Trojan horse PSW Banker5.ANMF


Trojan horse PSW Banker5.ANMF

Post by blair on Sat Jan 16, 2010 2:43 pm

Hello

I have Trojan horse.banker on my computer. I have run an AVG virus scan; it tells me it's in the file ….\Internet Explorer\pdm2.dll (Trojan horse PSW Banker5.ANMF) and it is unable to move it to the vault or heal it. I also downloaded and ran Malwarebytes, which tells me the same thing and also that the file ie8props.propdesc is infected. They are both in my "Internet Explorer" directory. The Trojan came in a zip file sent repeatedly to my girlfriend's email account; it has emailed itself to all of her contact list repeatedly too. I think you can hear it working: my computer makes a series of clicking sounds by itself (like when you open a web page).

Any help would be very much appreciated, thank you very much.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:36 AM, on 1/16/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\apache\bin\ApacheMonitor.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Users\home\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Bho - Browser helper object - {16C56787-98F8-4DBE-9B60-82E31BAD4314} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Bho - Browser helper object - {339DFEAF-D1E7-45C3-A5B4-B00E8616EB56} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Bho - Browser helper object - {5C92058F-071C-4FCA-9A45-D7C10A84EF4E} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: Bho - Browser helper object - {63B60A16-5611-4624-8600-3798C743AF9B} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\Windows\p_981116.exe /Q:A
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\apache\bin\ApacheMonitor.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\Windows\system32\Shdocvw.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\apache\bin\httpd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: dlbu_device - - C:\Windows\system32\dlbucoms.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: RelevantKnowledge - Unknown owner - C:\Program Files\RelevantKnowledge\rlservice.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: srvwinupd - Unknown owner - C:\Windows\system32\ntkrnlp.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11436 bytes


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Sat Jan 16, 2010 6:25 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Bho - Browser helper object - {16C56787-98F8-4DBE-9B60-82E31BAD4314} - C:\PROGRA~1\INTERN~1\pdm2.dll
    O2 - BHO: Bho - Browser helper object - {339DFEAF-D1E7-45C3-A5B4-B00E8616EB56} - C:\PROGRA~1\INTERN~1\pdm2.dll
    O2 - BHO: Bho - Browser helper object - {5C92058F-071C-4FCA-9A45-D7C10A84EF4E} - C:\PROGRA~1\INTERN~1\pdm2.dll
    O2 - BHO: Bho - Browser helper object - {63B60A16-5611-4624-8600-3798C743AF9B} - C:\PROGRA~1\INTERN~1\pdm2.dll
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\Windows\p_981116.exe /Q:A



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.
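A small triage script, added here as an illustration (it is not part of the thread and not a HijackThis feature): it parses the R3/O2 lines of an HJT log like the one posted above and flags two patterns a helper looks for, a hook whose target is "(no file)" and one DLL registered as a BHO under several different CLSIDs, which is exactly how pdm2.dll appears in this log. The sample lines are copied from the posted log; the O4 entry Belahzur also fixed is not covered by these two checks.

```python
import re
from collections import defaultdict

# Constructed sample: R3/O2 lines copied from the HijackThis log posted in this
# thread (the four "Bho" entries, the orphaned URLSearchHook and benign entries).
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Bho - Browser helper object - {16C56787-98F8-4DBE-9B60-82E31BAD4314} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Bho - Browser helper object - {339DFEAF-D1E7-45C3-A5B4-B00E8616EB56} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: Bho - Browser helper object - {5C92058F-071C-4FCA-9A45-D7C10A84EF4E} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: Bho - Browser helper object - {63B60A16-5611-4624-8600-3798C743AF9B} - C:\PROGRA~1\INTERN~1\pdm2.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
"""

# HJT writes "<section> - <kind>: <name> - {<CLSID>} - <path>". The name itself
# may contain " - " (as "Bho - Browser helper object" does), so the name is
# matched non-greedily and the CLSID braces anchor the split. A leading "*"
# before the CLSID (seen on the orphaned R3 hook) is tolerated.
ENTRY_RE = re.compile(
    r"^(?P<section>R3|O2) - (?P<kind>URLSearchHook|BHO): (?P<name>.*?) - "
    r"\*?\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)


def parse_hjt(text):
    """Return one dict per recognised R3/O2 line, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["clsid"] = entry["clsid"].upper()
            entry["raw"] = line.strip()
            entries.append(entry)
    return entries


def dll_to_clsids(entries):
    """Map each BHO DLL path (case-folded) to the CLSIDs it is registered under."""
    index = defaultdict(list)
    for e in entries:
        if e["kind"] == "BHO":
            index[e["path"].lower()].append(e["clsid"])
    return dict(index)


def flag_entries(entries):
    """Return (raw line, reasons) for every entry that trips a heuristic."""
    index = dll_to_clsids(entries)
    shared = {path for path, ids in index.items() if len(set(ids)) > 1}
    flagged = []
    for e in entries:
        reasons = []
        if e["path"] == "(no file)":
            reasons.append("registration points at a file that no longer exists")
        if e["kind"] == "BHO" and e["path"].lower() in shared:
            n = len(set(index[e["path"].lower()]))
            reasons.append("same DLL registered under %d different CLSIDs" % n)
        if reasons:
            flagged.append((e["raw"], reasons))
    return flagged


def lines_to_fix(text):
    """Convenience wrapper: the raw lines a helper would ask to be checked."""
    return [raw for raw, _ in flag_entries(parse_hjt(text))]


if __name__ == "__main__":
    for raw, reasons in flag_entries(parse_hjt(SAMPLE_HJT_LOG)):
        print(raw)
        for r in reasons:
            print("    ->", r)
```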



Re: Trojan horse PSW Banker5.ANMF

Post by blair on Sun Jan 17, 2010 5:49 am

Thank you for replying to my last post, but unfortunately I followed the instructions and it has not seemed to remove the trojan. I have pasted the MBAM log as asked, thank you.

Malwarebytes' Anti-Malware 1.44
Database version: 3573
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865

1/17/2010 12:22:11 AM
mbam-log-2010-01-17 (00-22-11).txt

Scan type: Quick Scan
Objects scanned: 99635
Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\ielowutil2.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\pdm2.dll (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Users\home\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Sun Jan 17, 2010 4:54 pm

Hello.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.


Please PM me if I fail to respond within 24hrs.



Re: Trojan horse PSW Banker5.ANMF

Post by blair on Sun Jan 17, 2010 5:31 pm

This is the first one. Thank you for taking the time to help me; your service is amazing.

DDS (Ver_09-12-01.01) - NTFSx86
Run by home at 12:08:10.16 on Sun 01/17/2010
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2814.1420 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k nȯne
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\apache\bin\ApacheMonitor.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\taskeng.exe
C:\apache\bin\httpd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\dlbucoms.exe
C:\apache\bin\httpd.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\ntkrnlp.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system\sqlite\sqlite3.exe
C:\Windows\system32\conime.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysql.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Users\home\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
mCustomizeSearch = [You must be registered and logged in to see this link.]
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [DLBUCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLBUtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\home\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\apache\bin\ApacheMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\realit~1.lnk - c:\program files\reality fusion\reality fusion gamecam se\program\RFTRay.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snapfi~1.lnk - c:\program files\snapfish picture mover\SnapfishMediaDetector.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - [You must be registered and logged in to see this link.]
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - [You must be registered and logged in to see this link.]
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - [You must be registered and logged in to see this link.]
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-11 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-11 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-11 108552]
R2 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2009-9-28 24645]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-9-11 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-11 297752]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-20 365952]
R2 srvwinupd;srvwinupd;c:\windows\system32\ntkrnlp.exe [2010-1-10 557568]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-20 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-5-9 43040]
S2 RelevantKnowledge;RelevantKnowledge;c:\program files\relevantknowledge\rlservice.exe /service --> c:\program files\relevantknowledge\rlservice.exe [?]

=============== Created Last 30 ================

2010-01-15 23:05:03 0 d-----w- c:\program files\Enigma Software Group
2010-01-14 14:41:40 0 d-----w- c:\users\home\appdata\roaming\Malwarebytes
2010-01-14 14:41:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 14:41:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 14:41:33 0 d-----w- c:\programdata\Malwarebytes
2010-01-14 14:41:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-13 21:03:42 76 --sh--w- C:\desktop.ini
2010-01-13 21:03:42 516424 ----a-w- C:\Garden.jpg
2010-01-13 15:23:33 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-13 05:24:56 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 05:24:56 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 05:24:53 1399296 ----a-w- c:\windows\system32\msxml6.dll
2010-01-13 05:24:52 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-01-13 05:24:42 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 05:24:39 714240 ----a-w- c:\windows\system32\timedate.cpl
2010-01-13 05:15:51 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-13 05:15:51 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-13 05:15:51 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-13 05:15:35 2035712 ----a-w- c:\windows\system32\win32k.sys
2010-01-13 05:15:33 244224 ----a-w- c:\windows\system32\rastls.dll
2010-01-13 05:15:32 281600 ----a-w- c:\windows\system32\raschap.dll
2010-01-13 05:15:28 351232 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-13 04:58:30 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-13 04:58:09 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-13 04:57:57 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-13 04:57:57 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-13 02:45:38 0 d-----r- C:\pictures
2010-01-11 01:12:22 2240 ----a-w- c:\windows\system32\acpi.vxd
2010-01-11 01:12:07 557568 ----a-w- c:\windows\system32\ntkrnlp.exe
2010-01-03 03:04:45 0 d-----w- c:\windows\system\sqlite
2010-01-03 02:18:50 49175 ----a-w- c:\windows\php3.ini
2010-01-03 02:18:50 48985 ----a-w- c:\windows\php.ini
2010-01-03 02:17:37 50177 ----a-w- c:\windows\php2.ini
2009-12-20 01:31:08 0 d-----w- c:\users\home\appdata\roaming\Printer Info Cache

==================== Find3M ====================

2010-01-17 04:03:47 27744 ----a-w- c:\programdata\nvModes.dat
2009-12-11 19:05:28 1154 ----a-w- c:\users\home\appdata\roaming\wklnhst.dat
2009-12-07 15:02:21 70984 ----a-w- c:\users\home\g2mdlhlpx.exe
2009-12-06 03:35:39 133472 ----a-w- c:\windows\hppins20.dat
2009-12-05 16:42:04 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-05 16:42:03 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-12-05 16:42:03 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-29 06:37:40 159722 ----a-w- c:\windows\Scan to PDF Uninstaller.exe
2009-11-28 15:02:33 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-10 17:25:21 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-11-10 17:25:21 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-04-20 11:26:16 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-04-20 11:26:15 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:09:15.50 ===============


Re: Trojan horse PSW Banker5.ANMF

Post by blair on Sun Jan 17, 2010 5:33 pm

Sorry boss, hope you wanted me to post this, as all say to zip it but you state post both, so here it is. Thanks.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 6/3/2009 11:45:31 AM
System Uptime: 1/17/2010 9:48:46 AM (3 hours ago)

Motherboard: Wistron | | 303C
Processor: AMD Sempron(tm) SI-42 | Socket A | 2100/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 139 GiB total, 90.651 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1.777 GiB free.
E: is CDROM (UDF)

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

32 Bit HP CIO Components Installer
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player
Apache HTTP Server 2.2.14
Atheros Driver Installation Program
AVG Free 8.5
BufferChm
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CyberLink DVD Suite
D2300
D2300_Help
Destinations
DeviceManagementQFolder
ESU for Microsoft Vista
GoToMeeting 4.1.0.366
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Deskjet & Photosmart Printer Driver Software 8.0.A
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Imaging Device Functions 8.0
HP Photosmart Essential
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Total Care Setup
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
Java(TM) 6 Update 17
Java(TM) 6 Update 7
Juno Preloader
LabelPrint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Live Search Toolbar
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee Reveal
My HP Games
MySQL Server 5.1
NetWaiting
NetZero Preloader
NVIDIA Drivers
PHP 5.2.11
Power2Go
PowerDirector
QuickCam
RealPlayer 7 Basic
Scan to PDF
SF_CDA_ProductContext
SF_CDA_Software
Skype web features
Skype™ 4.1
Snapfish Picture Mover
SPORE Creature Creator Trial Edition
Status
Synaptics Pointing Device Driver
System Requirements Lab
TextPad 5
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB934528)
VLC media player 1.0.1
WebReg
WinRAR archiver
WinZip

==== End Of File ===========================


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Sun Jan 17, 2010 6:19 pm

Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Java(TM) 6 Update 7
  • Click on the Uninstall/Change button at the top.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    RelevantKnowledge


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Trojan horse PSW Banker5.ANMF

Post by blair on Mon Jan 18, 2010 6:08 am

OK, I did it. It did not ask me to restart or anything. Hope this is the log you need. Thanks, and sorry I am using so much of your time on this.

========== SERVICES/DRIVERS ==========
Service RelevantKnowledge stopped successfully!
Service RelevantKnowledge deleted successfully!

OTM by OldTimer - Version 3.1.6.0 log created on 01182010_010545


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Mon Jan 18, 2010 10:17 pm

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?




Re: Trojan horse PSW Banker5.ANMF

Post by blair on Wed Jan 20, 2010 3:46 pm

OK boss, did all that and ran malware but still the same thing, not having any luck. I don't know, it seems undeletable, the little bugger :smile2:


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Wed Jan 20, 2010 6:41 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Re: Trojan horse PSW Banker5.ANMF

Post by blair on Thu Jan 21, 2010 4:57 am

OK, cool, all done. ComboFix automatically restarted the computer, then after it produced the text file I tried to open Internet Explorer and then other programs, and I always got a message, something like "on list for deletion", and it would not let me use any program, so I restarted the computer and no problem, everything works like before. Anyway, thank you for hanging in on this with me. Here is the text file:

ComboFix 10-01-20.04 - home 01/20/2010 23:23:57.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2814.1400 [GMT -5:00]
Running from: c:\users\home\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-186019699-3343149589-3958151831-500
c:\$recycle.bin\S-1-5-21-2142106011-534984412-2782509602-500
C:\desktop.ini
C:\ErrLog.txt
c:\program files\Internet Explorer\acpi.vxd
c:\program files\Internet Explorer\ielowutil2.exe
c:\program files\Internet Explorer\pdm2.dll
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\system32\acpi.vxd
c:\windows\system32\Cache
c:\windows\system32\ntkrnlp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_srvwinupd


((((((((((((((((((((((((( Files Created from 2009-12-21 to 2010-01-21 )))))))))))))))))))))))))))))))
.

2010-01-21 04:31 . 2010-01-21 04:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-15 23:05 . 2010-01-15 23:05 -------- d-----w- c:\program files\Enigma Software Group
2010-01-14 14:41 . 2010-01-14 14:41 -------- d-----w- c:\users\home\AppData\Roaming\Malwarebytes
2010-01-14 14:41 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 14:41 . 2010-01-14 14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 14:41 . 2010-01-14 14:41 -------- d-----w- c:\programdata\Malwarebytes
2010-01-14 14:41 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-13 15:23 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-13 05:24 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 05:24 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 05:24 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2010-01-13 05:24 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-01-13 05:24 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
2010-01-13 05:15 . 2009-11-03 22:17 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-13 05:15 . 2009-11-03 22:15 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-13 05:15 . 2009-11-03 19:53 411136 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-13 05:15 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2010-01-13 05:15 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2010-01-13 05:15 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll
2010-01-13 05:15 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2010-01-13 04:58 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-01-13 04:58 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2010-01-13 04:58 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2010-01-13 04:58 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-01-13 04:58 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2010-01-13 04:58 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2010-01-13 04:58 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-01-13 04:57 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-01-13 04:57 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-01-13 02:45 . 2010-01-13 21:03 -------- d-----r- C:\pictures
2010-01-03 03:04 . 2010-01-15 04:34 -------- d-----w- c:\windows\system\sqlite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-21 04:34 . 2009-09-09 12:28 27744 ----a-w- c:\programdata\nvModes.dat
2010-01-21 04:32 . 2009-11-11 04:24 -------- d-----w- c:\users\home\AppData\Roaming\Skype
2010-01-21 02:10 . 2009-11-11 04:25 -------- d-----w- c:\users\home\AppData\Roaming\skypePM
2010-01-18 06:02 . 2009-04-20 12:31 -------- d-----w- c:\program files\Java
2010-01-17 05:25 . 2009-09-12 00:50 -------- d-----w- c:\programdata\avg8
2010-01-14 16:12 . 2009-11-10 14:52 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 16:16 . 2009-11-17 16:56 -------- d-----w- c:\program files\Bearshare Premium P2P
2010-01-13 15:40 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-10 16:01 . 2009-11-17 16:56 -------- d-----w- c:\users\home\AppData\Roaming\Bearshare Premium P2P
2010-01-02 21:39 . 2009-11-29 05:57 -------- d-----w- c:\program files\dl_Cats
2009-12-24 18:51 . 2009-12-12 13:33 2066200 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-12-20 01:31 . 2009-12-20 01:31 -------- d-----w- c:\users\home\AppData\Roaming\Printer Info Cache
2009-12-20 01:31 . 2009-12-20 01:31 -------- d-----w- c:\users\home\AppData\Roaming\Image Zone Express
2009-12-11 19:05 . 2009-11-11 01:33 1154 ----a-w- c:\users\home\AppData\Roaming\wklnhst.dat
2009-12-07 15:02 . 2009-12-07 15:02 -------- d-----w- c:\program files\Citrix
2009-12-07 15:02 . 2009-12-07 15:02 70984 ----a-w- c:\users\home\g2mdlhlpx.exe
2009-12-06 03:35 . 2009-12-05 16:36 133472 ----a-w- c:\windows\hppins20.dat
2009-12-05 17:25 . 2009-12-05 17:25 -------- d-----w- c:\programdata\WEBREG
2009-12-05 17:25 . 2009-12-05 17:25 -------- d-----w- c:\users\home\AppData\Roaming\HP
2009-12-05 17:24 . 2009-12-05 17:21 -------- d-----w- c:\program files\Common Files\HP
2009-12-05 17:24 . 2009-04-20 12:35 -------- d-----w- c:\program files\HP
2009-12-05 17:22 . 2009-12-05 16:34 -------- d-----w- c:\programdata\HP
2009-12-05 16:44 . 2009-04-20 11:10 -------- d-----w- c:\programdata\Hewlett-Packard
2009-12-04 19:28 . 2009-04-20 12:18 -------- d-----w- c:\programdata\CyberLink
2009-11-30 13:59 . 2009-04-20 11:28 -------- d-----w- c:\programdata\WildTangent
2009-11-30 13:39 . 2009-11-30 13:39 -------- d-----w- c:\programdata\MySQL
2009-11-30 13:39 . 2009-11-30 13:39 -------- d-----w- c:\program files\MySQL
2009-11-29 06:37 . 2009-11-29 06:37 159722 ----a-w- c:\windows\Scan to PDF Uninstaller.exe
2009-11-29 06:37 . 2009-11-29 06:37 -------- d-----w- c:\program files\Scan to PDF
2009-11-29 06:15 . 2009-11-29 06:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-29 06:15 . 2009-11-29 06:16 38208 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-11-29 06:15 . 2009-11-29 06:08 38208 ----a-w- c:\users\home\AppData\Roaming\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-11-29 06:14 . 2009-09-07 07:08 -------- d-----w- c:\users\home\AppData\Roaming\Snapfish
2009-11-29 06:08 . 2009-11-29 06:08 -------- d-----w- c:\users\home\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-11-28 15:10 . 2009-11-28 15:10 -------- d-----w- c:\users\home\AppData\Roaming\GTek
2009-11-28 15:02 . 2009-11-28 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-11-28 04:18 . 2009-11-28 04:18 -------- d-----w- c:\users\home\AppData\Roaming\CyberLink
2009-11-26 23:13 . 2009-09-12 00:22 -------- d-----w- c:\users\home\AppData\Roaming\vlc
2009-11-21 06:40 . 2010-01-13 05:23 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2010-01-13 05:23 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2010-01-13 05:23 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2010-01-13 05:23 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-11 04:25 . 2009-11-11 04:25 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-11 04:19 . 2009-11-11 04:16 15318232 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en-us\Installers\SetupGamesClient.exe
2009-11-10 17:25 . 2009-11-10 17:25 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-11-10 17:25 . 2009-11-10 17:25 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-04-20 11:26 . 2009-04-20 11:16 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-11-10 20480]
"DLBUCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2007-02-12 73728]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
Monitor Apache Servers.lnk - c:\apache\bin\ApacheMonitor.exe [2009-9-28 41051]
Reality Fusion GameCam SE.lnk - c:\program files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe [2000-7-10 323584]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-5-7 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [9/11/2009 7:51 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [9/11/2009 7:51 PM 108552]
R2 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [9/28/2009 10:41 PM 24645]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/11/2009 7:50 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/11/2009 7:50 PM 297752]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [4/20/2009 7:35 AM 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [4/20/2009 6:25 AM 193840]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [5/9/2008 2:17 PM 43040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-HijackThis - c:\users\home\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\APW8R4BL\HijackThis.exe
AddRemove-WinZip - c:\program files\WinZip\WINZIP32.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-20 23:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlbucoms.exe
c:\program files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\conime.exe
c:\windows\System32\rundll32.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
.
**************************************************************************
.
Completion time: 2010-01-20 23:40:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-21 04:40

Pre-Run: 97,428,983,808 bytes free
Post-Run: 98,054,782,976 bytes free

- - End Of File - - FC335A1F0B69B25E551E15729E6EA056

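The ComboFix log above lists what was removed (acpi.vxd and ntkrnlp.exe in system32, pdm2.dll and ielowutil2.exe in the Internet Explorer folder), and blair's earlier DDS attach log showed the same system32 files in its "Files Created" listing. What makes those names stand out is visible in the thread itself: a Windows 9x-era .vxd driver on a Vista system, and file names one character away from genuine Windows binaries (ntkrnlpa.exe, pdm.dll, ielowutil.exe). The following Python is an added example written for this thread; it is not code from DDS, ComboFix, OTM or the forum. It parses both listing formats seen above and applies those two heuristics. The reference-name set is an assumption (a small illustrative list, not a complete inventory of legitimate Windows files), and the sample lines are constructed from entries quoted in the thread.

```python
"""Triage the "Files Created" and "Other Deletions" listings from DDS / ComboFix logs.
Added example for this thread, not code from DDS, ComboFix, OTM or the forum;
sample lines are constructed from entries quoted above."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two line shapes appear in the thread (directories carry "--------" as size):
#   DDS:      2010-01-11 01:12:07 557568 ----a-w- c:\windows\system32\ntkrnlp.exe
#   ComboFix: 2010-01-13 05:24 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Illustrative reference set (an assumption, not a complete inventory): genuine
# Windows / IE names that the files deleted in this thread imitate
# (ntkrnlp.exe vs ntkrnlpa.exe, pdm2.dll vs pdm.dll, ielowutil2.exe vs ielowutil.exe).
REFERENCE_NAMES = sorted({"ntkrnlpa.exe", "ntoskrnl.exe", "ielowutil.exe",
                          "iexplore.exe", "pdm.dll", "svchost.exe"})

@dataclass
class Entry:
    created: str
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0].lower() == "d"

def parse_listing(text: str) -> List[Entry]:
    """Parse every DDS- or ComboFix-style file line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section banners, blank lines, forum residue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], size, m["attrs"], m["path"]))
    return entries

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious(path: str) -> Optional[str]:
    """Return a reason if the file name looks like a dropper artifact, else None."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    _, ext = os.path.splitext(name)
    if ext == ".vxd":
        return "Win9x VxD driver on an NT-family system"  # VxD is a 9x-era format
    if ext in (".exe", ".dll", ".sys"):
        for ref in REFERENCE_NAMES:
            if name != ref and ref.endswith(ext) and edit_distance(name, ref) <= 2:
                return f"name imitates {ref}"
    return None

def triage_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Apply the rules to bare paths, e.g. a ComboFix 'Other Deletions' block."""
    return [(p, reason) for p in paths if (reason := suspicious(p))]

def triage_listing(text: str) -> List[Tuple[str, str]]:
    """Apply the rules to a dated listing, skipping directory entries."""
    return triage_paths([e.path for e in parse_listing(text) if not e.is_dir])

# Constructed sample input, assembled from lines quoted in the thread.
SAMPLE_LOG = "\n".join([
    r"2010-01-13 05:24:56 72704 ----a-w- c:\windows\system32\fontsub.dll",
    r"2010-01-11 01:12:22 2240 ----a-w- c:\windows\system32\acpi.vxd",
    r"2010-01-11 01:12:07 557568 ----a-w- c:\windows\system32\ntkrnlp.exe",
    r"2010-01-14 14:41 . 2010-01-14 14:41 -------- d-----w- c:\programdata\Malwarebytes",
    r"2010-01-14 14:41 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys",
])
SAMPLE_DELETIONS = [
    r"c:\program files\Internet Explorer\pdm2.dll",
    r"c:\program files\Internet Explorer\ielowutil2.exe",
    r"c:\program files\Java\jre6\bin\jucheck.exe",
]

if __name__ == "__main__":
    for path, reason in triage_listing(SAMPLE_LOG) + triage_paths(SAMPLE_DELETIONS):
        print(f"{reason:42} {path}")
```

Run on the constructed sample, the script flags acpi.vxd, ntkrnlp.exe, pdm2.dll and ielowutil2.exe and stays quiet on fontsub.dll, mbam.sys and jucheck.exe. The look-alike rule is deliberately narrow (edit distance of at most 2 against a short reference list, same extension required) so that a routine Windows Update batch such as the one dated 2010-01-13 in the logs produces no noise; widening the reference list is the knob to turn if a listing from another machine needs covering.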

Re: Trojan horse PSW Banker5.ANMF

Post by blair on Thu Jan 21, 2010 5:10 pm

Boss, THANK YOU! I just ran a virus scan and it came out clean, it is all better. THANK YOU SO MUCH, YOU ARE A CHAMPION!!!!!!!!!!!!!!!


Re: Trojan horse PSW Banker5.ANMF

Post by Belahzur on Thu Jan 21, 2010 11:32 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?




Re: Trojan horse PSW Banker5.ANMF

Post by blair on Fri Jan 22, 2010 3:48 am

Mate, everything is running smooth as. Thank you so much :smile2:

