Trojan horse Crypt.AA


Trojan horse Crypt.AA

Post by goodeye on Thu Nov 26, 2009 8:57 pm

Hi,
Happy Thanksgiving! (Please feel free to help me tomorrow... just had some time today.)

AVG 9 has detected vngtcqb.dat Trojan horse Crypt.AA on a Windows XP Pro Media Center SP3 computer.
Symptoms are:
  • hijacked browser results (tried IE and Chrome)
  • unable to update AVG remotely
  • Malwarebytes and SuperAntiSpyware crash as soon as started even in safe mode

I did get latest AVG updates installed locally.
Neither AVG nor GMER detected any rootkit trouble.
AVG detects it in safe mode command line, and says it removes it, but it is still there. It does not detect it in normal mode with the UI scan.

Here is a hijackthis log: (I downloaded HijackThis directly from Trend Micro - the link from GeekPolice/sendspace downloads winlogon.scr, so I was unsure).

Thanks,
Bob


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:47:46 PM, on 11/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\4Team Corporation\Sync2\Sync2.exe
C:\Documents and Settings\sue\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Set\AppSetup\Utilities\Anti-Virus\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [DellNSCST_GRNCH] "C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sync2] "C:\Program Files\4Team Corporation\Sync2\Sync2.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE8E7A3D-57EC-480C-BBA5-69D50B03B95D}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7321 bytes

goodeye
Novice
Posts : 11
Joined : 2009-11-26
OS : XP Pro SP3

Re: Trojan horse Crypt.AA

Post by Belahzur on Thu Nov 26, 2009 9:17 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

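The three lines Belahzur asks to fix share a pattern: two of them point at "(no file)" (a registry entry whose target no longer exists) and one resets the IE start page to about:blank. As an added example, not part of this thread and not HijackThis's own logic, the Python below picks those entry types out of HijackThis log text. The sample lines are copied from the log posted above (plus one benign O4 line), and the pattern names are my own.

```python
"""Pick out HijackThis entries worth fixing (added example, not from the thread).

Three patterns cover the lines flagged in the reply above:
  * entries whose target is "(no file)"   -> orphaned registry reference
  * a Start Page set to about:blank       -> typical leftover of a hijack
  * a CLSID with unbalanced braces        -> malformed entry, often residue
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four lines copied from the log posted in this thread
# plus one benign O4 line, so the "leave alone" path is exercised too.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\\..\\Run: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe
"""

# HijackThis entry lines start with a section code (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R3" or "O3"
    reason: str    # why the line was selected
    line: str      # the original log line, ready to tick under "Fix Checked"


def classify(body: str) -> Optional[str]:
    """Return a reason if the entry body matches a fix pattern, else None."""
    if body.endswith("(no file)"):
        return "orphaned entry: target file no longer exists"
    if body.endswith("= about:blank"):
        return "start page reset to about:blank"
    if body.count("{") != body.count("}"):
        return "malformed CLSID (unbalanced braces)"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis log text and return the entries selected for fixing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, header and blank lines are skipped
        reason = classify(m.group("body"))
        if reason:
            findings.append(Finding(m.group("section"), reason, raw.strip()))
    return findings


def lines_to_fix(log_text: str) -> List[str]:
    """Just the raw lines, in log order, to check in HijackThis."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
```

Run against the full log it returns exactly the three lines from the reply; the O2 and O4 entries, which resolve to real files, are left alone. A "(no file)" entry is a dead reference, so removing it is low-risk, which is why helpers routinely clear them first and save the heavier tools for what remains.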
Re: Trojan horse Crypt.AA

Post by goodeye on Thu Nov 26, 2009 9:32 pm

Thank you for the quick response. I did the 3 fix steps in HijackThis, but Malwarebytes still crashes immediately after starting a scan.
edit:
Note that I had previously installed Malwarebytes, so this re-install noted it was there and up to date. It starts up, but crashes when starting a scan.

Bob


Re: Trojan horse Crypt.AA

Post by Belahzur on Fri Nov 27, 2009 12:30 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Trojan horse Crypt.AA

Post by goodeye on Fri Nov 27, 2009 7:47 pm

Combo-Fix results, thank you:

ComboFix 09-11-26.02 - sue 11/27/2009 11:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.520 [GMT -8:00]
Running from: c:\documents and settings\sue\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Business Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sue\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-27 to 2009-11-27 )))))))))))))))))))))))))))))))
.

2009-11-26 20:05 . 2009-11-26 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 20:05 . 2009-11-26 20:05 -------- d-----w- c:\program files\Java
2009-11-26 03:57 . 2009-11-26 03:57 -------- d-----w- c:\documents and settings\sue\Application Data\Malwarebytes
2009-11-26 03:53 . 2009-11-26 21:29 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-26 03:52 . 2009-02-11 18:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 03:52 . 2009-02-11 18:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 03:52 . 2009-11-26 21:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 00:05 . 2009-11-26 00:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-26 00:05 . 2009-11-26 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 17:06 . 2009-11-25 17:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-11-24 08:01 . 2009-11-24 08:01 -------- d-----w- C:\$AVG
2009-11-24 08:01 . 2009-11-24 08:01 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-24 08:01 . 2009-11-24 08:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-24 08:01 . 2009-11-24 08:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-24 08:01 . 2009-11-25 02:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-24 08:00 . 2009-11-24 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-23 20:51 . 2009-11-24 05:57 -------- d-----w- C:\AVGTemp
2009-11-21 15:40 . 2009-11-21 15:40 47360 ----a-w- c:\documents and settings\sue\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 11:16 . 2007-05-18 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 23:48 . 2007-05-20 02:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-23 20:06 . 2009-01-11 03:30 -------- d-----w- c:\program files\AVG
2009-11-21 15:40 . 2007-05-08 20:18 -------- d-----w- c:\documents and settings\sue\Application Data\Vso
2009-11-13 22:02 . 2007-05-08 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 03:16 . 2007-05-18 04:37 -------- d-----w- c:\program files\Google
2009-09-11 14:18 . 2006-08-26 12:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-08-26 12:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-02-09 12:10 . 2006-08-26 12:04 26624 ----a-w- c:\program files\vngtcqb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"Sync2"="c:\program files\4Team Corporation\Sync2\Sync2.exe" [2009-06-09 3180552]
"Google Update"="c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-01-26 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-06 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-24 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-23 15969280]

c:\documents and settings\sue\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/24/2009 12:01 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/24/2009 12:01 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/24/2009 12:01 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/24/2009 12:00 AM 285392]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [5/15/2007 8:34 AM 938112]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cmuda2;C-Media USB Audio Interface;c:\windows\system32\drivers\cmuda2.sys --> c:\windows\system32\drivers\cmuda2.sys [?]
S3 EzInstDrv;EzInstDrv;\??\d:\ezinstall\EzInstDrv.sys --> d:\ezinstall\EzInstDrv.sys [?]
S3 OpenDrvKmd;OpenDrvKmd;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\BackupVino_Data_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_Data_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_Data_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_Data_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_Data_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-14 c:\windows\Tasks\BackupVino_Data_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-22 c:\windows\Tasks\BackupVino_Data_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-23 c:\windows\Tasks\BackupVino_SystemState_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_SystemState_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_SystemState_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_SystemState_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_SystemState_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-14 c:\windows\Tasks\BackupVino_SystemState_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-22 c:\windows\Tasks\BackupVino_SystemState_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-18 16:39]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004Core.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004UA.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: time.gov
TCP: {AE8E7A3D-57EC-480C-BBA5-69D50B03B95D} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\sue\Application Data\Mozilla\Firefox\Profiles\h6ypfvll.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-KB913433 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-Pdf995 - c:\pdf995\setup.exe uninstall
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe [You must be registered and logged in to see this link.]



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-27 11:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\wininet.dll
.
Completion time: 2009-11-27 11:38
ComboFix-quarantined-files.txt 2009-11-27 19:38

Pre-Run: 59,296,718,848 bytes free
Post-Run: 62,898,663,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4EC40A884E919FF063A86FA8D56648DC


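Beyond the file AVG named, the ComboFix report above records a few host settings worth a second look: "EnableFirewall"= 0 under the standard firewall profile, FirewallOverride set in the Security Center key, and 3389:TCP (Remote Desktop) listed under GloballyOpenPorts, while vngtcqb.dat still appears in the Find3M list. The script below is an added example, not ComboFix output and not anything posted in this thread; it parses a constructed excerpt of the report (lines copied from the log) and reports those items. Reading FirewallOverride=1 as "Security Center firewall monitoring switched off by the user" is my interpretation of that XP value.

```python
"""Checks over a ComboFix report (added example, not from the thread).

Reads the REGEDIT-style "Reg Loading Points" values and the Find3M file
list and reports host settings a responder would want confirmed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: lines copied from the ComboFix log posted above.
SAMPLE_COMBOFIX = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\GloballyOpenPorts\\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 14:18 . 2006-08-26 12:04 136192 ----a-w- c:\\windows\\system32\\msv1_0.dll
2009-02-09 12:10 . 2006-08-26 12:04 26624 ----a-w- c:\\program files\\vngtcqb.dat
.
"""

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Find3M rows: "<modified> . <created> <size or dashes> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)


def parse_reg_values(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, name, value) triples; keys are lower-cased for matching."""
    out, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = REG_VAL_RE.match(line)
        if m and key:
            out.append((key, m.group("name"), m.group("value").strip()))
    return out


def parse_find3m(text: str) -> List[Dict[str, str]]:
    """Return Find3M rows as dicts with modified, created, size, attrs, path."""
    return [m.groupdict() for m in (FIND3M_RE.match(l.strip()) for l in text.splitlines()) if m]


def firewall_findings(values: List[Tuple[str, str, str]]) -> List[str]:
    """Flag a disabled firewall, a suppressed Security Center alert and open ports."""
    findings = []
    for key, name, value in values:
        if name == "FirewallOverride" and key.endswith("security center") and value.endswith("00000001"):
            findings.append("Security Center firewall monitoring is overridden (FirewallOverride=1)")
        elif name == "EnableFirewall" and "standardprofile" in key and value.startswith("0"):
            findings.append("Windows Firewall is disabled in the standard profile")
        elif "globallyopenports" in key:
            findings.append(f"inbound port open to all networks: {name}")
    return findings


def find_file(rows: List[Dict[str, str]], filename: str) -> Optional[Dict[str, str]]:
    """Return the Find3M row whose path ends with filename, or None."""
    for row in rows:
        if row["path"].lower().endswith("\\" + filename.lower()):
            return row
    return None


def run_checks(text: str, suspect: str = "vngtcqb.dat") -> List[str]:
    """All findings for one report: firewall state, then the suspect file."""
    findings = firewall_findings(parse_reg_values(text))
    row = find_file(parse_find3m(text), suspect)
    if row:
        findings.append(
            f"{suspect} still present: {row['path']} "
            f"(modified {row['modified']}, created {row['created']}, {row['size']} bytes)"
        )
    return findings


if __name__ == "__main__":
    for finding in run_checks(SAMPLE_COMBOFIX):
        print("-", finding)
```

None of these is a verdict on its own: a third-party firewall or a deliberately enabled Remote Desktop would explain the first three, and a .dat file in Program Files is only notable here because AVG already named it. The point of scripting the checks is that they are easy to skip in a long report, and the firewall state in particular decides how exposed the machine is while the cleanup is still in progress.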
Re: Trojan horse Crypt.AA

Post by Belahzur on Fri Nov 27, 2009 10:57 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Trojan horse Crypt.AA

Post by goodeye on Sat Nov 28, 2009 1:46 am

Hi,
It's running better, but I'm not sure if it's 100%.
The browser hijacking seems fixed, but AVG still can't access its update websites, and the safe mode avg scan still shows the trojan file exists (but it didn't even try to heal it this time).

Here is the result of the ComboFix /u

Thanks so much,
Bob


ComboFix 09-11-26.02 - sue 11/27/2009 16:39.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.355 [GMT -8:00]
Running from: c:\documents and settings\sue\Desktop\Combo-Fix.exe
Command switches used :: /u
AV: AVG Anti-Virus Business Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-26 20:05 . 2009-11-26 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 20:05 . 2009-11-26 20:05 -------- d-----w- c:\program files\Java
2009-11-26 03:57 . 2009-11-26 03:57 -------- d-----w- c:\documents and settings\sue\Application Data\Malwarebytes
2009-11-26 03:53 . 2009-11-26 21:29 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-26 03:52 . 2009-02-11 18:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 03:52 . 2009-02-11 18:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 03:52 . 2009-11-26 21:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 00:05 . 2009-11-26 00:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-26 00:05 . 2009-11-26 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 17:06 . 2009-11-25 17:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-11-24 08:01 . 2009-11-24 08:01 -------- d-----w- C:\$AVG
2009-11-24 08:01 . 2009-11-24 08:01 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-24 08:01 . 2009-11-24 08:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-24 08:01 . 2009-11-24 08:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-24 08:01 . 2009-11-25 02:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-24 08:00 . 2009-11-24 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-23 20:51 . 2009-11-24 05:57 -------- d-----w- C:\AVGTemp
2009-11-21 15:40 . 2009-11-21 15:40 47360 ----a-w- c:\documents and settings\sue\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 11:16 . 2007-05-18 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 23:48 . 2007-05-20 02:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-23 20:06 . 2009-01-11 03:30 -------- d-----w- c:\program files\AVG
2009-11-21 15:40 . 2007-05-08 20:18 -------- d-----w- c:\documents and settings\sue\Application Data\Vso
2009-11-13 22:02 . 2007-05-08 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 03:16 . 2007-05-18 04:37 -------- d-----w- c:\program files\Google
2009-09-11 14:18 . 2006-08-26 12:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-08-26 12:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-02-09 12:10 . 2006-08-26 12:04 26624 ----a-w- c:\program files\vngtcqb.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"Sync2"="c:\program files\4Team Corporation\Sync2\Sync2.exe" [2009-06-09 3180552]
"Google Update"="c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-01-26 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-06 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-24 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-23 15969280]

c:\documents and settings\sue\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/24/2009 12:01 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/24/2009 12:01 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/24/2009 12:01 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/24/2009 12:00 AM 285392]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [5/15/2007 8:34 AM 938112]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cmuda2;C-Media USB Audio Interface;c:\windows\system32\drivers\cmuda2.sys --> c:\windows\system32\drivers\cmuda2.sys [?]
S3 EzInstDrv;EzInstDrv;\??\d:\ezinstall\EzInstDrv.sys --> d:\ezinstall\EzInstDrv.sys [?]
S3 OpenDrvKmd;OpenDrvKmd;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-11-23 c:\windows\Tasks\BackupVino_Data_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_Data_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_Data_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_Data_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_Data_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-14 c:\windows\Tasks\BackupVino_Data_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-22 c:\windows\Tasks\BackupVino_Data_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-23 c:\windows\Tasks\BackupVino_SystemState_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_SystemState_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_SystemState_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_SystemState_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_SystemState_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-14 c:\windows\Tasks\BackupVino_SystemState_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-22 c:\windows\Tasks\BackupVino_SystemState_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-18 16:39]

2009-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004Core.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]

2009-11-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004UA.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: time.gov
TCP: {AE8E7A3D-57EC-480C-BBA5-69D50B03B95D} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\sue\Application Data\Mozilla\Firefox\Profiles\h6ypfvll.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-27 16:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3548)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-27 16:47
ComboFix-quarantined-files.txt 2009-11-28 00:47
ComboFix2.txt 2009-11-27 19:39

Pre-Run: 62,913,359,872 bytes free
Post-Run: 62,899,142,656 bytes free

- - End Of File - - 13F9E08937971EB1BE5334A9BBA9A79F

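Reading the registry and service section of the ComboFix log above, as an added example that is not part of the thread or of ComboFix: a Python checker that pulls out the settings a helper looks at first (firewall state, the Security Center override, ports opened to everyone, AppInit_DLLs loading, and drivers registered from a Temp directory or pointing at a file that no longer exists). The sample is assembled from lines of the log above.

```python
"""Flag weak settings in the 'Reg Loading Points' part of a ComboFix log.

Added example, not from the thread or from ComboFix. It reads the REGEDIT4-style
block ([key] lines followed by "name"=value lines) and the R0/R1/S3 service
lines that ComboFix prints, and returns the findings a helper wants to see at
once.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# e.g.  S3 OpenDrvKmd;OpenDrvKmd;<path> --> <path> [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


def reg_int(value):
    """Decode ComboFix's integer renderings: 'dword:00000001', '1 (0x1)', '0 (0x0)'."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"^(\d+)", value)
    return int(m.group(1)) if m else None


def parse_reg_points(text):
    """Return ({(key_lowercase, value_name): raw_value}, [service dicts])."""
    values, services, key = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[(key, m.group("name"))] = m.group("value")
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return values, services


def findings(text):
    """List human-readable findings; an empty list means nothing was flagged."""
    values, services = parse_reg_points(text)
    out = []
    for (key, name), raw in values.items():
        if key.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            if reg_int(raw) == 0:
                out.append("Windows Firewall is disabled (standard profile)")
        elif key.endswith("security center") and name == "FirewallOverride":
            if reg_int(raw) == 1:
                out.append("Security Center firewall warning is suppressed (FirewallOverride=1)")
        elif key.endswith(r"currentversion\windows") and name == "LoadAppInit_DLLs":
            if reg_int(raw) == 1:
                out.append("AppInit_DLLs loading is enabled (LoadAppInit_DLLs=1)")
        elif key.endswith(r"globallyopenports\list"):
            out.append("Port opened to all hosts in firewall policy: " + name)
    for svc in services:
        # '[?]' is how ComboFix marks a registered binary it could not find.
        if svc["info"].strip() == "?":
            out.append("Service %s points at a missing file: %s" % (svc["name"], svc["path"]))
        if "\\temp\\" in svc["path"].lower():
            out.append("Service %s loads from a Temp directory" % svc["name"])
    return out


# Sample assembled from lines of the ComboFix log in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/24/2009 12:01 AM 161800]
S3 OpenDrvKmd;OpenDrvKmd;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys [?]
"""

if __name__ == "__main__":
    for f in findings(SAMPLE):
        print("-", f)
```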

Re: Trojan horse Crypt.AA

Post by Belahzur on Sat Nov 28, 2009 7:03 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\program files\vngtcqb.dat


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Trojan horse Crypt.AA

Post by goodeye on Sat Nov 28, 2009 7:23 pm

Done.


========== FILES ==========
c:\program files\vngtcqb.dat moved successfully.

OTM by OldTimer - Version 3.1.2.0 log created on 11282009_112137


Re: Trojan horse Crypt.AA

Post by Belahzur on Sun Nov 29, 2009 1:57 am

Still having problems now? That file you pointed out at the start is now gone.



Re: Trojan horse Crypt.AA

Post by goodeye on Sun Nov 29, 2009 3:14 am

Hi,
Thanks for checking - the full scan takes a long time.
AVG still sees the file, and is still blocked from updating remotely.
Actually, AVG now sees the active file and the one that was moved to _OTM. Excerpt from AVG safe mode command line scan:

... (many entries marked: Locked file. Not tested. )
C:\Program Files\vngtcqb.dat Trojan horse Crypt.AA Object was moved to Virus Vault.
...
C:\_OTM\MovedFiles\11282009_112137\c_program files\vngtcqb.dat Trojan horse Crypt.AA Object was moved to Virus Vault.

Thanks again,
Bob


Re: Trojan horse Crypt.AA

Post by Belahzur on Sun Nov 29, 2009 7:03 pm

Hmm, something regenerated it.

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\msasn1.dll
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.



Re: Trojan horse Crypt.AA

Post by goodeye on Sun Nov 29, 2009 7:58 pm

It was in their system before, but I had it scanned again just in case.

Filename: msasn1.dll
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sun 29 Nov 2009 20:26:40 (CET)

Thanks,
Bob


Re: Trojan horse Crypt.AA

Post by Belahzur on Mon Nov 30, 2009 12:12 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: Trojan horse Crypt.AA

Post by goodeye on Mon Nov 30, 2009 2:01 am

Hi,

Here are the GMER results. Looks similar to my original scan. I can pop this to AVG if you wish, but I do appreciate you working on it.

Thanks,
Bob

GMER 1.0.15.15252 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-29 17:58:59
Windows 5.1.2600 Service Pack 3
Running: bobgmr.exe; Driver: C:\DOCUME~1\sue\LOCALS~1\Temp\pxtdypog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe[220] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Java\jre6\bin\jqs.exe[272] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[372] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\AVG\AVG9\avgam.exe[440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\AVG\AVG9\avgam.exe[440] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\AVG\AVG9\avgam.exe[440] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\AVG\AVG9\avgnsx.exe[548] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\winlogon.exe[728] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\winlogon.exe[728] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\winlogon.exe[728] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\winlogon.exe[728] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\winlogon.exe[728] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\winlogon.exe[728] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\winlogon.exe[728] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\winlogon.exe[728] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\services.exe[780] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\services.exe[780] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\services.exe[780] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\services.exe[780] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\services.exe[780] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\services.exe[780] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\lsass.exe[792] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\lsass.exe[792] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[984] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\System32\svchost.exe[1148] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\System32\svchost.exe[1148] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\System32\svchost.exe[1148] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\System32\svchost.exe[1148] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\System32\svchost.exe[1148] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\spoolsv.exe[1532] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\spoolsv.exe[1532] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\spoolsv.exe[1532] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\spoolsv.exe[1532] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\spoolsv.exe[1532] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\spoolsv.exe[1532] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\spoolsv.exe[1532] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\spoolsv.exe[1532] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\svchost.exe[1868] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\svchost.exe[1868] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\svchost.exe[1868] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1916] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\eHome\ehRecvr.exe[1964] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\eHome\ehSched.exe[1988] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\eHome\ehSched.exe[1988] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\eHome\ehSched.exe[1988] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\eHome\ehSched.exe[1988] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\eHome\ehSched.exe[1988] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\eHome\ehSched.exe[1988] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\eHome\ehSched.exe[1988] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\eHome\ehSched.exe[1988] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\WINDOWS\system32\dllhost.exe[2520] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\dllhost.exe[2520] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\dllhost.exe[2520] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\dllhost.exe[2520] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\dllhost.exe[2520] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\dllhost.exe[2520] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10093D80
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10093BF0
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10093DF0
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10093AA4
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10093218
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100927E8
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1009277C
.text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3564] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10093A50
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\eHome\ehmsas.exe[3596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\eHome\ehmsas.exe[3596] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\eHome\ehmsas.exe[3596] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10093D80
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10093BF0
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10093DF0
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10093AA4
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10093218
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100927E8
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1009277C
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3604] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10093A50
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[3616] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\PROGRA~1\AVG\AVG9\avgtray.exe[3676] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\Program Files\Java\jre6\bin\jusched.exe[3724] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10033D80
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10033BF0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10033DF0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10033AA4
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10033218
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100327E8
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] WS2_32.dll!recv 71AB676F 5 Bytes JMP 1003277C
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3748] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10033A50
.text C:\WINDOWS\system32\ctfmon.exe[3860] ntdll.dll!NtOpenKey 7C90D5CE 5 Bytes JMP 10003D80
.text C:\WINDOWS\system32\ctfmon.exe[3860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10003BF0
.text C:\WINDOWS\system32\ctfmon.exe[3860] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 10003DF0
.text C:\WINDOWS\system32\ctfmon.exe[3860] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 10003AA4
.text C:\WINDOWS\system32\ctfmon.exe[3860] ws2_32.dll!send 71AB4C27 5 Bytes JMP 10003218
.text C:\WINDOWS\system32\ctfmon.exe[3860] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027E8
.text C:\WINDOWS\system32\ctfmon.exe[3860] ws2_32.dll!recv 71AB676F 5 Bytes JMP 1000277C
.text C:\WINDOWS\system32\ctfmon.exe[3860] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10003A50

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


Re: Trojan horse Crypt.AA

Post by goodeye on Mon Nov 30, 2009 5:31 pm

Hi,

Sorry, but the browser hijacking symptom is back. Should I just re-do the steps from the beginning?

Thanks,
Bob


Re: Trojan horse Crypt.AA

Post by Belahzur on Mon Nov 30, 2009 8:19 pm

Re-run Combofix, post the new log. We'll get to the bottom of this eventually.





Re: Trojan horse Crypt.AA

Post by goodeye on Mon Nov 30, 2009 8:57 pm

New Combo-Fix (it warned of a newer version, so I re-downloaded/renamed it from your link):

ComboFix 09-11-30.02 - sue 11/30/2009 12:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.484 [GMT -8:00]
Running from: c:\documents and settings\sue\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Business Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-28 19:21 . 2009-11-28 19:21 -------- d-----w- C:\_OTM
2009-11-26 20:05 . 2009-11-26 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-26 20:05 . 2009-11-26 20:05 -------- d-----w- c:\program files\Java
2009-11-26 03:57 . 2009-11-26 03:57 -------- d-----w- c:\documents and settings\sue\Application Data\Malwarebytes
2009-11-26 03:53 . 2009-11-26 21:29 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-26 03:52 . 2009-02-11 18:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-26 03:52 . 2009-02-11 18:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-26 03:52 . 2009-11-26 21:29 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2009-11-26 03:52 . 2009-11-26 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 00:05 . 2009-11-26 00:05 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-26 00:05 . 2009-11-26 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-11-26 00:04 . 2009-11-26 00:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-25 17:06 . 2009-11-25 17:06 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2009-11-24 08:01 . 2009-11-24 08:01 -------- d-----w- C:\$AVG
2009-11-24 08:01 . 2009-11-24 08:01 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-24 08:01 . 2009-11-24 08:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-24 08:01 . 2009-11-24 08:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-24 08:01 . 2009-11-24 08:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-24 08:01 . 2009-11-25 02:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-24 08:00 . 2009-11-24 08:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-23 20:51 . 2009-11-24 05:57 -------- d-----w- C:\AVGTemp
2009-11-21 15:40 . 2009-11-21 15:40 47360 ----a-w- c:\documents and settings\sue\Application Data\pcouffin.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 14:19 . 2007-05-18 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-25 23:48 . 2007-05-20 02:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-23 20:06 . 2009-01-11 03:30 -------- d-----w- c:\program files\AVG
2009-11-21 15:40 . 2007-05-08 20:18 -------- d-----w- c:\documents and settings\sue\Application Data\Vso
2009-11-13 22:02 . 2007-05-08 03:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 03:16 . 2007-05-18 04:37 -------- d-----w- c:\program files\Google
2009-09-11 14:18 . 2006-08-26 12:04 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-08-26 12:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-02-09 12:10 . 2006-08-26 12:04 26624 ----a-w- c:\program files\vngtcqb.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 00:31 . 2009-11-30 00:31 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-18 68856]
"Sync2"="c:\program files\4Team Corporation\Sync2\Sync2.exe" [2009-06-09 3180552]
"Google Update"="c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-10 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-02-07 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-01-26 143360]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-06 278528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-24 2020120]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-26 149280]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-01-23 15969280]

c:\documents and settings\sue\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-24 08:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [11/24/2009 12:01 AM 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/24/2009 12:01 AM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/24/2009 12:01 AM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/23/2009 8:43 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/23/2009 8:43 AM 74480]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/24/2009 12:00 AM 285392]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [5/15/2007 8:34 AM 938112]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 cmuda2;C-Media USB Audio Interface;c:\windows\system32\drivers\cmuda2.sys --> c:\windows\system32\drivers\cmuda2.sys [?]
S3 EzInstDrv;EzInstDrv;\??\d:\ezinstall\EzInstDrv.sys --> d:\ezinstall\EzInstDrv.sys [?]
S3 OpenDrvKmd;OpenDrvKmd;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CheckModel.tmp\OpenDrvKmd.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/23/2009 8:43 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - pxtdypog
.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\BackupVino_Data_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_Data_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_Data_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_Data_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_Data_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-28 c:\windows\Tasks\BackupVino_Data_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-29 c:\windows\Tasks\BackupVino_Data_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-30 c:\windows\Tasks\BackupVino_SystemState_Set1.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-24 c:\windows\Tasks\BackupVino_SystemState_Set2.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-25 c:\windows\Tasks\BackupVino_SystemState_Set3.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-26 c:\windows\Tasks\BackupVino_SystemState_Set4.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-27 c:\windows\Tasks\BackupVino_SystemState_Set5.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-28 c:\windows\Tasks\BackupVino_SystemState_Set6.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-29 c:\windows\Tasks\BackupVino_SystemState_Set7.job
- c:\windows\system32\ntbackup.exe [2006-08-26 00:12]

2009-11-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-18 16:39]

2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004Core.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]

2009-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1757981266-2000478354-725345543-1004UA.job
- c:\documents and settings\sue\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-10 16:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: time.gov
TCP: {AE8E7A3D-57EC-480C-BBA5-69D50B03B95D} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\sue\Application Data\Mozilla\Firefox\Profiles\h6ypfvll.default\
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-30 12:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\wininet.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-30 12:54
ComboFix-quarantined-files.txt 2009-11-30 20:54
ComboFix2.txt 2009-11-27 19:39

Pre-Run: 62,929,608,704 bytes free
Post-Run: 62,899,683,328 bytes free

- - End Of File - - 19C42CF9E730988BC12D6483F843332A


Re: Trojan horse Crypt.AA

Post by goodeye on Sat Dec 12, 2009 7:40 pm

Hi,
Just letting you know this was resolved by AVG. I really appreciate your efforts, but this seemed new even to them. I had to send them the reappearing file, since their scans were finding nothing wrong.
The cause was in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
There was a midi9 key with a value that was obviously the virus.
A fresh download of AVG's remagent fixer program removed it.

Again, thanks for all your work here.
Bob
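The Drivers32 key named in the post above is a legitimate Windows loading point: every process that initialises the multimedia subsystem loads the DLLs listed there (midi*, wave*, aux*, msacm.*, vidc.*), so a stray value like midi9 pointing at an unexpected file gets code into most GUI processes without a Run key. The script below is an added example, not from the thread, AVG or any of the tools in it; it audits that key on a Windows host and flags entries that do not look like stock multimedia drivers. The key and value names are real; the flagging heuristics are mine, and it assumes Windows PowerShell 3.0 or later run elevated.

```powershell
# Added example (not from the thread): audit Drivers32 for entries that do not
# resemble stock multimedia drivers. Flags are leads to inspect, not verdicts.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'  # 32-bit view on x64
)
$system32 = Join-Path $env:SystemRoot 'System32'
$okExt    = @('.dll', '.drv', '.acm', '.ax')   # extensions normally seen in this key

function Test-Drivers32Value {
    param([string]$Name, [string]$Value)
    $reasons = @()
    $rooted  = [IO.Path]::IsPathRooted($Value)
    # Bare file names resolve against System32; explicit paths do occur
    # (e.g. msacm.l3acm on current Windows) but should stay inside System32.
    $path = if ($rooted) { $Value } else { Join-Path $system32 $Value }
    if ($rooted -and -not $path.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $reasons += 'path outside System32'
    }
    if ($okExt -notcontains [IO.Path]::GetExtension($Value).ToLower()) {
        $reasons += 'unexpected file extension'          # e.g. a .dat "driver"
    }
    if (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'target file not found'
    } else {
        # Catalog-signed OS files may report NotSigned on older hosts; treat as a lead.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
        $age = (Get-Date) - (Get-Item -LiteralPath $path).LastWriteTime
        if ($age.TotalDays -lt 30) { $reasons += 'file modified in the last 30 days' }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Name = $Name; Value = $Value; Resolved = $path; Flags = ($reasons -join '; ') }
    }
}

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }             # provider metadata (PSPath, PSParentPath, ...)
        $value = [string]$p.Value
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        Test-Drivers32Value -Name $p.Name -Value $value
    }
}
```

On a clean host this prints nothing or only catalog-signature leads; an entry with a non-driver extension or a path under Program Files is the pattern the post describes.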
