Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan-downloader.win32.agent.bq & related window security popup

Started by dcw77 , Oct 07 2008 04:43 PM

  • Please log in to reply

#1
dcw77
Posted 07 October 2008 - 04:43 PM

dcw77

    New Member

  • Member
  • Pip
  • 4 posts
Last night was the first time I see these "Window Security" looking like windows poping up on my computer. They looked real and I actually thought I had keyloggers on my computer when I looked up "trojan-downloader.win32.agent.bq". Since then, it has prompted me a couple other trojans.

I have looked at a couple of other posts on this forum regarding this issue. Although the problems are similar, I can't find the exact spots where the issues are for me to go fix.

This is my hijackthis log. Please help me get rid of this nausance. Thank you.

-------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:27 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\poherkji.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [SpybotDeletingA6023] command /c del "C:\WINDOWS\system32\smp\msrc.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9082] cmd /c del "C:\WINDOWS\system32\smp\msrc.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [appsmart] C:\WINDOWS\system32\poherkji.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6248] command /c del "C:\WINDOWS\system32\smp\msrc.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4447] cmd /c del "C:\WINDOWS\system32\smp\msrc.exe"
O4 - HKLM\..\Policies\Explorer\Run: [1uGrXDlbBD] C:\Documents and Settings\All Users\Application Data\jufyruhi\jelepchw.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135364453624
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: MonSys - {70AECCFE-9DEC-FA07-0DF8-070D5E0248C7} - C:\Program Files\ghrwdk\MonSys.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9566 bytes
  • 0

Advertisements

#2
dcw77
Posted 07 October 2008 - 07:00 PM

dcw77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I followed the instruction on http://www.geekstogo...bq-t213664.html and did the following.
1) Cleaned with ATF Cleaned
2) Used Malwarebytes' Anti-Malware to scan.
3) Used Combofix
4) Ran Kaspersky WebScanner

This is my MBAM Log.


Malwarebytes' Anti-Malware 1.28
Database version: 1240
Windows 5.1.2600 Service Pack 3

10/7/2008 7:12:58 PM
mbam-log-2008-10-07 (19-12-58).txt

Scan type: Quick Scan
Objects scanned: 51971
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\appsmart (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\poherkji.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.


-------------------------------------------------
My Combo Fix Log.
ComboFix 08-10-07.06 - David 2008-10-07 19:25:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.518 [GMT -4:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-07 19:07 . 2008-10-07 19:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-07 19:07 . 2008-10-07 19:07 <DIR> d-------- C:\Documents and Settings\David\Application Data\Malwarebytes
2008-10-07 19:07 . 2008-10-07 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-07 19:07 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-07 19:07 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-07 17:26 . 2008-10-07 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-07 17:13 . 2008-10-07 17:13 <DIR> d-------- C:\Program Files\Windows Defender
2008-10-07 17:07 . 2008-10-07 17:07 91 --a------ C:\WINDOWS\wininit.ini
2008-10-07 08:12 . 2008-10-07 17:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-10-07 02:14 . 2008-10-07 02:14 <DIR> d-------- C:\Program Files\ghrwdk
2008-10-07 02:13 . 2008-10-07 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jufyruhi
2008-09-13 04:21 . 2008-09-13 04:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-13 04:21 . 2008-09-13 04:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-13 03:06 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-09-13 00:54 . 2008-09-13 00:54 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-13 00:54 . 2008-09-13 00:54 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-13 00:54 . 2008-09-13 00:54 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-13 00:21 . 2008-09-13 00:24 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-07 23:23 --------- d-----w C:\Documents and Settings\David\Application Data\uTorrent
2008-10-07 12:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-07 12:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-07 00:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-10-05 20:10 --------- d-----w C:\Program Files\World of Warcraft
2008-10-05 18:25 --------- d-----w C:\Program Files\Trillian Pro
2008-10-02 06:42 --------- d-----w C:\Documents and Settings\David\Application Data\Skype
2008-10-02 05:20 --------- d-----w C:\Documents and Settings\David\Application Data\skypePM
2008-09-13 08:20 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-13 08:18 --------- d-----w C:\Documents and Settings\David\Application Data\Lavasoft
2008-08-30 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2008-08-30 18:52 --------- d-----w C:\Program Files\Warcraft III
2008-08-30 05:53 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-08-30 05:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-29 04:22 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-15 06:47 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-19 02:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2007-04-11 22:29 25,280 ----a-w C:\Documents and Settings\David\Application Data\GDIPFONTCACHEV1.DAT
2006-07-29 16:37 33,792 -c--a-w C:\Program Files\7.doc
2006-07-29 04:43 33,191 -c--a-w C:\Program Files\july2 (617) 595-3343.csv
2006-07-28 00:19 33,092 -c--a-w C:\Program Files\July(617) 595-3343.csv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 8466432]
"EPSON Stylus Photo 825"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-04-09 74240]
"FastTVSync"="C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe" [2004-03-11 245760]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-09 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 81920]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-01-12 488984]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-01-12 244512]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2007-06-29 C:\WINDOWS\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 C:\WINDOWS\system32\bthprops.cpl]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-23 110592]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-26 692224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MonSys"= {70AECCFE-9DEC-FA07-0DF8-070D5E0248C7} - C:\Program Files\ghrwdk\MonSys.dll [2008-10-07 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-08-09 17:33 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wscsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQLite\\ICQLite.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\Nexon\Combat Arms\CombatArms.exe"= C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"C:\Nexon\Combat Arms\Engine.exe"= C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"C:\\Nexon\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9357:TCP"= 9357:TCP:BitComet 9357 TCP
"9357:UDP"= 9357:UDP:BitComet 9357 UDP
"17663:TCP"= 17663:TCP:BitComet 17663 TCP
"17663:UDP"= 17663:UDP:BitComet 17663 UDP

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [2005-02-10 16640]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-04 76040]
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys [2001-09-10 17976]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 4047]

*Newly Created Service* - PROCEXP90
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder

2008-10-07 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-09-30 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []

2007-07-08 C:\WINDOWS\Tasks\Uniblue SpyEraser.job
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitComet - C:\Program Files\BitComet\BitComet.exe
HKLM-Explorer_Run-1uGrXDlbBD - C:\Documents and Settings\All Users\Application Data\jufyruhi\jelepchw.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\David\Application Data\Mozilla\Firefox\Profiles\2pvwb7er.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 19:27:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\DOCUME~1\David\LOCALS~1\Temp\RGI7F.tmp 7075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-07 19:29:47
ComboFix-quarantined-files.txt 2008-10-07 23:28:47

Pre-Run: 49,911,353,344 bytes free
Post-Run: 49,889,386,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

195 --- E O F --- 2008-09-14 07:03:26
  • 0

#3
dcw77
Posted 07 October 2008 - 07:15 PM

dcw77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, October 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 08, 2008 00:13:35
Records in database: 1298503
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 77477
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:54:26


File name / Threat name / Threats count
C:\Program Files\ghrwdk\MonSys.dll Infected: Trojan.Win32.Obfuscated.gx 1

The selected area was scanned.

Edited by dcw77, 07 October 2008 - 07:58 PM.

  • 0

#4
dcw77
Posted 07 October 2008 - 07:20 PM

dcw77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
This my hijackthislog after running everything else.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:17 PM, on 10/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB001" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135364453624
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: MonSys - {70AECCFE-9DEC-FA07-0DF8-070D5E0248C7} - C:\Program Files\ghrwdk\MonSys.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8369 bytes

I notice that a couple of .exe were removed but I am not sure if everything is removed.

I rescanned with Kaspersky and there is no issue...

Edited by dcw77, 07 October 2008 - 09:30 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP