Post #16 - Dec 3 2008, 05:52 PM - Billy3 (HJT Team Coach; Posts: 8,509; Joined: 17-January 08; From: Northfield, Ohio; Member No.: 184,215)
Billy3
--------------------
The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM.
Have I helped you? If so, please consider a donation (by clicking this link).
And that means I solve problems. Not problems like "What is beauty?" .. 'cause that would fall under the purview of your conundrums of philosophy....
Post #17 - Dec 3 2008, 09:38 PM - WarBlade (Member; Posts: 18; Joined: 13-October 05; Member No.: 37,137)
OK, here is the ComboFix log. I did notice that just before ComboFix rebooted the machine, in the little window it was working in, the message about the sort.exe came up once. Then after it rebooted it came up several times while it was producing the log. So after a long and eagerly anticipated viewing, here ya go.
ComboFix 08-11-29.03 - Courtney 2008-12-03 20:37:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.86 [GMT -5:00]
Running from: c:\documents and settings\Courtney.HOME-R1DHX7MSQF\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_Psyche
-------\Legacy_PsycheEnqueue
-------\Legacy_RESTORE

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 19:52 314 --sha-w c:\windows\system32\HhjTwGgh.ini2
2008-02-16 11:05 183,865 --sha-w c:\windows\system32\wybay.ini2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-11-02 36864]
"Logitech Desktop Messenger"="c:\program files\Logitech\Desktop Messenger\8876480\Users\Courtney\NewVersion\setup-8876480.exe" [2006-07-11 467827]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="c:\windows\System32\LVCOMSX.EXE" [2008-11-02 221184]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-01-18 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2008-11-02 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-14 1234712]
"C-Media Mixer"="Mixer.exe" [2001-09-13 c:\windows\mixer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7hnxx.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-kczrgvgeyxuagqwip - c:\windows\system32\xzxffwzmof.dll
ShellExecuteHooks-{AEA4DE5E-37ED-4A91-A883-6D8953A84614} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.youtube.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
c:\windows\Downloaded Program Files\xpreload.ocx
- O16 -: {17DF9D0D-036E-424B-98D7-A41E4CE783EF}
ms-its:mhtml:file://c:\\nores.mht!hxxp://adxcnet.net/code/chm/xpre.chm::/xpreload.ocx
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 20:43:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\windows\system32\snmp.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgemc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-12-03 20:46:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 01:46:38

Pre-Run: 11,218,112,512 bytes free
Post-Run: 11,238,584,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

100 --- E O F --- 2008-11-19 01:20:08
Post #18 - Dec 6 2008, 05:01 PM - Billy3 (HJT Team Coach)
Before running a new scan, let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.
Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop. Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Billy3
Post #19 - Dec 6 2008, 10:16 PM - WarBlade (Member)
Hey Billy,
Thanks so far, and here is that file ya asked for.
WarBlade
Attached File(s)
Post #20 - Dec 6 2008, 10:59 PM - Billy3 (HJT Team Coach)
Hello
I'm sorry for all the running around... I'm still trying to figure out what's happening with sort.exe on this system. Please do an online scan with Kaspersky WebScanner.
Billy3
Post #21 - Dec 8 2008, 06:53 AM - WarBlade (Member)
Billy,
Here's the requested log.
http://www.kaspersky.com/kos/eng/partner/u...n=1228703434480
WarBlade
Post #22 - Dec 8 2008, 04:40 PM - WarBlade (Member)
Billy,
I see that link doesn't give you a report. I will rerun and see if I can find a different way to copy it for you. Sorry about that. The format that it came up in didn't allow me to copy and paste.
WarBlade
Post #23 - Dec 8 2008, 09:18 PM - WarBlade (Member)
OK, here we go.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 19:30:54
Records in database: 1444449
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 49582
Threat name: 1
Infected objects: 0
Suspicious objects: 4
Duration of the scan: 02:02:18

File name / Threat name / Threats count
C:\ComboFix.txt Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Courtney.HOME-R1DHX7MSQF\Desktop\Bleeping Computer 11-12-08\combofix.txt Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Courtney.HOME-R1DHX7MSQF\Desktop\New Text Document.txt Suspicious: Exploit.HTML.Mht 1
C:\Program Files\Trend Micro\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht 1

The selected area was scanned.
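The Kaspersky report in the post above lists four "Suspicious" objects and no "Infected" ones, and all four paths are plain-text logs produced during this cleanup (ComboFix.txt, combofix.txt, New Text Document.txt, hijackthis.log). The following is an added example, not a tool from the thread, from BleepingComputer or from Kaspersky: it parses a report of this shape, cross-checks the summary counters against the detail lines, and separates suspicious hits that sit inside text logs from anything that would still need action. Two things are this example's own assumptions rather than facts from the page: the detection-line format `<path> <Infected|Suspicious>: <threat> <count>`, and the triage rule that a "Suspicious" hit in a `.txt`/`.log` file is the log quoting a detection string rather than an infection. The embedded REPORT text is copied from the post above.

```python
"""Triage a Kaspersky Online Scanner 7 text report (added example).

Assumptions made by this example, not stated on the page:
  * a detection line looks like  <path> <Infected|Suspicious>: <threat> <count>
  * a 'Suspicious' hit inside a plain-text cleanup log (.txt/.log) is treated
    as the log quoting a detection string, not as an active infection.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Report text copied from the forum post; raw string keeps the backslashes.
REPORT = r"""
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 8, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 08, 2008 19:30:54
Records in database: 1444449
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 49582
Threat name: 1
Infected objects: 0
Suspicious objects: 4
Duration of the scan: 02:02:18

File name / Threat name / Threats count
C:\ComboFix.txt Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Courtney.HOME-R1DHX7MSQF\Desktop\Bleeping Computer 11-12-08\combofix.txt Suspicious: Exploit.HTML.Mht 1
C:\Documents and Settings\Courtney.HOME-R1DHX7MSQF\Desktop\New Text Document.txt Suspicious: Exploit.HTML.Mht 1
C:\Program Files\Trend Micro\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht 1

The selected area was scanned.
"""

# One detection line; the path may contain spaces, so it is matched lazily
# up to the verdict keyword.  Drive-only lines such as "C:\" do not match.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Assumed rule: text logs written by cleanup tools are not executable content.
TEXT_LOG_SUFFIXES = {".txt", ".log"}


def parse_stats(report):
    """Return the integer counters from the 'Scan statistics' block."""
    stats = {}
    for key in ("Files scanned", "Threat name", "Infected objects", "Suspicious objects"):
        m = re.search(rf"^{re.escape(key)}:\s*(\d+)\s*$", report, re.M)
        if m:
            stats[key] = int(m.group(1))
    return stats


def parse_hits(report):
    """Return one dict per detection line (path, verdict, threat, count)."""
    hits = []
    for line in report.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "verdict": m.group("verdict"),
                         "threat": m.group("threat"), "count": int(m.group("count"))})
    return hits


def triage(report):
    """Cross-check the summary against the detail lines, then bucket hits into
    'infected' (needs action), 'log_artifact' (suspicious hit inside a text
    log) and 'review' (suspicious hit in any other file type)."""
    stats = parse_stats(report)
    hits = parse_hits(report)

    # A pasted report whose summary disagrees with its detail lines was
    # truncated or reformatted; refuse to call such a report clean.
    by_verdict = Counter(h["verdict"] for h in hits)
    consistent = (
        by_verdict.get("Infected", 0) == stats.get("Infected objects", 0)
        and by_verdict.get("Suspicious", 0) == stats.get("Suspicious objects", 0)
        and len({h["threat"] for h in hits}) == stats.get("Threat name", 0)
    )

    infected, log_artifact, review = [], [], []
    for h in hits:
        suffix = PureWindowsPath(h["path"]).suffix.lower()
        if h["verdict"] == "Infected":
            infected.append(h["path"])
        elif suffix in TEXT_LOG_SUFFIXES:
            log_artifact.append(h["path"])
        else:
            review.append(h["path"])

    return {"consistent": consistent, "infected": infected,
            "log_artifact": log_artifact, "review": review,
            "clean": consistent and not infected and not review}


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Run on the report from this thread, `triage` reports the summary as consistent, puts all four hits in `log_artifact`, leaves `infected` and `review` empty, and returns `clean` as true, which matches the coach's reading of the scan in the next post. A hit in anything other than a `.txt`/`.log` file would land in `review` and block the clean verdict.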
Post #24 - Dec 8 2008, 09:56 PM - Billy3 (HJT Team Coach)
Alright... that scan's clean. How are things running?
Billy3
Post #25 - Dec 8 2008, 10:14 PM - WarBlade (Member)
All things considered (size of the proc and small amount of RAM), not too bad.
Thanks so much
WarBlade
Post #26 - Dec 9 2008, 05:27 PM - Billy3 (HJT Team Coach)
Hello, WarBlade
Congratulations! You now appear clean! Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance. If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware

We Need to Remove ComboFix

We Need to Clean Up Our Mess

Recommendations
Below are some recommendations to lower your chances of (re)infection.
Billy3
Post #27 - Dec 12 2008, 08:40 PM - Billy3 (HJT Team Coach)
Hello, WarBlade
Since this issue appears resolved, this topic has been closed. If you need this topic reopened, please send me or another moderator a PM. Everyone else please begin a new topic.
BillyIII