Trojan Horse Generic8.yaf (c:\windows\system32\compstu.dll)


  • This topic is locked
31 replies to this topic

#1 SPUNKY3174

SPUNKY3174

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 02 June 2008 - 12:34 AM

Hey there... I am utilizing AVG antivirus as my main AV. I also am currently running Spyware Terminator as well as occasionally running the AVG rootkit program. The problem is that AVG keeps locating a virus and lists the following: OBJECT: C:\Windows\System32\compstu.dll RESULT: Trojan horse Generic8.YAF STATUS: Infected. I downloaded MBAM and utilized it. This did clean out the "house"; however, it did not see the compstu.dll, and as a matter of fact I don't even recall having seen it scan the file as I observed the entire process. Also of note, I started Windows in safe mode and ran MBAM as well as my AV program, but I am still getting the box popping up telling me there is a virus warning giving me the same info I gave above. When I try to heal it or move it to the vault the computer says it needs to be rebooted to complete the operation. The only problem is that no matter how many times I reboot the system, the file is always there when I come back. Can anyone PLEASE help me out with this problem? It seems to be the last barrier to a nice clean computer home!!!

Thanks in advance for any and all help!

Buggy in Florida :thumbsup:


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:15 AM

Posted 02 June 2008 - 01:16 AM

Try a scan with SuperAntiSpyware in Safe Mode. You'll have to download, install it and update the definitions in Normal Mode first.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Blast12345

Blast12345

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 02 June 2008 - 01:20 AM

If it won't go away, 2 things could also be causing it.

1. Really bad, it may have rooted into your registry and regenerates itself when missing.

2. What you are using isn't powerful enough. Try http://fileforum.betanews.com/detail/Spybo...oy/1043809773/1 and when installed use the file shredder (drag and drop) and move the overwrite tab to the right.


If you still have problems I may know somebody who can help. Add me to your Windows Live or whatever xxx@xxx if it persists.

Edited by usasma, 02 June 2008 - 05:16 AM.
Edited email address out


Apocalypse Productions Graphics (not on google)


#4 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 02 June 2008 - 01:31 AM

Ok... I just downloaded it, so now I am going to do as you suggested and update, and then reboot to safe mode to try and use it... Wish me luck :thumbsup:

#5 Blast12345

Blast12345

  • Members
  • 6 posts
  • OFFLINE
  • Local time:09:15 AM

Posted 02 June 2008 - 02:11 AM

yep, hope it helps.



#6 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 02 June 2008 - 11:51 AM

As recommended, I downloaded SAS, installed, and ran. The program found the problems; however, they are still present even after the reboot to get rid of them. Also, it identified the pest differently. This time it was recognized as Trojan.Download-GEN/N_BHO. This thing is driving me nutz!!



#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:15 AM

Posted 02 June 2008 - 04:11 PM

Hello, you didn't mention your operating system; is it XP?
Please also do this: IF XP or 2000, run a scan with SDFix.
How to use SDFix

When using this tool, you must use the Administrator's account or an account with "Administrative rights".
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#8 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 02 June 2008 - 05:56 PM

Hi! Oops, forgot to mention that one... I'm running XP with SP2. Thanks, I will try that as soon as I get home tonight. Also, as a side note, I just wanted to mention that I DL'ed HijackThis in case it is eventually needed. No, I have not used it.

Thanks,

da buggy one


#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:15 AM

Posted 02 June 2008 - 09:12 PM

OK, that's good. Do not run or post HJT unless requested, thanks.

#10 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 03 June 2008 - 01:06 AM

Well... Doesn't look good. Ran SDFix and it found a file it claimed to be Trojan related, but it left all other virus related stuff and it is still driving me batty... :thumbsup: In the meantime I guess I will sit back and observe my computer's viral tenants as I await the next possible eviction possibility... I only wish that I had a way of collecting rent... :flowers:




#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,403 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:15 AM

Posted 03 June 2008 - 10:01 AM

Would you kindly post the SDFix report. It can be found as follows:
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt.

#12 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 03 June 2008 - 10:52 AM

Ok here's the log...


SDFix: Version 1.187
Run by Toni too on Tue 06/03/2008 at 12:09 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\removalfile.bat - Deleted




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 00:26:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe"="C:\\Program Files\\Firefly Studios\\CivCity Rome\\CivCity Rome.exe:*:Enabled:CivCity Rome"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\toni\\Application Data\\U3\\0000151C476068D1\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe"="C:\\Documents and Settings\\toni\\Application Data\\U3\\0000151C476068D1\\0DE4F643-C398-46ec-9339-2362F2311932\\Exec\\Skype.exe:*:Enabled:Skype"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\Program Files\\Selectsoft\\Mahjongg Platinum 2\\mahjongg.exe"="C:\\Program Files\\Selectsoft\\Mahjongg Platinum 2\\mahjongg.exe:*:Enabled:mahjongg"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\DOCUME~1\\toni\\LOCALS~1\\Temp\\win9A4.tmp.exe"="C:\\DOCUME~1\\toni\\LOCALS~1\\Temp\\win9A4.tmp.exe:*:Enabled:win9A4.tmp"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\WINDOWS\\system32\\vwpvqebk.exe"="C:\\WINDOWS\\system32\\vwp"
"C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"="C:\\Program Files\\Dell\\MediaDirect\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\crwuhhqy.exe"="C:\\WINDOWS\\system32\\crw"
"C:\\WINDOWS\\system32\\qphkkgnw.exe"="C:\\WINDOWS\\system32\\qph"
"C:\\WINDOWS\\system32\\dwuyyoli.exe"="C:\\WINDOWS\\system32\\dwu"
"C:\\WINDOWS\\system32\\ppemslbl.exe"="C:\\WINDOWS\\system32\\ppe"
"C:\\WINDOWS\\system32\\rtmjfppb.exe"="C:\\WINDOWS\\system32\\rtm"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe"="C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 4 Jan 2007 88 A.SHR --- "C:\i386\B313F36A30.sys"
Thu 4 Jan 2007 2,828 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Fri 29 Feb 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Sun 11 May 2008 88 ..SHR --- "C:\WINDOWS\system32\B313F36A30.sys"
Sun 11 May 2008 2,828 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 8 Jul 2007 1,850,241 A.SH. --- "C:\WINDOWS\system32\oqtwa.tmp"
Tue 16 Oct 2007 436,790 A.SH. --- "C:\WINDOWS\system32\oqtwa.bak2"
Wed 16 May 2007 629 A.SH. --- "C:\WINDOWS\system32\utstv.tmp"
Fri 19 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 14 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Fri 29 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
Sat 13 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"

Finished!
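
As an added example for this thread (it is not code from SDFix, AVG, MBAM or any of the posters), the Python below reads an "Authorized Application Key Export" section like the one in the report above and flags the entries a removal helper would want to review first: values that are cut short (the vwp/crw/qph/dwu/ppe/rtm entries above lack the usual path:scope:Enabled:name tail), programs allowed from a Temp directory, a generic host process such as rundll32.exe on the allow-list, and unfamiliar lowercase names in system32. The sample export is constructed in the shape of the report, and the small allow-list of known system32 binaries is an illustrative assumption, not a real baseline; the heuristics are triage aids to decide what to look at next, not verdicts.

```python
"""Triage the "Authorized Application Key Export" section of an SDFix Report.txt.

Added example; not part of SDFix or any other tool named in the thread. The export
is in Windows .reg format: one "key"="value" line per allowed program, where the
value is normally "path:scope:Enabled|Disabled:display name".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One "key"="value" line of a .reg export (backslashes are doubled in that format).
ENTRY_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumption: a short, illustrative allow-list of Windows binaries that live in
# system32 and have plain lowercase names. A real baseline would be taken from a
# clean install of the same OS and service pack.
KNOWN_SYSTEM32 = {"sessmgr", "dxdiag", "dpnsvr", "dpvsetup", "services",
                  "winlogon", "userinit", "svchost", "spoolsv", "wuauclt"}

# Host processes that run other code: allowing them through the firewall
# effectively allows every DLL they load.
HOST_PROCESSES = {"rundll32", "regsvr32", "svchost"}

# Constructed sample in the same shape as the report above (not the full log).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\DOCUME~1\\toni\\LOCALS~1\\Temp\\win9A4.tmp.exe"="C:\\DOCUME~1\\toni\\LOCALS~1\\Temp\\win9A4.tmp.exe:*:Enabled:win9A4.tmp"
"C:\\WINDOWS\\system32\\vwpvqebk.exe"="C:\\WINDOWS\\system32\\vwp"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
'''


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _unescape(s: str) -> str:
    """Undo the doubled backslashes of a .reg export."""
    return s.replace("\\\\", "\\")


def parse_entries(export_text: str) -> list[tuple[str, str]]:
    """Return (program path, raw value) pairs; the [key] header and blanks are skipped."""
    entries = []
    for line in export_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def split_value(path: str, value: str):
    """Split 'path:scope:status:name' into (scope, status, name).

    Returns None when the value does not repeat the path or is cut short, which
    is what the truncated system32 entries in the report look like.
    """
    prefix = path + ":"
    if not value.lower().startswith(prefix.lower()):
        return None
    parts = value[len(prefix):].split(":", 2)
    return tuple(parts) if len(parts) == 3 else None


def triage_export(export_text: str) -> list[Finding]:
    """Flag allow-list entries that deserve a closer look; one Finding per reason."""
    findings = []
    for path, value in parse_entries(export_text):
        low = path.lower()
        stem = re.sub(r"\.exe$", "", low.rsplit("\\", 1)[-1])
        in_system32 = "\\system32\\" in low
        if split_value(path, value) is None:
            findings.append(Finding(path, "truncated or malformed value"))
        if "\\temp\\" in low:
            findings.append(Finding(path, "executable runs from a Temp directory"))
        if in_system32 and stem in HOST_PROCESSES:
            findings.append(Finding(path, "generic host process is allowed through the firewall"))
        elif in_system32 and re.fullmatch(r"[a-z]{6,}", stem) and stem not in KNOWN_SYSTEM32:
            findings.append(Finding(path, "unfamiliar lowercase name in system32"))
    return findings


if __name__ == "__main__":
    for f in triage_export(SAMPLE_EXPORT):
        print(f"{f.reason:55} {f.path}")
```

Run against the sample, the script reports the truncated vwpvqebk.exe entry twice (malformed value and unfamiliar name), the rundll32.exe allow-list entry, and the win9A4.tmp.exe program in the user's Temp folder, while avgcc.exe, the disabled sessmgr.exe and iTunes.exe pass. Anything flagged is a candidate for checking the file's publisher signature and hash and for removing the firewall exception, not proof of infection.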

#13 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 03 June 2008 - 08:30 PM

ok... I guess you are as stumped as I am about this... :thumbsup:

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:15 AM

Posted 03 June 2008 - 09:14 PM

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

download the atf cleaner

update SAS and MBAM

disconnect from the internet (physically pull the cable or disable wireless)

Use MBAM, then reboot into safe mode, run the ATF cleaner and SAS

stay out of limewire

post both logs

Edited by DaChew, 03 June 2008 - 09:15 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#15 SPUNKY3174

SPUNKY3174
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:15 AM

Posted 04 June 2008 - 11:44 AM

Ok, ran everything you said, but I can't find a SAS log from me running it last night. The last one I can find is from the night before. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.14
Database version: 820

1:14:20 AM 6/4/2008
mbam-log-6-4-2008 (01-14-20).txt

Scan type: Quick Scan
Objects scanned: 46863
Time elapsed: 9 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Unfortunately, I can tell you my system is still buggy as the Compstu.dll file is still in my Windows/system32/ directory... As for Limewire, that hasn't been messed with since some time last year (had I been the only one using my laptop it NEVER would have been used). Anyhow, on the MBAM, I only ran a quick scan. I was planning on running a complete scan, but quite honestly, I am VERY confused on why the programs either can't see the file or they can't get rid of the file... Argh!!! Ok... I think I will go and try to figure out where my log for SAS went. Does me logging in as Admin in safe mode have anything to do with why the log is MIA?
