TR\Dldr.Gadja.A.2 Trojan and SVCHOST Bad Image

Hi,
My machine has been infected with TR\Dldr.Gadja.A.2 Trojan in C:\Documents and Settings\user\Local Settings\Temp\in3.temp.

Also my system flashes the following messages when I boot it -
SVCHOST - Bad Image
C:\Windows\System32\digeste.dll not a valid Windows Image
C:\Windows\System32\mcenspc.dll not a valid Windows Image

I am attaching the DDS files and latest HJT.
Please help me clean the machine.

Best regards,
Yps

There is one more warning:
c:\Windows\system32\amstreamm.dll - TR/Wundo.Gen

Regards,
Yps

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K

Hi,
I have attached the DDS and Attach files as required.
Please advice further course of action.
Best regards,
Yps

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
• Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
• If you did not have it installed, you will see the prompt below. Choose YES.
  
  
  
• When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  
• When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2

• Right click on GMER.zip and select "Extract All".
• Close all other open programs as there is a slight chance your computer will crash.
• Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
• You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
• Leaving the settings at default, click Scan.
• When the scan is complete, click Save and save the log onto your desktop.

Please include the log in your next reply.

---

In your next reply include:
-the ComboFix log
-the GMER scan log


With Regards,
The Panda

Hi,
I have attached the GMER and Combofix Logs as directed.
Regards,
Yps

ComboFix 09-03-23.01 - User 2009-03-24 17:01:25.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.460 [GMT 5.5:30]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\pthreadGC2.dll
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://vestepau.cn
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCLOCATORTHEMES
-------\Service_RpcLocatorThemes


((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-24 12:49 . 2009-03-24 12:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-24 12:49 . 2009-03-24 12:49 1,409 --a------ c:\windows\QTFont.for
2009-03-11 21:14 . 2009-03-11 21:14 <DIR> d-------- c:\program files\Cucusoft
2009-03-11 21:14 . 2009-03-11 21:37 <DIR> d-------- C:\ConverterOutput
2009-03-11 21:14 . 2006-07-08 04:07 114,688 --a------ c:\windows\system32\PropListCtrl.ocx
2009-03-11 21:14 . 2008-08-31 11:59 92,102 --a------ c:\windows\system32\HKCU_GNU.reg
2009-03-11 21:14 . 2006-07-17 21:42 14,909 --a------ c:\windows\system32\A_reg.reg
2009-03-11 21:14 . 2008-06-15 21:13 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-11 21:14 . 2008-06-17 10:57 6,700 --a------ c:\windows\system32\HKLM_GNU.reg
2009-03-11 21:14 . 2008-06-15 21:13 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-03-11 21:14 . 2008-06-15 10:01 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-08 22:05 . 2009-03-11 11:45 88 --a-s---- c:\windows\system32\336962256.dat
2009-03-08 22:04 . 2004-08-04 00:56 24,576 --a------ c:\windows\system32\stu2.exe
2009-02-24 10:27 . 2009-02-24 10:27 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-24 10:27 . 2009-02-24 10:27 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-24 10:23 . 2009-03-20 09:58 <DIR> d-------- c:\program files\SpywareGuard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 11:34 --------- d-----w c:\documents and settings\User\Application Data\OpenOffice.org2
2009-03-07 10:11 --------- d-----w c:\documents and settings\User\Application Data\dvdcss
2009-02-24 05:14 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-24 05:12 --------- d-----w c:\program files\SpywareBlaster
2009-02-24 04:57 --------- d-----w c:\program files\Java
2009-02-18 16:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-16 17:25 71,215 ----a-w c:\program files\IMG_2287.JPG
2009-02-16 13:50 --------- d-----w c:\program files\PCFriendly
2009-02-11 04:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 04:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-01 14:34 --------- d-----w c:\program files\Mozilla Sunbird
2009-01-31 10:21 --------- d-----w c:\program files\Zoom Player
2009-01-30 07:28 --------- d-----w c:\program files\Google
2009-01-24 08:26 --------- d-----w c:\program files\Audible
2009-01-24 08:10 --------- d--h--w c:\program files\Creative Installation Information
2009-01-24 08:10 --------- d-----w c:\program files\Creative
2009-01-24 08:04 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Creative
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-28 07:51 1,202,136 ----a-w c:\program files\IMG_2226.JPG
.

------- Sigcheck -------

2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\system32\dllcache\tcpip.sys
2004-08-03 23:14 359040 1745b00fc1141404b28f4b94f69a8871 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-02-16_19.29.31.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 05:27:10 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
+ 2005-10-20 14:32:28 163,328 ----a-w c:\windows\erdnt\subs\ERDNT.EXE
- 2007-09-24 17:00:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-02-24 04:57:23 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-24 17:00:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-24 04:57:23 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-24 18:01:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-24 04:57:23 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-10-31 11:17:18 1,536 ----a-w c:\windows\system32\TrueSoft.dat
+ 2009-03-12 14:20:13 1,536 ----a-w c:\windows\system32\TrueSoft.dat
- 2006-04-18 22:30:22 245,408 ----a-w c:\windows\system32\unicows.dll
+ 2008-06-15 04:31:00 258,352 ----a-w c:\windows\system32\unicows.dll
- 2009-02-14 18:21:15 22,528 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-03 19:26:58 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-03-24 11:34:15 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-06-20 4538368]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-03-26 413775]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-12 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-18 279912]
"VX1000"="c:\windows\vVX1000.exe" [2007-04-11 709992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-24 148888]
"nwiz"="nwiz.exe" [2005-10-10 c:\windows\system32\nwiz.exe]

c:\documents and settings\Ipbleepa\Start Menu\Programs\Startup\
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-08-29 360448]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2006-08-09 18944]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Nokia Device Manager.lnk - c:\program files\Nokia\PC Suite for the Nokia 6708\Device Manager\audevicemgr.exe [2006-03-20 802304]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-08-09 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

R2 VenturiClient;Venturi Client;c:\program files\Speed+\Client\VentC.exe [2007-10-23 2475360]
R3 komiceb;Nokia 6708 Cable Emulation Bus (WDM);c:\windows\system32\drivers\komiceb.sys [2007-11-13 41792]
R3 sit_bus;SIT_1x_usbmodem Device;c:\windows\system32\drivers\sit_bus.sys [2007-04-17 22144]
R3 sit_flt;SUNGIL USB Filter Service;c:\windows\system32\drivers\sit_flt.sys [2007-04-18 4352]
R3 sit_mdm;SIT_1x_usbmodem ;c:\windows\system32\drivers\sit_mdm.sys [2007-04-17 39680]
R3 sit_prt;SIT_1x_usbmodem Port;c:\windows\system32\drivers\sit_prt.sys [2007-04-17 38656]
R3 vwinter;Venturi Wireless Intercepter;c:\windows\system32\drivers\vwinter.sys [2007-10-23 47392]
R3 vwredir;Venturi Wireless Redirector;c:\windows\system32\drivers\vwredir.sys [2007-10-23 85792]
S3 komibus;Nokia 6708 Composite Device driver (WDM);c:\windows\system32\drivers\komibus.sys [2007-11-13 52384]
S3 komimdfl;Nokia 6708 VSC Modem (WDM) (Filter);c:\windows\system32\drivers\komimdfl.sys [2007-11-13 6000]
S3 komimdmc;Nokia 6708 mRouter Port (WDM);c:\windows\system32\drivers\komimdmc.sys [2007-11-13 85184]
S3 komisce;Nokia 6708 VSC Modem (WDM);c:\windows\system32\drivers\komisce.sys [2007-11-13 68112]
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-18 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2007-04-11 03:16]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ax3abblf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.00.19); user_pref(general.useragent.extra.zencast, Creative ZENcast v1.00.19.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 17:04:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SiteAdvisor\6253\SAService.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Speed+\squid\ventcsquid.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcdnsserver.exe
c:\program files\Speed+\squid\ventcunlinkd.exe
c:\windows\system32\rundll32.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\Nokia\PC Suite for the Nokia 6708\Connectivity Pack\ConnMngmntBox.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
c:\program files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\Nokia\PC Suite for the Nokia 6708\Sync ML Desktop Server\SyncController.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-24 17:06:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 11:36:20
ComboFix2.txt 2009-02-18 13:37:33
ComboFix3.txt 2009-02-16 14:00:16
ComboFix4.txt 2008-06-30 06:57:45
ComboFix5.txt 2009-03-24 11:30:43

Pre-Run: 27,311,845,376 bytes free
Post-Run: 27,348,955,136 bytes free

215

Edited by PropagandaPanda, 24 March 2009 - 10:38 AM.

Hello.

Those logs look clean.

Are the detections still occuring?

Let's see if an online scan can find anything.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

• Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
• Open the Kaspersky Scanner page.
• Click on Accept and install any components it needs.
• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• Save the file to your desktop.
• Copy and paste that information in your next post.

You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

---

With Regards,
The Panda

Hi
Here is the Kaspersky log.
Regards,
Yps

Hello.

Are there any issues at the moment?

With Regards,
The Panda

Dear PP,
None at the moment. The problem is that when we visit random blog sites suddenly some virus, trojan pops in. How do I stop that from happening? I have Spyguard installed in my machine.
Best regards,
Yps

Hello.

What blog sites in particular?

Do you have your antiviruses protection turned on?

With Regards,
The Panda

Any blog site nothing in particular. General discussion sites. I use Avira Antiv. Spyguard.
Regards,
Yps

Hello.

Please take some time to look at the following links, giving some advice and suggestions for preventing future infections:

• So How did I get infected?
• Microsoft - 'Security at home'

With Regards,
The Panda

Thanks. I will read it and revert back to you incase I have more queries. Do you recommend any specific browser to surf the net? Thanks for your time and patience.
Best regards,
Yps

Hello.

I personally use plain old Internet Explorer.

However, it is the most unsafe since malware authors writes exploits for the most common browser.

I would consider using FireFox.

With Regards,
The Panda