Infected with SHeur2, Cryptor, Vundo, Generic12


Solved Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Tue Jan 20, 2009 11:54 am

Hi. My computer (PC running XP SP3) is infected with the following viruses (detected by AVG 8):

SHeur2.MHI
Win32/Cryptor
Vundo.DP
Generic12.AYCO

AVG does not seem able to "heal" these.

I saw a related post at:
[You must be registered and logged in to see this link.]

I wasn't sure if I should just do what is described there or if I should be doing something else. Thanks for any recommendations!

- Ken

kk_oop (Novice) | Posts: 14 | Joined: 2009-01-20 | OS: XP SP 3 | Points: 28770 | Likes: 0

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Tue Jan 20, 2009 12:34 pm

Hello.
Please do not run tools posted for other users, follow these instructions.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) | Posts: 34916 | Joined: 2008-08-03 | Gender: Male | OS: XP SP3 Media Centre | Points: 245069 | Likes: 1

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 12:01 am

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

1/20/2009 6:49:23 PM
mbam-log-2009-01-20 (18-49-23).txt

Scan type: Quick Scan
Objects scanned: 61041
Time elapsed: 53 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\emotagakusadiyur (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\blajog (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

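The one "Registry Data Items Infected" line in the MBAM log above is the most telling entry: the Winlogon Userinit value had a second executable (twex.exe) chained after userinit.exe, so it was started at every logon. The following Python script is an added example written for this page (it is not part of the thread and not Malwarebytes' code). It parses that MBAM line and, more generally, reports every entry in a Userinit value whose file name is not userinit.exe; the same check can be pointed at the live registry value, for which the XP default is `C:\WINDOWS\system32\userinit.exe,` (trailing comma included). The sample line is copied from the log above and embedded so the script runs offline.

```python
import re
from typing import List, Tuple

# Sample input: the Hijack.UserInit line from the MBAM log posted above,
# embedded here (constructed copy) so the script runs without the log file.
MBAM_USERINIT_LINE = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit "
    r"(Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) "
    r"Good: (userinit.exe) -> Quarantined and deleted successfully."
)

# MBAM prints the hijacked value as "Bad: (...) Good: (...)".
HIJACK_RE = re.compile(
    r"\(Hijack\.UserInit\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)"
)


def parse_mbam_userinit(line: str) -> Tuple[str, str]:
    """Return (bad_value, good_value) from an MBAM Hijack.UserInit log line."""
    m = HIJACK_RE.search(line)
    if not m:
        raise ValueError("not a Hijack.UserInit line")
    return m.group("bad"), m.group("good")


def split_userinit(value: str) -> List[str]:
    """Userinit is a comma-separated list of programs Winlogon starts at logon.
    The XP default ends with a trailing comma, so empty pieces are dropped."""
    return [part.strip() for part in value.split(",") if part.strip()]


def unexpected_userinit_entries(value: str, expected_basename: str = "userinit.exe") -> List[str]:
    """Every program in a Userinit value other than the expected logon helper.
    Anything returned here runs in the user's session at every logon."""
    extras = []
    for entry in split_userinit(value):
        path = entry.strip('"')
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename != expected_basename:
            extras.append(entry)
    return extras


if __name__ == "__main__":
    bad, good = parse_mbam_userinit(MBAM_USERINIT_LINE)
    print("Userinit value MBAM found:", bad)
    print("Expected program:", good)
    print("Extra programs chained into logon:", unexpected_userinit_entries(bad))
```

The basename comparison is deliberately loose about the directory: an entry of `userinit.exe` with no path is what MBAM reports as "Good", while a copy of userinit.exe placed elsewhere would still need a look, so treat the output as a starting list rather than a verdict.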

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Wed Jan 21, 2009 12:04 am

Please post the DDS log.





Solved DDS Log

Post by kk_oop on Wed Jan 21, 2009 12:09 am

Here is the DDS output:

DDS (Ver_09-01-07.01) - NTFSx86
Run by Aaron at 19:03:00.25 on Tue 01/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.100 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll
FF - HiddenExtension: XUL Cache: {56695635-64C6-41FB-9BCF-7D0775BE00A0} - c:\documents and settings\aaron\local settings\application data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================

2009-01-20 17:53 --d----- c:\docume~1\aaron\applic~1\Malwarebytes
2009-01-20 17:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 17:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 17:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 10:30 --dsh--- c:\windows\system32\twain32
2009-01-19 10:28 1,409 a------- c:\windows\QTFont.for
2009-01-19 10:28 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 14:26 --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 19:03:39.42 ===============


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Wed Jan 21, 2009 12:11 am

Ah, DDS shows a Goored infection.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).





Solved GooredFix Log

Post by kk_oop on Wed Jan 21, 2009 1:59 am

Here is the GooredFix log:

GooredFix v1.83 by jpshortstuff
Log created at 20:57 on 20/01/2009 running Option #2 (Aaron)
Firefox version 2.0.0.20 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{56695635-64C6-41FB-9BCF-7D0775BE00A0}"="C:\Documents and Settings\Aaron\Local Settings\Application Data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Aaron\Local Settings\Application Data\{56695635-64C6-41FB-9BCF-7D0775BE00A0}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C0C8B841-60E4-4A2E-86EF-D01923F70B77}"="C:\Documents and Settings\Admin\Local Settings\Application Data\{C0C8B841-60E4-4A2E-86EF-D01923F70B77}\" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Wed Jan 21, 2009 2:03 am

Hello.
GooredFix shows a leftover, so we need to remove it.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{C0C8B841-60E4-4A2E-86EF-D01923F70B77}"=-

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

What problems remain?




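The Goored posts above show the whole pattern in three steps: DDS lists a hidden Firefox extension registered under HKLM with a GUID name and a folder under the user's Local Settings\Application Data, GooredFix deletes that one but its dump still shows a second registration of the same shape marked "(Folder Missing)", and the fix.reg removes the leftover value by hand. The Python script below is an added example for this page (not the thread's own code and not GooredFix or jpshortstuff's code): it parses the "Dumping Registry Values" section of a GooredFix log, flags GUID-named entries under the global Firefox extensions key that either point under a user's Local Settings\Application Data or are annotated as missing, and writes out a .reg file in exactly the form posted above. The "Local Settings\Application Data" heuristic is an assumption taken from the two entries on this page, so review what it flags before merging anything; the sample dump is copied from the GooredFix log above.

```python
import re
from typing import List, NamedTuple

# Sample input: the "Dumping Registry Values" section of the GooredFix log
# posted above, embedded here (constructed copy) so the script runs offline.
GOOREDFIX_DUMP = r'''
=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C0C8B841-60E4-4A2E-86EF-D01923F70B77}"="C:\Documents and Settings\Admin\Local Settings\Application Data\{C0C8B841-60E4-4A2E-86EF-D01923F70B77}\" (Folder Missing)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
'''

# "name"="value" with GooredFix's optional " (Folder Missing)" annotation.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*?)"(?P<missing> \(Folder Missing\))?$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FIREFOX_EXT_KEY = "\\mozilla\\firefox\\extensions"
# Assumed indicator, taken from the two Goored entries on this page.
USER_LOCAL_APPDATA = "\\local settings\\application data\\"


class ExtensionEntry(NamedTuple):
    key: str
    name: str
    path: str
    folder_missing: bool


def parse_gooredfix_dump(text: str) -> List[ExtensionEntry]:
    """Walk the [key] / "name"="value" blocks of a GooredFix registry dump."""
    entries: List[ExtensionEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = ENTRY_RE.match(line)
            if m:
                entries.append(ExtensionEntry(key, m.group("name"), m.group("value"),
                                              m.group("missing") is not None))
    return entries


def goored_leftovers(entries: List[ExtensionEntry]) -> List[ExtensionEntry]:
    """GUID-named extensions registered machine-wide that live under a user's
    Local Settings\\Application Data, or whose folder is gone but whose
    registration is still present (the leftover GooredFix reported above)."""
    flagged = []
    for e in entries:
        if not e.key.lower().endswith(FIREFOX_EXT_KEY):
            continue
        if not GUID_RE.match(e.name):
            continue
        if e.folder_missing or USER_LOCAL_APPDATA in e.path.lower():
            flagged.append(e)
    return flagged


def reg_delete_script(entries: List[ExtensionEntry]) -> str:
    """Emit a .reg file in the same form as the fix.reg posted above:
    "name"=- under a key deletes that value when the file is merged."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        lines += [f"[{e.key}]", f'"{e.name}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = goored_leftovers(parse_gooredfix_dump(GOOREDFIX_DUMP))
    for e in found:
        print(f"leftover: {e.name} -> {e.path} (folder missing: {e.folder_missing})")
    print(reg_delete_script(found))
```

On the log above this flags only the {C0C8B841-...} entry and leaves the two AVG extensions alone, because they are registered from Program Files and their folders exist; the generated text matches the fix.reg Belahzur posted.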

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 3:23 am

Hi. After I did all this, I restarted my PC, and then AVG Resident Shield Alert reported this:
*************
Threat detected!
File name: C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg

Threat name: Trojan horse SHeur2.MHI
Detected on open.
**************

So it looks like something is still up.


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 5:07 am

Here are the logs:

Malwarebytes' Anti-Malware 1.33
Database version: 1673
Windows 5.1.2600 Service Pack 3

1/20/2009 11:58:38 PM
mbam-log-2009-01-20 (23-58-38).txt

Scan type: Quick Scan
Objects scanned: 61823
Time elapsed: 53 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*************

DDS (Ver_09-01-18.01) - NTFSx86
Run by Aaron at 0:04:49.82 on Wed 01/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.181 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\program files\lenovo\system update\suservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================

2009-01-21 00:03 --d-h--- c:\windows\PIF
2009-01-20 22:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-20 21:58 -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 21:57 --d----- c:\program files\Lavasoft
2009-01-20 17:53 --d----- c:\docume~1\aaron\applic~1\Malwarebytes
2009-01-20 17:53 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-20 17:53 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 17:53 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 17:53 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 10:30 --dsh--- c:\windows\system32\twain32
2009-01-19 10:28 1,409 a------- c:\windows\QTFont.for
2009-01-19 10:28 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-25 14:26 --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2007-12-01 10:00 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 0:05:29.79 ===============


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 5:11 am

GooredFix v1.83 by jpshortstuff
Log created at 00:09 on 21/01/2009 running Option #2 (Aaron)
Firefox version 2.0.0.20 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 11:48 am

Hi again. I ran an AVG scan which did not detect any threats, but overnight, once again the Resident Shield found the Trojan horse SHeur2.MHI. The file name was:

C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015339.dll

This morning I ran a Lavasoft Ad-Aware scan (Anniversary Edition/Free edition). It is still running, but during the run, the AVG Resident Shield found the following threats:

A Virus called Win32/Cryptor. The file name is:
C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg

Another Cryptor called:
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\P206\A0015348.exe

A Trojan horse Vundo.DP file name:
C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015347.dll


Note that the user account having the problem is Aaron. I have one other account on this same computer which hasn't had this problem (though I haven't logged on there much since this problem started). I should also mention that when AVG finds these threats, I click the "Heal" option, then AVG moves it into the "virus vault."


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 1:46 pm

The Ad-Aware run completed and found one suspicious file. Here is the log:

Logfile created: 1/21/2009 6:52:16
Lavasoft Ad-Aware version: 8.0
Extended engine version: 8.1
User performing scan: Aaron

*********************** Definitions database information ***********************
Lavasoft definition file: 145.0
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 112144
Objects detected: 1


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Skipped items:
Description: C:\WINDOWS\system32\vidccleaner.exe Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 1:53 pm

Here is some interesting information. This is the AVG Resident Shield info. It seems to indicate that some of my current threats are associated with the various spyware programs I have been running, including Ad-Aware and mbam:

*********

Resident Shield detection
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"

"Trojan horse Delf.HTH";"C:\WINDOWS\TEMP\mcenspc.dll";"Infected";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"

"Trojan horse Delf.HTH";"C:\WINDOWS\system32\mcenspc.dll";"Moved to Virus Vault";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"

"Trojan horse SHeur2.MHI";"C:\WINDOWS\EDAPAGECAGUHIMU.DLL";"Moved to Virus Vault";"1/20/2009, 5:53:25 AM";"file";""

"Virus identified Win32/Cryptor";"C:\WINDOWS\system32\twex.exe";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\winlogon.exe"

"Trojan horse Vundo.DP";"C:\WINDOWS\ejobuxey.dll";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\rundll32.exe"

"Trojan horse SHeur2.MHI";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg";"Infected";"1/20/2009, 5:59:23 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"Trojan horse SHeur2.MHI";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg";"Moved to Virus Vault";"1/20/2009, 10:12:03 PM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Virus identified Win32/Cryptor";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg";"Infected";"1/20/2009, 11:10:33 PM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

"Trojan horse SHeur2.MHI";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015339.dll";"Moved to Virus Vault";"1/21/2009, 1:22:45 AM";"file";"C:\WINDOWS\System32\svchost.exe"

"Virus identified Win32/Cryptor";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg";"Moved to Virus Vault";"1/21/2009, 6:57:40 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Trojan horse Vundo.DP";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015347.dll";"Moved to Virus Vault";"1/21/2009, 7:19:24 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

"Virus identified Win32/Cryptor";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015348.exe";"Moved to Virus Vault";"1/21/2009, 7:19:24 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"

**********

Note that I did just upgrade to the Ad-Aware Anniversary Free edition after I thought my system was clean. So both Ad-Aware and mbam were installed after the initial infections were discovered by AVG.


Last edited by kk_oop on Wed Jan 21, 2009 2:09 pm; edited 1 time in total (Reason for editing : Clarified information)


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Wed Jan 21, 2009 3:04 pm

Hello.
A lot of what it found was just restore points and temp files.
We won't clean restore points just yet, we may need them.

We'll clean temp files first.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please post a new DDS scan.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
# Likes : 1

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Wed Jan 21, 2009 10:25 pm

Hi. I ran atf-cleaner. Here's the resulting DDS output:

*********
DDS (Ver_09-01-18.01) - NTFSx86
Run by Aaron at 17:22:17.81 on Wed 01/21/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.213 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\amsg.exe
C:\Program Files\Lenovo\Password Manager\password_manager.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Aaron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\password manager\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\amsg.exe
mRun: []
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Password Manager] "c:\program files\lenovo\password manager\password_manager.exe"
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaron\applic~1\mozilla\firefox\profiles\tf5wadj2.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\lenovo\password manager\pwm firefox extension\components\tvtpwm_moz_xpcom.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-20 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-3 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-1 26824]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-6 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-6 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-3 76040]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R4 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-9-29 991232]
R4 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-5-22 569344]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-13 01:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 09:53 182,660 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2007-12-16 21:12 88 ---shr-- c:\windows\system32\6EE8EF455A.sys
2007-12-16 21:12 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-11-24 07:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-21 15:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092120080922\index.dat

============= FINISH: 17:22:59.85 ===============

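Belahzur's triage of the AVG Resident Shield export (restore-point copies and browser-cache files versus files under the Windows directory) and the DDS report just posted can be checked mechanically. The DDS "SecurityProviders" line still lists mcenspc.dll, the DLL AVG reported moving out of system32 on 1/19, which is the kind of leftover load point a helper wants to see. The script below is an added example written for this page, not code from the thread, from AVG or from DDS. It embeds nine rows copied from the AVG export above and three load-point lines copied from the DDS report, buckets each detection by where the file sat, lists which processes AVG saw writing files into live system locations, and compares the DDS load points against a baseline. The baseline (the stock Windows XP SecurityProviders value, taken here as msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) and every function and variable name are this example's assumptions.

```python
"""Added triage example for the two logs posted in this thread (not code from
the forum, AVG or DDS). It parses sample lines copied from the AVG Resident
Shield export and from the DDS 'Pseudo HJT Report', classifies each AVG
detection by where the file sat, and checks the DDS load points against a
baseline. The baseline and all names below are this example's assumptions."""
import csv
from collections import Counter
from io import StringIO

# Nine rows copied from the AVG Resident Shield export posted above
# (semicolon-separated, every field quoted, header row first).
AVG_LOG = r'''"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Trojan horse Delf.HTH";"C:\WINDOWS\TEMP\mcenspc.dll";"Infected";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"
"Trojan horse Delf.HTH";"C:\WINDOWS\system32\mcenspc.dll";"Moved to Virus Vault";"1/19/2009, 10:32:43 AM";"file";"C:\WINDOWS\TEMP\2E.tmp"
"Trojan horse SHeur2.MHI";"C:\WINDOWS\EDAPAGECAGUHIMU.DLL";"Moved to Virus Vault";"1/20/2009, 5:53:25 AM";"file";""
"Virus identified Win32/Cryptor";"C:\WINDOWS\system32\twex.exe";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\winlogon.exe"
"Trojan horse Vundo.DP";"C:\WINDOWS\ejobuxey.dll";"Moved to Virus Vault";"1/20/2009, 5:59:11 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
"Trojan horse SHeur2.MHI";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\9J9DUJ3A\traff[1].jpg";"Moved to Virus Vault";"1/20/2009, 10:12:03 PM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
"Virus identified Win32/Cryptor";"C:\Documents and Settings\Aaron\Local Settings\Temporary Internet Files\Content.IE5\HL2PMA5M\sie[1].jpg";"Moved to Virus Vault";"1/21/2009, 6:57:40 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
"Trojan horse SHeur2.MHI";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015339.dll";"Moved to Virus Vault";"1/21/2009, 1:22:45 AM";"file";"C:\WINDOWS\System32\svchost.exe"
"Virus identified Win32/Cryptor";"C:\System Volume Information\_restore{A8393674-085C-4723-B63E-39928C5F4C89}\RP206\A0015348.exe";"Moved to Virus Vault";"1/21/2009, 7:19:24 AM";"file";"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
'''

# Three load-point lines copied from the DDS 'Pseudo HJT Report' above.
DDS_REPORT = r'''Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll
'''

# Assumed baseline: the stock Windows XP SecurityProviders value.
XP_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}


def classify(path):
    """Bucket a detected file by what its location implies: a restore-point
    copy or cached download is inert until restored or run, while a file
    under the Windows directory was put there by code that had already run."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"
    if "\\temporary internet files\\" in p or "\\windows\\temp\\" in p:
        return "cache/temp"
    if p.startswith("c:\\windows\\"):
        return "live system location"
    return "other"


def parse_avg(text):
    """Rows of the AVG export as dicts, each tagged with its Location bucket."""
    rows = list(csv.DictReader(StringIO(text), delimiter=";"))
    for row in rows:
        row["Location"] = classify(row["Object"])
    return rows


def summarize(rows):
    """How many detections fell into each location bucket."""
    return Counter(row["Location"] for row in rows)


def writers(rows):
    """Processes AVG saw touching files in live system locations. A system
    binary such as winlogon.exe or rundll32.exe here means something was
    already loaded into that process when the file was written."""
    return sorted({row["Process"].rsplit("\\", 1)[-1].lower()
                   for row in rows
                   if row["Location"] == "live system location" and row["Process"]})


def dds_load_points(text):
    """DLLs on the DDS AppInit_DLLs and SecurityProviders lines that are not
    in the assumed baseline (AppInit_DLLs is empty on a stock system, so
    everything listed there is reported)."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        dlls = [v.strip().lower() for v in value.split(",") if v.strip()]
        if key == "SecurityProviders":
            found[key] = [d for d in dlls if d not in XP_SECURITY_PROVIDERS]
        elif key == "AppInit_DLLs":
            found[key] = dlls
    return found


def cross_reference(rows, load_points):
    """Load-point DLLs whose file name also appears among the AVG detections:
    a registry value still pointing at a DLL the scanner has already vaulted."""
    vaulted = {row["Object"].rsplit("\\", 1)[-1].lower() for row in rows}
    return {key: [d for d in dlls if d in vaulted] for key, dlls in load_points.items()}


if __name__ == "__main__":
    rows = parse_avg(AVG_LOG)
    print(dict(summarize(rows)))
    print("writers of live-location files:", writers(rows))
    points = dds_load_points(DDS_REPORT)
    print("non-baseline load-point DLLs:", points)
    print("still referenced after vaulting:", cross_reference(rows, points))
```

On the sample rows the live-location bucket holds four files, the cache/temp bucket three and the restore-point bucket two, which is the split Belahzur describes; the cross-reference reports mcenspc.dll under SecurityProviders and nothing under AppInit_DLLs (avgrsstx.dll there is AVG's own component, as the DDS service list shows). A leftover SecurityProviders entry does no harm once the DLL is gone, but it is the sort of thing a helper checks before calling a machine clean.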

Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Wed Jan 21, 2009 10:29 pm

Looks good.
We'll clean restore points now.


To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

What problems remain?





Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Thu Jan 22, 2009 12:47 am

All is well!!! The Trojans appear to have been defeated!!!! Hooray!

The only thing I am seeing now is that Ad-Aware is seeing a suspicious file described this way:

C:\WINDOWS\system32\vidccleaner.exe Family Name: Suspicious Object Clean status: Success Item ID: 0 Family ID: 0

Should I care about this?

Thanks,

Ken


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Thu Jan 22, 2009 12:52 am

As Ad-Aware says, "Suspicious Object" - means it looks/thinks it's malware, but it may not be.

Please upload this file in bold:
C:\WINDOWS\system32\vidccleaner.exe
To this site below for a scan.
[You must be registered and logged in to see this link.]

Copy and paste the results back here.





Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Thu Jan 22, 2009 1:03 am

Looks like it's nothing--so I believe this case is closed!!!

Thanks so much!!! Thank You!

Scan taken on 22 Jan 2009 00:57:01 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Thu Jan 22, 2009 1:07 am

Yep, looks like a false positive in Ad-Aware, but don't delete the file, I'm not sure what it's used by.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.





Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by kk_oop on Thu Jan 22, 2009 12:05 pm

Hi. I have Ad-Aware (the free "anniversary" edition). I also have AVG.

Regarding the other programs, Spybot-Search & Destroy, SpywareBlaster, and SpywareGuard, do you recommend installing all of them? I'm just wondering why I would need all--does each do something different? Or is the idea if I have all installed, perhaps one will catch something the others miss?

Thanks for any info,

Ken


Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Belahzur on Thu Jan 22, 2009 2:28 pm

No, don't install them all, just one or two and you should be fine.





Solved Re: Infected with SHeur2, Cryptor, Vundo, Generic12

Post by Doctor Inferno on Sat May 02, 2009 6:45 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator

Posts : 12015
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104600
# Likes : 0
