multiple trojans found and a trojan banker bug won't keeps restoring and reloc


Post by mameck33 on 8th June 2009, 9:44 am

My Dell Inspiron 1100 laptop was, and still seems to be, running fine. I was on the web earlier this afternoon and the infamous pop-up window came up on my screen and stated there were multiple virus and spyware threats on my PC. I knew what this was and I attempted to close my Firefox browser, but I was stuck, so I pressed Ctrl-Alt-Delete and ended the browser task for Firefox. I did not click on the pop-up, though. It closed and I immediately ran my antivirus program; nothing showed up. I ran a Malwarebytes Anti-Malware quick scan and it found the following trojans on my system. They were supposedly quarantined and deleted by the Malwarebytes program; they do appear in my quarantine vault.

Files Infected:
c:\documents and settings\cleanup.exe (Trojan.Banker) -> No action taken.
C:\WINDOWS\SYSTEM32\svhost.exe (Trojan.Agent) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.

After the reboot I decided to run a Malwarebytes full system scan and the following infected files were found.

Files Infected:
c:\program files\ascentive\performance center\APCLang.dll (Rogue.AscentivePerformance) -> No action taken.

The file was quarantined and deleted by Malwarebytes, or so the program said.

Later, after a second reboot, I ran another quick scan and it turned up clean. Then I ran a second full system scan and, lo and behold, there was that stinking Trojan.Banker virus again. It was in my volume info/restore files. The exact name and location is as follows.

Files Infected:
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP172\A0020076.exe (Trojan.Banker) -> No action taken.

Malwarebytes reported again that the file had been quarantined and deleted. I have not been able to find any rootkits or hidden drivers thus far, but I know when it's time to stop and let the pros take over the hunt.

Here is my current HijackThis log.

HijackThis log 1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:10 AM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Memory Improve Master\MemoryImproveMaster.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Documents and Settings\Mark\Desktop\Spyware, Malware, Adware Removal Tools\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Fcache.brandreachsys.com%2Fthumbs%2Ffling%2Fr%2Fstatic%2Fr_apr0609_160x160_12.jpg&subject=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 3925 bytes


Post by mameck33 on 8th June 2009, 9:54 am

Sorry, I forgot to make sure word wrap was checked. Here is another copy of the HijackThis log. Again, sorry, and thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:10 AM, on 6/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Memory Improve Master\MemoryImproveMaster.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\SYSTEM32\osk.exe
C:\WINDOWS\SYSTEM32\MSSWCHX.EXE
C:\Documents and Settings\Mark\Desktop\Spyware, Malware, Adware Removal Tools\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Fcache.brandreachsys.com%2Fthumbs%2Ffling%2Fr%2Fstatic%2Fr_apr0609_160x160_12.jpg&subject=
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SmartRAM] "C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54 - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

--
End of file - 3925 bytes


Post by Belahzur on 8th June 2009, 5:15 pm

Can you post the full MBAM log?


Post by mameck33 on 8th June 2009, 5:58 pm

Here is the full scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2246
Windows 5.1.2600 Service Pack 3

6/7/2009 10:56:43 PM
mbam-log-2009-06-07 (22-56-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 145283
Time elapsed: 1 hour(s), 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP172\A0020076.exe (Trojan.Banker) -> Quarantined and deleted successfully.

I copied the quick scans just in case you might need them:

quick scan 1:

Malwarebytes' Anti-Malware 1.37
Database version: 2246
Windows 5.1.2600 Service Pack 3

6/7/2009 6:20:43 PM
mbam-log-2009-06-07 (18-20-43).txt

Scan type: Quick Scan
Objects scanned: 89190
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\cleanup.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

quick scan 2:

Malwarebytes' Anti-Malware 1.37
Database version: 2246
Windows 5.1.2600 Service Pack 3

6/7/2009 7:04:57 PM
mbam-log-2009-06-07 (19-04-57).txt

Scan type: Quick Scan
Objects scanned: 89204
Time elapsed: 9 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

quick scan 3:

6/8/2009 12:30:07 AM
mbam-log-2009-06-08 (00-30-07).txt

Scan type: Quick Scan
Objects scanned: 89507
Time elapsed: 11 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Let me know if you need any other logs.

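The full-scan hit in the post above sits inside a System Restore snapshot folder (_restore{GUID}\RP172), which is typically the copy System Restore saved when the live file was changed or removed, and is why a scanner can report the same family "coming back" after the live copy was already quarantined. As an added example (not code from this thread, from Malwarebytes or from the forum's helpers), this Python script parses the MBAM 1.x log format shown above and separates live detections from restore-point copies, using the log excerpts posted in this thread as its input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One MBAM 1.x result line:   <path or registry key> (<family>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Detail-section heading has nothing after the colon, so the summary block
# that precedes it ("Files Infected: 1") does not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Windows XP System Restore snapshot path:
#   \System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    section: str                  # e.g. "Files Infected", "Registry Keys Infected"
    item: str                     # path or registry key exactly as MBAM printed it
    family: str                   # e.g. "Trojan.Banker"
    action: str                   # e.g. "Quarantined and deleted successfully"
    restore_point: Optional[int]  # RP number if the item is a System Restore snapshot

    @property
    def is_restore_snapshot(self) -> bool:
        return self.restore_point is not None

    @property
    def still_present(self) -> bool:
        # MBAM prints "No action taken" until the user clicks Remove Selected.
        return self.action.lower().startswith("no action taken")


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse the detail sections of an MBAM 1.x log into Detection records."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group("section")
            continue
        if section is None or not line or line.startswith("(No malicious items detected)"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        rp = RESTORE_POINT_RE.search(m.group("item"))
        detections.append(Detection(section, m.group("item"), m.group("family"),
                                    m.group("action"), int(rp.group("rp")) if rp else None))
    return detections


def recurring_families(earlier: List[Detection], later: List[Detection]) -> Dict[str, List[int]]:
    """Families removed from a live location in `earlier` that appear in `later` only inside
    a restore point. That is System Restore's saved copy of the already cleaned file, not
    evidence of reinfection; the remedy is to purge restore points once the system is clean."""
    live_before = {d.family for d in earlier if not d.is_restore_snapshot}
    live_now = {d.family for d in later if not d.is_restore_snapshot}
    hits: Dict[str, List[int]] = {}
    for d in later:
        if d.is_restore_snapshot and d.family in live_before and d.family not in live_now:
            hits.setdefault(d.family, []).append(d.restore_point)
    return hits


# Excerpts of the two MBAM logs posted in this thread (quick scan 1 and the later full scan).
QUICK_SCAN_1 = r"""
Malwarebytes' Anti-Malware 1.37
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\cleanup.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

FULL_SCAN = r"""
Scan type: Full Scan (C:\|)
Files Infected: 1

Files Infected:
c:\system volume information\_restore{b37680b2-ba0a-4e5d-bf30-83e44c588624}\RP172\A0020076.exe (Trojan.Banker) -> Quarantined and deleted successfully.
"""


def main() -> None:
    quick, full = parse_mbam_log(QUICK_SCAN_1), parse_mbam_log(FULL_SCAN)
    for d in quick + full:
        where = f"RP{d.restore_point} snapshot" if d.is_restore_snapshot else "live"
        print(f"{d.family:14} {where:16} {d.action}")
    for family, rps in recurring_families(quick, full).items():
        print(f"{family}: only System Restore copies left (RP {rps}); purge restore points after cleanup")


if __name__ == "__main__":
    main()
```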

Post by mameck33 on 8th June 2009, 6:32 pm

I forgot that I had run a full scan with Spybot Search & Destroy. It was broken up into 3 different saved text files; I have included them just in case they might be of some use. I fixed the Security Center issue; that was my fault.

08.06.2009 09:44:50 - ##### check started #####
08.06.2009 09:44:50 - ### Version: 1.6.2
08.06.2009 09:44:50 - ### Date: 6/8/2009 9:44:50 AM
08.06.2009 09:44:55 - ##### checking bots #####
08.06.2009 09:53:19 - found: Microsoft.WindowsSecurityCenter.AntiVirusOverride Settings
08.06.2009 10:18:59 - ##### check finished #####
--- Report generated: 2009-06-08 10:19 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-06-08 spybotsd162.exe (1.6.2.0)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-06-08 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-02 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-06-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-06-02 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-02 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi (*)
2009-06-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- Report generated: 2009-06-08 10:19 ---

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-06-08 spybotsd162.exe (1.6.2.0)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-06-08 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-02 Includes\HijackersC.sbi (*)
2009-05-06 Includes\Keyloggers.sbi (*)
2009-06-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-05-12 Includes\Malware.sbi (*)
2009-06-02 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-02 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-04-07 Includes\Tracks.uti
2009-06-02 Includes\Trojans.sbi (*)
2009-06-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


Post by Belahzur on 8th June 2009, 8:26 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avast!)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post by mameck33 on 8th June 2009, 9:39 pm

ComboFix 09-06-07.07 - Mark 06/08/2009 13:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.687 [GMT -7:00]
Running from: c:\documents and settings\Mark\Desktop\downloads & files\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090607-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\cleanmgr.exe
c:\windows\system\oeminfo.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 16:28 . 2009-06-08 16:29 -------- d-----w- c:\program files\sunbelt-personal-firewall
2009-06-08 16:28 . 2009-06-08 16:28 -------- d-----w- c:\program files\Ad-AwareAE
2009-06-08 16:27 . 2009-06-08 16:27 -------- d-----w- c:\program files\spywareguardsetup
2009-06-08 16:25 . 2009-06-08 16:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-08 15:34 . 2009-06-08 15:34 -------- d-----w- c:\program files\CCleaner
2009-06-08 09:01 . 2009-06-08 09:01 -------- d-----w- c:\program files\NOS
2009-06-08 09:01 . 2009-03-03 21:53 109420 ----a-w- c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gpaqeb66.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
2009-06-08 09:01 . 2009-03-03 21:53 17464 ----a-w- c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gpaqeb66.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe
2009-06-08 09:01 . 2009-03-03 21:53 12792 ----a-w- c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gpaqeb66.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe
2009-06-08 08:51 . 2009-06-08 08:51 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-08 08:35 . 2009-06-08 08:52 -------- d-----w- c:\program files\JavaRa
2009-06-08 01:09 . 2009-06-08 13:30 -------- d-----w- c:\program files\avenger
2009-06-08 01:08 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-08 01:08 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-08 01:08 . 2009-06-08 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 22:41 . 2009-06-07 22:41 -------- d--h--w- c:\documents and settings\Mark\Local Settings\Application Data\{CEC42AA7-80BC-42B4-B5F3-8E754D04A118}
2009-06-07 21:30 . 2009-06-07 21:31 -------- d-----w- c:\windows\shell
2009-06-07 12:38 . 2009-06-07 12:38 -------- d-----w- c:\program files\Common Files\Stardock
2009-06-07 12:37 . 2009-06-07 12:37 -------- d-----w- c:\documents and settings\Mark\Application Data\Stardock
2009-06-07 12:37 . 2009-06-07 23:15 -------- d-----w- c:\program files\Stardock
2009-06-07 12:37 . 2009-06-07 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Stardock
2009-06-07 11:46 . 2009-06-07 12:32 -------- d-----w- c:\program files\uxpatcher
2009-06-03 22:15 . 2009-06-03 22:15 -------- d-----w- c:\program files\VistaZ4
2009-06-03 22:14 . 2009-06-03 22:14 -------- d-----w- C:\New Folder
2009-06-03 22:12 . 2009-06-03 22:12 -------- d-----w- c:\program files\The Royal Remixed Theme (it has its own installer
2009-06-02 15:51 . 2009-06-02 15:51 -------- d-----w- c:\documents and settings\Mark\Application Data\VSRevoGroup
2009-05-31 08:52 . 2009-05-31 08:52 -------- d-----w- c:\documents and settings\Mark\Application Data\GRETECH
2009-05-31 08:43 . 2009-05-31 08:43 -------- d-----w- c:\program files\GRETECH
2009-05-31 02:32 . 2009-05-31 02:32 -------- d-----w- c:\windows\system32\XPSViewer
2009-05-31 02:32 . 2009-05-31 02:32 -------- d-----w- c:\program files\MSBuild
2009-05-31 02:31 . 2009-05-31 02:31 -------- d-----w- c:\program files\Reference Assemblies
2009-05-31 02:30 . 2009-05-31 02:30 -------- d-----w- c:\windows\Driver Cache
2009-05-31 02:30 . 2008-07-06 12:06 117760 ----a-w- c:\windows\system32\prntvpt.dll
2009-05-31 02:30 . 2008-07-06 12:06 89088 -c--a-w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-31 02:30 . 2008-07-06 12:06 575488 -c--a-w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-31 02:30 . 2008-07-06 12:06 575488 ----a-w- c:\windows\system32\xpsshhdr.dll
2009-05-31 02:30 . 2008-07-06 12:06 1676288 -c--a-w- c:\windows\system32\dllcache\xpssvcs.dll
2009-05-31 02:30 . 2008-07-06 12:06 1676288 ----a-w- c:\windows\system32\xpssvcs.dll
2009-05-31 02:30 . 2008-07-06 10:50 597504 -c--a-w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-31 02:30 . 2009-05-31 02:31 -------- d-----w- C:\3a5c51725bdc6c6903622f
2009-05-31 00:57 . 2009-06-07 21:27 -------- d-----w- c:\program files\TGTSoft
2009-05-30 22:41 . 2009-05-30 22:41 -------- d-----w- c:\program files\TrueTransparency
2009-05-30 22:40 . 2009-06-02 16:07 -------- d-----w- c:\windows\win7xp
2009-05-30 22:22 . 2009-06-07 12:32 -------- d-----w- c:\program files\7-Zip
2009-05-30 21:55 . 2009-05-30 21:55 -------- d-----w- c:\program files\Mozilla firefox 3.4 Beta 4
2009-05-30 07:02 . 2009-05-30 07:02 -------- d-----w- c:\program files\Trend Micro
2009-05-30 06:56 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-30 06:56 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-30 06:56 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-30 06:56 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-30 06:56 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-30 06:56 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-30 06:56 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-30 06:56 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-30 06:55 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-05-30 06:55 . 2009-06-08 13:34 -------- d-----w- c:\program files\Alwil Software
2009-05-29 12:10 . 2009-05-29 12:10 79872 ----a-w- c:\windows\system32\Cleanup.exe
2009-05-28 07:25 . 2009-03-28 11:25 3644290 ----a-w- c:\windows\system32\wlcm.exe
2009-05-26 17:04 . 2009-05-26 17:04 22528 ----a-w- c:\windows\system32\spoolss.exe
2009-05-23 18:59 . 2009-05-23 18:59 -------- d-----w- C:\VIDEO_TS
2009-05-23 18:30 . 2009-04-23 04:29 76794605 ----a-w- c:\program files\9440INST-C.EXE
2009-05-22 05:36 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-05-22 05:36 . 2009-02-20 18:09 78336 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-05-21 06:52 . 2005-08-15 04:24 3307 ----a-w- c:\windows\system32\verifiar.exe
2009-05-21 05:05 . 2009-05-21 05:05 1295 ----a-w- c:\windows\system32\addelay.cmd
2009-05-19 08:41 . 2009-05-19 08:41 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2009-05-16 15:37 . 2009-05-23 17:59 -------- d-----w- c:\documents and settings\Mark\Application Data\uTorrent
2009-05-16 15:24 . 2009-05-16 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Zoom Player
2009-05-15 20:14 . 2009-05-16 21:56 -------- d-----w- c:\documents and settings\Mark\Application Data\FreshDiagnose
2009-05-15 17:57 . 2009-05-31 00:36 -------- d-----w- c:\windows\Desktop Themes
2009-05-15 15:15 . 2009-05-15 15:15 -------- d-----w- C:\Prefetch
2009-05-11 10:06 . 2009-05-24 01:37 -------- d-----w- c:\program files\IObit
2009-05-10 00:33 . 2009-05-28 05:28 -------- d-----w- C:\b60a1632802d6c53952758f624c15a
2009-05-10 00:33 . 2009-05-10 00:38 -------- d-----w- C:\6d0fedcb7209516a9e6f2de47035
2009-05-10 00:15 . 2009-05-10 00:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache


Post by mameck33 on 8th June 2009, 9:43 pm

ComboFix log file part 2:

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 16:33 . 2009-04-29 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-08 16:23 . 2009-04-28 19:00 -------- d-----w- c:\program files\java jre 6U 13 windows 158 (update) & Java RA Setup EXE. files
2009-06-08 16:14 . 2009-04-24 16:39 -------- d-----w- c:\program files\windows malicous software removal tool
2009-06-08 13:34 . 2009-04-28 18:41 -------- d-----w- c:\program files\VS Revo Group
2009-06-08 13:33 . 2009-05-02 21:57 -------- d-----w- c:\program files\Memory Improve Master
2009-06-08 13:28 . 2009-05-09 14:40 -------- d-----w- c:\program files\New Folder
2009-06-08 09:01 . 2009-04-28 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-08 08:50 . 2004-01-29 00:05 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-08 08:31 . 2008-11-03 23:16 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-08 08:31 . 2003-11-18 13:02 -------- d-----w- c:\program files\Java
2009-06-08 01:50 . 2008-01-08 21:49 100408 ----a-w- c:\documents and settings\Mark\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 09:56 . 2009-04-08 02:53 -------- d-----w- c:\program files\SkinStudio
2009-06-04 09:55 . 2003-11-18 13:20 -------- d-----w- c:\program files\MUSICMATCH
2009-06-04 09:55 . 2006-12-21 20:37 -------- d-----w- c:\program files\Microsoft Location Finder
2009-06-04 09:55 . 2007-07-17 07:33 -------- d-----w- c:\program files\Modem Helper
2009-06-03 06:57 . 2004-08-24 19:24 -------- d-----w- c:\program files\Yahoo!
2009-05-30 21:54 . 2009-01-05 19:51 -------- d-----w- c:\program files\ant.com toolbar
2009-05-23 18:23 . 2009-02-10 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Speedbit
2009-05-22 07:06 . 2009-04-23 08:49 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-05-22 06:56 . 2009-02-21 01:38 -------- d-----w- c:\program files\Common Files\Motive
2009-05-19 10:17 . 2009-04-23 09:30 2328704 ----a-w- c:\windows\system32\TUKernel.exe
2009-05-16 22:09 . 2009-04-10 17:52 -------- d-----w- c:\documents and settings\Mark\Application Data\Styler
2009-05-11 12:44 . 2008-11-01 16:05 -------- d-----w- c:\documents and settings\Mark\Application Data\IObit
2009-05-10 00:16 . 2009-04-24 16:18 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-05-09 13:52 . 2009-02-06 07:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-05-09 13:28 . 2003-11-18 13:22 -------- d-----w- c:\program files\WordPerfect Office 11
2009-05-07 02:48 . 2009-05-07 02:48 574 ----a-w- c:\windows\cleanup.bat
2009-05-02 06:49 . 2009-04-30 18:40 -------- d-----w- c:\program files\Lavasoft
2009-05-02 06:49 . 2009-04-30 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-29 11:52 . 2003-11-18 13:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-04-28 19:38 . 2003-11-18 13:19 -------- d-----w- c:\program files\Dell Computer
2009-04-28 16:05 . 2009-04-28 16:05 -------- d-----w- c:\documents and settings\Mark\Application Data\Malwarebytes
2009-04-28 16:05 . 2009-04-28 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-28 13:39 . 2009-04-28 09:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Active Shield
2009-04-28 09:38 . 2009-04-28 09:38 -------- d-----w- c:\documents and settings\Mark\Application Data\True Sword
2009-04-24 19:35 . 2009-04-10 13:11 -------- d-----w- c:\documents and settings\Mark\Application Data\New Folder
2009-04-24 16:52 . 2009-04-24 16:52 -------- d-----w- c:\documents and settings\Mark\Application Data\Apple Computer
2009-04-23 08:51 . 2009-04-23 08:51 -------- d-----w- c:\documents and settings\Mark\Application Data\TuneUp Software
2009-04-23 08:50 . 2009-04-23 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-04-20 03:58 . 2003-11-29 23:19 -------- d-----w- c:\program files\The Learning Company
2009-04-20 02:48 . 2007-04-11 23:42 -------- d-----w- c:\program files\DellSupport
2009-04-10 05:13 . 2009-04-07 13:04 -------- d-----w- c:\documents and settings\Mark\Application Data\vghd
2009-04-08 00:10 . 2009-02-06 10:35 255264 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-03-08 03:15 . 2008-10-13 20:59 18742560 --sha-w- c:\windows\SYSTEM32\DRIVERS\fidbox.dat


Re: multiple trojans found and a trojan banker bug wont keeps restoring and reloc

Post by mameck33 on 8th June 2009, 9:44 pm

COMBO FIX LOG FILE PART 3:


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Memory Improve Master"="c:\program files\Memory Improve Master\MemoryImproveMaster.exe" [2009-03-16 5095424]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2009-02-10 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless-G Notebook Adapter Utility.lnk]
backup=c:\windows\pss\Wireless-G Notebook Adapter Utility.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VIPv3_Auto_Update

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"DVDSentry"=c:\windows\System32\DSentry.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [5/29/2009 11:56 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [5/29/2009 11:56 PM 20560]
S1 SuperMounter;SuperMounter; [x]
S2 NICSer_WPC54;NICSer_WPC54;c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [4/24/2009 8:28 AM 441344]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;c:\windows\SYSTEM32\DRIVERS\a311.sys [12/31/1979 11:00 PM 31799]
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;c:\windows\SYSTEM32\DRIVERS\a310.sys [12/31/1979 11:00 PM 33335]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [6/8/2009 2:01 AM 33176]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\SYSTEM32\DRIVERS\LCcfltr.sys [1/5/2008 11:28 PM 12413]
S3 TNET1130x;Wireless-G Notebook Adapter v.2.0;c:\windows\system32\DRIVERS\tnet1130x.sys --> c:\windows\system32\DRIVERS\tnet1130x.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\AWC AutoCare.job
- c:\program files\IObit\Advanced SystemCare 3\AutoCare.exe [2009-06-02 22:11]

2009-06-08 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-06-02 22:35]

2009-06-08 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-06-02 17:15]

2009-06-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 03:20]

2009-06-08 c:\windows\Tasks\User_Feed_Synchronization-{B8DAE155-D757-48F4-B05F-4A436B7938D9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:05]
.
- - - - ORPHANS REMOVED - - - -

Notify-WBSrv - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:?body=http%3A%2F%2Fcache.brandreachsys.com%2Fthumbs%2Ffling%2Fr%2Fstatic%2Fr_apr0609_160x160_12.jpg&subject=
FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\gpaqeb66.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-08 14:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-08 14:08
ComboFix-quarantined-files.txt 2009-06-08 21:07

Pre-Run: 6,773,940,224 bytes free
Post-Run: 7,217,135,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin /TUTag=V53AJ2 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional (TuneUp Backup)" /fastdetect /noexecute=optin /TUTag=V53AJ2-BAK

250 --- E O F --- 2009-06-08 10:24


Re: multiple trojans found and a trojan banker bug wont keeps restoring and reloc

Post by Belahzur on 9th June 2009, 5:29 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?





Re: multiple trojans found and a trojan banker bug wont keeps restoring and reloc

Post by afreshgeeksterwannabe on 10th June 2009, 9:35 pm

Well, it seems to be running pretty well; there are quite a few processes running after start-up, though, which bogs down the PC for a short time. I had run a program called GREM.EXE and it identified that there was a rootkit and a hidden driver found... I was not able to save the log, though... I did not attempt to delete it, nor run any script through GREM, nor through other commands.... Let me know what you think should be the next step. I would be happy to rerun GREM and try to provide you with a copy of the log... Please advise...


Re: multiple trojans found and a trojan banker bug wont keeps restoring and reloc

Post by Belahzur on 10th June 2009, 9:54 pm

GMER you mean?

Yes, run another scan with it and upload me the log file.



