Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan is downloaded every time Internet Explorer is used


  • This topic is locked This topic is locked
22 replies to this topic

#1 Rick115

Rick115

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 14 June 2010 - 05:29 PM

Hello. Approximately a week and a half ago, I started to notice that when I was using IE, my computer would bog down to 100% CUP usage. Approximately 50% would be allocated to IE (50% divided by the number of pages open, so if two IE browsers open at once, 25% usage to each), and the other 50% is used by explorer.exe. I also noticed this problem once when I was having a conversation over MSN. MSN used 50% of the CPU, explorer the other 50%. Though I have not noticed the MSN problem since.

Though every time I open IE, it is very slow. It is painful to go to any page. I have also noticed that if I have IE open for a minute or so and longer, I will get a pop up from AVG saying that a trojan has been detected upon opening. I have had 3 different ones over the past 10 days. Generic18.CJW.dropper, Backdoor.Generic12.BSBY.dropper (both of which were detected in the Content.IE5 folder under the file of dl[1].jpg), and today I got a new one, Downloader.Generic9.CCLC which was located in WINDOWS\msvideo.dll. It seems that If I quarantine and delete them upon detection, they are gone. Though if I open IE again, it will download something new. I have no other symptoms that I have noticed. I am currently using Google Chrome as my browser and am having no issues ie. trojans being downloaded as in IE.

I have tried to create a GMER and DDS file to attach to this post, but was unsuccesful. Every time I run DDS it says that it cannot be run in a DOS environment. Every time I try to run GMER, it eventually freezes and I have to restart my computer.

I have run AVG, Ad-Aware, and Malwarebytes Anti-Malware, and neither of them can pick anything up. Though I know something is still there as everytime I use IE, a new trojan is downloaded.

Any help would be GREATLY appreciated.

Thanks for your time,
Rick

BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 19 June 2010 - 01:46 AM

Hello and welcome to Bleeping Computer. smile.gif

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


==================================


1. Please try using a different version of DDS, download it from the links below:

DDS.com => http://download.bleepingcomputer.com/sUBs/dds.com
DDS.pif => http://www.forospyware.com/sUBs/dds



2. Please try to run GMER in safe mode. How to boot in safe mode => http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Unchecked the following checkboxes:
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
  • Post the contents of that report when you reply.



~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 22 June 2010 - 11:05 AM

Thank you for your reply sempai.

I was able to download DDS from one of the sites you recommended, and run it. Attached is the output file named DDS.

I was also able to run gmer in safe mode. I did not realize the scan would take approximately 5 hours to complete. Attached is the output file from it as well, named ark. There is not much in that file. I hope I did everything correctly.

I have also had no other issues since my last post. I have been using chrome the entire time, and did not open IE once. I have not noticed any trojans being downloaded, or my computer running slower than usual. So I am still assuming IE is the culprit.

Attached Files

  • Attached File  DDS.txt   13.06KB   3 downloads
  • Attached File  ark.log   730bytes   2 downloads


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 23 June 2010 - 05:23 AM

Hi Rick115,


Download Combofix (by Subs) from any of the links below, make sure that you save it to your desktop.
Link 1
Link 2

  • It's important to temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:
  1. Leave your computer alone while ComboFix is running.
  2. ComboFix will restart your computer if malware is found; allow it to do so.
  3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  4. Please do not mouseclick combofix's window while its running because it may call it to stall.
  5. ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 24 June 2010 - 08:09 PM

Hey sempai,

I did as you said, and you can find the log attached to the post.

Thanks again for everything!!

Attached Files


Edited by Rick115, 24 June 2010 - 08:10 PM.


#6 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 25 June 2010 - 06:36 AM

Hi Rick115,

Please do not attach logs unless instructed, thanks. smile.gif


==============================


1. Please go to http://virscan.org/
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\program files\Uninstall_CDS.exe
    c:\windows\system32\drivers\npf.sys
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
File::
c:\docume~1\rick\locals~1\temp\gel90xne.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-

RegLock::
[HKEY_USERS\S-1-5-21-1640585479-3863577675-661235464-1006\Software\Microsoft\SystemCertificates\AddressBook*]

Driver::
gel90xne


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 30 June 2010 - 04:05 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 01 July 2010 - 06:04 AM

Topic reopened by user request.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#9 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 01 July 2010 - 01:37 PM

Thank you very much sempai for re-opening this topic!

You should find the content you requested below. Once again, I will not be back until Monday. Thanks for all your help so far!

Viruscan.org Reports:

VirSCAN.org Scanned Report :
Scanned time : 2010/06/28 04:31:54 (CST)
Scanner results: Scanners did not find malware!
File Name : Uninstall_CDS.exe
File Size : 40960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : ab485c92592a3ee01572910e3cb26243
SHA1 : e745ce993bc829e045ff84fb61a2cf34221ccc9b
Online report : http://virscan.org/report/58a299da53f439e2...fd1c0173e3.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100626080606 2010-06-26 6.51 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.18 -
AntiVir 8.2.4.2 7.10.8.190 2010-06-25 0.26 -
Antiy 2.0.18 20100628.4796407 2010-06-28 0.02 -
Arcavir 2009 201006270216 2010-06-27 0.04 -
Authentium 5.1.1 201006271203 2010-06-27 1.36 -
AVAST! 4.7.4 100627-1 2010-06-27 0.01 -
AVG 8.5.793 271.1.1/2966 2010-06-27 0.25 -
BitDefender 7.90123.6327162 7.32445 2010-06-28 3.78 -
ClamAV 0.96.1 11263 2010-06-27 0.02 -
Comodo 3.13.579 5237 2010-06-27 0.91 -
CP Secure 1.3.0.5 2010.06.26 2010-06-26 0.00 -
Dr.Web 5.0.2.3300 2010.06.28 2010-06-28 8.28 -
F-Prot 4.4.4.56 20100627 2010-06-27 1.36 -
F-Secure 7.02.73807 2010.06.27.01 2010-06-27 10.71 -
Fortinet 4.1.133 12.88 2010-06-27 0.19 -
GData 21.420/21.155 20100627 2010-06-27 7.33 -
ViRobot 20100626 2010.06.26 2010-06-26 0.38 -
Ikarus T3.1.01.84 2010.06.27.76149 2010-06-27 6.99 -
JiangMin 13.0.900 2010.06.27 2010-06-27 1.24 -
Kaspersky 5.5.10 2010.06.27 2010-06-27 0.14 -
KingSoft 2009.2.5.15 2010.6.27.18 2010-06-27 0.62 -
McAfee 5400.1158 6026 2010-06-27 16.46 -
Microsoft 1.5902 2010.06.27 2010-06-27 6.73 -
Norman 6.05.10 6.05.00 2010-06-27 6.01 -
Panda 9.05.01 2010.06.27 2010-06-27 1.81 -
Trend Micro 9.120-1004 7.270.04 2010-06-27 0.04 -
Quick Heal 10.00 2010.06.26 2010-06-26 1.53 -
Rising 20.0 22.53.04.05 2010-06-25 1.26 -
Sophos 3.07.1 4.54 2010-06-28 7.48 -
Sunbelt 3.9.2426.2 6508 2010-06-25 7.60 -
Symantec 1.3.0.24 20100615.005 2010-06-15 0.05 -
nProtect 20100627.02 8805752 2010-06-27 7.79 -
The Hacker 6.5.2.0 v00304 2010-06-25 0.35 -
VBA32 3.12.12.5 20100625.0804 2010-06-25 2.88 -
VirusBuster 4.5.11.10 10.126.105/20405772010-06-27 2.38 -




VirSCAN.org Scanned Report :
Scanned time : 2010/06/28 04:37:14 (CST)
Scanner results: Scanners did not find malware!
File Name : npf.sys
File Size : 50704 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : c5f0202a00227aecb69e722c52385ffc
SHA1 : c29688c86736a7300586086153feb85399d804a6
Online report : http://virscan.org/report/3bb0220e723ab544...1d1252a6ec.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.11 20100626080606 2010-06-26 4.98 -
AhnLab V3 2010.06.18.01 2010.06.18 2010-06-18 1.26 -
AntiVir 8.2.4.2 7.10.8.190 2010-06-25 0.26 -
Antiy 2.0.18 20100628.4796407 2010-06-28 0.02 -
Arcavir 2009 201006270216 2010-06-27 0.03 -
Authentium 5.1.1 201006271203 2010-06-27 1.36 -
AVAST! 4.7.4 100627-1 2010-06-27 0.01 -
AVG 8.5.793 271.1.1/2966 2010-06-27 0.25 -
BitDefender 7.90123.6327162 7.32445 2010-06-28 3.80 -
ClamAV 0.96.1 11263 2010-06-27 0.02 -
Comodo 3.13.579 5237 2010-06-27 0.85 -
CP Secure 1.3.0.5 2010.06.26 2010-06-26 0.00 -
Dr.Web 5.0.2.3300 2010.06.28 2010-06-28 8.34 -
F-Prot 4.4.4.56 20100627 2010-06-27 1.35 -
F-Secure 7.02.73807 2010.06.27.01 2010-06-27 9.93 -
Fortinet 4.1.133 12.88 2010-06-27 0.17 -
GData 21.420/21.155 20100627 2010-06-27 7.15 -
ViRobot 20100626 2010.06.26 2010-06-26 0.37 -
Ikarus T3.1.01.84 2010.06.27.76149 2010-06-27 6.90 -
JiangMin 13.0.900 2010.06.27 2010-06-27 1.25 -
Kaspersky 5.5.10 2010.06.27 2010-06-27 0.09 -
KingSoft 2009.2.5.15 2010.6.27.18 2010-06-27 0.66 -
McAfee 5400.1158 6026 2010-06-27 16.38 -
Microsoft 1.5902 2010.06.27 2010-06-27 7.01 -
Norman 6.05.10 6.05.00 2010-06-27 6.01 -
Panda 9.05.01 2010.06.27 2010-06-27 1.62 -
Trend Micro 9.120-1004 7.270.04 2010-06-27 0.03 -
Quick Heal 10.00 2010.06.26 2010-06-26 1.56 -
Rising 20.0 22.53.04.05 2010-06-25 1.21 -
Sophos 3.07.1 4.54 2010-06-28 3.60 -
Sunbelt 3.9.2426.2 6508 2010-06-25 8.55 -
Symantec 1.3.0.24 20100615.005 2010-06-15 0.32 -
nProtect 20100627.02 8805752 2010-06-27 7.88 -
The Hacker 6.5.2.0 v00304 2010-06-25 0.32 -
VBA32 3.12.12.5 20100625.0804 2010-06-25 2.75 -
VirusBuster 4.5.11.10 10.126.105/20405772010-06-27 2.38 -




ComboFix Log:




ComboFix 10-07-01.02 - Rick 07/01/2010 13:45:07.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2943.2331 [GMT -4:00]
Running from: c:\documents and settings\Rick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rick\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\docume~1\rick\locals~1\temp\gel90xne.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GEL90XNE
-------\Service_gel90xne


((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-06-28 05:25 . 2010-06-28 05:25 337424 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-25 23:10 . 2010-06-25 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-06-25 23:10 . 2010-06-25 23:20 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-06-25 23:10 . 2010-06-27 23:35 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-06-25 23:10 . 2010-06-27 23:35 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-06-25 23:10 . 2010-06-25 23:11 -------- d-----w- c:\program files\NVIDIA Corporation
2010-06-25 23:09 . 2010-06-07 23:57 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-06-25 23:09 . 2010-06-07 23:57 2632296 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-06-25 23:09 . 2010-06-07 23:57 2186342 ----a-w- c:\windows\system32\nvdata.bin
2010-06-25 23:09 . 2010-06-07 23:57 2165352 ----a-w- c:\windows\system32\nvcuvid.dll
2010-06-25 23:09 . 2010-06-07 23:57 10256384 ----a-w- c:\windows\system32\nvcompiler.dll
2010-06-21 17:44 . 2010-06-21 17:44 -------- d-----w- c:\program files\Bonjour
2010-06-14 20:59 . 2010-06-14 20:59 -------- d-----w- c:\program files\TrendMicro
2010-06-09 02:06 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 21:34 . 2010-06-07 21:34 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-06-07 21:34 . 2010-06-07 21:34 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-06-07 21:34 . 2010-06-07 21:34 13902440 ----a-w- c:\windows\system32\nvcpl.dll
2010-06-07 21:34 . 2010-06-07 21:34 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-06-07 21:34 . 2010-06-07 21:34 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2010-06-07 21:34 . 2010-06-07 21:34 145000 ----a-w- c:\windows\system32\nvcolor.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-21 17:49 . 2008-11-24 22:18 -------- d-----w- c:\program files\iTunes
2010-06-21 17:48 . 2006-07-01 01:32 -------- d-----w- c:\program files\iPod
2010-06-21 17:48 . 2007-07-07 01:03 -------- d-----w- c:\program files\Common Files\Apple
2010-06-09 03:29 . 2007-06-16 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-07 23:57 . 2008-10-07 18:33 4554752 ----a-w- c:\windows\system32\nvcuda.dll
2010-06-07 23:57 . 2008-01-05 16:02 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-06-07 23:57 . 2008-01-05 16:01 15192064 ----a-w- c:\windows\system32\nvoglnt.dll
2010-06-07 23:57 . 2008-01-05 16:00 232040 ----a-w- c:\windows\system32\nvcodins.dll
2010-06-07 23:57 . 2008-01-05 16:00 232040 ----a-w- c:\windows\system32\nvcod.dll
2010-06-07 23:57 . 2008-01-05 16:00 1359872 ----a-w- c:\windows\system32\nvapi.dll
2010-06-07 23:57 . 2004-10-28 17:10 10531200 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-06-07 23:57 . 2004-10-28 17:10 6300544 ----a-w- c:\windows\system32\nv4_disp.dll
2010-06-06 16:38 . 2009-02-07 01:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-05 21:03 . 2009-02-25 20:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-02 18:03 . 2009-03-20 18:15 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 18:03 . 2008-05-04 15:48 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-28 16:58 . 2008-12-26 23:56 600680 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-05-24 18:55 . 2009-11-08 19:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-24 18:55 . 2009-03-15 23:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-24 18:54 . 2008-04-10 20:05 -------- d-----w- c:\program files\Lavasoft
2010-05-24 18:54 . 2010-05-24 18:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-18 22:49 . 2008-04-08 22:42 -------- d-----w- c:\documents and settings\Rick\Application Data\Download Manager
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-10-28 18:47 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-10-28 18:47 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2009-02-07 01:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-02-07 01:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:30 . 2004-10-28 18:46 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 00:47 . 2008-09-10 21:12 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2007-11-12 16:22 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 00:00 . 2007-12-25 19:07 138328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-04-16 00:00 . 2007-12-25 19:07 214816 ----a-w- c:\windows\system32\PnkBstrB.exe
2004-03-11 17:27 . 2005-09-19 21:29 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2007-11-06 21:22 . 2006-07-31 01:31 88 --sh--r- c:\windows\system32\138CF50FC0.sys
2007-11-06 21:22 . 2006-07-31 01:31 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMSnap1"="c:\windows\VMSnap1.exe" [2006-07-17 49152]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"domino"="c:\windows\domino.exe" [2006-07-04 49152]
"BigDogPath"="c:\windows\VM_STI.EXE" [2008-05-29 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 2808832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-02-27 570664]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2008-02-18 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2008-02-18 1057064]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-18 864112]
"ipTray.exe"="c:\program files\Intel\IDU\iptray.exe" [2005-12-02 1687552]
"awTray.exe"="c:\program files\Intel\IDU\awtray.exe" [2005-12-01 1305600]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-07 13902440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-07 110696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-06-03 1753192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-17 22:44 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Nightfire\\Bond.exe"=
"c:\\Program Files\\Airlink101\\ANAS350\\Configure.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Activision\\Quantum of Solace™\\JB_LiveEngine_s.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\ASUS\\Printer Utilities\\UsbService.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Real\\realplayer\\realplay.exe"=
"c:\\Program Files\\ETC\\SmartSoft\\Binaries\\SmartSoft.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server
"9999:UDP"= 9999:UDP:IDU Service UDP Port
"2804:TCP"= 2804:TCP:IDU Service TCP Port

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/25/2009 4:35 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/4/2008 11:48 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/20/2009 2:15 PM 242896]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/17/2010 6:44 PM 308064]
R2 EBIOS32;EBIOS32 - NT Driver;c:\windows\system32\drivers\EBIOS32.SYS [12/22/2008 1:08 PM 13922]
R2 UsbService;Eltima Usb to Ethernet Connector;c:\program files\ASUS\Printer Utilities\UsbService.exe [12/16/2009 11:16 PM 217088]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/11/2004 3:34 PM 32640]
R3 vuhub;Virtual Usb Hub;c:\windows\system32\drivers\vuhub.sys [12/16/2009 11:16 PM 66432]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]
S3 ETCHSP;ETCHSP;c:\windows\system32\drivers\etchsp.sys [2/18/2005 4:58 PM 10240]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [12/23/2008 11:35 AM 50704]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:17]

2010-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640585479-3863577675-661235464-1006Core.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 01:15]

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1640585479-3863577675-661235464-1006UA.job
- c:\documents and settings\Rick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-27 01:15]

2010-07-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1640585479-3863577675-661235464-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1640585479-3863577675-661235464-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-07-01 c:\windows\Tasks\User_Feed_Synchronization-{3797ADAB-1D6C-47BA-88CC-FCE1050CECC6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 14:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1640585479-3863577675-661235464-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1640585479-3863577675-661235464-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:d6,69,29,09,5a,1a,42,69,fb,fa,5b,55,b2,38,f0,c5,b5,6b,51,a8,bf,f1,f0,
6b,bf,7b,3f,28,73,b4,49,7a,d1,af,f4,2c,88,83,68,32,67,aa,5e,dd,a7,30,57,08,\
"??"=hex:d7,ad,cf,2c,bd,41,7a,2e,ea,5e,78,7c,63,05,8d,5b

[HKEY_USERS\S-1-5-21-1640585479-3863577675-661235464-1006\Software\SecuROM\License information*]
"datasecu"=hex:56,e8,60,22,b3,3e,6f,93,5c,d0,7b,8d,8e,dc,9b,7a,f0,2e,d8,a3,49,
23,7e,22,33,a2,92,08,3c,bf,78,09,6b,1b,bb,4f,0b,f0,3a,39,cc,d3,4d,ab,55,63,\
"rkeysecu"=hex:7c,d9,12,ab,81,cc,73,1c,b6,d7,9d,fc,38,2a,4f,23
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2140)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\IDU\awServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-01 14:29:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-01 18:29
ComboFix2.txt 2010-06-24 16:38
ComboFix3.txt 2008-12-22 20:07

Pre-Run: 54,781,317,120 bytes free
Post-Run: 54,675,570,688 bytes free

- - End Of File - - 1F64125127DEF4C455C3113583B70DEE


#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 04 July 2010 - 06:41 AM

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 06 July 2010 - 09:08 PM

Sempai,

I completed the scan as you requested. I do not have a log to post as there was no infected file found. My only question is that when the scan started there was the option of choosing to scan archives which I left unchecked. I hope you have not run into a dead end yet with my situation :S

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 07 July 2010 - 04:13 AM

Hi,

Let's use another scanner.

1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Control Panel > Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.



2. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .
Note: Kaspersky online scan may take time to complete, please be patient.



3. Please run another DDS scan and post the latest report. Do not attach the logs please. Thanks.


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 08 July 2010 - 03:36 PM

I tried to run the kaspersky online scan today though it wants either IE 6 or 7, Opera 9, or Firefox 2 as an internet browser. I am using Google Chrome which is not supported. I really don't want to use IE (I have version 8) because I may get another virus. I guess I have to download one of the other supported browsers then?

#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:14 AM

Posted 09 July 2010 - 05:37 AM

You can try it with Firefox. Thanks.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 Rick115

Rick115
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:14 PM

Posted 14 July 2010 - 07:56 AM

I completed the Kaspersky scan and it did find one infected item. I will run another DDS scan this evening and post its results. Here is the Kaspersky results:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, July 14, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, July 13, 2010 20:20:54
Records in database: 4226357
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 197777
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:53:18


File name / Threat / Threats count
C:\Documents and Settings\Rick\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-190488d9 Infected: Exploit.Java.Agent.f 1

Selected area has been scanned.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users