Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..


Post by Iamdtdoc on 17th December 2008, 9:05 am

Hello. Earlier I clicked on a link (accidentally of course) and encountered a site that was reported by Firefox as an attack site. The site was up for less than a second and my AVG 8.0 Anti-Virus went crazy, telling me that there were some trojans found on my computer. I tried to delete them and it quarantined them in the Virus Vault but could not delete them. I then did a full computer scan and sent some other objects that were reported by AVG as trojans, trojan agents and whatever. I deleted the following from my disk that were reported by AVG:

1. Trojan Horse SHeur2.FJD - Prunnet.exe
2. Trojan Horse Agent.AOQG - gadcom.exe
3. Trojan horse downloader agent - wininstall[1].exe
4. Trojan Horse BHO.GQR - geBrrRkk.dll

I deleted those items from my disk. I then did another scan and nothing appeared. I then went on to run a scan with Malwarebytes Anti-Malware. The following is the log:

"Malwarebytes' Anti-Malware 1.31
Database version: 1457
Windows 5.1.2600 Service Pack 2

12/17/2008 2:36:23 AM
mbam-log-2008-12-17 (02-36-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209973
Time elapsed: 2 hour(s), 17 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
C:\Documents and Settings\Derek\Application Data\gadcom (Trojan.Agent) -> No action taken.

Files Infected:
C:\Documents and Settings\Derek\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Derek\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> No action taken."

Although it says no action taken, the files were put into quarantine and I deleted them.

I know that people have had success with these programs in removing malware and whatnot, but I just want to be extra careful with this since I do my online banking on this computer.

The following is my HijackThis log:

"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:45 AM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8299 bytes"

Hopefully I have provided enough info on this. Please help me! I'm just worried my computer is still infected.

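A small triage script, added here as example code (it is not HijackThis, Malwarebytes or ComboFix code), that parses the HijackThis entry formats shown in the log above and flags the entries a helper would look at first: autostarts running from user-writable profile folders (where the Temp and Application Data detections in this thread lived), anything listed in AppInit_DLLs, and entries whose file is missing. The sample lines mix entries copied from the log with two constructed ones marked in the code; the path heuristics are assumptions that mark an entry for review, not a verdict on it.

```python
"""Review-first triage of HijackThis-style log lines (example code, not a tool's own code)."""
import re

# Line formats for the entry types that appear in the thread's HijackThis log.
ENTRY_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$"),
}
# First absolute Windows path to an executable module inside a command line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\"]*?\.(?:exe|dll|sys|ocx)", re.IGNORECASE)
# Profile folders a standard user can write to; the thread's detections lived here.
USER_WRITABLE_RE = re.compile(r"\\(temp|application data|local settings)\\", re.IGNORECASE)


def parse_entry(line):
    """Return a dict for one recognised HijackThis line, or None for anything else."""
    line = line.strip()
    for kind, pat in ENTRY_PATTERNS.items():
        m = pat.match(line)
        if m:
            entry = {"kind": kind, "line": line, **m.groupdict()}
            if kind == "O4":
                # Run-key values are command lines; pull the module path out of them.
                pm = PATH_RE.search(entry["cmd"])
                entry["path"] = pm.group(0) if pm else None
            return entry
    return None


def flag_entry(entry):
    """Return the review reasons for one parsed entry (empty list = nothing notable)."""
    reasons = []
    if entry["kind"] == "O20":
        # AppInit_DLLs is loaded into every process that maps user32.dll, so each
        # item is worth a look. The value is space- or comma-delimited, which is why
        # a path containing a space appears split into two fragments in the log.
        for dll in filter(None, (d.strip() for d in entry["dlls"].split(","))):
            reasons.append(f"AppInit_DLLs entry: {dll}")
        return reasons
    path = entry.get("path")
    if "(no file)" in entry["line"]:
        reasons.append("referenced file missing (no file): orphaned autostart")
    elif path and USER_WRITABLE_RE.search(path):
        reasons.append(f"autostart from user-writable location: {path}")
    return reasons


def triage(lines):
    """Parse every line and return [(line, [reasons])] for entries worth reviewing."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry:
            reasons = flag_entry(entry)
            if reasons:
                findings.append((entry["line"], reasons))
    return findings


# Sample input: the first five lines are copied from the thread's HijackThis log,
# the last two are CONSTRUCTED for this example (the CLSID and the gadcom Run
# entry are made up; the thread only shows a gadcom folder under Application Data).
SAMPLE_LOG = [
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll",
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto",
    r"O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')",
    r"O20 - AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll,avgrsstx.dll",
    r"O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe",
    r"O2 - BHO: (no name) - {01234567-89AB-CDEF-0123-456789ABCDEF} - (no file)",  # constructed
    r"O4 - HKCU\..\Run: [gadcom] C:\Documents and Settings\Derek\Application Data\gadcom\gadcom.exe",  # constructed
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```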

Re: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

Post by Belahzur on 17th December 2008, 3:04 pm


  • Download ComboFix from here, use the top links - [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.





Re: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

Post by Iamdtdoc on 17th December 2008, 9:25 pm

Running from: c:\documents and settings\Derek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Derek\Application Data\inst.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\windows\system32\xircom
2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\windows\srchasst
2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\program files\microsoft frontpage
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\program files\SUPERAntiSpyware
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\documents and settings\Derek\Application Data\SUPERAntiSpyware.com
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 03:14 . 2008-12-17 03:14 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 02:16 . 2008-12-04 02:16 d-------- c:\documents and settings\Guest\Application Data\AVGTOOLBAR
2008-12-04 02:15 . 2008-12-17 02:37 d-------- c:\documents and settings\Guest
2008-12-04 02:05 . 2008-12-04 02:05 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 01:55 . 2008-12-04 02:14 d-------- c:\documents and settings\Administrator
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\documents and settings\Derek\Application Data\Malwarebytes
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 00:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 00:51 . 2004-02-23 01:00 1,386,496 --a------ c:\windows\MSVBVM60.DLL
2008-12-04 00:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:28 . 2008-12-04 00:28 d-------- c:\program files\Trend Micro
2008-11-30 22:10 . 2008-12-16 23:31 d--h----- C:\$AVG8.VAULT$
2008-11-30 19:29 . 2008-12-17 09:14 d-------- c:\windows\system32\drivers\Avg
2008-11-30 19:29 . 2008-12-16 03:35 d-------- c:\documents and settings\Derek\Application Data\AVGTOOLBAR
2008-11-30 19:29 . 2008-11-30 19:29 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 19:29 . 2008-11-30 19:29 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-30 19:29 . 2008-11-30 19:29 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-30 19:03 . 2008-11-30 19:29 d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-22 00:17 . 2008-11-22 00:17 d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-21 23:35 . 2008-11-21 23:35 d-------- c:\program files\LG Software Innovations
2008-11-21 23:35 . 2008-11-21 23:35 d-------- c:\documents and settings\Derek\Application Data\Vso
2008-11-21 23:35 . 2008-11-21 23:42 d-------- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2008-11-21 23:35 . 2008-11-21 23:35 47,360 --a------ c:\documents and settings\Derek\Application Data\pcouffin.sys
2008-11-17 00:45 . 2008-11-17 00:46 d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-17 00:43 . 2008-11-17 00:45 d-------- c:\windows\nview
2008-11-17 00:43 . 2004-10-29 16:50 172,032 --a------ c:\windows\system32\nvudisp.exe
2008-11-17 00:43 . 2004-10-29 16:50 13,653 --a------ c:\windows\system32\nvdisp.nvu
2008-11-17 00:36 . 2008-11-17 00:36 d-------- C:\NVIDIA
2008-11-17 00:22 . 2008-11-17 00:27 d-------- c:\program files\Maxis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 03:18 --------- d-----w c:\program files\Steam
2008-12-14 02:45 --------- d-----w c:\documents and settings\Derek\Application Data\uTorrent
2008-12-07 19:58 --------- d-----w c:\program files\Motorola Phone Tools
2008-12-07 19:56 --------- d-----w c:\program files\Avanquest update
2008-12-06 21:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-26 04:33 --------- d-----w c:\documents and settings\Derek\Application Data\Skype
2008-11-26 03:11 --------- d-----w c:\documents and settings\Derek\Application Data\skypePM
2008-11-22 17:47 --------- d-----w c:\documents and settings\Derek\Application Data\LimeWire
2008-11-22 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-22 05:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-11-17 06:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Zoom Player
2008-11-03 06:35 --------- d-----w c:\program files\Zoom Player
2008-10-31 15:12 --------- d-----w c:\program files\TagRename
2008-10-17 21:03 --------- d-----w c:\program files\007DVD
2008-10-13 04:08 90,112 ----a-w c:\windows\DUMP731c.tmp
2007-08-22 18:44 92,064 ----a-w c:\documents and settings\Derek\mqdmmdm.sys
2007-08-22 18:44 9,232 ----a-w c:\documents and settings\Derek\mqdmmdfl.sys
2007-08-22 18:44 79,328 ----a-w c:\documents and settings\Derek\mqdmserd.sys
2007-08-22 18:44 66,656 ----a-w c:\documents and settings\Derek\mqdmbus.sys
2007-08-22 18:44 6,208 ----a-w c:\documents and settings\Derek\mqdmcmnt.sys
2007-08-22 18:44 5,936 ----a-w c:\documents and settings\Derek\mqdmwhnt.sys
2007-08-22 18:44 4,048 ----a-w c:\documents and settings\Derek\mqdmcr.sys
2007-08-22 18:44 25,600 ----a-w c:\documents and settings\Derek\usbsermptxp.sys
2007-08-22 18:44 22,768 ----a-w c:\documents and settings\Derek\usbsermpt.sys
2007-08-10 02:57 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080920070810\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-03-01 16:14 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\dllcache\TCPIP.SYS
2008-03-01 16:14 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\system32\msconfig.exe" [2007-07-22 169984]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-22 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI6"= diomidi.dll
"wave6"= Digi32.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-01 09:46 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Computer Alarm Clock]
--a------ 2007-09-06 14:29 696832 c:\progra~1\COMPUT~1\cac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2003-02-24 15:11 266313 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2006-02-14 23:31 61440 c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-03-02 10:49 86016 c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 18:05 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-08-11 16:46 21741864 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sofonesia Reminder]
--a------ 2008-06-28 18:56 917504 c:\program files\Sofonesia Reminder\Sofonesia_Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-08 15:45 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-10-08 16:54 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-07-25 10:47 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-07-25 10:47 2806272 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-07-25 10:47 90112 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11909:TCP"= 11909:TCP:utorent
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R1 FDCENT;FDCENT;\??\c:\windows\system32\drivers\FDCENT.SYS [2008-09-12 47470]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-30 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-30 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-02 24652]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2008-09-15 42112]
S3 PciCon;PciCon;\??\D:\PciCon.sys []

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-17 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 21:41]
.


Re: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

Post by Iamdtdoc on 17th December 2008, 9:26 pm

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\f6oe4gor.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Derek\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-17 15:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-17 15:18:02 - machine was rebooted [Derek]
ComboFix-quarantined-files.txt 2008-12-17 21:17:59

Pre-Run: 49,877,925,888 bytes free
Post-Run: 49,788,092,416 bytes free



Re: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

Post by Belahzur on 17th December 2008, 10:30 pm

Hello.
Download this .reg file from here:
[You must be registered and logged in to see this link.]

Download the file to your desktop.
Double click it and select yes to the registry merge prompt.

What problems remain?





Re: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

Post by Doctor Inferno on 17th January 2009, 10:45 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


