Trojan.agent infection


  • This topic is locked
31 replies to this topic

#1 dolphin6476

  • Members
  • 47 posts
  • Gender:Male
  • Location:UK

Posted 01 April 2010 - 12:09 PM

Hi.

I picked up a trojan.agent registry key on an MBAM scan, but I'm not sure I've resolved the issue fully.

Malwarebytes requested I reboot to remove, which I did, and the problem may now be gone:

Here is the MBAM logfile from that point:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3934

Windows 5.0.2195 Service Pack 4
Internet Explorer 6.0.2800.1106

01/04/2010 05:19:31
mbam-log-2010-04-01 (05-19-31).txt

Scan type: Quick scan
Objects scanned: 82133
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{8ecc055d-047f-11d1-a537-0000f8753ed1} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





BUT researching trojan.agent I realised that may be a little too simple and it may need more work to track down.

mbam is now running clean

I tried running Trend's RUbotted, which suggested "Detected DNS Query of Malicious Domain" but research shows me this MAY be a false positive.

Looking through system folders I notice there is a file titled "square symbol" (sorry, I can't make the symbol; this may be it: "诐"), with a size of zero, which makes me suspicious, sitting in WINNT, and with a modified time and date of yesterday, when I picked up the infection. Does this need to be removed, and with what? Is it likely to be malicious?

I have tried running SDFix in safe mode (I haven't tried ComboFix, and will wait for advice before I do), and here is a log for SDFix. Within Files with Hidden Attributes there are two DLLs listed which look potentially suspicious to me:

Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\futxtir.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\kkqgmet.dll"

full log below:

SDFix: Version 1.240
Run by Administrator on Thu 01/04/2010 at 17:07

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-01 17:17:21
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :



Files with Hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\futxtir.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\kkqgmet.dll"
Wed 17 Mar 2010 108,544 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0407.tmp"
Tue 12 May 2009 20,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL1930.tmp"
Tue 12 May 2009 20,480 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3070.tmp"
Tue 12 May 2009 20,992 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3631.tmp"
Tue 12 Jan 2010 67,584 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3721.tmp"
Tue 12 May 2009 19,968 A..H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3951.tmp"
Wed 17 Mar 2010 169,984 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL4011.tmp"
Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe"
Thu 1 Apr 2010 10,485,760 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\HCBackup\iCRCReserve.tmp"
Thu 1 Apr 2010 10,485,760 A..H. --- "C:\Documents and Settings\Administrator\Local Settings\Temp\HouseCall\iCRCReserve.tmp"

Finished!




Is there anything else on this log which suggests other issues? Do I need to run more tools?



I have also run AVG in safe mode, which comes up clean now; SUPERAntiSpyware comes up clean, and MBAM no longer gives any alerts on a scan (all are updated with the latest updates), but whether anything could be sneaky enough to interfere with these I am not sure.


I look forward appreciatively to the help of a kind person on here. Thanks in advance!

Sorry, I forgot to include the Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:10:37, on 01/04/2010
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\GMTService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\NMSSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\PROMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImage\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [InstantTray] C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\PCLETray.exe
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /dropdisc
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1222815401531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222822668328
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{806C1B9B-5CCE-44EB-9033-6FFEB3CABF2E}: NameServer = 10.0.0.1
O18 - Protocol: bw+0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: offline-8876480 - {DF141BC2-4143-4786-9574-4621C9F6DA0E} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GMT-Service - Unknown owner - C:\WINNT\system32\GMTService.exe
O23 - Service: Google Update Service (gupdate1c9a17c51e50530) (gupdate1c9a17c51e50530) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINNT\system32\LMabcoms.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 22934 bytes

Having seen the instructions for posters asking for help, I include attachments for DDS and GMER; apologies for not including them before.

Thanks

Merged 3 posts. ~ OB


Edited by Orange Blossom, 01 April 2010 - 07:46 PM.
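The SDFix "Files with Hidden Attributes" listing above is the kind of section a responder triages by hand. The script below is an added example, not code from this thread, from SDFix, or from any BleepingComputer tool: it parses that section from a constructed sample written in the same layout and flags the two observations the post makes, a hidden-only file under a Windows system directory and a 16-byte "DLL" that is too small to hold even a DOS header. The regular expression, the system-directory list, and the 64-byte threshold are the example's own assumptions.

```python
"""Triage the 'Files with Hidden Attributes' section of an SDFix log.

Added example; not part of the thread or of SDFix. The sample below is
constructed to match the layout shown in the thread:
    <Wkd> <D> <Mon> <YYYY> <size> <attrs> --- "<path>"
"""
import re
from dataclasses import dataclass, field

# Constructed sample log excerpt (same layout as the SDFix output in the thread).
SAMPLE_LOG = r"""
Files with Hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\futxtir.dll"
Mon 16 Apr 2007 16 ...H. --- "C:\WINNT\system32\kkqgmet.dll"
Wed 17 Mar 2010 108,544 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0407.tmp"

Finished!
"""

# Assumed line format; the attribute field is five characters from A . S H R
# (Archive, unused, System, Hidden, Read-only) with '.' for an unset bit.
LINE_RE = re.compile(
    r'^(?P<wd>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<mon>[A-Z][a-z]{2}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)

# Assumed: directories where a hidden file without the System bit is unusual.
SYSTEM_DIRS = ("\\winnt\\", "\\windows\\")
PE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".drv")
# IMAGE_DOS_HEADER alone is 64 bytes; a smaller file cannot be a loadable PE image.
MIN_PE_SIZE = 64


@dataclass
class HiddenEntry:
    path: str
    size: int
    attrs: str
    date: str
    reasons: list = field(default_factory=list)


def parse_hidden_section(text: str) -> list:
    """Return one HiddenEntry per parsable line between the section header and 'Finished!'."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Files with Hidden Attributes"):
            in_section = True
            continue
        if in_section and line.startswith("Finished"):
            break
        if not in_section:
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a line in a layout we do not recognise
        entries.append(HiddenEntry(
            path=m["path"],
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            date=f'{m["wd"]} {m["day"]} {m["mon"]} {m["year"]}',
        ))
    return entries


def assess(entry: HiddenEntry) -> HiddenEntry:
    """Attach human-readable reasons why an entry deserves a closer look."""
    low = entry.path.lower()
    in_sysdir = any(d in low for d in SYSTEM_DIRS)
    looks_like_pe = low.endswith(PE_EXTENSIONS)
    if in_sysdir and "H" in entry.attrs and "S" not in entry.attrs:
        entry.reasons.append(
            "hidden-only file in a Windows system directory "
            "(OS files there normally carry the System attribute)")
    if looks_like_pe and entry.size < MIN_PE_SIZE:
        entry.reasons.append(
            f"{entry.size}-byte executable image is too small to hold a DOS header")
    return entry


def triage(text: str) -> list:
    """Parse and assess the section; entries with the most reasons come first."""
    entries = [assess(e) for e in parse_hidden_section(text)]
    return sorted(entries, key=lambda e: len(e.reasons), reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        tag = "REVIEW" if e.reasons else "ok    "
        print(f"{tag} {e.date:>15} {e.size:>10} {e.attrs} {e.path}")
        for r in e.reasons:
            print(f"        - {r}")
```

The script reports flags, not verdicts: a flagged file still needs its hash checked against a reputation service and its on-disk contents examined, while an unflagged one is not thereby proven clean.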


#2 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 05 April 2010 - 11:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 dolphin6476

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:UK

Posted 05 April 2010 - 04:42 PM

Since my first post, I (probably inadvisedly) ran ComboFix, not realising there wouldn't be a report-only mode.

I post the ComboFix log.

It came up with some warnings/deletions, some may be false positives, some not.

I ran it again in safe mode, and again post the second log


Both times combofix was run, the system tray icon for AVG disappeared on reboot, so I did a repair installation of AVG both times

Anyway, that takes me to when I got your reply today.

I have now just run DDS and GMER again, and post the logs in the attachment.

Thanks again, I anxiously look forward to your assistance

Attached Files

  • Attached File  logs.zip   22.28KB   4 downloads


#4 dolphin6476


Posted 05 April 2010 - 05:01 PM

Also, I just tried to scan the mstask.exe file by uploading to virus total:

the files uploaded was:
C:\WINNT\system32\MSTask.exe

(is this the right file? the ark.txt file has a ? after the file name, does this denote something like streaming)

Here is the result:

MD5: b00529eae5d0ce97010b69cc677128c8
First received: 2009.02.26 02:44:29 UTC
Date: 2010.04.05 21:54:51 UTC [<1D]
Results: 0/39
Permalink:

http://www.virustotal.com/analisis/79f8a8f...7800-1270504491

I went into folder options on windows explorer, and this may be confusion on my part between win2k and xp, but the options to show hidden files were between:

NOHIDDEN
SHOWALL


and a few boxes below was a tick box filled for "Superhidden"

I don't remember this being the format for showing hidden files, but that may be my imagination that these descriptions are non-standard?

#5 sundavis

  • Malware Response Team

Posted 07 April 2010 - 03:38 AM

Hi dolphin6476,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum.
My name is sundavis, I will be helping you to deal with your Malware problems today.



Step1.

How to show hidden files in Windows

Please go to Virus Total for scanning one suspicious file.
Copy/paste the below file paths into the blank box next to the Browse button one at a time.

CODE
C:\WINNT\system32\futxtir.dll
C:\WINNT\system32\kkqgmet.dll


Click the Send File button and copy the "Scanner results". If the file has been analysed before, click the Reanalyse file now button. Then paste the contents into your next reply.

Step2

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the Run Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


In your next reply, please post back:


1.Virus Total Scanner results
2.OTListIt.txt and Extra.txt Thanks.

#6 dolphin6476


Posted 07 April 2010 - 09:56 AM

Thanks very much for your help

files attached in zip file

plus a couple of others which may be relevant, screen shots of rootkit revealer and gmer

I have anonymised a few files names in logs and the system name with asterisks to protect personal info

I look forward to hearing from you.

Attached Files



#7 dolphin6476


Posted 07 April 2010 - 10:40 AM

Sundavis, I can't tell you how much of a relief it is to have someone helping me on this :-)

A quick additional comment:

I note the OTL file reports a few files with alternate data streams

Most of these (but NOT all) have the text Joudres within the name.

Googling this brought up the following link

http://www.velocityreviews.com/forums/t496...te-streams.html

"The Joudres virus exploits this and hides in the alternate stream/
fork. It attaches itself to every image file on your machine. You
can then unwittingly pass it on embedded in image files. "


I look forward to your advice.


#8 sundavis

  • Malware Response Team

Posted 07 April 2010 - 11:00 AM

Hi dolphin6476,



QUOTE
I note the OTL file reports a few files with alternate data streams...

Not all ADS files are bad. For more info: Go to This Thread or This Thread .
I also notice your system has run ComboFix. CF will take out any malicious ADS effectively. Let's scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:

Step1

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 19 (JDK or JRE)".
  3. Click the "Download JRE" button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Click on the link to download Windows Offline Installation and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) the following Java Runtime Environment (JRE or J2SE) in the name, and the following update:

    Java™ 6 Update 17
    Java™ 6 Update 4


  12. Click the Remove or Change/Remove button.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.
  16. After that, please clear your java cache as instructed in this thread .


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  4. It will download and install the program and update the database.
  5. When updating the database has finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


I will give you another one, just in case.

Please run the ESET Online Scanner
Note: You will need to use Internet explorer for this scan.
  1. Turn off the real time scanner of any existing antivirus program while performing the online scan
  2. Tick the box next to YES, I accept the Terms of Use.
  3. Click Start
  4. When asked, allow the activeX control to install
  5. Click Start
  6. Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  7. Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  8. Click Scan
  9. Wait for the scan to finish
  10. Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt .
  11. Copy and paste that log as a reply to this topic and also let me know how things are now.



Please post back the log in your next reply.


1.KAS Scan Report

Tell me if you have any remaining issues on your pc.
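
The alternate data stream question raised earlier in this exchange (many image files carrying the same stream name) is the kind of thing a defender wants to audit rather than guess at. The following is an added example, not code from this thread or from any of the tools it names; it assumes a current Windows build with PowerShell 3.0 or later (the `-Stream` parameter does not exist on the Windows 2000 machine discussed here, which is why OTL was used there), and the folder and extension list are placeholders.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a folder and report those that are not the file's normal ':$DATA'
# stream or the well-known Zone.Identifier mark-of-the-web.
# Assumption: Windows with PowerShell 3.0+ (Get-Item -Stream); not Win2k.
param(
    [string]$Root = "$env:USERPROFILE\Pictures",   # assumption: folder to audit
    [string[]]$Extensions = @('.jpg', '.jpeg', '.png', '.gif', '.bmp')
)

# Stream names that ordinary files carry and that should not be reported.
$Expected = @(':$DATA', 'Zone.Identifier')

function Get-UnexpectedStreams {
    param([string]$Path, [string[]]$Ext)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $Ext -contains $_.Extension.ToLower() } |
      ForEach-Object {
          # Get-Item -Stream * yields one AlternateStreamData object per
          # stream on the file, with FileName, Stream and Length properties.
          Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
      } |
      Where-Object { $Expected -notcontains $_.Stream } |
      Select-Object FileName, Stream, Length
}

$found = @(Get-UnexpectedStreams -Path $Root -Ext $Extensions)

if ($found.Count -eq 0) {
    Write-Host "No unexpected alternate data streams under $Root"
} else {
    # Per-file listing first ...
    $found | Format-Table -AutoSize

    # ... then a count per stream name. One name attached to many image
    # files (as the poster saw with 'Joudres') is what warrants a closer
    # look; a single odd stream on one file is often a benign leftover.
    $found | Group-Object Stream | Sort-Object Count -Descending |
      Select-Object Name, Count | Format-Table -AutoSize

    # Read-only peek at the first 64 bytes of the first hit, for triage
    # (on PowerShell 7 replace '-Encoding Byte' with '-AsByteStream').
    Get-Content -LiteralPath $found[0].FileName -Stream $found[0].Stream `
        -Encoding Byte -TotalCount 64 |
      ForEach-Object { '{0:x2}' -f $_ } | Join-String -Separator ' '
}
```

The script only lists and reads streams; removal is left to the cleanup tools the helper prescribes, since a stream name alone does not prove the content is malicious.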


#9 dolphin6476


Posted 07 April 2010 - 11:50 AM

Thanks, have installed Java updates

Just running scanner

FYI for Kaspersky "The application digital signature has been verified. Do you want to run the application" doesn't come up, it says the digital signature has expired, but running anyway....

will post back results of scans as soon as they are complete

Thanks again for your help :-)

#10 dolphin6476


Posted 07 April 2010 - 01:05 PM

Trying to run Kaspersky online scanner:

ran it twice, and fairly early on it triggered a reboot (first time it was just scanning critical areas)

ran it a third time on my computer, and just as it got to floppy 0 in terms of what it was scanning, it gave a blue screen of death (didn't note the error message)

haven't tried running ESET yet

#11 dolphin6476


Posted 07 April 2010 - 03:13 PM

ESET is running very slowly.....

Is this why Kaspersky was causing reboots and BSOD? I googled kaspersky online scan crashes......

http://forum.kaspersky.com/lofiversion/ind...hp/t121694.html
My online scan runs for few minutes then freezes or crashes my PC

"After that, you need to install the current build of Kaspersky Version 7 with Windows 2000, because Kaspersky 2009 and 2010 do not support Win 2000. Link is in the indicated important topic near top of this forum section. "


????

Any other suggestions other than kaspersky and ESET? I reckon ESET could take another 20hrs to run at this rate.....

Thanks, looking forward to your assistance :-)

#12 dolphin6476


Posted 07 April 2010 - 03:33 PM

ESET scan timer was still running, but halted it, as seemed to be stuck scanning one pdf for a VERY long time.

Nothing found by ESET in first 10000 odd files scanned, but considering it was 1:40 mins, and had been around 30 min on one file, and 200,000 on the system I guess, ESET online scan was so slow as to be virtually functionless.

What are your suggestions from here please?

Thanks :-)

#13 sundavis

  • Malware Response Team

Posted 07 April 2010 - 04:30 PM

Hi dolphin6476,



Take the following instead.

Step1

Please run the F-Secure Online Scanner
  1. Follow the on screen prompts to download activeX. Once that has completed, you'll be presented with types of scans.
  2. Tick 'My Scan' and click 'Show Options'
  3. Under Select File Types, tick All File Types
  4. Under Select Folders for Scanning, tick 'Scan a Folder' and click Select
  5. Select the C:\ drive, otherwise it will scan all drives.
  6. Click OK
  7. Click Start
  8. After it has completed, save the log and copy/paste the results in your next reply.

I will give you another one, just in case.

Please run a BitDefender Online Scan
  1. Click I Agree to agree to the EULA.
  2. Allow the ActiveX control to install when prompted.
  3. Click Click here to scan to begin the scan.
  4. Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  5. When the scan is finished, click on Click here to export the scan results.
  6. Save the report to your desktop so you can post it in your next reply.


#14 dolphin6476


Posted 08 April 2010 - 07:54 AM

Hi,

Here are the two results for the f-secure online scanner and bitdefender online scanner

Have pasted a VirusTotal result for the file flagged as infected

Haven't yet removed it, will await your advice on next steps

Thanks again for your help :-)


-----------


File mp4toavi.exe received on 2010.04.08 12:49:40 (UTC)
Result: 1/39 (2.57%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.04.08 -
AhnLab-V3 5.0.0.2 2010.04.07 -
AntiVir 7.10.6.48 2010.04.08 -
Antiy-AVL 2.0.3.7 2010.04.08 -
Authentium 5.2.0.5 2010.04.08 -
Avast 4.8.1351.0 2010.04.08 -
Avast5 5.0.332.0 2010.04.08 -
AVG 9.0.0.787 2010.04.08 -
BitDefender 7.2 2010.04.08 -
CAT-QuickHeal 10.00 2010.04.08 -
ClamAV 0.96.0.3-git 2010.04.08 -
Comodo 4538 2010.04.08 -
DrWeb 5.0.2.03300 2010.04.08 -
eSafe 7.0.17.0 2010.04.07 -
eTrust-Vet 35.2.7414 2010.04.08 -
F-Prot 4.5.1.85 2010.04.07 -
F-Secure 9.0.15370.0 2010.04.08 Suspicious:W32/Malware!Gemini
Fortinet 4.0.14.0 2010.04.08 -
GData 19 2010.04.08 -
Ikarus T3.1.1.80.0 2010.04.08 -
Jiangmin 13.0.900 2010.04.08 -
Kaspersky 7.0.0.125 2010.04.08 -
McAfee-GW-Edition 6.8.5 2010.04.08 -
Microsoft 1.5605 2010.04.08 -
NOD32 5009 2010.04.08 -
Norman 6.04.11 2010.04.08 -
nProtect 2009.1.8.0 2010.04.06 -
Panda 10.0.2.2 2010.04.07 -
PCTools 7.0.3.5 2010.04.08 -
Prevx 3.0 2010.04.08 -
Rising 22.42.03.03 2010.04.08 -
Sophos 4.52.0 2010.04.08 -
Sunbelt 6151 2010.04.08 -
Symantec 20091.2.0.41 2010.04.08 -
TheHacker 6.5.2.0.257 2010.04.08 -
TrendMicro 9.120.0.1004 2010.04.08 -
VBA32 3.12.12.4 2010.04.05 -
ViRobot 2010.4.8.2267 2010.04.08 -
VirusBuster 5.0.27.0 2010.04.07 -
Additional information
File size: 387584 bytes
MD5...: 25af1d351877ea59097690017147c58e
SHA1..: 481ab8da34fb223688a8e2911f1f833ac74792e4
SHA256: fcbe9c1e64d0c453d061845a69aab622ad6e5ccb8cf7c0d7dd068bf8eb955e81
ssdeep: 6144:v743fcII0sN5oeC0eLzZHN0bqimLlwWbnsDd0AQ56yK2m:v7qfvI0sN5oeCHHN0miolwWDmdi56yB
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xee890
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0xa4000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0xa5000 0x4a000 0x49c00 7.92 5bcccfe687ed5ac5b0cf8e72873314bc
.rsrc 0xef000 0x15000 0x14a00 5.03 5e75d567a4b855e545a3cd3fa6c1f3cd

( 11 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegFlushKey
> comctl32.dll: ImageList_Add
> comdlg32.dll: GetSaveFileNameA
> gdi32.dll: SaveDC
> msimg32.dll: GradientFill
> ole32.dll: CoInitialize
> oleaut32.dll: VariantCopy
> shell32.dll: ShellExecuteA
> user32.dll: GetDC
> version.dll: VerQueryValueA

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: UPX compressed Win32 Executable (42.6%)
Win32 EXE Yoda's Crypter (37.0%)
Win32 Executable Generic (11.8%)
Win16/32 Executable Delphi generic (2.8%)
Generic Win/DOS Executable (2.7%)
packers (Kaspersky): PE_Patch.UPX, UPX
sigcheck:
publisher....: Jacek Pazera
copyright....: Jacek Pazera
product......: Pazera Free MP4 to AVI Converter
description..: Pazera Free MP4 to AVI Converter
original name: mp4toavi.exe
internal name: Pazera Free MP4 to AVI Converter
file version.: 1.3.0.0
comments.....: http://www.pazera-software.com
signers......: -
signing date.: -
verified.....: Unsigned
packers (F-Prot): UPX

Attached Files



#15 sundavis

  • Malware Response Team

Posted 08 April 2010 - 08:07 AM

Hi dolphin6476,



Please navigate to the following file path and delete the bolded file manually.

C:\Documents and Settings\Administrator\My Documents\downloads\pazera mp4 to avi\mp4toavi.exe

Other than that, your system appears to be clean now. If you have no remaining issues on your pc, let's do some tidy up and we can send you on your way.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the x and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Step2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!




