi.dll

+ 2008-12-05 22:25:12 1,145,896 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gt.exe

+ 2008-12-05 22:25:10 52,288 ----a-w c:\winnt\system32\Adobe\Shockwave 11\gtapi.dll

+ 2008-12-05 22:29:48 892,928 ----a-w c:\winnt\system32\Adobe\Shockwave 11\iml32.dll

+ 2008-12-05 22:52:04 266,240 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Plugin.dll

+ 2008-12-05 22:53:58 446,464 ----a-w c:\winnt\system32\Adobe\Shockwave 11\Proj.dll

+ 2008-12-05 23:01:06 460,216 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwHelper_1103471.exe

+ 2008-12-05 22:51:48 114,688 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwInit.exe

+ 2008-12-05 22:51:46 94,208 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SwMenu.dll

+ 2008-12-05 22:25:10 58,736 ----a-w c:\winnt\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL

+ 1999-06-25 10:55:30 149,504 ----a-w c:\winnt\system32\Adobe\Shockwave 11\UNWISE.EXE

+ 2008-12-04 01:03:22 53,248 ----a-w c:\winnt\system32\Macromed\Common\SwSupport.dll

+ 2008-12-04 00:59:26 581,632 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Control.dll

+ 2008-12-04 00:59:30 1,490,944 ----a-w c:\winnt\system32\Macromed\Shockwave 10\dirapiX.dll

+ 2008-12-04 00:59:26 24,576 ----a-w c:\winnt\system32\Macromed\Shockwave 10\DynaPlayer.dll

+ 2008-12-04 00:59:30 606,208 ----a-w c:\winnt\system32\Macromed\Shockwave 10\iml32X.dll

+ 2008-12-04 00:59:26 339,968 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Plugin.dll

+ 2008-12-04 00:59:26 475,136 ----a-w c:\winnt\system32\Macromed\Shockwave 10\PluginPing.dll

+ 2008-12-04 00:59:26 180,224 ----a-w c:\winnt\system32\Macromed\Shockwave 10\Proj.dll

+ 2008-12-04 00:59:26 77,824 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwInit.exe

+ 2008-12-04 00:59:26 86,016 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwMenuX.dll

+ 2008-12-04 00:59:26 98,304 ----a-w c:\winnt\system32\Macromed\Shockwave 10\SwOnce.dll

+ 2009-01-02 14:17:04 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_218.dat

+ 2009-01-02 12:22:15 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_21c.dat

+ 2009-01-02 18:21:19 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_220.dat

+ 2009-01-02 12:22:08 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_27c.dat

+ 2009-01-03 23:59:57 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_c8.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [21/05/07 14:56 68856]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [02/05/03 13:19 4640768]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [26/11/08 17:18 81000]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [18/10/08 18:04 30192]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [12/06/08 02:38 34672]

"hgcheck"="c:\winnt\system32\hgcheck.exe" [24/12/08 13:07 104659]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [23/12/08 11:58 136600]

"Synchronization Manager"="mobsync.exe" [19/06/03 11:05 111376 c:\winnt\system32\mobsync.exe]

"nwiz"="nwiz.exe" [02/05/03 13:19 323584 c:\winnt\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"NvMediaCenter"="c:\winnt\System32\NVMCTRAY.DLL" [02/05/03 13:19 49152]

"internat.exe"="internat.exe" [26/07/00 17:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [19/06/03 11:05 186640]