Help needed!! Infected with Trojan that I can't get rid of


Post by brett_814 on 23rd May 2009, 4:30 am

Hi,
Can't seem to get rid of this trojan. AVG refers to it as "Trojan BackDoor.Generic10.AIYR". When it detects it, I press heal, and it goes, "the specified file path was not found". I've run scans with McAfee and AVG and it can't fix my problem. Basically I can't get on to the internet using any web browsers. My net is running fine on my other computers. I snooped around on this forum looking for a solution before posting this, so I tried using MBAM too. It found and cleared a lot of stuff, but I still have the problem. This is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:09 PM, on 5/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Users\Brett\Desktop\HiJack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {9CB41BE5-0D07-47DC-BB18-7972DB91A6C7} - C:\Windows\system32\geBurOfE.dll (file missing)
O2 - BHO: C:\Windows\system32\aef3fee.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\Windows\system32\aef3fee.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1605357410-2887970040-4068907240-1006\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'poker')
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\system32\__c00B4F91.dat,C:\Windows\system32\rojideze.dll,avgrsstx.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\Windows\system32\aef3fee.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe

--
End of file - 5376 bytes

brett_814
Novice

Posts : 11
Joined : 2009-05-23
OS : Vista Business
Points : 27573
Likes : 0


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 23rd May 2009, 4:40 am

Also used The Avenger to find any stuff:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by Origin on 23rd May 2009, 4:30 pm

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
    O2 - BHO: (no name) - {9CB41BE5-0D07-47DC-BB18-7972DB91A6C7} - C:\Windows\system32\geBurOfE.dll (file missing)
    O2 - BHO: C:\Windows\system32\aef3fee.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\Windows\system32\aef3fee.dll (file missing)
    O20 - AppInit_DLLs: C:\Windows\system32\__c00B4F91.dat,C:\Windows\system32\rojideze.dll,avgrsstx.dll

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31503
Likes : 0

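Origin's fix list picks three things out of the HijackThis log: a browser proxy pointing at localhost:7171 (which is why no browser on this machine reaches the internet while the other computers are fine), BHO and SharedTaskScheduler entries whose DLL is already gone, and two entries in AppInit_DLLs that are not AVG's. The script below is an added example, not part of the thread and not HijackThis code; it applies those same three rules to a copy of the log lines posted above. The AppInit allowlist (only avgrsstx.dll, which the log shows AVG installed) and the wording of the reasons are assumptions made for the example.

```python
"""Triage a HijackThis log for the three hijack patterns fixed in this thread.

Added example, not part of the original thread and not HijackThis code.
Rules (assumptions a responder would apply to the log posted above):
  R1      ProxyServer pointing at the local machine
  O2/O22  BHO or SharedTaskScheduler entries whose DLL is "(file missing)"
  O20     AppInit_DLLs entries that are not on a small allowlist
"""
import re

# Assumption: the only AppInit DLL that belongs on this machine is AVG's
# resident-shield hook, which the log itself shows installed on 2009-05-22.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {9CB41BE5-0D07-47DC-BB18-7972DB91A6C7} - C:\Windows\system32\geBurOfE.dll (file missing)
O2 - BHO: C:\Windows\system32\aef3fee.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\Windows\system32\aef3fee.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\Windows\system32\__c00B4F91.dat,C:\Windows\system32\rojideze.dll,avgrsstx.dll
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\Windows\system32\aef3fee.dll (file missing)
"""

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<value>.+)$")
MISSING_RE = re.compile(
    r"^(?P<section>O2|O22) - .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?) \(file missing\)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")


def proxy_hosts(value):
    """Split an IE ProxyServer value into (scheme, host, port) triples.

    Accepts both forms Windows stores: 'host:port' (all protocols) and
    'http=host:port;https=host:port' (per protocol).
    """
    triples = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        triples.append((scheme or "*", host.lower(), port))
    return triples


def triage(log_text):
    """Return a list of findings, each {'section', 'item', 'reason'}, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in proxy_hosts(m["value"]):
                if host in LOCAL_HOSTS or host.startswith("127."):
                    findings.append({
                        "section": "R1",
                        "item": f"{scheme}={host}:{port}",
                        "reason": "browser proxy points at this machine; with no local "
                                  "proxy listening, every HTTP request fails",
                    })
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append({
                "section": m["section"], "item": m["path"],
                "reason": "load point still registered but its DLL is gone (orphaned persistence)",
            })
            continue
        m = APPINIT_RE.match(line)
        if m:
            for entry in (e.strip() for e in m["value"].split(",")):
                if not entry:
                    continue
                name = entry.rsplit("\\", 1)[-1].lower()
                if name not in KNOWN_APPINIT_DLLS:
                    findings.append({
                        "section": "O20", "item": entry,
                        "reason": "AppInit_DLLs injects this into every process that loads "
                                  "user32.dll; not on the allowlist",
                    })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['item']}\n     {f['reason']}")
```

Run against the sample it reports six items: the localhost proxy, the two orphaned BHOs, the `.dat` and `rojideze.dll` AppInit entries, and the orphaned SharedTaskScheduler entry, which is exactly the set Origin asked to have fixed (the empty R0 SearchAssistant/CustomizeSearch lines are cosmetic and not flagged).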

Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 25th May 2009, 1:35 am

Thanks for replying. Ok. This is the MBAM log:

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 6.0.6001 Service Pack 1

5/24/2009 4:14:48 PM
mbam-log-2009-05-24 (16-14-48).txt

Scan type: Quick Scan
Objects scanned: 87326
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\it123.it123mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\it123.it123mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ju495.ju495mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ju495.ju495mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e7f15ac4-e0a9-43f0-921b-70dfea621220} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22186aa4-e2a6-45e8-bf4f-5c103c0458b0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\870159 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\790151 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Windows\System32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by Origin on 25th May 2009, 5:59 pm

1. If you are using Firefox, make sure that your download settings are as follows:

   * Tools->Options->Main tab
   * Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
   See [You must be registered and logged in to see this link.] for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 25th May 2009, 6:34 pm

Do I still need to do this? Everything has been running fine for nearly a day now after doing those things you mentioned.


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by Origin on 25th May 2009, 6:38 pm

Yes, because there are still some leftovers that could cause the infection to come back.


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 26th May 2009, 2:47 am

Ok. Here is the Combofix log (part 1):

ComboFix 09-05-25.05 - Brett 05/26/2009 12:32.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1789.940 [GMT 10:00]
Running from: c:\users\Brett\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
C:\test.txt
c:\windows\system32\abbjmilq.ini
c:\windows\system32\aeghrkce.ini
c:\windows\system32\agfuwivo.ini
c:\windows\system32\ajupepit.ini
c:\windows\system32\alonosul.ini
c:\windows\system32\asedulin.ini
c:\windows\system32\atayenid.ini
c:\windows\system32\atisuval.ini
c:\windows\system32\awojjgoa.ini
c:\windows\system32\awubofar.ini
c:\windows\system32\axrvljnp.ini
c:\windows\system32\bjabefia.ini
c:\windows\system32\bjulkhhm.ini
c:\windows\system32\bnbnurpy.ini
c:\windows\system32\btbyusfh.ini
c:\windows\system32\caucylgv.ini
c:\windows\system32\chfdcwlq.ini
c:\windows\system32\ckdqxown.ini
c:\windows\system32\cochbder.ini
c:\windows\system32\cpixtcgr.ini
c:\windows\system32\cveuillw.ini
c:\windows\system32\djfvnwdx.ini
c:\windows\system32\dryethis.ini
c:\windows\system32\eassplns.ini
c:\windows\system32\ebcxglcw.ini
c:\windows\system32\ebihopuj.ini
c:\windows\system32\EfOruBeg.ini
c:\windows\system32\EfOruBeg.ini2
c:\windows\system32\ehunivid.ini
c:\windows\system32\ehunolam.ini
c:\windows\system32\ekkbfsaq.ini
c:\windows\system32\empykxmm.ini
c:\windows\system32\epawamol.ini
c:\windows\system32\erifepin.ini
c:\windows\system32\eritekjk.ini
c:\windows\system32\evepukit.ini
c:\windows\system32\ezidayay.ini
c:\windows\system32\finxpram.ini
c:\windows\system32\foutitts.ini
c:\windows\system32\gfutfmwv.ini
c:\windows\system32\gnrtgfne.ini
c:\windows\system32\gsjlxfoi.ini
c:\windows\system32\gylycgvh.ini
c:\windows\system32\hkvljwtg.ini
c:\windows\system32\igijizeb.ini
c:\windows\system32\ilajipid.ini
c:\windows\system32\inerafan.ini
c:\windows\system32\ipilepik.ini
c:\windows\system32\itmlkomo.ini
c:\windows\system32\itoluyej.ini
c:\windows\system32\iuiocanl.ini
c:\windows\system32\ivjvqyxt.ini
c:\windows\system32\iyaleyag.ini
c:\windows\system32\iydfoehf.ini
c:\windows\system32\jdhllynv.ini
c:\windows\system32\jdqgxbcc.ini
c:\windows\system32\jiolrevu.ini
c:\windows\system32\kajqrgok.ini
c:\windows\system32\khbbonvs.ini
c:\windows\system32\krgnjegl.ini
c:\windows\system32\ksukigpw.ini
c:\windows\system32\ktgfqyse.ini
c:\windows\system32\lavxaunx.ini
c:\windows\system32\lessigde.ini
c:\windows\system32\lisxwxms.ini
c:\windows\system32\ljjdfsyw.ini
c:\windows\system32\mfqqhngu.ini
c:\windows\system32\mreuavwp.ini
c:\windows\system32\mronawbe.ini
c:\windows\system32\napkyify.ini
c:\windows\system32\njblrxpn.ini
c:\windows\system32\obugagud.ini
c:\windows\system32\odirowaz.ini
c:\windows\system32\ofwpobap.ini
c:\windows\system32\oghjijyj.ini
c:\windows\system32\ohwtapeg.ini
c:\windows\system32\olysgyhp.ini
c:\windows\system32\omfdxilg.ini
c:\windows\system32\omukivam.ini
c:\windows\system32\oropohak.ini
c:\windows\system32\oruliyof.ini
c:\windows\system32\ostmkmiy.ini
c:\windows\system32\ovrkxneb.ini
c:\windows\system32\oxbxgcel.ini
c:\windows\system32\oyoyaluf.ini
c:\windows\system32\porhqcwf.ini
c:\windows\system32\qsndptav.ini
c:\windows\system32\sgrquprk.ini
c:\windows\system32\svjcyqld.ini
c:\windows\system32\swuehubu.ini
c:\windows\system32\symxsgfk.ini
c:\windows\system32\TDSSwasc.dat
c:\windows\system32\tfstuawn.ini
c:\windows\system32\tysypmgq.ini
c:\windows\system32\uexlpghu.ini
c:\windows\system32\ugijarot.ini
c:\windows\system32\ulspvodx.ini
c:\windows\system32\umatajaj.ini
c:\windows\system32\umedaver.ini
c:\windows\system32\unajabon.ini
c:\windows\system32\uyovuhul.ini
c:\windows\system32\vecbqfvr.ini
c:\windows\system32\vjnngjmq.ini
c:\windows\system32\weurafbv.ini
c:\windows\system32\wnpeitcg.ini
c:\windows\system32\xibvxswp.ini
c:\windows\system32\xokfwfke.ini
c:\windows\system32\xouijkwn.ini
c:\windows\system32\xvjuqomh.ini
c:\windows\system32\yamcjyda.ini
c:\windows\system32\ydawwopr.ini
c:\windows\system32\yefiaoch.ini
c:\windows\system32\yeunxuuh.ini
c:\windows\system32\yiowavfy.ini
c:\windows\system32\yvprgnpm.ini
c:\windows\system32\ywgybnhg.ini
c:\windows\Tasks\ybpqbzbg.job

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))
.

2009-05-26 02:35 . 2009-05-26 02:37 -------- d-----w c:\users\Brett\AppData\Local\temp
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w c:\users\Brett\AppData\Roaming\Malwarebytes
2009-05-23 03:51 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-23 03:51 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w c:\programdata\Malwarebytes
2009-05-22 10:20 . 2009-05-23 05:36 -------- d--h--w C:\$AVG8.VAULT$
2009-05-22 10:17 . 2009-05-22 10:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-22 10:17 . 2009-05-22 10:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-22 10:16 . 2009-05-22 10:16 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-22 10:16 . 2009-05-26 02:09 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-22 10:16 . 2009-05-22 10:16 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-22 10:16 . 2009-05-22 15:31 -------- d-----w c:\programdata\avg8
2009-05-22 10:16 . 2009-05-22 10:16 -------- d-----w c:\program files\AVG
2009-05-22 09:03 . 2009-05-22 09:03 -------- d-----w c:\users\Brett\AppData\Roaming\Yahoo!
2009-05-22 09:03 . 2009-05-22 09:03 -------- d-----w c:\program files\Yahoo!
2009-05-22 09:03 . 2009-05-22 09:25 -------- d-----w c:\users\Brett\AppData\Roaming\IObit
2009-05-22 09:03 . 2009-05-22 09:03 -------- d-----w c:\program files\IObit
2009-05-22 06:17 . 2009-05-22 06:17 -------- d-----w c:\users\Brett\AppData\Local\Opera
2009-05-22 06:17 . 2009-05-22 06:17 -------- d-----w c:\program files\Opera
2009-05-22 06:09 . 2009-05-22 06:09 -------- d-----w c:\program files\Avant Browser
2009-05-12 18:38 . 2009-05-12 18:38 -------- d-----w c:\users\Brett\AppData\Local\Xenocode
2009-05-11 02:24 . 2009-05-11 02:24 390664 ----a-w c:\users\Brett\AppData\Roaming\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-26 02:37 . 2008-12-28 07:34 -------- d-----w c:\programdata\VMware
2009-05-25 04:09 . 2008-06-07 09:46 -------- d-----w c:\programdata\McAfee
2009-05-22 09:39 . 2009-03-29 07:05 -------- d-----w c:\users\Brett\AppData\Roaming\DNA
2009-05-22 08:51 . 2009-03-29 07:05 -------- d-----w c:\program files\DNA
2009-05-22 04:29 . 2009-01-14 12:03 -------- d-----w c:\program files\DAP
2009-05-21 19:28 . 2009-01-14 12:03 -------- d-----w c:\programdata\SpeedBit
2009-05-21 05:36 . 2007-12-28 02:41 -------- d-----w c:\users\Brett\AppData\Roaming\BitTorrent
2009-04-02 16:37 . 2009-04-02 16:17 -------- d-----w c:\program files\PostgreSQL
2009-03-29 07:05 . 2009-03-29 07:05 -------- d-----w c:\program files\AskBarDis
2009-01-07 05:28 . 2009-01-07 05:34 248 ----a-w c:\program files\PokerStars
1601-01-01 00:12 . 1601-01-01 00:12 2713 --sh--w c:\windows\System32\hodewafe.exe
1601-01-01 00:12 . 1601-01-01 00:12 68233 --sha-w c:\windows\System32\karezabu.dll.tmp
2008-09-30 23:39 . 2008-09-30 23:39 61560 --sha-w c:\windows\System32\kigukaru.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 68233 --sha-w c:\windows\System32\rojideze.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 68233 --sha-w c:\windows\System32\siteyuwu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 0 --sh--w c:\windows\System32\yegiwude.exe
.

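The Find3M section of the ComboFix log above deserves a second look even after the MBAM cleanup. Several loose files in System32 carry 1601-01-01 timestamps (the origin of the Windows FILETIME epoch, so the timestamps were zeroed or forged), the hidden+system attributes, a `.dll.tmp` double extension, or a size of zero bytes, and rojideze.dll.tmp shares its name with the rojideze.dll entry in the AppInit_DLLs line of the HijackThis log. The script below is an added example, not ComboFix output and not ComboFix's own logic; it parses Find3M-style lines copied from the log above and flags those four traits. The cutoff year (anything before 1980 counts as an epoch timestamp), the attribute-letter meanings and the restriction of the hidden+system rule to System32 are assumptions made for the example.

```python
"""Flag suspicious entries in a ComboFix 'Find3M Report' listing.

Added example, not ComboFix code. Line format as seen in the log above:
    <mtime> . <ctime> <size|--------> <attrs> <path>
<attrs> is a 7-character string such as 'd-----w' or '--sha-w'
(d=directory, s=system, h=hidden, a=archive, w=writable); the letter
meanings are an assumption inferred from the visible entries.
"""
import re
from datetime import datetime

# Constructed sample: Find3M lines copied from the ComboFix log above.
SAMPLE_FIND3M = r"""
2009-05-26 02:37 . 2008-12-28 07:34 -------- d-----w c:\programdata\VMware
2009-01-07 05:28 . 2009-01-07 05:34 248 ----a-w c:\program files\PokerStars
1601-01-01 00:12 . 1601-01-01 00:12 2713 --sh--w c:\windows\System32\hodewafe.exe
1601-01-01 00:12 . 1601-01-01 00:12 68233 --sha-w c:\windows\System32\karezabu.dll.tmp
2008-09-30 23:39 . 2008-09-30 23:39 61560 --sha-w c:\windows\System32\kigukaru.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 68233 --sha-w c:\windows\System32\rojideze.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 0 --sh--w c:\windows\System32\yegiwude.exe
"""

LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[a-z-]{7}) (?P<path>.+)$"
)
EPOCH_YEAR_CUTOFF = 1980   # assumption: no file on an NTFS volume legitimately predates this
EXECUTABLE_EXT = (".exe", ".dll", ".sys")
DOUBLE_EXT_RE = re.compile(r"\.(exe|dll|sys)\.tmp$")


def parse_find3m(text):
    """Yield one dict per well-formed Find3M line; anything else is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield {
            "mtime": datetime.strptime(m["mtime"], "%Y-%m-%d %H:%M"),
            "ctime": datetime.strptime(m["ctime"], "%Y-%m-%d %H:%M"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "attrs": set(m["attrs"]) - {"-"},
            "path": m["path"],
        }


def reasons_for(entry):
    """Return the list of suspicious traits for one parsed entry (empty if none)."""
    out = []
    path_l = entry["path"].lower()
    name = path_l.rsplit("\\", 1)[-1]
    is_dir = "d" in entry["attrs"]
    if entry["mtime"].year < EPOCH_YEAR_CUTOFF or entry["ctime"].year < EPOCH_YEAR_CUTOFF:
        out.append("epoch timestamp (1601 = FILETIME origin): zeroed or forged")
    if not is_dir and {"s", "h"} <= entry["attrs"] and "\\system32\\" in path_l:
        out.append("system+hidden attributes on a loose System32 file")
    if DOUBLE_EXT_RE.search(name):
        out.append("double extension: executable image parked as .tmp")
    if not is_dir and entry["size"] == 0 and name.endswith(EXECUTABLE_EXT):
        out.append("zero-byte executable (placeholder or blocker file)")
    return out


def suspicious(text):
    """Map each flagged path to its list of reasons, in listing order."""
    flagged = {}
    for entry in parse_find3m(text):
        why = reasons_for(entry)
        if why:
            flagged[entry["path"]] = why
    return flagged


if __name__ == "__main__":
    for path, why in suspicious(SAMPLE_FIND3M).items():
        print(path)
        for r in why:
            print("   -", r)
```

On the sample the two legitimate entries (the VMware and PokerStars directories) pass, and all five System32 files are flagged; kigukaru.dll.tmp is caught purely by its attributes and double extension, since its 2008 timestamps look normal, which is why the rules are combined rather than relying on the epoch date alone.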

Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 26th May 2009, 2:49 am

and part 2:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-22 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Windows\\trlrm\\RMHSvc.exe"= c:\windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E5CD421A-9D50-45B2-9CFD-DAE0A4432F15}c:\\bittorrent\\bittorrent.exe"= UDP:c:\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{F368EE99-5A71-4ED2-A9E4-560577F60B4E}c:\\bittorrent\\bittorrent.exe"= TCP:c:\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{F808C861-6BAB-408A-A778-ACAE37E68090}c:\\emule\\emule.exe"= UDP:c:\emule\emule.exe:eMule Plus
"UDP Query User{EB792CF8-976D-42C8-A933-DDBC560396C4}c:\\emule\\emule.exe"= TCP:c:\emule\emule.exe:eMule Plus
"TCP Query User{24E97C82-81E8-469B-B07E-BA1B7E531ADB}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FB83DAFA-57CB-4F23-95E6-00E375A9FB22}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{90529498-38CE-4954-A851-C91F4EB2058C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4429C1D7-F636-4953-BE97-A645F7A4029F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B26F4811-EFB9-440A-AE95-4F54548EED7F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A66BC155-52B6-43BA-A906-3B4302FCB896}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E8396A2C-2FA5-46F1-BCB3-2198EB171A31}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7AA05208-0A07-4A41-9FCE-E41C355D2980}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FD2D05EA-67A7-40D8-B1AC-D8092B2E67D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{0F95E22D-61E3-4C24-BF40-E1783B42382B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{EE8134C8-F32F-4BF3-9DAD-172DD8944ECB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{29BF61D0-0C4E-4594-8980-4460DADF27C8}c:\\master plan 8\\mp8.exe"= UDP:c:\master plan 8\mp8.exe:Application file for MasterPlan 8
"UDP Query User{3F5553B1-1A7A-4157-91EB-686C41679642}c:\\master plan 8\\mp8.exe"= TCP:c:\master plan 8\mp8.exe:Application file for MasterPlan 8
"{628E87D1-C31A-4562-BFC1-825831F63400}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{C2E552E8-32CC-4BE2-B79D-DB5A104A0F45}c:\\users\\brett\\desktop\\tez, open me\\simpleclicker.exe"= UDP:c:\users\brett\desktop\tez, open me\simpleclicker.exe:simpleclicker.exe
"UDP Query User{B2362453-8AE9-4C3C-BE52-8B2F9F619639}c:\\users\\brett\\desktop\\tez, open me\\simpleclicker.exe"= TCP:c:\users\brett\desktop\tez, open me\simpleclicker.exe:simpleclicker.exe
"TCP Query User{24065BCA-3195-4783-BD49-C291D5F8EDE2}e:\\simpleclicker\\simpleclicker\\bin\\debug\\simpleclicker.vshost.exe"= UDP:e:\simpleclicker\simpleclicker\bin\debug\simpleclicker.vshost.exe:vshost.exe
"UDP Query User{32738523-C5A9-47D9-B820-5FA7B8DD94E4}e:\\simpleclicker\\simpleclicker\\bin\\debug\\simpleclicker.vshost.exe"= TCP:e:\simpleclicker\simpleclicker\bin\debug\simpleclicker.vshost.exe:vshost.exe
"{15D3ED12-C3A7-456F-8F74-33A9A0DAE0BD}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"TCP Query User{F6646AC7-9727-4425-AC11-C87BE0E53DCD}e:\\simpleclicker\\simpleclicker\\bin\\release\\simpleclicker.exe"= UDP:e:\simpleclicker\simpleclicker\bin\release\simpleclicker.exe:SimpleClicker
"UDP Query User{E26DA5B5-16DC-453C-B596-70CC14D4B26C}e:\\simpleclicker\\simpleclicker\\bin\\release\\simpleclicker.exe"= TCP:e:\simpleclicker\simpleclicker\bin\release\simpleclicker.exe:SimpleClicker
"TCP Query User{D3F968E1-82F8-400F-88EB-E35589A93E18}e:\\simpleclicker.exe"= UDP:E:\simpleclicker.exe:SimpleClicker
"UDP Query User{A2EBB8D7-C940-4DDB-928F-3C4B70A29E1B}e:\\simpleclicker.exe"= TCP:E:\simpleclicker.exe:SimpleClicker
"TCP Query User{1D04A97F-B5BA-4B11-8AE8-F25DB96BED80}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= UDP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"UDP Query User{0B2DE60E-CE77-4F78-94B6-26CA4E974C24}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= TCP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"TCP Query User{D673F2C2-2FDA-40DE-9506-87C69C683E24}c:\\users\\brett\\appdata\\local\\temp\\temp2_simple[1].zip\\simpleclicker.exe"= UDP:c:\users\brett\appdata\local\temp\temp2_simple[1].zip\simpleclicker.exe:simpleclicker.exe
"UDP Query User{38B410BE-0AEA-4EF0-9CB3-F07AEE7C7E4C}c:\\users\\brett\\appdata\\local\\temp\\temp2_simple[1].zip\\simpleclicker.exe"= TCP:c:\users\brett\appdata\local\temp\temp2_simple[1].zip\simpleclicker.exe:simpleclicker.exe
"TCP Query User{9C74F75C-5F9B-433C-8DA2-2DD464517498}c:\\bittorrent\\bittorrent.exe"= UDP:c:\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{D02AAA43-17BF-4817-94F2-738883115165}c:\\bittorrent\\bittorrent.exe"= TCP:c:\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{7C38D625-C8F0-4552-9492-CEE0BE20E9D3}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{B163BCAF-104C-4749-B8AF-A4B97D3C9CCF}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= TCP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
"{A3E6DEEB-56FA-4CC5-BC9A-6CF92B772CF1}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{3FFC5F20-C78B-42A0-A595-3432536048AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{34084ABD-743D-4238-BF60-0F90D8F2A79B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{252D2DD4-0C78-4B86-9EEE-B2B1C524C530}"= UDP:4662:EMule
"{531161D5-2D24-4688-B094-4F43D94E831D}"= UDP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{86711B4E-2198-446D-89CA-FE4D1D76FD97}"= TCP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{F6E47679-C3C0-4DEF-B6DA-7C952F5639DD}"= UDP:c:\windows\explorer.exe:explorer
"{47CA3B27-A729-426A-9CD8-88F89735BFD6}"= TCP:c:\windows\explorer.exe:explorer

.


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 26th May 2009, 2:50 am

Sorry, there needed to be a part 3 as well:

"{5BAB2C10-F90B-4668-9A02-05148C8D9774}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{08940A59-22E2-46D4-B42D-F79A0E64CADA}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{7F3D5E8E-2A58-400C-9CF8-8D34494F43F6}"= UDP:c:\windows\System32\WerFault.exe:WerFault
"{F1422890-456C-40A6-9862-DC0987908EDB}"= TCP:c:\windows\System32\WerFault.exe:WerFault
"{A29CC09A-BF11-459A-958F-65C2280A32AC}"= UDP:c:\windows\System32\SearchProtocolHost.exe:SearchProtocolHost
"{7ECC4F70-05EB-4085-B056-57F2B8829064}"= TCP:c:\windows\System32\SearchProtocolHost.exe:SearchProtocolHost
"{795D7EE2-3220-4B65-9A32-6E86A2A20821}"= UDP:c:\windows\System32\mobsync.exe:mobsync
"{7CB9D262-5DFF-4ECB-8BC1-035D3FB6D902}"= TCP:c:\windows\System32\mobsync.exe:mobsync
"{7878E0B8-5CD9-49BB-96C8-5A2A5DC81259}"= UDP:c:\program files\Windows Media Player\wmplayer.exe:wmplayer
"{E9728D1E-C1A6-4C8B-8122-67A24FB1B975}"= TCP:c:\program files\Windows Media Player\wmplayer.exe:wmplayer
"{3584ACE3-D79F-4261-8459-D00B68843274}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{A4A356CD-01A6-49EA-BF58-E38581FAE2EF}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{407BF7A5-D5B8-489A-AF0F-C7625E6DE975}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{2843474F-D905-459F-8269-BFAF40C6A293}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{E67FAD06-946B-4FDB-B32D-42F8E8033BD4}"= UDP:c:\program files\Windows Media Player\wmpnscfg.exe:wmpnscfg
"{8F352EA5-EF10-4BEF-B9D1-E64E963C7CB5}"= TCP:c:\program files\Windows Media Player\wmpnscfg.exe:wmpnscfg
"TCP Query User{F1CD1745-910E-4E34-B77F-9EAB6C8E0329}c:\\program files\\avant browser\\avant.exe"= UDP:c:\program files\avant browser\avant.exe:avant
"UDP Query User{1A163B63-8504-4FF2-B5B2-6C18CBF6018A}c:\\program files\\avant browser\\avant.exe"= TCP:c:\program files\avant browser\avant.exe:avant
"{EB172712-C64A-402D-9B2A-943816F4FEB4}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{533F4327-7D55-419B-98C6-9AE869FED06B}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{9EB36448-BD7A-434C-8377-87D2ED1971B4}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{F0F8B8C8-255C-4F8E-B3FD-5D60941AAF9F}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{4F878EBA-921E-41FF-B8F1-1A79E5C3A73A}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{C05CD42E-D2CF-4708-8BBC-CE36E3B905BB}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{FE2D3729-E60C-4275-A0B7-CE78E4C2819D}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{12C9E1E6-AE0E-439D-BFBB-8061017A67C0}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{3AC36108-A6BE-4769-AD7B-6920D64B00D8}"= UDP:c:\windows\explorer.exe:Explorer
"{5A0F7BAD-2571-4E0E-A881-BEA6EEEA34F3}"= TCP:c:\windows\explorer.exe:Explorer
"{7123220B-EDDB-4F14-9FE7-F4AC78FA7C14}"= UDP:c:\windows\System32\WerFault.exe:WerFault
"{082F2BF0-E951-4E1E-A340-A6164509273D}"= TCP:c:\windows\System32\WerFault.exe:WerFault
"{7A868AF3-2FAC-4F4E-BEB3-14BDE7C44AAC}"= UDP:c:\program files\McAfee.com\Agent\mcagent.exe:mcagent
"{D6516DA7-418B-48AE-ACF0-C93189F46F6F}"= TCP:c:\program files\McAfee.com\Agent\mcagent.exe:mcagent
"{631BA2A3-5BE3-46E9-B869-6F6245DD6C8B}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{F4BAA742-49AB-4E1A-B1E4-0E7E3B84232C}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{B40823D7-EE38-4873-9568-3E11B47A7700}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{59AA6CDD-A01C-4842-8304-67A01640EFF5}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{044D5DC6-43CE-4DF8-8CBD-2ED7464152DE}"= UDP:c:\program files\DAP\DAP.exe:DAP
"{E8CB687D-8470-4356-8501-4DC6E91ED92D}"= TCP:c:\program files\DAP\DAP.exe:DAP
"{80DA3833-D5DE-478F-9125-265790C4A018}"= UDP:c:\poker\MansionPoker\casino.exe:casino
"{9B34F354-36C2-4F84-86D6-95A4BB42CF4D}"= TCP:c:\poker\MansionPoker\casino.exe:casino
"{25281488-84FB-41BD-8F68-4641115C8B92}"= UDP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{50CD39A1-3822-4E8B-AC87-DEEDD26075E1}"= UDP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{C7D2DE5D-9212-46A4-90CA-631192E8D07C}"= TCP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{BE39B76E-782C-4B15-9A7D-6464E8D24919}"= TCP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{227F4FC6-C16C-4028-9BBA-E950C6B17062}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{4C3D57EF-FB77-4C90-BF18-F5A0CE73D3CE}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{03F63FD3-4458-47BF-92C5-897637A0B4FA}"= UDP:c:\windows\System32\dllhost.exe:DllHost
"{B9EC8067-A4E7-4F5E-B8DF-6669D8C38582}"= TCP:c:\windows\System32\dllhost.exe:DllHost
"{84771B69-FD43-467A-9994-76C156A681BE}"= UDP:c:\program files\Avant Browser\avant.exe:avant
"{42A6C9E1-1661-44B0-AF3D-D7A6E4E7995E}"= TCP:c:\program files\Avant Browser\avant.exe:avant
"{B3A30E7C-E6A1-44D1-BEF2-FC692E33E7A3}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{6CCECC76-1313-4BFC-9B7B-4E04286FA473}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{D90EB270-650A-4B12-87B1-94F78158D774}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{3165AD27-D509-4EF2-89CD-DCBD45436E51}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{D0EE4D6D-6B8C-4DD9-81EE-3AF0B310DF93}"= UDP:c:\poker\PokerAce Hud\PAHud.exe:PAHud
"{4BBF40A4-A0E5-447A-97A1-AFBF05307D65}"= TCP:c:\poker\PokerAce Hud\PAHud.exe:PAHud
"{A2073882-2761-42BF-913E-CBE2CA723B8F}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{BE4D9097-19FA-42F2-A142-C394816EBDB0}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{ED317998-95C8-40B5-ABA8-EFEA95F4A7D8}"= UDP:c:\bittorrent\bittorrent.exe:BitTorrent (TCP-In)
"{75000691-3DFC-46D1-97E8-066E20AC95A4}"= TCP:c:\bittorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{796290A1-D051-45A7-8CF3-1E053EC48ADE}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{A6D1FF25-A231-4687-86BF-7CA4185D6632}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{9F964F7D-0161-4E51-863B-A899CB1F708E}"= UDP:c:\program files\Internet Explorer\ieuser.exe:ieuser
"{2E5807F0-5DE2-40DD-8876-6EB3B91668D3}"= TCP:c:\program files\Internet Explorer\ieuser.exe:ieuser
"{A068C8D4-318A-423C-A12C-F64FEB849C48}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{F370B159-208E-4C6B-86E8-79C54F2C1EE3}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{2A005D3A-C311-4F29-BA99-FB27F55E262D}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{3DA3D4B4-F4D5-49F4-B9D1-F8AE2E88AF88}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{518138D7-539E-43F2-B65B-558590704F8D}"= UDP:80:SYS32DLL
"{C109AB73-9DA8-48AA-AD3E-AAD6F699A754}"= UDP:7171:SYS32DLL
"{BC4FC768-C2E6-4C44-BF73-9A20FF6A22DE}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{7EEF40C0-EC45-4E17-A957-7A8D4D39AE3B}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\BitTorrent\\bittorrent.exe"= c:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [5/22/2009 8:16 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [5/22/2009 8:17 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/22/2009 8:16 PM 298776]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe [1/30/2009 2:32 AM 94376]
R2 vmci;VMware vmci;c:\windows\System32\drivers\vmci.sys [10/28/2008 10:08 PM 54960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-05-26 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-05-22 11:22]

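An added example, written for this page and not code from the thread or from ComboFix: a small Python triage script for the `[...firewallpolicy\FirewallRules]` dump format posted above. It parses each rule into protocol, port, bound executable and display name, then flags the rules a reviewer would query: port-only rules, which any process on the box can bind (the two "SYS32DLL" entries on UDP/80 and UDP/7171 are the kind of thing to ask about, since no binary is tied to them and the name imitates a system component), and rules bound to binaries in temp or `.tmp` directories, which outlive the file they were created for. The sample lines are copied from the dumps in this thread; the transient-directory list and the decoy-name pattern are my own heuristics, not an authoritative list, and a hit means "check this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: rule lines copied from the ComboFix
# [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
# dumps posted in this thread. The VMware and svchost/rapimgr rules are the
# controls that should pass; the rest are the ones a reviewer would query.
SAMPLE_RULES = r'''
"{531161D5-2D24-4688-B094-4F43D94E831D}"= UDP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{A3E6DEEB-56FA-4CC5-BC9A-6CF92B772CF1}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{518138D7-539E-43F2-B65B-558590704F8D}"= UDP:80:SYS32DLL
"{C109AB73-9DA8-48AA-AD3E-AAD6F699A754}"= UDP:7171:SYS32DLL
"{252D2DD4-0C78-4B86-9EEE-B2B1C524C530}"= UDP:4662:EMule
"TCP Query User{1D04A97F-B5BA-4B11-8AE8-F25DB96BED80}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= UDP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"TCP Query User{7C38D625-C8F0-4552-9492-CEE0BE20E9D3}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
'''

# "NAME"= VALUE, as ComboFix prints each value under the FirewallRules key.
LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
PROTO_RE = re.compile(r'^(TCP|UDP):', re.IGNORECASE)
# A port is a leading number followed by ':' or '|' (e.g. "80:SYS32DLL", "6004|c:\...").
PORT_RE = re.compile(r'^(\d{1,5})(?=[:|]|$)')
# First drive- or %VAR%-rooted path ending in .exe; ':' and '|' delimit fields.
PATH_RE = re.compile(r'(?i)((?:[a-z]:|%[a-z]+%)\\[^:|]*?\.exe)')
# Assumed heuristic: directories a permanently installed binary should not live in.
TRANSIENT_DIRS = re.compile(r'(?i)\\(temp|tmp|desktop|downloads)\\|\.tmp\\')
# Assumed heuristic: display names that borrow the look of a Windows component.
DECOY_NAME = re.compile(r'(?i)sys(tem)?32|svchost|rundll|winlogon|csrss')


@dataclass
class Rule:
    name: str
    protocol: Optional[str]
    port: Optional[int]
    path: Optional[str]
    display: str
    user_unblocked: bool  # created through the "Unblock" prompt ("... Query User{GUID}..." names)


def parse_rule(line: str) -> Optional[Rule]:
    """Split one dump line into its fields; None for lines that are not rules."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, value = m.group('name'), m.group('value')
    protocol = None
    pm = PROTO_RE.match(value)
    if pm:
        protocol = pm.group(1).upper()
        value = value[pm.end():]
    portm = PORT_RE.match(value)
    port = int(portm.group(1)) if portm else None
    pathm = PATH_RE.search(value)
    path = pathm.group(1) if pathm else None
    display = value.rsplit(':', 1)[-1]
    return Rule(name, protocol, port, path, display, 'Query User' in name)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (rule name, reason) pairs for rules worth a second look."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if r.path is None and r.port is not None:
            # No binary bound: whatever listens on that port is allowed in.
            findings.append((r.name, f'port-only rule: any process may listen on {r.protocol}/{r.port}'))
        if r.path is None and DECOY_NAME.search(r.display):
            findings.append((r.name, f'display name "{r.display}" mimics a system component but no binary is bound'))
        if r.path and TRANSIENT_DIRS.search(r.path):
            findings.append((r.name, f'rule bound to a transient location: {r.path}'))
    return findings


if __name__ == '__main__':
    for rule_name, reason in triage(SAMPLE_RULES):
        print(f'{rule_name}: {reason}')
```

Paste a whole `FirewallRules` section in place of the sample and the script will pass over the ordinary per-application rules (Explorer, WerFault, iTunesHelper) and the svchost/rapimgr rule, which binds a real path on LocalSubnet only. What it surfaces is a checklist: the eMule port rule is legitimate if the user installed eMule, the LogMeIn Rescue rule is harmless but stale once the `.tmp` directory is gone, and a port-only rule with a fabricated system-sounding name is the one to chase back to whatever created it.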

Re: Help needed!! Infected with Trojan that I can't get rid of

Post by Origin on 27th May 2009, 12:39 am

I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitTorrent

Now open a new notepad file.
Input this into the notepad file:

File::
c:\program files\DNA
c:\users\Brett\AppData\Roaming\BitTorrent
c:\program files\AskBarDis
c:\windows\System32\hodewafe.exe
c:\windows\System32\karezabu.dll.tmp
c:\windows\System32\kigukaru.dll.tmp
c:\windows\System32\rojideze.dll.tmp
c:\windows\System32\siteyuwu.dll.tmp
c:\windows\System32\yegiwude.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.




Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 2nd June 2009, 7:29 am

OK, I've removed BitTorrent and done all that stuff with ComboFix. By the way, can I still run BitTorrent in a VM to isolate any possible bugs?

Here's the log file (part 1):

ComboFix 09-05-31.06 - Brett 06/02/2009 17:22.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1789.822 [GMT 10:00]
Running from: c:\users\Brett\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Brett\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\program files\AskBarDis"
"c:\program files\DNA"
"c:\users\Brett\AppData\Roaming\BitTorrent"
"c:\windows\System32\hodewafe.exe"
"c:\windows\System32\karezabu.dll.tmp"
"c:\windows\System32\kigukaru.dll.tmp"
"c:\windows\System32\rojideze.dll.tmp"
"c:\windows\System32\siteyuwu.dll.tmp"
"c:\windows\System32\yegiwude.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\hodewafe.exe
c:\windows\System32\karezabu.dll.tmp
c:\windows\System32\kigukaru.dll.tmp
c:\windows\System32\rojideze.dll.tmp
c:\windows\System32\siteyuwu.dll.tmp
c:\windows\System32\yegiwude.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-02 07:15 . 2009-06-02 07:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-02 07:15 . 2009-06-02 07:15 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-02 07:15 . 2009-06-02 07:15 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-02 07:15 . 2009-06-02 07:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-02 07:15 . 2009-06-02 07:17 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-30 07:58 . 2009-05-30 07:58 -------- d-----w- c:\users\Brett\AppData\Local\Adobe
2009-05-28 12:01 . 2009-05-28 12:01 -------- d-----w- c:\program files\Common Files\PCSuite
2009-05-27 13:19 . 2009-05-27 13:17 33642704 ----a-w- c:\programdata\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Nokia_PC_Suite_7_1_18_0_eng_web.exe
2009-05-27 13:19 . 2009-05-27 13:19 8192 ----a-w- c:\programdata\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-27 13:19 . 2009-05-27 13:19 61440 ----a-w- c:\programdata\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-27 13:19 . 2009-05-27 13:19 10240 ----a-w- c:\programdata\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-27 13:02 . 2009-05-27 13:02 9624 ----a-w- c:\users\Brett\AppData\Roaming\Microsoft\IdentityCRL\Production\WLIDClientConfig.dll
2009-05-27 13:00 . 2009-05-27 13:46 -------- d-----w- c:\program files\Microsoft Phone Data Manager
2009-05-27 12:16 . 2009-05-27 12:16 -------- d-----w- c:\programdata\Nokia
2009-05-27 12:13 . 2009-02-08 21:37 91136 ----a-w- c:\windows\system32\nmwcdcls.dll
2009-05-27 12:13 . 2009-05-28 12:01 -------- d-----w- c:\program files\Common Files\Nokia
2009-05-27 12:13 . 2009-05-27 13:20 -------- d-----w- c:\program files\Nokia
2009-05-27 12:13 . 2009-05-27 12:10 24376008 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_en.exe
2009-05-27 12:13 . 2009-05-27 12:13 3351812 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-05-27 12:13 . 2009-05-27 12:13 36864 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-05-27 12:13 . 2009-05-27 12:13 3181612 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-05-27 12:12 . 2009-05-28 11:56 -------- d-----w- c:\programdata\Installations
2009-05-26 03:30 . 2009-06-01 06:38 -------- d-----w- c:\program files\Bodog Hand Grabber
2009-05-26 02:35 . 2009-06-02 07:24 -------- d-----w- c:\users\Brett\AppData\Local\temp
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w- c:\users\Brett\AppData\Roaming\Malwarebytes
2009-05-23 03:51 . 2009-04-06 05:32 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-23 03:51 . 2009-04-06 05:32 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w- c:\programdata\Malwarebytes
2009-05-22 10:16 . 2009-06-02 07:15 -------- d-----w- c:\programdata\avg8
2009-05-22 10:16 . 2009-05-22 10:16 -------- d-----w- c:\program files\AVG
2009-05-22 09:03 . 2009-05-22 09:03 -------- d-----w- c:\users\Brett\AppData\Roaming\Yahoo!
2009-05-22 09:03 . 2009-05-27 13:47 -------- d-----w- c:\program files\Yahoo!
2009-05-22 09:03 . 2009-05-22 09:25 -------- d-----w- c:\users\Brett\AppData\Roaming\IObit
2009-05-22 09:03 . 2009-05-22 09:03 -------- d-----w- c:\program files\IObit
2009-05-22 06:17 . 2009-05-22 06:17 -------- d-----w- c:\users\Brett\AppData\Local\Opera
2009-05-22 06:17 . 2009-05-30 08:36 -------- d-----w- c:\program files\Opera
2009-05-22 06:09 . 2009-05-22 06:09 -------- d-----w- c:\program files\Avant Browser
2009-05-12 18:38 . 2009-05-12 18:38 -------- d-----w- c:\users\Brett\AppData\Local\Xenocode
2009-05-11 02:24 . 2009-05-11 02:24 390664 ----a-w- c:\users\Brett\AppData\Roaming\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-02 07:18 . 2007-12-28 02:41 -------- d-----w- c:\users\Brett\AppData\Roaming\BitTorrent
2009-06-01 04:17 . 2008-12-28 07:34 -------- d-----w- c:\programdata\VMware
2009-05-30 08:13 . 2008-01-02 01:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 12:00 . 2009-05-28 12:00 -------- d-----w- c:\program files\PC Connectivity Solution
2009-05-28 12:00 . 2009-05-28 12:00 8192 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-05-28 12:00 . 2009-05-28 12:00 61440 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-05-28 12:00 . 2009-05-28 12:00 10240 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-05-28 11:56 . 2009-05-28 12:00 34396584 ----a-w- c:\programdata\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_eng.exe
2009-05-27 13:48 . 2008-04-15 02:28 -------- d-----w- c:\programdata\Apple Computer
2009-05-27 13:24 . 2009-05-27 13:21 -------- d-----w- c:\users\Brett\AppData\Roaming\Nokia
2009-05-27 13:21 . 2009-05-27 13:21 -------- d-----w- c:\users\Brett\AppData\Roaming\PC Suite
2009-05-27 13:21 . 2009-05-27 13:21 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2009-05-27 13:21 . 2009-05-27 13:21 -------- d-----w- c:\programdata\PC Suite
2009-05-27 13:19 . 2009-05-27 13:19 -------- d-----w- c:\program files\DIFX
2009-05-27 12:21 . 2009-05-27 12:21 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-05-25 04:09 . 2008-06-07 09:46 -------- d-----w- c:\programdata\McAfee
2009-05-22 09:39 . 2009-03-29 07:05 -------- d-----w- c:\users\Brett\AppData\Roaming\DNA
2009-05-22 08:51 . 2009-03-29 07:05 -------- d-----w- c:\program files\DNA
2009-05-22 04:29 . 2009-01-14 12:03 -------- d-----w- c:\program files\DAP
2009-05-21 19:28 . 2009-01-14 12:03 -------- d-----w- c:\programdata\SpeedBit
2009-01-07 05:28 . 2009-01-07 05:34 248 ----a-w- c:\program files\PokerStars


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 2nd June 2009, 7:30 am

part 2:

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-27 12:13 . 2009-05-27 12:13 82432 c:\windows\winsxs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6\msxml4r.dll
+ 2007-12-28 00:15 . 2009-06-01 04:23 40548 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-01 04:23 53214 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-27 14:42 . 2009-06-01 04:23 13452 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1605357410-2887970040-4068907240-1000_UserData.bin
+ 2003-04-18 06:29 . 2003-04-18 06:29 82432 c:\windows\System32\msxml4r.dll
+ 2009-05-28 12:00 . 2008-08-26 00:26 18816 c:\windows\System32\DRVSTORE\pccsmcfd_A3B3916E5D8138F59EE218321B27B044D3B18294\pccsmcfd.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 22016 c:\windows\System32\DriverStore\FileRepository\ccdcmbo.inf_2e6733fd\ccdcmbo.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 91136 c:\windows\System32\DriverStore\FileRepository\ccdcmb.inf_2f2c2f96\nmwcdcls.dll
+ 2009-02-08 21:37 . 2009-02-08 21:37 17664 c:\windows\System32\DriverStore\FileRepository\ccdcmb.inf_2f2c2f96\ccdcmb.sys
+ 2008-05-21 20:36 . 2008-01-19 05:53 28160 c:\windows\System32\drivers\usbser.sys
+ 2009-05-27 13:19 . 2008-08-26 00:26 18816 c:\windows\System32\drivers\pccsmcfd.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 22016 c:\windows\System32\drivers\ccdcmbo.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 17664 c:\windows\System32\drivers\ccdcmb.sys
- 2007-12-27 14:39 . 2009-05-25 10:15 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-12-27 14:39 . 2009-06-02 07:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-27 14:39 . 2009-05-25 10:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-27 14:39 . 2009-06-02 07:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-27 14:39 . 2009-05-25 10:15 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-12-27 14:39 . 2009-06-02 07:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2003-03-18 09:05 . 2003-03-18 09:05 89088 c:\windows\System32\atl71.dll
+ 2009-05-28 12:00 . 2009-05-28 12:00 10134 c:\windows\Installer\{B7CB0BF3-791E-44D3-9F04-786E36D51C9D}\ARPPRODUCTICON.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 10134 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\ARPPRODUCTICON.exe
+ 2009-05-28 12:01 . 2009-05-28 12:01 15086 c:\windows\Installer\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\ARPPRODUCTICON.exe
- 2006-11-02 10:25 . 2008-12-28 07:39 86016 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-05-28 12:01 86016 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-05-28 12:01 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2008-12-28 07:39 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-05-28 12:01 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2008-12-28 07:39 51200 c:\windows\inf\infpub.dat
+ 2007-12-28 00:41 . 2009-05-31 15:46 2784 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2007-12-28 00:41 . 2009-05-25 04:08 2784 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-03-19 03:48 . 2009-03-19 03:48 8320 c:\windows\System32\DriverStore\FileRepository\nmwcdnsuc.inf_775ee8ae\nmwcdnsuc.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 7808 c:\windows\System32\DriverStore\FileRepository\ccdcmbm.inf_8833b7fb\usbser_lowerflt.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 7808 c:\windows\System32\DriverStore\FileRepository\ccdcmbcj.inf_92c2785d\usbser_lowerfltj.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 7808 c:\windows\System32\drivers\usbser_lowerfltj.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 7808 c:\windows\System32\drivers\usbser_lowerflt.sys
+ 2009-06-01 04:16 . 2009-06-01 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-01 04:16 . 2009-06-01 04:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-27 12:13 . 2009-05-27 12:13 8854 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Uninstall_QA_OTI_H_FE5D756F71E147C4972AD6775344B40B.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 8854 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NewShortcut3_F30B5B541F7D4207BF3032ED8CAF6640.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 8854 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NewShortcut2_1C7B7089989A424FB39D41A32581C775.exe
+ 2009-05-27 12:14 . 2009-05-27 12:14 3262 c:\windows\Installer\{82427977-8776-4087-90CA-9F65174D3C4D}\ARPPRODUCTICON.exe
+ 2009-05-27 13:00 . 2009-05-27 13:00 655872 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcr90.dll
+ 2009-05-27 13:00 . 2009-05-27 13:00 572928 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcp90.dll
+ 2009-05-27 13:00 . 2009-05-27 13:00 225280 c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.1_none_e163563597edeada\msvcm90.dll
+ 2009-05-27 13:00 . 2009-05-27 13:00 161784 c:\windows\winsxs\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.1_none_e29d1181971ae11e\ATL90.dll
+ 2007-12-28 06:26 . 2009-06-02 02:59 220126 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-05-25 18:27 601034 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-05-30 08:05 601034 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-05-25 18:27 103198 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-05-30 08:05 103198 c:\windows\System32\perfc009.dat
+ 2009-02-08 21:37 . 2009-02-08 21:37 659968 c:\windows\System32\nmwcdcocls.dll
+ 2008-10-29 02:24 . 2008-10-29 02:24 831048 c:\windows\System32\DriverStore\FileRepository\pccswpddriver.inf_c3b6da58\WudfUpdate_01005.dll
+ 2008-10-29 02:29 . 2008-10-29 02:29 531968 c:\windows\System32\DriverStore\FileRepository\pccswpddriver.inf_c3b6da58\PCCSWpdDriver.dll
+ 2009-03-19 03:48 . 2009-03-19 03:48 136704 c:\windows\System32\DriverStore\FileRepository\nmwcdnsu.inf_d0db9399\nmwcdnsu.sys
+ 2009-02-08 21:37 . 2009-02-08 21:37 659968 c:\windows\System32\DriverStore\FileRepository\ccdcmb.inf_2f2c2f96\nmwcdcocls.dll
+ 2009-05-27 13:58 . 2009-05-27 13:58 210952 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-05-30 08:14 . 2009-05-30 08:14 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 458752 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NewShortcut20_F7578A24A4B240E4BA057EF931EB25B5.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 458752 c:\windows\Installer\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NewShortcut16_F7578A24A4B240E4BA057EF931EB25B5.exe
+ 2009-05-27 12:13 . 2009-05-27 12:13 1233920 c:\windows\winsxs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d\msxml4.dll
+ 2009-02-08 21:32 . 2009-02-08 21:32 1112288 c:\windows\System32\wdfcoinstaller01007.dll
- 2006-11-02 10:22 . 2009-05-22 10:16 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2009-05-27 13:58 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2003-04-18 06:46 . 2003-04-18 06:46 1233920 c:\windows\System32\msxml4.dll
+ 2009-02-08 21:32 . 2009-02-08 21:32 1112288 c:\windows\System32\DriverStore\FileRepository\ccdcmb.inf_2f2c2f96\wdfcoinstaller01007.dll
+ 2008-04-15 02:32 . 2009-05-27 13:00 145809489 c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-02 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Windows\\trlrm\\RMHSvc.exe"= c:\windows\trlrm\RMHSvc.exe:*:Enabled:RMHSvc.exe


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 2nd June 2009, 7:31 am

part 3:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{E5CD421A-9D50-45B2-9CFD-DAE0A4432F15}c:\\bittorrent\\bittorrent.exe"= UDP:c:\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{F368EE99-5A71-4ED2-A9E4-560577F60B4E}c:\\bittorrent\\bittorrent.exe"= TCP:c:\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{F808C861-6BAB-408A-A778-ACAE37E68090}c:\\emule\\emule.exe"= UDP:c:\emule\emule.exe:eMule Plus
"UDP Query User{EB792CF8-976D-42C8-A933-DDBC560396C4}c:\\emule\\emule.exe"= TCP:c:\emule\emule.exe:eMule Plus
"TCP Query User{24E97C82-81E8-469B-B07E-BA1B7E531ADB}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FB83DAFA-57CB-4F23-95E6-00E375A9FB22}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{90529498-38CE-4954-A851-C91F4EB2058C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4429C1D7-F636-4953-BE97-A645F7A4029F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B26F4811-EFB9-440A-AE95-4F54548EED7F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A66BC155-52B6-43BA-A906-3B4302FCB896}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E8396A2C-2FA5-46F1-BCB3-2198EB171A31}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7AA05208-0A07-4A41-9FCE-E41C355D2980}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FD2D05EA-67A7-40D8-B1AC-D8092B2E67D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{29BF61D0-0C4E-4594-8980-4460DADF27C8}c:\\master plan 8\\mp8.exe"= UDP:c:\master plan 8\mp8.exe:Application file for MasterPlan 8
"UDP Query User{3F5553B1-1A7A-4157-91EB-686C41679642}c:\\master plan 8\\mp8.exe"= TCP:c:\master plan 8\mp8.exe:Application file for MasterPlan 8
"{628E87D1-C31A-4562-BFC1-825831F63400}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{C2E552E8-32CC-4BE2-B79D-DB5A104A0F45}c:\\users\\brett\\desktop\\tez, open me\\simpleclicker.exe"= UDP:c:\users\brett\desktop\tez, open me\simpleclicker.exe:simpleclicker.exe
"UDP Query User{B2362453-8AE9-4C3C-BE52-8B2F9F619639}c:\\users\\brett\\desktop\\tez, open me\\simpleclicker.exe"= TCP:c:\users\brett\desktop\tez, open me\simpleclicker.exe:simpleclicker.exe
"TCP Query User{24065BCA-3195-4783-BD49-C291D5F8EDE2}e:\\simpleclicker\\simpleclicker\\bin\\debug\\simpleclicker.vshost.exe"= UDP:e:\simpleclicker\simpleclicker\bin\debug\simpleclicker.vshost.exe:vshost.exe
"UDP Query User{32738523-C5A9-47D9-B820-5FA7B8DD94E4}e:\\simpleclicker\\simpleclicker\\bin\\debug\\simpleclicker.vshost.exe"= TCP:e:\simpleclicker\simpleclicker\bin\debug\simpleclicker.vshost.exe:vshost.exe
"{15D3ED12-C3A7-456F-8F74-33A9A0DAE0BD}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"TCP Query User{F6646AC7-9727-4425-AC11-C87BE0E53DCD}e:\\simpleclicker\\simpleclicker\\bin\\release\\simpleclicker.exe"= UDP:e:\simpleclicker\simpleclicker\bin\release\simpleclicker.exe:SimpleClicker
"UDP Query User{E26DA5B5-16DC-453C-B596-70CC14D4B26C}e:\\simpleclicker\\simpleclicker\\bin\\release\\simpleclicker.exe"= TCP:e:\simpleclicker\simpleclicker\bin\release\simpleclicker.exe:SimpleClicker
"TCP Query User{D3F968E1-82F8-400F-88EB-E35589A93E18}e:\\simpleclicker.exe"= UDP:E:\simpleclicker.exe:SimpleClicker
"UDP Query User{A2EBB8D7-C940-4DDB-928F-3C4B70A29E1B}e:\\simpleclicker.exe"= TCP:E:\simpleclicker.exe:SimpleClicker
"TCP Query User{1D04A97F-B5BA-4B11-8AE8-F25DB96BED80}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= UDP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"UDP Query User{0B2DE60E-CE77-4F78-94B6-26CA4E974C24}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= TCP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"TCP Query User{D673F2C2-2FDA-40DE-9506-87C69C683E24}c:\\users\\brett\\appdata\\local\\temp\\temp2_simple[1].zip\\simpleclicker.exe"= UDP:c:\users\brett\appdata\local\temp\temp2_simple[1].zip\simpleclicker.exe:simpleclicker.exe
"UDP Query User{38B410BE-0AEA-4EF0-9CB3-F07AEE7C7E4C}c:\\users\\brett\\appdata\\local\\temp\\temp2_simple[1].zip\\simpleclicker.exe"= TCP:c:\users\brett\appdata\local\temp\temp2_simple[1].zip\simpleclicker.exe:simpleclicker.exe
"TCP Query User{9C74F75C-5F9B-433C-8DA2-2DD464517498}c:\\bittorrent\\bittorrent.exe"= UDP:c:\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{D02AAA43-17BF-4817-94F2-738883115165}c:\\bittorrent\\bittorrent.exe"= TCP:c:\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{7C38D625-C8F0-4552-9492-CEE0BE20E9D3}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{B163BCAF-104C-4749-B8AF-A4B97D3C9CCF}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= TCP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
"{A3E6DEEB-56FA-4CC5-BC9A-6CF92B772CF1}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{3FFC5F20-C78B-42A0-A595-3432536048AB}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{34084ABD-743D-4238-BF60-0F90D8F2A79B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{252D2DD4-0C78-4B86-9EEE-B2B1C524C530}"= UDP:4662:EMule
"{531161D5-2D24-4688-B094-4F43D94E831D}"= UDP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{86711B4E-2198-446D-89CA-FE4D1D76FD97}"= TCP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{F6E47679-C3C0-4DEF-B6DA-7C952F5639DD}"= UDP:c:\windows\explorer.exe:explorer
"{47CA3B27-A729-426A-9CD8-88F89735BFD6}"= TCP:c:\windows\explorer.exe:explorer
"{5BAB2C10-F90B-4668-9A02-05148C8D9774}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{08940A59-22E2-46D4-B42D-F79A0E64CADA}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{7F3D5E8E-2A58-400C-9CF8-8D34494F43F6}"= UDP:c:\windows\System32\WerFault.exe:WerFault
"{F1422890-456C-40A6-9862-DC0987908EDB}"= TCP:c:\windows\System32\WerFault.exe:WerFault
"{A29CC09A-BF11-459A-958F-65C2280A32AC}"= UDP:c:\windows\System32\SearchProtocolHost.exe:SearchProtocolHost
"{7ECC4F70-05EB-4085-B056-57F2B8829064}"= TCP:c:\windows\System32\SearchProtocolHost.exe:SearchProtocolHost
"{795D7EE2-3220-4B65-9A32-6E86A2A20821}"= UDP:c:\windows\System32\mobsync.exe:mobsync
"{7CB9D262-5DFF-4ECB-8BC1-035D3FB6D902}"= TCP:c:\windows\System32\mobsync.exe:mobsync
"{7878E0B8-5CD9-49BB-96C8-5A2A5DC81259}"= UDP:c:\program files\Windows Media Player\wmplayer.exe:wmplayer
"{E9728D1E-C1A6-4C8B-8122-67A24FB1B975}"= TCP:c:\program files\Windows Media Player\wmplayer.exe:wmplayer
"{3584ACE3-D79F-4261-8459-D00B68843274}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{A4A356CD-01A6-49EA-BF58-E38581FAE2EF}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{407BF7A5-D5B8-489A-AF0F-C7625E6DE975}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{2843474F-D905-459F-8269-BFAF40C6A293}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{E67FAD06-946B-4FDB-B32D-42F8E8033BD4}"= UDP:c:\program files\Windows Media Player\wmpnscfg.exe:wmpnscfg
"{8F352EA5-EF10-4BEF-B9D1-E64E963C7CB5}"= TCP:c:\program files\Windows Media Player\wmpnscfg.exe:wmpnscfg
"TCP Query User{F1CD1745-910E-4E34-B77F-9EAB6C8E0329}c:\\program files\\avant browser\\avant.exe"= UDP:c:\program files\avant browser\avant.exe:avant
"UDP Query User{1A163B63-8504-4FF2-B5B2-6C18CBF6018A}c:\\program files\\avant browser\\avant.exe"= TCP:c:\program files\avant browser\avant.exe:avant
"{EB172712-C64A-402D-9B2A-943816F4FEB4}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{533F4327-7D55-419B-98C6-9AE869FED06B}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{9EB36448-BD7A-434C-8377-87D2ED1971B4}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{F0F8B8C8-255C-4F8E-B3FD-5D60941AAF9F}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{4F878EBA-921E-41FF-B8F1-1A79E5C3A73A}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{C05CD42E-D2CF-4708-8BBC-CE36E3B905BB}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{FE2D3729-E60C-4275-A0B7-CE78E4C2819D}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{12C9E1E6-AE0E-439D-BFBB-8061017A67C0}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{3AC36108-A6BE-4769-AD7B-6920D64B00D8}"= UDP:c:\windows\explorer.exe:Explorer
"{5A0F7BAD-2571-4E0E-A881-BEA6EEEA34F3}"= TCP:c:\windows\explorer.exe:Explorer
"{7123220B-EDDB-4F14-9FE7-F4AC78FA7C14}"= UDP:c:\windows\System32\WerFault.exe:WerFault
"{082F2BF0-E951-4E1E-A340-A6164509273D}"= TCP:c:\windows\System32\WerFault.exe:WerFault
"{7A868AF3-2FAC-4F4E-BEB3-14BDE7C44AAC}"= UDP:c:\program files\McAfee.com\Agent\mcagent.exe:mcagent
"{D6516DA7-418B-48AE-ACF0-C93189F46F6F}"= TCP:c:\program files\McAfee.com\Agent\mcagent.exe:mcagent
"{631BA2A3-5BE3-46E9-B869-6F6245DD6C8B}"= UDP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{F4BAA742-49AB-4E1A-B1E4-0E7E3B84232C}"= TCP:c:\program files\Common Files\Real\Update_OB\realsched.exe:realsched
"{B40823D7-EE38-4873-9568-3E11B47A7700}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{59AA6CDD-A01C-4842-8304-67A01640EFF5}"= TCP:c:\windows\System32\rundll32.exe:rundll32
"{044D5DC6-43CE-4DF8-8CBD-2ED7464152DE}"= UDP:c:\program files\DAP\DAP.exe:DAP
"{E8CB687D-8470-4356-8501-4DC6E91ED92D}"= TCP:c:\program files\DAP\DAP.exe:DAP
"{80DA3833-D5DE-478F-9125-265790C4A018}"= UDP:c:\poker\MansionPoker\casino.exe:casino
"{9B34F354-36C2-4F84-86D6-95A4BB42CF4D}"= TCP:c:\poker\MansionPoker\casino.exe:casino
"{25281488-84FB-41BD-8F68-4641115C8B92}"= UDP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{50CD39A1-3822-4E8B-AC87-DEEDD26075E1}"= UDP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{C7D2DE5D-9212-46A4-90CA-631192E8D07C}"= TCP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{BE39B76E-782C-4B15-9A7D-6464E8D24919}"= TCP:c:\program files\Microsoft Office\Office12\GrooveMonitor.exe:GrooveMonitor
"{227F4FC6-C16C-4028-9BBA-E950C6B17062}"= UDP:c:\windows\System32\dwm.exe:Dwm
"{4C3D57EF-FB77-4C90-BF18-F5A0CE73D3CE}"= TCP:c:\windows\System32\dwm.exe:Dwm
"{03F63FD3-4458-47BF-92C5-897637A0B4FA}"= UDP:c:\windows\System32\dllhost.exe:DllHost
"{B9EC8067-A4E7-4F5E-B8DF-6669D8C38582}"= TCP:c:\windows\System32\dllhost.exe:DllHost
"{84771B69-FD43-467A-9994-76C156A681BE}"= UDP:c:\program files\Avant Browser\avant.exe:avant
"{42A6C9E1-1661-44B0-AF3D-D7A6E4E7995E}"= TCP:c:\program files\Avant Browser\avant.exe:avant
"{B3A30E7C-E6A1-44D1-BEF2-FC692E33E7A3}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{6CCECC76-1313-4BFC-9B7B-4E04286FA473}"= UDP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{D90EB270-650A-4B12-87B1-94F78158D774}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{3165AD27-D509-4EF2-89CD-DCBD45436E51}"= TCP:c:\program files\iTunes\iTunesHelper.exe:iTunesHelper
"{D0EE4D6D-6B8C-4DD9-81EE-3AF0B310DF93}"= UDP:c:\poker\PokerAce Hud\PAHud.exe:PAHud
"{4BBF40A4-A0E5-447A-97A1-AFBF05307D65}"= TCP:c:\poker\PokerAce Hud\PAHud.exe:PAHud
"{A2073882-2761-42BF-913E-CBE2CA723B8F}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{BE4D9097-19FA-42F2-A142-C394816EBDB0}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{ED317998-95C8-40B5-ABA8-EFEA95F4A7D8}"= UDP:c:\bittorrent\bittorrent.exe:BitTorrent (TCP-In)
"{75000691-3DFC-46D1-97E8-066E20AC95A4}"= TCP:c:\bittorrent\bittorrent.exe:BitTorrent (UDP-In)
"TCP Query User{796290A1-D051-45A7-8CF3-1E053EC48ADE}c:\\program files\\dna\\btdna.exe"= UDP:c:\program files\dna\btdna.exe:DNA
"UDP Query User{A6D1FF25-A231-4687-86BF-7CA4185D6632}c:\\program files\\dna\\btdna.exe"= TCP:c:\program files\dna\btdna.exe:DNA
"{9F964F7D-0161-4E51-863B-A899CB1F708E}"= UDP:c:\program files\Internet Explorer\ieuser.exe:ieuser
"{2E5807F0-5DE2-40DD-8876-6EB3B91668D3}"= TCP:c:\program files\Internet Explorer\ieuser.exe:ieuser
"{A068C8D4-318A-423C-A12C-F64FEB849C48}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{F370B159-208E-4C6B-86E8-79C54F2C1EE3}"= UDP:c:\windows\System32\taskeng.exe:taskeng
"{2A005D3A-C311-4F29-BA99-FB27F55E262D}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{3DA3D4B4-F4D5-49F4-B9D1-F8AE2E88AF88}"= TCP:c:\windows\System32\taskeng.exe:taskeng
"{518138D7-539E-43F2-B65B-558590704F8D}"= UDP:80:SYS32DLL
"{C109AB73-9DA8-48AA-AD3E-AAD6F699A754}"= UDP:7171:SYS32DLL
"TCP Query User{8EA4DA28-97A8-4C7A-AEF9-9AE96E5D2A15}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{B244FFA6-87F7-4CBC-9852-4D40A1EA4017}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{9348FBBC-D07F-46B3-B9D5-E49B7AE0F769}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{31E8B6CC-04DC-4C6F-8537-6BE637B21E4D}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"{F05F19E8-EACC-4274-B4C8-B76F97358E1E}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{5FC77CA0-0253-4A67-B257-D6413EF9A86D}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

brett_814
Novice
Posts: 11
Joined: 2009-05-23
OS: Vista Business
Points: 27573
Likes: 0


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by brett_814 on 2nd June 2009, 7:31 am

and part 4:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\BitTorrent\\bittorrent.exe"= c:\bittorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [6/2/2009 5:15 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [6/2/2009 5:15 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/2/2009 5:15 PM 298776]
R2 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe [1/30/2009 2:32 AM 94376]
R2 vmci;VMware vmci;c:\windows\System32\drivers\vmci.sys [10/28/2008 10:08 PM 54960]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGLDX86

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2009-06-01 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-05-22 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-02 17:24
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-02 17:25
ComboFix-quarantined-files.txt 2009-06-02 07:25
ComboFix2.txt 2009-05-26 02:43

Pre-Run: 105,192,091,648 bytes free
Post-Run: 105,246,867,456 bytes free

357 --- E O F --- 2008-11-26 16:00
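The two ComboFix sections above are the parts of the log a reviewer actually reads for network exposure: the condensed FirewallRules dump in the previous post (rules of the form `"{GUID}"= PROTO:program-or-port:name`, or `"TCP Query User{GUID}path"= ...` for prompts the user answered) and the StandardProfile block in part 4, where `"EnableFirewall"= 0` means the Windows Firewall is switched off for that profile. The script below is an added example written for this page, not ComboFix's or the forum's code: it parses that condensed format from a constructed sample of eight lines copied from the dump plus the StandardProfile block, and flags three things a practitioner looks for first: the firewall being disabled, port-only rules with no program bound (the `SYS32DLL` entries on UDP 80 and 7171, `EMule` on 4662), rules bound to a generic host process such as `rundll32.exe` without a `Svc=` scope, and programs that were allowed through from a temp or `.tmp`/`.zip` scratch path. The host-process list and the temp-path markers are my review heuristics, not something ComboFix emits, and a hit is a reason to look at the binary, not proof that it is malicious.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: eight lines copied from the condensed ComboFix firewall-rule
# dump above plus the StandardProfile block from part 4 (an excerpt, not the log).
SAMPLE_RULES = r'''
"TCP Query User{1D04A97F-B5BA-4B11-8AE8-F25DB96BED80}c:\\users\\brett\\appdata\\local\\temp\\temp1_simple[1].zip\\simple.exe"= UDP:c:\users\brett\appdata\local\temp\temp1_simple[1].zip\simple.exe:simple.exe
"TCP Query User{7C38D625-C8F0-4552-9492-CEE0BE20E9D3}c:\\windows\\lmie4d2.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmie4d2.tmp\lmi_rescue.exe:LogMeIn Rescue
"{A3E6DEEB-56FA-4CC5-BC9A-6CF92B772CF1}"= UDP:990:LocalSubnet:LocalSubnet|IF={75CC6176-2661-45DC-A79C-4560E42EA6B5}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:@%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{34084ABD-743D-4238-BF60-0F90D8F2A79B}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{252D2DD4-0C78-4B86-9EEE-B2B1C524C530}"= UDP:4662:EMule
"{5BAB2C10-F90B-4668-9A02-05148C8D9774}"= UDP:c:\windows\System32\rundll32.exe:rundll32
"{518138D7-539E-43F2-B65B-558590704F8D}"= UDP:80:SYS32DLL
"{C109AB73-9DA8-48AA-AD3E-AAD6F699A754}"= UDP:7171:SYS32DLL
'''
SAMPLE_PROFILE = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
'''

# Review heuristics assumed here (mine, not ComboFix's).  These binaries run code
# on behalf of others, so an exception bound to one covers whatever it loads.
HOST_PROCESSES = {"svchost.exe", "rundll32.exe", "dllhost.exe", "explorer.exe",
                  "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Path fragments that mean the program was launched from a scratch location.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", ".tmp\\", ".zip\\")
RULE_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.+)$')
PORT_RE = re.compile(r'^(?P<port>\d+):(?P<rest>.*)$')
APP_RE = re.compile(r'^(?P<app>.+?\.exe):(?P<name>.*)$', re.IGNORECASE)

@dataclass
class FirewallRule:
    key: str
    proto: Optional[str]            # TCP/UDP as written on the value side of '='
    app: Optional[str]              # bound program; None for a port-only rule
    port: Optional[int]             # port for a port-only rule
    name: str
    service: Optional[str] = None   # Svc= scope of an svchost rule

def parse_rule(line: str) -> Optional[FirewallRule]:
    """Parse one condensed FirewallRules line; None if it is not one."""
    m = RULE_RE.match(line.strip())
    if not m or "{" not in m.group("key"):
        return None
    key, value = m.group("key"), m.group("value")
    proto = None
    if value[:4].upper() in ("TCP:", "UDP:"):
        proto, value = value[:3].upper(), value[4:]
    pm = PORT_RE.match(value)
    if pm:  # port-only form; the svchost variant appends |IF=..|program|Svc=..
        fields = pm.group("rest").split("|")
        app = next((f for f in fields if f.lower().endswith(".exe")), None)
        svc = next((f[4:].split(":")[0] for f in fields if f.lower().startswith("svc=")), None)
        return FirewallRule(key, proto, app, int(pm.group("port")), fields[0].split(":")[-1], svc)
    am = APP_RE.match(value)
    if am:
        return FirewallRule(key, proto, am.group("app"), None, am.group("name"))
    return None

def audit_rule(rule: FirewallRule) -> List[str]:
    """Findings for one rule; an empty list means nothing stood out."""
    if rule.app is None:
        return [f"{rule.name}: {rule.proto or '?'} port {rule.port} is open to any program, no binary bound"]
    lower = rule.app.lower()
    base = lower.rsplit("\\", 1)[-1]
    findings = []
    if base in HOST_PROCESSES and not rule.service:
        findings.append(f"{rule.name}: exception on generic host process {base} covers any code it loads")
    if any(marker in lower for marker in TEMP_MARKERS):
        findings.append(f"{rule.name}: program runs from a temporary location ({rule.app})")
    return findings

def parse_profiles(text: str) -> dict:
    """Numeric values per [...firewallpolicy\\<Profile>] section."""
    profiles, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        sec = re.match(r"^\[.*firewallpolicy\\(\w+)\]$", s, re.IGNORECASE)
        if sec:
            current = sec.group(1)
            profiles.setdefault(current, {})
            continue
        val = re.match(r'^"(\w+)"=\s*(\d+)', s)
        if val and current is not None:
            profiles[current][val.group(1)] = int(val.group(2))
    return profiles

def audit_profiles(profiles: dict) -> List[str]:
    return [f"{p}: EnableFirewall=0, the Windows Firewall is off for this profile"
            for p, v in profiles.items() if v.get("EnableFirewall") == 0]

def audit_log(rules_text: str, profile_text: str) -> List[str]:
    """Profile findings first, then one entry per notable rule, in log order."""
    findings = audit_profiles(parse_profiles(profile_text))
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            findings.extend(audit_rule(rule))
    return findings

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_RULES, SAMPLE_PROFILE):
        print("-", finding)
```

Run as-is it reports seven items for the sample: the disabled StandardProfile, the two exceptions granted to executables under the user's temp folder and under `c:\windows\lmie4d2.tmp`, the three port-only rules, and the unscoped `rundll32.exe` exception. The `svchost.exe` rule on UDP 990 is not flagged because it carries a `Svc=rapimgr` scope and is limited to LocalSubnet. To run it over the whole log, feed the full FirewallRules section as `rules_text` and the `firewallpolicy` sections as `profile_text`; the parser ignores lines that are not in the condensed rule format.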


Re: Help needed!! Infected with Trojan that I can't get rid of

Post by Belahzur on 2nd June 2009, 4:16 pm

Hello.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

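The list Belahzur asks for is built from the registry keys behind Add/Remove Programs. As an added example for this page (not HijackThis code and not part of the requested procedure), the same list can be pulled directly, which is useful when the tool will not run or when you want more than the names. It assumes PowerShell 2.0 or later is available on the machine; the second part, which singles out entries with no publisher or with an uninstall command living outside Program Files or Windows, is my own triage heuristic.

```powershell
# Added example (not HijackThis code): build the installed-programs list from
# the registry keys behind Add/Remove Programs.  Assumes PowerShell 2.0+.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # absent on 32-bit
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString, PSChildName |
    Sort-Object DisplayName -Unique

# Names only, one per line: the same shape as the list the post asks for.
$out = Join-Path $env:USERPROFILE 'Desktop\uninstall_list.txt'
$entries | ForEach-Object { $_.DisplayName } | Set-Content -Path $out
Write-Host "$(@($entries).Count) entries written to $out"

# Extra triage the plain list does not give (my heuristic): entries with no
# publisher, or whose uninstall command lives outside Program Files / Windows.
$entries | Where-Object {
    -not $_.Publisher -or
    ($_.UninstallString -and
     $_.UninstallString -notmatch '(?i)\\(Program Files( \(x86\))?|Windows)\\')
} | Format-Table DisplayName, Publisher, UninstallString -AutoSize
```

The first output is what you would paste into the thread; the table at the end is for the person reading it, since a program with no publisher whose uninstaller sits in a temp or user directory is worth a closer look before anything is removed.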
