Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS


Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 22nd July 2009, 4:38 pm

I haven't really experienced any problems yet. The thing is that the malware keeps hiding, so I'm not sure if it's removed or not.
So I scanned my computer with COMODO. COMODO found some threats and removed them. My friend told me I should scan my computer again with another program, to be sure the malware was really gone. I used the online scan from Norton/Symantec: [You must be registered and logged in to see this link.]
This scan told me there were still threats. Based on this result I downloaded AVG Internet Security, which was supposed to be able to remove the malware. After this I tried yet another antivirus program which found threats. (Can't remember the name though; I removed it since you had to pay to get the full version.)

I hope this will help me remove the trojans and the virus for good.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:43, on 2009-07-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8407 bytes

Koriander
Novice

Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0

Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 23rd July 2009, 8:54 am

Scanned my computer again with AVG. It found two files with infection of "Trojan Horse Downloader.Generic8.BDKW", as AVG calls it. The files are both located in my external HDD.

Maybe I should make a new HijackThis log file, since I scanned with AVG again and since AVG tries to remove files automatically. But I trust you guys in this, so tell me if I need to do that.


bump

Post by Koriander on 24th July 2009, 4:38 pm

bump


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 24th July 2009, 6:36 pm

OK, things are getting worse now. The trojan changes my firewall settings, not only during start-up, and everything is getting slower.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 24th July 2009, 7:17 pm

bump, again


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 25th July 2009, 11:44 pm

79h bump.........


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 26th July 2009, 12:14 am

Hello.
Sorry for the delay, we've been flooded and your post got missed and pushed back.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O20 - AppInit_DLLs:


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1
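As an added example (not code from the thread, from HijackThis or from Malwarebytes), the following Python script parses HijackThis entries of the shape shown in the log above and flags the two items Belahzur asked to have fixed: the URLSearchHook whose CLSID is registered but whose target is "(no file)", and the AppInit_DLLs value that is present but empty. It also applies an assumed, clearly labelled heuristic for O4 autoruns that launch from a user temp or profile-data folder; the sample lines are copied from the log in the first post except for one constructed O4 entry.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the thread's HijackThis log, plus one
# constructed O4 entry ([example]) so the temp-folder heuristic has something to hit.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\*?\{[0-9A-Fa-f-]{36}\}")
AUTORUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


@dataclass
class Entry:
    code: str             # R0/R1/R3/O2/O4/O20 ...
    kind: str             # "URLSearchHook", "BHO", "HKLM\..\Run", "AppInit_DLLs", ...
    name: str             # display name or autorun value name ("" when absent)
    clsid: Optional[str]  # CLSID when the entry carries one
    path: str             # target file / command line / value data ("" when absent)
    raw: str


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis line into an Entry; returns None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and " = " in body:           # "key,value = data"
        key, data = body.split(" = ", 1)
        return Entry(code, key.strip(), "", None, data.strip(), line)
    if code == "O4":                                     # "hive: [name] command"
        a = AUTORUN_RE.match(body)
        if a:
            return Entry(code, a.group("hive"), a.group("name"), None, a.group("cmd").strip(), line)
        return Entry(code, "", "", None, body, line)
    # Generic "kind: name - {CLSID} - path" (CLSID and path optional)
    kind, sep, rest = body.partition(":")
    if not sep:
        kind, rest = body, ""
    parts = [p.strip() for p in rest.split(" - ")] if rest.strip() else []
    clsid, name, path = None, "", ""
    for p in parts:
        if CLSID_RE.fullmatch(p):
            clsid = p.lstrip("*")
        elif not name:
            name = p
        else:
            path = p                                     # last non-CLSID fragment wins
    return Entry(code, kind.strip(), name, clsid, path, line)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


# Assumed heuristic: autoruns under these user-writable folders deserve a look.
USER_DATA_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag the items a reviewer would mark in the log above."""
    findings: List[Finding] = []
    for e in entries:
        low = e.path.lower()
        if e.code in ("R3", "O2") and e.path == "(no file)":
            findings.append(Finding(e, "orphaned hook/BHO: CLSID registered but target file missing"))
        elif e.code == "O20" and e.kind == "AppInit_DLLs" and not e.path:
            findings.append(Finding(e, "AppInit_DLLs value present but empty (cleanup item)"))
        elif e.code == "O4" and any(d in low for d in USER_DATA_DIRS):
            findings.append(Finding(e, "autorun launched from a user temp/profile-data folder (assumed heuristic)"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.entry.code:4} {f.reason}\n     {f.entry.raw.strip()}")
```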

Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 26th July 2009, 11:29 am

Thanks for the reply, I went to bed minutes before it was posted though (bed time in Sweden).
I was prompted to restart my computer and just before it did AVG found a threat: Win32.Agent.fu in file SYPNQ.SYS
I let AVG remove this and the file was deleted. Hope nothing went wrong by doing this.

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3

2009-07-26 13:13:43
mbam-log-2009-07-26 (13-13-43).txt

Scan type: Quick Scan
Objects scanned: 108023
Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Klas Karis\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Cease (Rogue.SpywareCease) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\klas karis\local settings\Temp\INSAB.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\klas karis\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\program files\spyware cease\md5.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\mtools.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\networkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\opfile.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\RkHitApi.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\spkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SpywareCease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\ussafe.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\zlib1.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 26th July 2009, 5:34 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 26th July 2009, 6:20 pm

DDS (Ver_09-06-26.01) - NTFSx86
Run by Admin at 20:17:50,73 on 2009-07-26
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.513 [GMT 2:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\vcca8g3j.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\personal\bin\np_prsnl.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-25 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-25 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-25 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-25 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-25 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-25 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-7-25 1368952]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2009-6-6 1023488]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-7-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-7-25 29208]

=============== Created Last 30 ================

2009-07-26 13:02 --d----- c:\docume~1\admin\applic~1\Malwarebytes
2009-07-26 13:01 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 13:01 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-26 13:01 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-26 13:01 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-25 12:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-25 12:56 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-07-25 12:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-25 12:56 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-25 12:56 --d----- c:\windows\system32\drivers\Avg
2009-07-25 12:56 --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-25 12:56 --d----- c:\docume~1\admin\applic~1\Windows Search
2009-07-25 12:56 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-07-25 12:56 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-07-25 12:56 --d----- c:\program files\AVG
2009-07-24 23:08 4,786,464 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-24 23:08 66,224 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-24 23:08 15,392 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-07-24 23:08 2,516 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-07-24 23:08 3,913 a------- C:\rollback.ini
2009-07-24 23:01 --d----- c:\program files\common files\ParetoLogic
2009-07-24 23:01 --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-07-24 19:48 --d----- c:\program files\Enigma Software Group
2009-07-22 17:01 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-22 16:37 --d----- c:\documents and settings\admin\.SunDownloadManager
2009-07-22 15:55 --d----- c:\program files\Trend Micro
2009-07-22 15:22 42 a------- c:\windows\system32\scud.udf
2009-07-22 02:11 --d-h--- C:\$AVG8.VAULT$
2009-07-22 01:51 --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-07-22 01:50 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-22 01:45 --d----- c:\docume~1\admin\applic~1\AVG8
2009-07-21 22:44 --d----- c:\docume~1\alluse~1\applic~1\12936094
2009-07-16 16:14 --d----- c:\program files\iPod
2009-07-16 16:13 --d----- c:\program files\iTunes
2009-06-29 17:54 --d----- c:\program files\Sony Ericsson

==================== Find3M ====================

2009-07-22 17:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-22 14:43 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-06-16 16:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 16:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-09 20:58 21,104 a---h--- c:\windows\system32\mlfcache.dat
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 21:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-15 20:23 218,624 a------- c:\windows\system32\uxtheme.dll
2009-05-13 07:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 17:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 20:30 3,366,912 a------- c:\windows\system32\GPhotos.scr

============= FINISH: 20:18:36,81 ===============


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 26th July 2009, 8:44 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Folders to delete:
c:\docume~1\alluse~1\applic~1\12936094

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 26th July 2009, 9:10 pm

When I try to execute the script with The Avenger I keep getting an error message:

"Error: Invalid script. A script must begin with a command directive.
Aborting execution!"


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 26th July 2009, 9:18 pm

OK, my mistake, I didn't copy everything from the code box.

During my malfunctioning, a threat was detected by AVG. I quarantined it with AVG. Here's what AVG reported (before the restart of the computer prompted by The Avenger):

"File name: ibufatkl.sys
Path: c:\windows\system32\drivers
Threat: Win32.Agent.fu
Type: Malware

Successfully removed from Computer."


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 26th July 2009, 9:28 pm

contents of c:\avenger.txt:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Jul 26 23:04:46 2009

23:04:46: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Jul 26 23:07:06 2009

23:07:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Jul 26 23:07:19 2009

23:07:19: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 8:48 pm

So, am I good? The log doesn't really say anything, only that I was a dumbnut when I didn't copy the whole script...


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 27th July 2009, 9:16 pm

Doesn't matter anymore, I've noticed something I didn't see before.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 9:57 pm

So, I followed the instructions on how to disable AVG.
When I try to run combofix, AVG says this threat "Malware.gen" with file name "CMD.EXECF" is detected. (But isn't AVG disabled?)

Result of this: combofix won't run and AVG says that "Malware.gen" with "CMD.EXECF" is a known piece of malware: "It is recommended that you quarantine this threat." So I quarantine it and after that nothing happens.

It's the same threat every time I try to run combofix.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 11:33 pm

So, it's done. Though I did have to disable another function of AVG 8.5, the "AVG ID Protection". Then after the reboot executed by ComboFix, AVG ID Protection was turned on again (start-up feature) and it found yet another threat. This time I allowed the threat so that ComboFix could continue to run and then I disabled it (obviously ComboFix was the "threat").

The ComboFix log is posted next.


Last edited by Koriander on 27th July 2009, 11:38 pm; edited 1 time in total


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 11:34 pm

ComboFix 09-07-27.02 - Admin 2009-07-28 1:15.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.569 [GMT 2:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_RKHIT
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-06-27 to 2009-07-27 )))))))))))))))))))))))))))))))
.

2009-07-26 20:03 . 2009-07-26 20:03 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-07-26 11:02 . 2009-07-26 11:02 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-07-26 11:01 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 11:01 . 2009-07-26 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-26 11:01 . 2009-07-26 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-26 11:01 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 11:11 . 2009-07-25 11:11 -------- d-----w- c:\documents and settings\log
2009-07-25 11:02 . 2009-07-25 11:02 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\AVG Security Toolbar
2009-07-25 10:56 . 2009-07-25 10:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-07-25 10:56 . 2009-07-25 10:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-25 10:56 . 2009-07-25 10:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-25 10:56 . 2009-07-25 10:56 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-25 10:56 . 2009-07-25 10:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-25 10:56 . 2009-07-27 22:12 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-25 10:56 . 2009-07-25 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-25 10:56 . 2009-07-25 10:56 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Search
2009-07-25 10:56 . 2009-07-25 10:56 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-07-25 10:56 . 2009-07-25 10:56 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-07-25 10:56 . 2009-07-25 10:56 -------- d-----w- c:\program files\AVG
2009-07-24 21:08 . 2009-07-25 11:06 4786464 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-24 21:08 . 2009-07-25 11:06 15392 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-24 21:01 . 2009-07-25 11:04 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-24 21:01 . 2009-07-25 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-24 20:55 . 2009-07-24 20:55 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Downloaded Installations
2009-07-24 17:48 . 2009-07-24 17:48 -------- d-----w- c:\program files\Enigma Software Group
2009-07-22 15:10 . 2009-07-22 15:18 -------- d-----w- c:\program files\NOS
2009-07-22 15:10 . 2009-07-22 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 15:00 . 2009-07-22 15:00 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-22 14:37 . 2009-07-22 14:51 -------- d-----w- c:\documents and settings\Admin\.SunDownloadManager
2009-07-22 14:17 . 2009-07-22 14:21 -------- d-----w- c:\documents and settings\Klas Karis\.SunDownloadManager
2009-07-22 13:55 . 2009-07-22 13:55 -------- d-----w- c:\program files\Trend Micro
2009-07-22 13:38 . 2009-07-22 13:38 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\Downloaded Installations
2009-07-22 12:58 . 2009-07-22 12:58 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\AVG Security Toolbar
2009-07-22 00:11 . 2009-07-24 17:50 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-21 23:51 . 2009-07-21 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-07-21 23:50 . 2009-07-25 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-21 23:45 . 2009-07-21 23:45 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG8
2009-07-21 23:30 . 2009-07-21 23:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\COMODO
2009-07-21 21:20 . 2009-07-21 21:20 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\COMODO
2009-07-21 20:44 . 2009-07-22 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\12936094
2009-07-16 19:54 . 2009-07-16 19:56 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Move Networks
2009-07-16 19:54 . 2008-09-17 08:07 847360 ----a-w- c:\documents and settings\Klas Karis\Application Data\Mozilla\Firefox\Profiles\2tzeirqm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
2009-07-16 14:14 . 2009-07-16 14:14 -------- d-----w- c:\program files\iPod
2009-07-16 14:13 . 2009-07-16 14:14 -------- d-----w- c:\program files\iTunes
2009-07-16 14:07 . 2009-07-16 14:07 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-02 20:53 . 2009-07-05 18:39 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Move Networks
2009-07-02 20:53 . 2008-09-17 08:07 847360 ----a-w- c:\documents and settings\Lillasyster\Application Data\Mozilla\Firefox\Profiles\laphfc0t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
2009-06-29 15:54 . 2009-06-29 15:54 -------- d-----w- c:\program files\Sony Ericsson

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 21:12 . 2009-07-26 21:12 120 ----a-w- c:\program files\jzzdng.txt
2009-07-26 20:03 . 2009-07-26 20:03 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-07-25 11:06 . 2009-07-24 21:08 66224 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-25 11:06 . 2009-07-24 21:08 2516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-24 21:00 . 2009-05-13 21:16 21832 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 15:29 . 2009-06-01 18:55 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\uTorrent
2009-07-22 15:07 . 2007-10-28 16:58 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-22 15:00 . 2009-01-23 20:48 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 14:59 . 2007-10-26 16:20 -------- d-----w- c:\program files\Java
2009-07-22 12:44 . 2008-10-12 13:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-22 12:44 . 2009-06-06 18:57 -------- d-----w- c:\program files\Comodo
2009-07-22 12:43 . 2009-06-17 11:00 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-07-18 13:12 . 2009-05-13 21:52 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Apple Computer
2009-07-16 14:14 . 2009-05-13 21:12 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 10:11 . 2009-01-23 21:21 1 ----a-w- c:\documents and settings\Klas Karis\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-02 11:02 . 2009-05-15 20:50 1 ----a-w- c:\documents and settings\Lillasyster\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-23 17:14 . 2009-06-23 17:14 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Windows Search
2009-06-17 11:00 . 2007-09-22 21:28 -------- d-----w- c:\program files\Norman
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 18:51 . 2009-06-15 18:51 98304 ----a-r- c:\documents and settings\Klas Karis\Application Data\Microsoft\Installer\{DE2F2D9C-53E2-40EE-8209-74DA63CB060E}\python_icon.exe
2009-06-14 11:21 . 2009-06-14 10:43 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\vlc
2009-06-14 10:41 . 2009-06-14 10:41 -------- d-----w- c:\program files\VideoLAN
2009-06-11 07:45 . 2008-10-12 13:22 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 10:45 . 2007-09-13 16:29 21832 ----a-w- c:\documents and settings\Klas Karis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:40 . 2009-06-09 19:39 -------- d-----w- c:\program files\QuickTime
2009-06-09 18:58 . 2009-06-09 18:58 21104 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-09 18:54 . 2009-06-09 18:54 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Windows Search
2009-06-07 19:07 . 2009-05-15 20:26 21832 ----a-w- c:\documents and settings\Lillasyster\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 14:17 . 2009-06-07 14:17 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Comodo
2009-06-06 19:00 . 2009-06-06 19:00 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Comodo
2009-06-06 18:51 . 2009-06-06 18:51 -------- d-----w- c:\program files\JRE
2009-06-06 18:51 . 2009-01-23 21:09 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-05 09:42 . 2009-05-13 21:13 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 09:42 . 2009-05-13 21:13 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 20:51 . 2009-05-31 20:51 152576 ----a-w- c:\documents and settings\Lillasyster\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-15 18:23 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-05-13 21:46 . 2009-05-13 21:46 152576 ----a-w- c:\documents and settings\Klas Karis\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 13:12 . 2007-09-22 20:13 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-07-22 14:22 . 2009-06-09 19:38 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 11:35 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-27 12:35 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-01-18 137216]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-22 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-25 1948440]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-17 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-25 10:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-07-25 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-07-25 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-07-25 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-07-25 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-07-25 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-07-25 1368952]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R2 ComodoBackupService;ComodoBackupService;c:\program files\Comodo\BackUp\CmdBkSvc.exe [2009-06-06 1023488]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-07-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
S0 zlcekvv;zlcekvv;c:\windows\system32\drivers\ibufatkl.sys --> c:\windows\system32\drivers\ibufatkl.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-07-25 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-07-27 c:\windows\Tasks\User_Feed_Synchronization-{60DEF766-08B7-4C4F-B5E9-562B13BD6EC7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]

2009-07-27 c:\windows\Tasks\User_Feed_Synchronization-{9E7CD024-AE9D-4426-A89F-BA3A119A6AFC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]

2009-07-27 c:\windows\Tasks\User_Feed_Synchronization-{C7899E23-2FC5-49C6-971C-389E42CD9F71}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\vcca8g3j.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

driver loading error catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-28 01:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(228)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\tcpsvcs.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-27 1:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-27 23:24

Pre-Run: 258 316 058 624 bytes free
Post-Run: 258 999 025 664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

283 --- E O F --- 2009-07-22 11:26


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 27th July 2009, 11:49 pm

I hope it was OK to keep the firewall on. I didn't think of that before executing, and combofix did run like a vacuum cleaner anyway.
I first thought of that after posting the log when I read the whole topic of "How To Temporarily Disable Your AV".


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 28th July 2009, 5:18 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\program files\jzzdng.txt

Folder::
c:\documents and settings\All Users\Application Data\12936094
c:\documents and settings\Klas Karis\Application Data\uTorrent

Driver::
zlcekvv

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



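As an added example (my own code, not the thread's and not ComboFix's): a small Python helper that parses the Drivers/Services lines of a ComboFix log like the one posted above, flags a service whose driver file is missing ('[?]') or was reported quarantined by the AV (as AVG did with ibufatkl.sys), and renders the File::/Folder::/Driver:: CFScript layout Belahzur uses here. The function names are mine; the sample lines are copied from the log in this thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Sample input: five Drivers/Services lines copied from the ComboFix log in this
# thread.  ComboFix prints '<start> <name>;<display>;<image> [<date> <size>]' and
# appends '--> <path> [?]' when it could not find the image file on disk.
SAMPLE_SERVICE_LINES = [
    r"R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-07-25 12552]",
    r"R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-07-25 335752]",
    r"R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]",
    r"S0 zlcekvv;zlcekvv;c:\windows\system32\drivers\ibufatkl.sys --> c:\windows\system32\drivers\ibufatkl.sys [?]",
    r"S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-07-25 29208]",
]

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"             # R = running, S = stopped; digit = start group
    r"(?P<name>[^;]+);"                  # service/driver key name under the Services key
    r"(?P<display>[^;]*);"               # display name (may be empty)
    r"(?P<image>.+?)"                    # image path as registered
    r"(?:\s+-->\s+(?P<resolved>.+?))?"   # '--> path' when ComboFix had to resolve it
    r"\s+\[(?P<info>[^\]]*)\]\s*$"       # '[date size]' if found, '[?]' if missing
)


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    image: str
    info: str

    @property
    def image_missing(self) -> bool:
        """True when ComboFix printed '[?]' instead of a date and size."""
        return self.info.strip() == "?"

    @property
    def image_basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_services(lines: Iterable[str]) -> List[ServiceEntry]:
    """Parse every line that matches ComboFix's service layout; skip the rest."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["start"], m["name"], m["display"], m["image"], m["info"]))
    return entries


def find_orphaned_services(lines: Iterable[str], quarantined_files: Sequence[str] = ()) -> List[ServiceEntry]:
    """Return services whose driver file is gone ('[?]') or whose image basename
    matches a file the AV reported quarantining (e.g. 'ibufatkl.sys').
    Either way the registration outlived the file and deserves a second look."""
    quarantined = {f.lower() for f in quarantined_files}
    return [e for e in parse_services(lines)
            if e.image_missing or e.image_basename in quarantined]


def render_cfscript(files: Sequence[str] = (), folders: Sequence[str] = (), drivers: Sequence[str] = ()) -> str:
    """Render CFScript.txt in the File:: / Folder:: / Driver:: layout used in the
    thread: a header line, one item per line, and a blank line between sections."""
    blocks = []
    for header, items in (("File::", files), ("Folder::", folders), ("Driver::", drivers)):
        if items:
            blocks.append("\n".join([header, *items]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    orphans = find_orphaned_services(SAMPLE_SERVICE_LINES, quarantined_files=["ibufatkl.sys"])
    print(render_cfscript(files=[r"c:\program files\jzzdng.txt"],
                          folders=[r"c:\documents and settings\All Users\Application Data\12936094"],
                          drivers=[e.name for e in orphans]))
```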
Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 28th July 2009, 9:24 pm

Same this time: AVG ID Protection auto-started at startup, but combofix did its job anyway, I hope. Log file in next post.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 28th July 2009, 9:25 pm

ComboFix 09-07-28.01 - Admin 2009-07-28 23:09.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.582 [GMT 2:00]
Running from: c:\documents and settings\Admin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

FILE ::
"c:\program files\jzzdng.txt"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12936094
c:\documents and settings\All Users\Application Data\12936094\12936094
c:\documents and settings\Klas Karis\Application Data\uTorrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\Advance_Patrol-El_Futuro-2009-TPB.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\dht.dat
c:\documents and settings\Klas Karis\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Klas Karis\Application Data\uTorrent\Farbror Brun - Belgien (EP).torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\HIMYM - Season 4.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\HIMYM.1.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\HIMYM.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\Love Sex Magic - Ciara ft. Justin Timberlake.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\NATIONALTEATERN - livet är en fest -72-80.rar.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\resume.dat
c:\documents and settings\Klas Karis\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Klas Karis\Application Data\uTorrent\Royksopp - Junior [mp3-192-2009].torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\rss.dat
c:\documents and settings\Klas Karis\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Klas Karis\Application Data\uTorrent\Season 4.1.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\Season 4.torrent
c:\documents and settings\Klas Karis\Application Data\uTorrent\settings.dat
c:\documents and settings\Klas Karis\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Klas Karis\Application Data\uTorrent\utorrent.lng
c:\program files\jzzdng.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_zlcekvv


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))
.

2009-07-26 20:03 . 2009-07-26 20:03 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-07-26 11:02 . 2009-07-26 11:02 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-07-26 11:01 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-26 11:01 . 2009-07-26 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-26 11:01 . 2009-07-26 11:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-26 11:01 . 2009-07-13 11:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 11:11 . 2009-07-25 11:11 -------- d-----w- c:\documents and settings\log
2009-07-25 11:02 . 2009-07-25 11:02 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\AVG Security Toolbar
2009-07-25 10:56 . 2009-07-25 10:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-07-25 10:56 . 2009-07-25 10:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-25 10:56 . 2009-07-25 10:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-25 10:56 . 2009-07-25 10:56 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-25 10:56 . 2009-07-25 10:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-25 10:56 . 2009-07-28 10:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-25 10:56 . 2009-07-25 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-25 10:56 . 2009-07-25 10:56 -------- d-----w- c:\documents and settings\Admin\Application Data\Windows Search
2009-07-25 10:56 . 2009-07-25 10:56 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-07-25 10:56 . 2009-07-25 10:56 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-07-25 10:56 . 2009-07-25 10:56 -------- d-----w- c:\program files\AVG
2009-07-24 21:08 . 2009-07-25 11:06 4786464 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-24 21:08 . 2009-07-25 11:06 15392 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-24 21:01 . 2009-07-25 11:04 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-07-24 21:01 . 2009-07-25 11:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-24 20:55 . 2009-07-24 20:55 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Downloaded Installations
2009-07-24 17:48 . 2009-07-24 17:48 -------- d-----w- c:\program files\Enigma Software Group
2009-07-22 15:10 . 2009-07-22 15:18 -------- d-----w- c:\program files\NOS
2009-07-22 15:10 . 2009-07-22 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 15:00 . 2009-07-22 15:00 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-22 14:37 . 2009-07-22 14:51 -------- d-----w- c:\documents and settings\Admin\.SunDownloadManager
2009-07-22 14:17 . 2009-07-22 14:21 -------- d-----w- c:\documents and settings\Klas Karis\.SunDownloadManager
2009-07-22 13:55 . 2009-07-22 13:55 -------- d-----w- c:\program files\Trend Micro
2009-07-22 13:38 . 2009-07-22 13:38 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\Downloaded Installations
2009-07-22 12:58 . 2009-07-22 12:58 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\AVG Security Toolbar
2009-07-22 00:11 . 2009-07-24 17:50 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-21 23:51 . 2009-07-21 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-07-21 23:50 . 2009-07-25 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-21 23:45 . 2009-07-21 23:45 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG8
2009-07-21 23:30 . 2009-07-21 23:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\COMODO
2009-07-21 21:20 . 2009-07-21 21:20 -------- d-----w- c:\documents and settings\Klas Karis\Local Settings\Application Data\COMODO
2009-07-16 19:54 . 2009-07-16 19:56 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Move Networks
2009-07-16 19:54 . 2008-09-17 08:07 847360 ----a-w- c:\documents and settings\Klas Karis\Application Data\Mozilla\Firefox\Profiles\2tzeirqm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
2009-07-16 14:14 . 2009-07-16 14:14 -------- d-----w- c:\program files\iPod
2009-07-16 14:13 . 2009-07-16 14:14 -------- d-----w- c:\program files\iTunes
2009-07-16 14:07 . 2009-07-16 14:07 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-02 20:53 . 2009-07-05 18:39 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Move Networks
2009-07-02 20:53 . 2008-09-17 08:07 847360 ----a-w- c:\documents and settings\Lillasyster\Application Data\Mozilla\Firefox\Profiles\laphfc0t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
2009-06-29 15:54 . 2009-06-29 15:54 -------- d-----w- c:\program files\Sony Ericsson

.

Koriander
Novice
Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 28th July 2009, 9:26 pm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-26 20:03 . 2009-07-26 20:03 -------- d-----w- c:\documents and settings\Admin\Application Data\vlc
2009-07-25 11:06 . 2009-07-24 21:08 66224 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-25 11:06 . 2009-07-24 21:08 2516 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-24 21:00 . 2009-05-13 21:16 21832 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-22 15:07 . 2007-10-28 16:58 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-22 15:00 . 2009-01-23 20:48 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 14:59 . 2007-10-26 16:20 -------- d-----w- c:\program files\Java
2009-07-22 12:44 . 2008-10-12 13:23 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-22 12:44 . 2009-06-06 18:57 -------- d-----w- c:\program files\Comodo
2009-07-22 12:43 . 2009-06-17 11:00 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-07-18 13:12 . 2009-05-13 21:52 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Apple Computer
2009-07-16 14:14 . 2009-05-13 21:12 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 10:11 . 2009-01-23 21:21 1 ----a-w- c:\documents and settings\Klas Karis\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-02 11:02 . 2009-05-15 20:50 1 ----a-w- c:\documents and settings\Lillasyster\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-23 17:14 . 2009-06-23 17:14 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Windows Search
2009-06-17 11:00 . 2007-09-22 21:28 -------- d-----w- c:\program files\Norman
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 18:51 . 2009-06-15 18:51 98304 ----a-r- c:\documents and settings\Klas Karis\Application Data\Microsoft\Installer\{DE2F2D9C-53E2-40EE-8209-74DA63CB060E}\python_icon.exe
2009-06-14 11:21 . 2009-06-14 10:43 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\vlc
2009-06-14 10:41 . 2009-06-14 10:41 -------- d-----w- c:\program files\VideoLAN
2009-06-11 07:45 . 2008-10-12 13:22 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 10:45 . 2007-09-13 16:29 21832 ----a-w- c:\documents and settings\Klas Karis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:40 . 2009-06-09 19:39 -------- d-----w- c:\program files\QuickTime
2009-06-09 18:58 . 2009-06-09 18:58 21104 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-09 18:54 . 2009-06-09 18:54 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Windows Search
2009-06-07 19:07 . 2009-05-15 20:26 21832 ----a-w- c:\documents and settings\Lillasyster\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 14:17 . 2009-06-07 14:17 -------- d-----w- c:\documents and settings\Lillasyster\Application Data\Comodo
2009-06-06 19:00 . 2009-06-06 19:00 -------- d-----w- c:\documents and settings\Klas Karis\Application Data\Comodo
2009-06-06 18:51 . 2009-06-06 18:51 -------- d-----w- c:\program files\JRE
2009-06-06 18:51 . 2009-01-23 21:09 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-05 09:42 . 2009-05-13 21:13 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 09:42 . 2009-05-13 21:13 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 20:51 . 2009-05-31 20:51 152576 ----a-w- c:\documents and settings\Lillasyster\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-24 22:24 . 2008-05-26 20:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-15 18:23 . 2004-08-04 12:00 218624 ----a-w- c:\windows\system32\uxtheme.dll
2009-05-13 21:46 . 2009-05-13 21:46 152576 ----a-w- c:\documents and settings\Klas Karis\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-12 13:12 . 2007-09-22 20:13 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-07-22 14:22 . 2009-06-09 19:38 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 17:41 . 2009-07-11 17:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
- 2007-08-13 16:54 . 2009-03-08 02:31 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 12:00 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2009-04-30 21:22 25600 c:\windows\system32\jsproxy.dll
- 2009-06-11 07:36 . 2009-04-30 21:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-06-11 07:36 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
- 2008-10-12 13:20 . 2009-03-08 02:31 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-12 13:20 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-13 16:54 . 2009-04-30 21:22 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 12800 c:\windows\ie8updates\KB972260-IE8\xpshims.dll
+ 2009-07-28 20:10 . 2009-03-08 02:31 55296 c:\windows\ie8updates\KB972260-IE8\msfeedsbs.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 25600 c:\windows\ie8updates\KB972260-IE8\jsproxy.dll
+ 2009-07-28 20:05 . 2009-07-28 20:10 2712 c:\windows\SoftwareDistribution\EventCache\{5BE88E84-1DFC-4F4F-92F6-1C976C32F30B}.bin
+ 2004-08-04 12:00 . 2009-07-03 17:09 206848 c:\windows\system32\occache.dll
- 2007-08-13 16:54 . 2009-03-08 02:32 594432 c:\windows\system32\msfeeds.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 594432 c:\windows\system32\msfeeds.dll
- 2007-09-13 17:06 . 2009-07-27 23:20 219498 c:\windows\system32\inetsrv\MetaBase.bin
+ 2007-09-13 17:06 . 2009-07-28 21:15 219498 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-04 12:00 . 2009-07-03 17:09 184320 c:\windows\system32\iepeers.dll
+ 2004-08-04 12:00 . 2009-07-03 17:09 386048 c:\windows\system32\iedkcs32.dll
- 2004-08-04 12:00 . 2009-04-30 11:21 173056 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2009-07-03 11:01 173056 c:\windows\system32\ie4uinit.exe
- 2007-08-13 16:54 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 915456 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 16:44 . 2009-07-03 17:09 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-10-12 13:20 . 2009-07-03 17:09 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-12 13:20 . 2009-03-08 02:32 594432 c:\windows\system32\dllcache\msfeeds.dll
- 2009-06-11 07:36 . 2009-04-30 21:22 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-06-11 07:36 . 2009-07-03 17:09 246272 c:\windows\system32\dllcache\ieproxy.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 16:39 . 2009-07-03 17:09 386048 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-13 16:39 . 2009-07-03 11:01 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-13 16:39 . 2009-04-30 11:21 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-07-28 20:10 . 2009-07-28 20:10 248832 c:\windows\Installer\72aac.msi
+ 2009-07-28 20:10 . 2009-05-13 05:15 915456 c:\windows\ie8updates\KB972260-IE8\wininet.dll
+ 2009-07-28 20:10 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB972260-IE8\spuninst\updspapi.dll
+ 2009-07-28 20:10 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB972260-IE8\spuninst\spuninst.exe
+ 2009-07-28 20:10 . 2009-03-08 02:34 109568 c:\windows\ie8updates\KB972260-IE8\occache.dll
+ 2009-07-28 20:10 . 2009-03-08 02:32 594432 c:\windows\ie8updates\KB972260-IE8\msfeeds.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 246272 c:\windows\ie8updates\KB972260-IE8\ieproxy.dll
+ 2009-07-28 20:10 . 2009-03-08 02:31 183808 c:\windows\ie8updates\KB972260-IE8\iepeers.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 385536 c:\windows\ie8updates\KB972260-IE8\iedkcs32.dll
+ 2009-07-28 20:10 . 2009-04-30 11:21 173056 c:\windows\ie8updates\KB972260-IE8\ie4uinit.exe
+ 2004-08-04 12:00 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll
+ 2007-08-13 16:34 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll
+ 2007-08-13 16:54 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 16:54 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-12 13:20 . 2009-07-03 17:09 1985536 c:\windows\system32\dllcache\iertutil.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 1207808 c:\windows\ie8updates\KB972260-IE8\urlmon.dll
+ 2009-07-28 20:10 . 2009-05-13 05:15 5936128 c:\windows\ie8updates\KB972260-IE8\mshtml.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll
+ 2007-08-13 16:54 . 2009-07-19 16:48 11067392 c:\windows\system32\ieframe.dll
+ 2008-10-12 13:20 . 2009-07-19 16:48 11067392 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-28 20:10 . 2009-04-30 21:22 11064832 c:\windows\ie8updates\KB972260-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.

Koriander
Novice
Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 28th July 2009, 9:26 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-27 12:35 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-01-18 137216]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-17 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-17 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-22 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-25 1948440]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-11-17 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-25 10:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-07-25 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-07-25 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-07-25 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-07-25 907032]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-07-25 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-07-25 1368952]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R2 ComodoBackupService;ComodoBackupService;c:\program files\Comodo\BackUp\CmdBkSvc.exe [2009-06-06 1023488]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-07-25 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-07-25 29208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2009-07-28 c:\windows\Tasks\User_Feed_Synchronization-{60DEF766-08B7-4C4F-B5E9-562B13BD6EC7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]

2009-07-28 c:\windows\Tasks\User_Feed_Synchronization-{9E7CD024-AE9D-4426-A89F-BA3A119A6AFC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]

2009-07-28 c:\windows\Tasks\User_Feed_Synchronization-{C7899E23-2FC5-49C6-971C-389E42CD9F71}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 02:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\vcca8g3j.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Personal\bin\np_prsnl.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".se");
.

**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-28 23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(248)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-07-28 23:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-28 21:20
ComboFix2.txt 2009-07-27 23:24

Pre-Run: 258 832 523 264 bytes free
Post-Run: 258 788 446 208 bytes free

357 --- E O F --- 2009-07-28 20:10

Koriander
Novice
Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 29th July 2009, 5:46 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 29th July 2009, 6:13 pm

Since I didn't really have any problems before, I don't experience any difference. Is there any way I could check if everything is OK? Like running a full scan with AVG? Or is Norton's online scanner better?

Koriander
Novice
Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Origin on 29th July 2009, 6:48 pm

I would recommend installing Avira free edition, it's a way better AV than AVG:

[You must be registered and logged in to see this link.]

You can do a full scan with the AV and, if it catches something, post it back here. Also, can you do another Malwarebytes scan and post the log back here?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 29th July 2009, 7:16 pm

I did a quick scan with Malwarebytes. I will now install your recommended AV and do a full scan with it.

Malwarebytes log file:

Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 5.1.2600 Service Pack 3

2009-07-29 21:14:08
mbam-log-2009-07-29 (21-13-57).txt

Scan type: Quick Scan
Objects scanned: 99482
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Admin\Desktop\avenger.exe (Trojan.Agnet) -> No action taken.

Koriander
Novice
Posts : 26
Joined : 2009-07-22
OS : Windows XP Pro 2002 SP3
Points : 27008
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Origin on 29th July 2009, 8:11 pm

Everything looks clean. That was a false positive; it was a program we use to detect rootkits.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
# Likes : 0


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 29th July 2009, 9:07 pm

Avira found these threats:

#1

Information from Avira database:
Virus: TR/Dropper.Gen
Date discovered: 19/06/2007
Type: Trojan
Subtype: Dropper
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
Engine version: 7.04.00.34

#2
object: svchost
detection: DR/Agent.cqva

No details could be found in Avira database

Log report:



Avira AntiVir Personal
Report file date: den 29 juli 2009 21:42

Scanning for 1577820 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Admin
Computer name : KLAS

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 08:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 11:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 19:35:15
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 19:37:24
ANTIVIR3.VDF : 7.1.5.47 350720 Bytes 7/29/2009 19:37:56
Engineversion : 8.2.0.234
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 10:52:04
AEscript.DLL : 8.1.2.21 450939 Bytes 7/29/2009 19:39:27
AESCN.DLL : 8.1.2.4 127348 Bytes 7/29/2009 19:39:17
AERDL.DLL : 8.1.2.4 430452 Bytes 7/29/2009 19:39:13
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 15:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/29/2009 19:39:02
AEHEUR.DLL : 8.1.0.147 1884536 Bytes 7/29/2009 19:39:00
AEHELP.DLL : 8.1.5.3 233846 Bytes 7/29/2009 19:38:22
AEGEN.DLL : 8.1.1.51 352629 Bytes 7/29/2009 19:38:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 13:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/29/2009 19:38:05
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 13:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 09:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 13:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 14:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 14:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 09:19:48

Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+JOKE,+PCK,+SPR,

Start of the scan: den 29 juli 2009 21:42

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'WindowsSearch.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'NvMixerTray.exe' - '1' Module(s) have been scanned
Scan process 'nvraidservice.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'searchindexer.exe' - '1' Module(s) have been scanned
Scan process 'tcpsvcs.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'inetinfo.exe' - '1' Module(s) have been scanned
Scan process 'CmdBkSvc.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\'
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temp\svchost.exe
[DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temporary Internet Files\Content.IE5\0HOYRLBA\svchost[1].exe
[DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper
D:\Backup\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
[DETECTION] Is the TR/Dropper.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4ae4ba41.qua'!
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temp\svchost.exe
[DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper
[NOTE] The file was moved to '4ad3ba53.qua'!
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temporary Internet Files\Content.IE5\0HOYRLBA\svchost[1].exe
[DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper
[NOTE] The file was moved to '4bbe5094.qua'!
D:\Backup\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4ae4ba42.qua'!


End of the scan: den 29 juli 2009 23:06
Used time: 1:00:07 Hour(s)

The scan has been done completely.

21401 Scanned directories
459905 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
459899 Files not concerned
4090 Archives were scanned
2 Warnings
6 Notes

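The Avira report above is the kind of output a helper reads line by line: each detected file appears once in the scan phase and again under "Beginning disinfection", where the [NOTE] line says which .qua file it was moved to, and the summary at the end gives the totals. The following is an added example in Python (not part of this thread and not Avira's own tooling) that parses the report format exactly as posted, de-duplicates the per-file records, cross-checks them against the "were found" / "moved to quarantine" summary counts, and lists any detected file that was not quarantined. The two sample reports are constructed, abridged excerpts in that format; their summary counts are adjusted to match the excerpt rather than the full log above.

```python
import re
from dataclasses import dataclass

# Constructed, abridged excerpt in the Avira AntiVir report format posted above.
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
  [WARNING] The file could not be opened!
  [NOTE] This file is a Windows system file.
C:\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
Begin scan in 'D:\'
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temp\svchost.exe
  [DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper

Beginning disinfection:
C:\Documents and Settings\Klas Karis\My Documents\Downloads\setup.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
  [NOTE] The file was moved to '4ae4ba41.qua'!
D:\Backup\Documents and Settings\Klas Karis\Local Settings\Temp\svchost.exe
  [DETECTION] Contains recognition pattern of the DR/Agent.cqva dropper
  [NOTE] The file was moved to '4ad3ba53.qua'!

End of the scan: den 29 juli 2009 23:06

2 Viruses and/or unwanted programs were found
2 Files were moved to quarantine
"""

# Constructed edge case: a detection that the scanner reported but never moved.
UNHANDLED_REPORT = r"""
C:\temp\dropper.exe
  [DETECTION] Is the TR/Dropper.Gen Trojan
1 Viruses and/or unwanted programs were found
0 Files were moved to quarantine
"""


@dataclass
class Detection:
    path: str
    signature: str            # e.g. "TR/Dropper.Gen" or "DR/Agent.cqva"
    quarantined_as: str = ""  # .qua file name; empty if the file was never moved


PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a scanned file path starts with a drive letter
DETECTION_RE = re.compile(
    r"^\[DETECTION\]\s+(?:Is the|Contains recognition pattern of the)\s+(\S+)"
)
QUARANTINE_RE = re.compile(r"^\[NOTE\]\s+The file was moved to '([^']+)'")
FOUND_RE = re.compile(r"^(\d+) Viruses and/or unwanted programs were found")
MOVED_RE = re.compile(r"^(\d+) Files were moved to quarantine")


def parse_report(text):
    """Return (detections, summary): detections maps path -> Detection, summary
    holds the two counts used for the cross-check (-1 when a line is absent)."""
    detections = {}
    summary = {"found": -1, "quarantined": -1}
    current = None  # path of the file the following bracketed lines refer to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            # The same path appears in the scan phase and again in the
            # disinfection phase; keep a single record per path.
            detections.setdefault(current, Detection(current, m.group(1)))
            continue
        m = QUARANTINE_RE.match(line)
        if m and current in detections:
            detections[current].quarantined_as = m.group(1)
            continue
        m = FOUND_RE.match(line)
        if m:
            summary["found"] = int(m.group(1))
            continue
        m = MOVED_RE.match(line)
        if m:
            summary["quarantined"] = int(m.group(1))
    return detections, summary


def check_report(text):
    """Cross-check per-file records against the summary and flag detected files
    that were not quarantined (the case a helper has to follow up on)."""
    detections, summary = parse_report(text)
    quarantined = [d for d in detections.values() if d.quarantined_as]
    not_handled = [d.path for d in detections.values() if not d.quarantined_as]
    return {
        "detections": len(detections),
        "quarantined": len(quarantined),
        "summary_found": summary["found"],
        "summary_quarantined": summary["quarantined"],
        "consistent": (len(detections) == summary["found"]
                       and len(quarantined) == summary["quarantined"]),
        "not_handled": not_handled,
        "signatures": sorted({d.signature for d in detections.values()}),
    }


if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_REPORT), ("unhandled", UNHANDLED_REPORT)):
        print(name, check_report(report))
```

The "consistent" flag only says that the counts add up; the "not_handled" list is the part worth acting on, since a report can be internally consistent (one found, zero moved) and still leave a detected file on disk, as the second sample shows.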

Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Belahzur on 30th July 2009, 6:46 pm

Hello.
The files found were deleted.

How is it now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 30th July 2009, 6:49 pm

Nothing, I suppose. If Avira did its job I think it's clean. No warnings or anything since like two days ago or something.


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Koriander on 30th July 2009, 6:57 pm

So if I'm good (but even if I'm not) I really appreciated your help and everything! Now I don't need to bike to my university to check my bank accounts and stuff.
THANKS GP!


Re: Virus: Packed.Monder and trojans: Downloader.Zlob.ANTY and SHeur2.ARBS

Post by Origin on 31st July 2009, 3:35 pm

Glad we could help.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

