Trojan Horse SHeur2.ADCY

Trojan Horse SHeur2.ADCY

Post by rewilson777usa on 30th April 2009, 4:33 am

Can anyone assist in removing this threat? AVG keeps identifying it, but not containing it.

rewilson777usa
Novice

Posts : 5
Joined : 2009-04-30
OS : XP
Points : 27797
# Likes : 0

Re: Trojan Horse SHeur2.ADCY

Post by Belahzur on 30th April 2009, 8:26 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1

DDS

Post by rewilson777usa on 1st May 2009, 2:29 am

DDS (Ver_09-03-16.01) - NTFSx86
Run by Roger Wilson at 19:02:34.37 on Thu 04/30/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.253 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\X3watch\x3watch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Roger Wilson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Bluetooth Connection Assistant] c:\program files\logitech\setpoint\LBTWiz.exe -silent
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [x3watch] c:\program files\x3watch\x3watch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g dwl-g120 wireless usb\120UTIL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - [You must be registered and logged in to see this link.]
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rogerw~1\applic~1\mozilla\firefox\profiles\ehf4q7qx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPJPI150_14.dll
FF - plugin: c:\program files\java\jre1.5.0_14\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-29 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-29 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-29 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-29 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-2-18 13696]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-29 298776]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
S2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\all users\application data\norton\Norton2009Reset.exe [2008-12-9 280833]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-1-3 18560]
S4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\roxio creator 2009\digital home 11\roxioupnprenderer11.exe" --> c:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [?]
S4 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-04-30 16:33 23,668 a------- c:\windows\system32\lmppcsetup.exe
2009-04-29 23:30 --d----- c:\docume~1\rogerw~1\applic~1\Malwarebytes
2009-04-29 23:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-29 23:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-29 23:30 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-29 23:30 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-29 23:23 --d----- c:\program files\Trend Micro
2009-04-28 21:40 14,336 a------- c:\windows\system32\SSF1D0.tmp
2009-04-26 20:46 --dsh--- c:\documents and settings\roger wilson\IECompatCache
2009-04-26 20:45 --dsh--- c:\documents and settings\roger wilson\PrivacIE
2009-04-26 20:36 --dsh--- c:\documents and settings\roger wilson\IETldCache
2009-04-26 20:05 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-26 20:05 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-04-25 23:09 --d----- c:\program files\Spybot - Search & Destroy
2009-04-25 23:09 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-24 23:02 1,360 a------- C:\xcrashdump.dat
2009-04-18 21:18 --d----- c:\program files\ColorByNumbers
2009-04-18 21:04 --d----- c:\docume~1\alluse~1\applic~1\Nova Development
2009-04-18 14:25 794,624 a------- c:\windows\system32\spr32d35.dll
2009-04-18 14:21 --d----- c:\program files\Punch! Home Design - AS4000
2009-04-18 09:49 160,640 a------- c:\windows\system32\drivers\a347bus.sys
2009-04-18 09:49 5,248 a------- c:\windows\system32\drivers\a347scsi.sys
2009-04-18 09:49 --d----- c:\program files\Alcohol Soft
2009-04-18 00:02 --d----- c:\program files\MagicISO
2009-04-17 17:38 89,448 a------- c:\windows\system32\drivers\50bfcea4.sys
2009-04-17 06:29 --d----- c:\program files\IMSIDesign
2009-04-17 06:29 --d----- c:\docume~1\alluse~1\applic~1\IMSIDesign
2009-04-17 06:29 0 -------- c:\windows\system32\_r_a_p_.tmp
2009-04-15 17:51 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 17:51 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 17:51 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-09 23:42 202,072 a----r-- c:\windows\cpnprt2.cid
2009-04-09 23:42 202,072 -------- c:\windows\system32\cpnprt2.cid
2009-04-02 17:36 41,024 a------- c:\windows\system\HUDSONB2.TTF
2009-04-02 17:36 39,636 a------- c:\windows\system\HUDSON2.TTF
2009-04-01 12:38 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-31 23:20 --d----- c:\windows\SxsCaPendDel

==================== Find3M ====================

2009-04-29 18:03 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-29 18:03 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-29 18:03 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 18:03 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-29 16:37 336 a------- c:\program files\temp995.bat
2009-03-09 05:19 410,984 -------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-09 07:10 729,088 -------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 -------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 -------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:11 110,592 -------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 05:39 35,328 -------- c:\windows\system32\sc.exe
2009-02-03 14:59 56,832 -------- c:\windows\system32\secur32.dll
2008-12-09 23:56 87,608 a------- c:\docume~1\rogerw~1\applic~1\inst.exe
2008-12-09 23:56 47,360 a------- c:\docume~1\rogerw~1\applic~1\pcouffin.sys
2004-03-11 14:27 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-02-18 20:43 32 a--sh--- c:\windows\{E2A58E1A-4E84-4F54-B7C0-97A60A5B6594}.dat

============= FINISH: 19:03:07.37 ===============


Re: Trojan Horse SHeur2.ADCY

Post by Belahzur on 1st May 2009, 2:37 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Re: Trojan Horse SHeur2.ADCY

Post by rewilson777usa on 9th May 2009, 9:05 pm

Each time I try to post results, it tells me the message is too large. Any thoughts?


Re: Trojan Horse SHeur2.ADCY

Post by Belahzur on 9th May 2009, 9:07 pm

Break it up into more than one post.


Re: Trojan Horse SHeur2.ADCY

Post by rewilson777usa on 9th May 2009, 9:46 pm

Filename regular expressions library is
"Copyright (C)1997-1998 by David R. Tribble, all rights reserved."

The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ROGERW~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Roger Wilson\Local Settings\Temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.

2009-04-30 04:30 . 2009-04-30 04:30 -------- d-----w c:\documents and settings\Roger Wilson\Application Data\Malwarebytes
2009-04-30 04:30 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 04:30 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 04:30 . 2009-04-30 04:30 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 04:30 . 2009-04-30 04:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 04:23 . 2009-04-30 04:23 -------- d-----w c:\program files\Trend Micro
2009-04-29 00:25 . 2009-04-29 00:25 -------- d-----w c:\documents and settings\Roger Wilson\Local Settings\Application Data\Mozilla
2009-04-27 01:46 . 2009-04-27 01:46 -------- d-sh--w c:\documents and settings\Roger Wilson\IECompatCache
2009-04-27 01:45 . 2009-04-27 01:45 -------- d-sh--w c:\documents and settings\Roger Wilson\PrivacIE
2009-04-27 01:37 . 2009-04-27 01:37 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-27 01:36 . 2009-04-27 01:36 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-27 01:36 . 2009-04-27 01:36 -------- d-sh--w c:\documents and settings\Roger Wilson\IETldCache
2009-04-27 01:05 . 2009-02-20 18:09 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-27 01:05 . 2009-02-20 18:09 78336 ----a-w c:\windows\system32\dllcache\ieencode.dll
2009-04-26 04:09 . 2009-04-26 04:12 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-26 04:09 . 2009-04-26 04:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-19 02:18 . 2009-04-24 03:27 -------- d-----w c:\program files\ColorByNumbers
2009-04-19 02:04 . 2009-04-24 03:31 -------- d-----w c:\documents and settings\All Users\Application Data\Nova Development
2009-04-18 19:25 . 2002-08-18 23:43 794624 ----a-w c:\windows\system32\spr32d35.dll
2009-04-18 19:21 . 2009-04-21 01:19 -------- d-----w c:\program files\Punch! Home Design - AS4000
2009-04-18 14:49 . 2004-04-30 14:33 5248 ----a-w c:\windows\system32\drivers\a347scsi.sys
2009-04-18 14:49 . 2004-04-30 14:37 160640 ----a-w c:\windows\system32\drivers\a347bus.sys
2009-04-18 14:49 . 2009-04-18 14:49 -------- d-----w c:\program files\Alcohol Soft
2009-04-18 05:02 . 2009-04-18 05:02 -------- d-----w c:\program files\MagicISO
2009-04-17 22:38 . 2009-05-06 02:02 89448 ----a-w c:\windows\system32\drivers\50bfcea4.sys
2009-04-17 11:29 . 2009-04-19 00:20 -------- d-----w c:\documents and settings\All Users\Application Data\IMSIDesign
2009-04-17 11:29 . 2009-04-19 00:19 -------- d-----w c:\program files\IMSIDesign
2009-04-15 22:52 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:52 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 22:52 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:52 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:52 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:52 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:52 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:52 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 22:51 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 22:51 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 20:23 . 2009-04-08 20:23 157160 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-08 00:51 . 2009-04-08 00:51 -------- d-----w c:\documents and settings\Roger Wilson\Application Data\Sonic
2009-04-08 00:51 . 2009-04-08 00:51 -------- d-----w c:\documents and settings\Roger Wilson\Local Settings\Application Data\Sonic_Solutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 02:02 . 2008-02-18 18:27 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 23:59 . 2008-08-06 00:56 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-05-02 15:42 . 2008-02-19 04:43 -------- d-----w c:\program files\Winamp
2009-05-02 13:21 . 2008-02-18 23:30 69704 ----a-w c:\documents and settings\Roger Wilson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-29 23:03 . 2009-03-29 21:44 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-29 23:03 . 2009-03-29 21:44 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-29 23:03 . 2009-03-29 21:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-29 23:03 . 2009-03-29 21:44 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-04-27 03:39 . 2008-12-06 21:54 -------- d-----w c:\program files\Coupons
2009-04-24 03:31 . 2008-02-18 23:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-18 04:55 . 2008-09-16 11:57 -------- d-----w c:\program files\Roxio Creator 2009
2009-04-18 04:55 . 2008-02-20 04:07 -------- d-----w c:\program files\Common Files\Sonic Shared
2009-04-18 04:54 . 2008-02-20 04:06 -------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-17 11:29 . 2009-04-17 11:29 0 ------w c:\windows\system32\_r_a_p_.tmp
2009-04-12 13:58 . 2009-03-23 00:03 -------- d-----w c:\program files\Scholastic
2009-04-04 01:40 . 2008-07-04 16:58 -------- d-----w c:\program files\Java
2009-03-29 21:53 . 2009-03-29 21:51 -------- d-----w c:\program files\X3watch
2009-03-29 21:44 . 2009-03-29 21:44 -------- d-----w c:\program files\AVG
2009-03-29 21:41 . 2008-09-29 02:02 -------- d-----w c:\program files\EPSON
2009-03-29 21:40 . 2009-01-24 00:42 -------- d-----w c:\program files\TaxCut08
2009-03-29 21:37 . 2009-03-29 21:37 336 ----a-w c:\program files\temp995.bat
2009-03-29 21:37 . 2009-01-24 00:42 -------- d-----w c:\program files\PDF995
2009-03-29 21:34 . 2008-02-19 01:42 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 22:44 . 2009-03-28 22:43 -------- d-----w c:\program files\LimeWire
2009-03-28 14:50 . 2009-03-28 14:49 -------- d-----w c:\program files\iTunes
2009-03-28 14:49 . 2009-03-28 14:49 -------- d-----w c:\program files\iPod
2009-03-28 14:49 . 2008-11-15 13:38 -------- d-----w c:\program files\Common Files\Apple
2009-03-28 14:48 . 2008-02-29 03:33 -------- d-----w c:\program files\Bonjour
2009-03-28 14:48 . 2009-03-28 14:47 -------- d-----w c:\program files\QuickTime
2009-03-28 05:03 . 2008-02-19 05:40 -------- d-----w c:\program files\CalorieKing.com Desktop Diet Diary for Windows
2009-03-09 10:19 . 2008-12-14 01:26 410984 ------w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2001-08-18 12:00 284160 ------w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-18 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-09 12:10 . 2001-08-18 12:00 729088 ------w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2008-02-19 00:06 401408 ------w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2001-08-18 12:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2001-08-18 12:00 617472 ------w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2001-08-18 12:00 1846784 ------w c:\windows\system32\win32k.sys
2009-02-08 00:02 . 2001-08-17 13:48 2066048 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2001-08-18 12:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 11:08 . 2001-08-18 12:00 2189056 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-18 12:00 35328 ------w c:\windows\system32\sc.exe
2004-03-11 19:27 . 2008-02-18 23:57 40960 ----a-w c:\program files\Uninstall_CDS.exe
2008-03-02 17:17 . 2008-03-02 17:16 24 --sh--w c:\windows\SC22DB006.tmp
2008-02-19 01:43 . 2008-02-19 01:43 32 --sha-w c:\windows\{E2A58E1A-4E84-4F54-B7C0-97A60A5B6594}.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 02:02 . 2009-05-06 02:02 16384 c:\windows\Temp\Perflib_Perfdata_b8.dat
+ 2001-08-18 12:00 . 2009-05-06 01:18 72108 c:\windows\system32\perfc009.dat
- 2001-08-18 12:00 . 2009-05-01 22:56 72108 c:\windows\system32\perfc009.dat
+ 2001-08-18 12:00 . 2009-05-06 01:18 444358 c:\windows\system32\perfh009.dat
- 2001-08-18 12:00 . 2009-05-01 22:56 444358 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


Re: Trojan Horse SHeur2.ADCY

Post by rewilson777usa on 9th May 2009, 9:46 pm

.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-02-20 32768]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-08-13 8466432]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-08-13 81920]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"Bluetooth Connection Assistant"="c:\program files\Logitech\SetPoint\LBTWiz.exe" [2007-11-15 59920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-29 1947928]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-01 299008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2008-5-8 241664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-2-20 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-2-20 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 23:03 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00db89b]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Roger Wilson\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2009-03-27 280833]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 18560]
R4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11; [x]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-04-29 12552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S1 BIOS;BIOS;c:\windows\System32\drivers\BIOS.sys [2005-03-16 13696]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298776]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c93cf60-f54d-11dd-99fd-044b80808003}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54fc8c10-da0d-11dd-99eb-044b80808003}]
\Shell\AutoRun\command - rcaeasyrip_setup.exe
\Shell\install\command - rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - "rcaeasyrip_setup.exe" /pdf_English
\Shell\usermanualFrench\command - "rcaeasyrip_setup.exe" /pdf_French
\Shell\usermanualSpanish\command - "rcaeasyrip_setup.exe" /pdf_Spanish

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7be9735-d930-11dd-99e8-044b80808003}]
\Shell\AutoRun\command - I:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {549f957e-2f89-11d6-8cfe-00c04f52b225}
FF - ProfilePath - c:\documents and settings\Roger Wilson\Application Data\Mozilla\Firefox\Profiles\ehf4q7qx.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJPI150_14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-05 21:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1388)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-06 21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 02:07
ComboFix2.txt 2009-05-01 23:33

Pre-Run: 48,632,090,624 bytes free
Post-Run: 48,656,621,568 bytes free

rewilson777usa

Re: Trojan Horse SHeur2.ADCY

Post by Belahzur on 9th May 2009, 10:02 pm

Hello.
Please visit this website:
[You must be registered and logged in to see this link.]

Press the "Browse" button and locate the following file:
c:\windows\system32\drivers\50bfcea4.sys

Select that file to be uploaded for a scan.
Copy and paste the result back here.

Next,

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Don't forget to post BOTH logs. Use more than one post if you need to.

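As an added example (not part of the thread, and not the scanner or tool the helper is pointing at), here is a small Python script that triages the kinds of lines seen in the ComboFix log above the way a malware-removal helper reads them: the inbound port left open in the XP firewall policy (3389/TCP, Remote Desktop), the AutoRun handlers recorded for removable drives under mountpoints2, and kernel drivers whose file name is a bare run of hex digits like the 50bfcea4.sys file named in the reply, or that live outside the standard driver directory. The sample log embedded in the script mixes lines quoted from the posted log with one constructed service line for 50bfcea4.sys; that line is not in the posted excerpt, and its date and size are made up for the example. A hex-digit driver name is a heuristic for a closer look, not a verdict, which is why the helper's actual next step is to upload the file to a multi-engine scanner.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example, not code from the forum thread or from ComboFix/DDS.
Flags the items a malware-removal helper checks first:
  * inbound ports opened in the XP firewall standard profile
  * AutoRun/Shell command handlers recorded for removable drives (mountpoints2)
  * kernel drivers whose file name is a bare run of hex digits (e.g. 50bfcea4.sys)
    or that load from outside c:\\windows\\system32\\drivers
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines quoted from the posted log, plus ONE made-up service
# line for 50bfcea4.sys (not present in the posted excerpt; date/size invented).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 BIOS;BIOS;c:\windows\System32\drivers\BIOS.sys [2005-03-16 13696]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298776]
R4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11; [x]
S1 50bfcea4;50bfcea4;c:\windows\system32\drivers\50bfcea4.sys [2009-04-29 40960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c93cf60-f54d-11dd-99fd-044b80808003}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7be9735-d930-11dd-99e8-044b80808003}]
\Shell\AutoRun\command - I:\setup.exe
"""

OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
AUTORUN_RE = re.compile(r'^\\Shell\\(\w+)\\command\s+-\s+(.*)$')
# ComboFix service line: <start type> <name>;<display name>;<path> [<date> <size>]
# An "[x]" marker with an empty path means the file is missing on disk.
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?\s*$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}\.sys$', re.IGNORECASE)
DRIVER_DIR = r'c:\windows\system32\drivers'


@dataclass
class Finding:
    kind: str    # open_port | autorun | driver_hex_name | driver_odd_path
    detail: str


def triage(log: str) -> list[Finding]:
    """Walk the log once, tracking the current registry section header."""
    findings: list[Finding] = []
    section = ''
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            section = ''          # ComboFix separates sections with blank lines
            continue
        if line.startswith('['):
            section = line.lower()
            continue
        if 'globallyopenports' in section:
            m = OPEN_PORT_RE.match(line)
            if m:
                findings.append(Finding('open_port', f'{m.group(1)}/{m.group(2)} inbound'))
            continue
        if 'mountpoints2' in section:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding('autorun', f'{m.group(1)} -> {m.group(2)}'))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, path = m.group(2), m.group(4).strip()
        if not path.lower().endswith('.sys'):
            continue              # only kernel drivers are triaged here
        fname = path.rsplit('\\', 1)[-1]
        if HEX_NAME_RE.match(fname):
            findings.append(Finding('driver_hex_name', f'{name}: {path}'))
        elif not path.lower().startswith(DRIVER_DIR):
            findings.append(Finding('driver_odd_path', f'{name}: {path}'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.kind:16} {f.detail}')
```

Run it as-is to see the four review items from the sample; point `triage()` at the text of a real ComboFix log to apply the same checks. Each flagged driver path is what you would then hash and submit to the scanner the helper links.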
