
I think there's a trojan downloader & exe files can't run


This topic is locked
5 replies to this topic

#1 mtry

mtry

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 28 April 2010 - 05:33 AM

I started posting here http://www.bleepingcomputer.com/forums/t/303824/professionally-cleaned-but-still-generic16vundopakespatchedch/ and I was advised to come on this board instead.
An important job came up where I could only use this computer (it has Lightroom on it). Every time I thought I'd finished they'd ask me to do something else. Finally I have a window in which I can try and sort this now. Last time I tried to remove malware it ended up not being able to even boot up so I was scared of trying to fix it (yes everything is backed up but my knackered old laptop can't run Lightroom).
So I sent it to the PC shop, they gave it back still infected! They told me I must have caught something from my router (my week old router). I turned it on fresh from being cleaned to be greeted with Google redirection. AVG Resident Shield seems to say there was something lurking in System Restore (Vundo and Generic16). I think it's downloading things without me doing anything. My broadband usage is double what it normally is. Firefox has a mind of its own, opening up dodgy sites willy nilly.

Now it's so bad I cannot open exe files. I get "application not found". I can get Malwarebytes to run off a disc (it's a Hiren's disc, has all sorts on it; the computer shop left it in the drive. I did try making a new MBAM disc, an updated copy, but it won't run) but only an out of date one, and it's found nothing; it won't let me update it and work. DDS worked but GMER won't run, even off a disc.
Oh, if it helps, when I try to run GMER it says "CreateFile "C:\pxtdqpow.sys": access is denied"

tia

Attached File  Attach.txt   8.26KB   7 downloads



Edit to add: somehow got GMER open and working (it asked what program it should open with and I chose itself). So I'm scanning now, will be back when done.

OK.. GMER won't scan beyond c:\windows\system32\drivers\atapi.sys. I've tried many times and in safe mode too. It just hangs and the computer totally freezes. The only way of turning it off is pulling the plug!

The hardest thing is I can't export photos from Lightroom... I get:
Win32 API error -2147221003 ("Application not found") when calling ShellExecuteExW from AgWorkspace.shellExecute


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:51:36.01 on 28/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3583.2896 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.USER-173C2FDF26\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-8 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-8 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-8 242896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-17 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-17 308064]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2010-2-22 44800]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-04-28 07:22:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-28 07:22:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 07:44:01 0 d-----w- c:\docume~1\alluse~1\applic~1\YoYoGames
2010-04-24 07:04:05 87552 ----a-w- c:\windows\system32\trltmpct.dll
2010-04-16 06:02:14 204 ----a-w- c:\windows\system32\MRT.INI
2010-04-04 23:37:09 113 ----a-w- c:\documents and settings\owner.user-173c2fdf26\default.pls

==================== Find3M ====================

2010-04-26 22:09:46 45032 ----a-w- c:\windows\fonts\Old-Typewriter-Skimpy.ttf
2010-04-26 22:09:20 50000 ----a-w- c:\windows\fonts\StacysHand-Regular.ttf
2010-04-26 22:08:30 69716 ----a-w- c:\windows\fonts\TopSecret-Regular.ttf
2010-04-26 22:05:26 50832 ----a-w- c:\windows\fonts\SashasHand-Regular.ttf
2010-04-26 22:04:40 97932 ----a-w- c:\windows\fonts\Franz-Narrow-Bold.ttf
2010-04-26 22:04:40 54268 ----a-w- c:\windows\fonts\Franz-Narrow-Regular.ttf
2010-04-26 22:04:24 66052 ----a-w- c:\windows\fonts\News-Gothic-MT-Regular.ttf
2010-04-26 22:04:24 61280 ----a-w- c:\windows\fonts\News-Gothic-MT-Italic.ttf
2010-04-26 22:04:18 66512 ----a-w- c:\windows\fonts\News-Gothic-MT-Bold.ttf
2010-04-26 22:02:21 125564 ----a-w- c:\windows\fonts\TypewriterRough-Regular.ttf
2010-04-26 22:01:23 121556 ----a-w- c:\windows\fonts\TypewriterRough-Italic.ttf
2010-04-23 22:07:24 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-21 09:08:18 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-12 16:49:45 83384 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-17 09:27:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-17 09:26:41 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-15 12:19:50 26740 ----a-w- c:\windows\fonts\VH2TRIAL.otf
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 22:20:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 00:54:56 62836 ----a-w- c:\windows\fonts\OldSansBlackUnderline.ttf
2010-02-28 00:54:56 41652 ----a-w- c:\windows\fonts\OldSansBlack.ttf
2010-02-25 19:38:46 42440 ----a-w- c:\windows\fonts\heliol.TTF
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 10:53:59.82 ===============

Edited by mtry, 28 April 2010 - 01:03 PM.
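A small log-triage parser, added here as an illustration and not code from this thread or from the DDS tool: it splits a DDS log on its `=== section ===` headers and flags the items in the report above that a malware responder would look at first, the `.exe=secfile` association (the default ProgID for `.exe` is `exefile`; a changed one is consistent with the "application not found" symptom), the `Hosts:` override, and the orphaned toolbar entry. The sample input is constructed from the posted log, and the expected-ProgID table is an assumption based on default Windows XP associations.

```python
import re

# Constructed sample: the relevant lines taken from the DDS log posted above
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

============== File Associations ===============

.exe=secfile
"""

# Assumed defaults: the HKCR ProgIDs Windows XP uses for executable types
EXPECTED_ASSOC = {".exe": "exefile", ".com": "comfile", ".bat": "batfile",
                  ".scr": "scrfile", ".reg": "regfile"}


def parse_sections(text):
    """Split a DDS log into {section_name: [non-empty lines]} on its header rows."""
    sections, current = {}, "header"
    for line in text.splitlines():
        m = re.match(r"^=+\s*(.+?)\s*=+$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def find_findings(text):
    """Return (severity, message) pairs for the red flags this parser knows about."""
    findings = []
    secs = parse_sections(text)
    # A non-default ProgID on an executable extension means every launch is
    # redirected through whatever 'secfile' (or similar) points at.
    for line in secs.get("File Associations", []):
        ext, _, progid = line.partition("=")
        expected = EXPECTED_ASSOC.get(ext.lower())
        if expected and progid.lower() != expected:
            findings.append(("high", f"{ext} association hijacked: '{progid}' instead of '{expected}'"))
    for line in secs.get("Pseudo HJT Report", []):
        if line.startswith("Hosts:"):
            findings.append(("medium", f"hosts-file override present: {line[6:].strip()}"))
        if line.endswith("- No File"):
            findings.append(("low", f"orphaned entry (file missing): {line}"))
    return findings
```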



#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:29 AM

Posted 03 May 2010 - 12:56 AM

Hi,

uTorrent


The ones listed above are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and others if present) P2P file sharing programs.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 mtry

mtry
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 04 May 2010 - 07:39 AM

Thank you! Once we had our first attack we stopped using uTorrent anyway!
Unfortunately ComboFix won't run... to run an exe on this computer now it asks me what I wish to open it with. I then have to say with that same program I've tried to run... this method doesn't work on ComboFix though!
I tried it off a disc but it just says lots of files are missing/spelt wrong, and comes up with a pop up about a rootkit and an abort button.

Edited by mtry, 04 May 2010 - 07:40 AM.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:29 AM

Posted 04 May 2010 - 11:29 AM

Hi,

If you still haven't got ComboFix running then do this and try to run ComboFix again:
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says Error deleting file, please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:29 AM

Posted 14 May 2010 - 05:07 AM

Do you still need help?



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:29 AM

Posted 21 May 2010 - 04:18 PM

Due to inactivity, this thread will now be closed. Should you have the same or a new issue, please start a New Topic.
