
Patched_c.KAI Patched.GB Generic3_c.AERQ


2 replies to this topic

#1 RichardC74

  • Members
  • 2 posts

Posted 02 January 2011 - 05:31 PM

Trying to fix my father-in-law's computer - don't ya just love the holidays?
Getting 3 warnings from AVG Resident Shield
1. c:\WINDOWS\system32\winlogon.exe Trojan Horse Patched_c.KAI
2. c:\WINDOWS\system32\ms.dll Trojan Horse Generic3_c.AERQ
3. c:\WINDOWS\explorer.exe Virus Win32/Patched.GB

Thanks very very much in advance:

GMER log to follow, as it's taking ages, and I reckon, based on the other threads on this one, you're going to ask me to run Combofix, but I've been a good boy and not done it yet....

DDS log


DDS (Ver_10-12-12.02) - NTFSx86
Run by Mike at 19:44:26.26 on 02/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHInst.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\GFI\GFIBAC~1\GFIHSC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
\??\C:\Program Files\AVG\AVG10\avgrsx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
\??\C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgscanx.exe
\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike Boag\Desktop\Defogger.exe
C:\Documents and Settings\Mike Boag\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://home.bt.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SmartBackup] "c:\program files\jam software\smartbackup\SmartBackup.exe" /WINSTART
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe" /Startup
uRun: [GFI Backup 2009 - Home Edition] "c:\progra~1\gfi\gfibac~1\GFIAgent.exe"
uRun: [EPSON Stylus DX9400F Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticfe.exe /fu "c:\docume~1\mikebo~1\locals~1\temp\E_S3C.tmp" /EF "HKCU"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SecuUFD] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTIzODc0NjA2LVQxLUJBKzEtS1YzKzctWEwrMS1VQ0FMTCsxLUJBUjhHKzEtVUNBTEwyKzItVEI4KzItRkwrOC1GOE05QSsz"&"prod=90"&"ver=10.0.1187
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: sch.uk\folders.hgs.n-yorks
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: LMIinit - LMIinit.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mikebo~1\applic~1\mozilla\firefox\profiles\9azqspk4.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.source8.com/exchange/
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R? gupdate;Google Update Service (gupdate)
R? LMIRfsClientNP;LMIRfsClientNP
R? m5287;m5287
R? m5289;m5289
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? ddnt;ddnt
S? GFIBckHAtt;GFI Backup 2009 - Home Edition Attendant Service
S? GFIBckHSched;GFI Backup 2009 - Home Edition Scheduler Service
S? LMIGuardianSvc;LMIGuardianSvc
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? vnccom;vnccom

=============== Created Last 30 ================

2011-01-02 19:44:05 3584 ----a-w- c:\windows\system32\ms.dll
2011-01-02 19:41:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-02 19:41:34 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-01-02 19:39:08 -------- d--h--w- C:\$AVG
2011-01-02 19:28:01 -------- d-----w- c:\windows\system32\drivers\AVG
2011-01-02 13:46:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2011-01-02 13:41:29 -------- d-----w- c:\program files\VS Revo Group
2011-01-02 13:28:32 -------- d-----w- c:\program files\CCleaner
2010-12-30 22:43:39 -------- d-----w- c:\docume~1\mikebo~1\applic~1\AVG10
2010-12-30 22:41:02 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-12-30 22:37:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-12-30 10:08:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-30 10:08:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-12-30 09:49:24 -------- d-----w- c:\docume~1\mikebo~1\applic~1\Malwarebytes
2010-12-30 09:49:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-30 09:49:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-30 09:49:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-30 09:49:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-27 19:07:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-12-16 19:06:32 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 19:01:11 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-08 04:12:38 251728 ----a-w- c:\windows\system32\drivers\avgldx86.sys

==================== Find3M ====================

2010-12-08 13:12:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-08 13:11:52 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2010-12-08 13:11:46 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-08 13:11:44 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-12-02 20:38:12 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 16:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 19:48:55.96 ===============


#2 RichardC74

  • Topic Starter
  • Members
  • 2 posts

Posted 05 January 2011 - 04:26 AM

Scratch this - ran out of time at the family's house, so the computer has gone into the shop, no doubt for a re-install. Luckily the data is safe. Thanks, Richard

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 January 2011 - 03:30 PM

Thanks for letting me know :thumbup2:

-----------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE