
Infected with Trojan horse Crypt.AWQL


This topic is locked
11 replies to this topic

#1 simt

simt

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 17 March 2012 - 11:01 PM

Hi there,
In the last few days I have picked up a virus, Trojan horse Crypt.AQLW; it just won't go away.
Fortress 2012 also popped up yesterday, but with Malwarebytes it seems to have gone, for now.
Also Trojan horse Agent_r.BDJ has come up.
Win XP Pro SP2 + AVG
I have gone through the preparation before posting and it went OK until I tried to get the logs from DDS.
The machine just hangs/locks up . . . it starts OK, then the #s start to grow in the DOS window.
After 6 minutes nothing more happens and I have to press the power button to restart :(
Tried this 3 times, then in Safe Mode, but the same happens.
Attached is the AVG Vault; you can see the Trojan files like to destroy the Win/Sys32 files.
Help needed please

Thanks

Simon

Edited by simt, 18 March 2012 - 08:17 AM.




#2 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 18 March 2012 - 08:16 AM

Hi,
after reading through a few more posts I have run a scan with OTL.
When double-clicking on OTL, an error message says "framedyn.dll is missing",
but OTL is able to run after clicking through the message.

Thanks
Si

#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:19 AM

Posted 21 March 2012 - 09:57 AM

Hi,

Please download and run this. Check "attach.txt" and uncheck the MBR option. Leave the other settings at their defaults and run it. Post back the logs it creates.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 21 March 2012 - 05:10 PM

Hi Blade81,
Thanks for looking into my trojan problem.

DDS file as requested with MBR unchecked and others left as default.
Sy


DDS (Ver_2011-09-30.01) - NTFS_x86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Si at 21:58:11 on 2012-03-21
#Option MBR scan is disabled.
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.984 [GMT 0:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {E5A1691B-D188-4419-AD02-90002030B8EE} - c:\program files\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\si\startm~1\programs\startup\_uninst_.lnk - c:\documents and settings\si\local settings\temp\_uninst_.bat
StartupFolder: c:\docume~1\si\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\si\local settings\temp\_uninst_51364701.bat
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: HideSCAHealth = dword:1
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {40BF816B-D862-41B9-9445-ECA36D5F67F9} - hxxp://www.flatcast.info/objects/NpFv412.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.23.231.4/activex/AMC.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5E891AA8-6991-4AB9-9754-2A926B55C225} : DHCPNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\si\application data\mozilla\firefox\profiles\0sw267r6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\free download manager\firefox\extension\components\component.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpFv412.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-11-2 38448]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-3-18 64512]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-17 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-17 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-17 909728]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-12 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-12 108552]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-3-17 185560]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-5-7 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-5-7 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R3 gfvknt;GoFlight Virtual HID Keyboard;c:\windows\system32\drivers\gfvknt.sys [2007-11-14 11265]
S0 uuxg;uuxg;c:\windows\system32\drivers\uivbjg.sys --> c:\windows\system32\drivers\uivbjg.sys [?]
S3 GPU-Z;GPU-Z; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\pc tools\dmscanning\PCTSFiles.exe [2012-3-17 89016]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-5-1 132232]
.
=============== Created Last 30 ================
.
2012-03-18 20:49:37 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-18 20:45:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-18 19:10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-18 19:10:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-18 02:14:13 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-18 02:14:13 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-17 02:55:37 -------- d-----w- c:\documents and settings\all users\application data\F4D56268000435DB00012E252830AC72
2012-03-17 02:54:46 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-03-17 02:54:46 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-03-17 02:54:41 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-03-17 02:54:41 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-03-17 02:54:39 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-17 02:54:39 -------- d-----w- c:\program files\PC Tools
2012-03-17 02:54:39 -------- d-----w- c:\program files\common files\PC Tools
2012-03-17 02:54:05 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-17 02:54:04 -------- d-----w- c:\documents and settings\si\application data\TestApp
2012-03-15 01:13:27 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-07 22:09:51 610 ----a-w- c:\windows\system32\wun32.dll
2012-03-07 02:09:49 -------- d-----w- c:\program files\Wake up News
2012-02-26 23:31:11 -------- d-----w- c:\windows\system32\quicktime
2012-02-26 23:31:10 -------- d-----w- c:\program files\AVI Movie Player
2012-02-21 19:11:53 -------- d-----w- c:\program files\DiskTrix
2012-02-21 19:01:06 -------- d-----w- c:\documents and settings\si\local settings\application data\Logitech
2012-02-21 18:57:22 -------- d-----w- c:\program files\common files\Logitech
.
==================== Find3M ====================
.
2012-03-10 17:08:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-10 17:08:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-26 19:36:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-19 18:25:39 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2012-02-19 18:25:39 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2012-02-18 23:58:11 61 --sh--w- c:\windows\cnerolf.bin
.
============= FINISH: 22:00:34.31 ===============
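
A triage pass over DDS output of the kind posted above, added here as an example; it is not part of this thread, of DDS, or of the Malware Response Team's procedure. The rules it applies (a service or driver whose image file DDS marks "[?]", a recently written file carrying hidden+system attributes, a sub-4 KB DLL written into system32, a Startup-folder shortcut whose target sits in a temp directory, an ActiveX download served from a bare IP address) and the 4096-byte threshold are my own assumptions, not DDS logic. A hit is a prompt to verify the file, for example by submitting it to VirusTotal as Blade81 asks, not a verdict. The sample input is a constructed excerpt made of lines copied from the log in this post, and the claim that dds_trash_log.cmd is DDS's own scratch file is also an assumption of the example:

```python
"""DDS log triage: added example, not a BleepingComputer or DDS tool.

Pulls out the entries from a DDS log that a malware-response helper
normally checks first. All thresholds and rules below are the example
author's own assumptions; a flag means "verify this file" (for instance
on VirusTotal), not "this is malware".
"""
import ipaddress
import re

# Service/driver rows, e.g.
#   S0 uuxg;uuxg;c:\windows\system32\drivers\uivbjg.sys --> ...\uivbjg.sys [?]
SERVICE_RE = re.compile(
    r"^(?P<type>[RS])(?P<start>\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$"
)
# "Created Last 30" / "Find3M" rows, e.g.
#   2012-03-07 22:09:51 610 ----a-w- c:\windows\system32\wun32.dll
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+|-+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
STARTUP_RE = re.compile(r"^StartupFolder: .+ - (?P<target>.+)$", re.IGNORECASE)
DPF_RE = re.compile(r"^DPF: \{[^}]+\} - hxxps?://(?P<host>[^/:]+)", re.IGNORECASE)

TINY_BINARY_BYTES = 4096  # assumption: a genuine PE module is rarely smaller
BINARY_EXT = (".dll", ".sys", ".exe")
# Assumption: DDS creates this zero-byte file itself while it runs.
KNOWN_TOOL_FILES = {r"c:\windows\system32\dds_trash_log.cmd"}


def check_service(line):
    """Flag a service/driver whose image DDS could not find on disk ([?])."""
    m = SERVICE_RE.match(line)
    if not m or m.group("meta") != "?":
        return None
    image = m.group("path").split(" --> ")[0]
    return "service %r (start %s%s): image %s missing on disk" % (
        m.group("name"), m.group("type"), m.group("start"), image)


def check_file(line):
    """Flag hidden+system files and tiny binaries written under system32."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs, path = m.group("attrs"), m.group("path").lower()
    if path in KNOWN_TOOL_FILES or "d" in attrs:  # 'd' marks a directory row
        return None
    if "h" in attrs and "s" in attrs:
        return "%s: recently written file with hidden+system attributes" % path
    size = int(m.group("size")) if m.group("size").isdigit() else -1
    if (path.endswith(BINARY_EXT) and 0 <= size < TINY_BINARY_BYTES
            and "\\windows\\system32\\" in path):
        return "%s: %d-byte module in system32, too small for a real PE" % (path, size)
    return None


def check_startup(line):
    """Flag Startup-folder shortcuts whose target lives in a temp directory."""
    m = STARTUP_RE.match(line)
    if m and "\\temp\\" in m.group("target").lower():
        return "startup item runs from temp: %s" % m.group("target")
    return None


def check_dpf(line):
    """Flag ActiveX (DPF) downloads served from a bare IP address."""
    m = DPF_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m.group("host"))
    except ValueError:
        return None  # a hostname, not an IP literal
    return "ActiveX control fetched from raw IP %s" % m.group("host")


CHECKS = (check_service, check_file, check_startup, check_dpf)


def triage(log_text):
    """Return [(log line, reason)] for every line that trips a check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append((line, reason))
                break
    return findings


# Constructed excerpt: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
StartupFolder: c:\docume~1\si\startm~1\programs\startup\_uninst_.lnk - c:\documents and settings\si\local settings\temp\_uninst_.bat
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.23.231.4/activex/AMC.cab
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-11-2 38448]
S0 uuxg;uuxg;c:\windows\system32\drivers\uivbjg.sys --> c:\windows\system32\drivers\uivbjg.sys [?]
S3 GPU-Z;GPU-Z; [x]
2012-03-15 01:13:27 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-07 22:09:51 610 ----a-w- c:\windows\system32\wun32.dll
2012-03-10 17:08:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-18 23:58:11 61 --sh--w- c:\windows\cnerolf.bin
"""

if __name__ == "__main__":
    for _line, reason in triage(SAMPLE_LOG):
        print(reason)
```

Run against the excerpt it reports five entries (the missing uivbjg.sys driver image, the 610-byte wun32.dll, the hidden cnerolf.bin, the _uninst_.bat autorun in the temp folder and the AMC.cab fetched from 217.23.231.4) and stays silent on hotcore3.sys, the Sun Java cab and deployJava1.dll. Each hit still needs the file itself checked; a missing driver image in particular tells you only that the registry entry outlived whatever AVG removed.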

#5 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 22 March 2012 - 11:21 AM

Hi Blade81,

I thought this list would be helpful as well; it was going through the /system32 file like wildfire....

Attached Files



#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:19 AM

Posted 22 March 2012 - 11:47 AM

Hi,

Was the attach.txt file generated by DDS? If not, please check that the related option is enabled in the DDS settings and then run the tool again.

Upload these files to http://www.virustotal.com and post back the results/links to the results:
C:\WINDOWS\system32\sisnic.dll
C:\WINDOWS\system32\messenger.dll


#7 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 22 March 2012 - 05:15 PM

Hi Blade81,
I have run the DDS again with the attach checked, and the file is now attached.
Posted below is the accompanying dds report.
Second thing:
These two files are not in the /system32 folder .....
C:\WINDOWS\system32\sisnic.dll
C:\WINDOWS\system32\messenger.dll
I ran a quick Windows search as well to make sure I could not see them alphabetically, but nothing was there.
They are listed in the virus vault . . see the previously attached JPEG.
OK
Thanks

Si

DDS (Ver_2011-09-30.01) - NTFS_x86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
Run by Si at 21:57:11 on 2012-03-22
#Option MBR scan is disabled.
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1003 [GMT 0:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdmcks.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {E5A1691B-D188-4419-AD02-90002030B8EE} - c:\program files\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [SoundMax] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\si\startm~1\programs\startup\_uninst_.lnk - c:\documents and settings\si\local settings\temp\_uninst_.bat
StartupFolder: c:\docume~1\si\startm~1\programs\startup\_unins~1.lnk - c:\documents and settings\si\local settings\temp\_uninst_51364701.bat
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: HideSCAHealth = dword:1
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {40BF816B-D862-41B9-9445-ECA36D5F67F9} - hxxp://www.flatcast.info/objects/NpFv412.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://217.23.231.4/activex/AMC.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{5E891AA8-6991-4AB9-9754-2A926B55C225} : DHCPNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\si\application data\mozilla\firefox\profiles\0sw267r6.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\free download manager\firefox\extension\components\component.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NpFv412.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-11-2 38448]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-3-18 64512]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-3-17 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-3-17 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-3-17 909728]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-12 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-12 108552]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-3-17 185560]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2010-5-7 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2010-5-7 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152152]
R3 gfvknt;GoFlight Virtual HID Keyboard;c:\windows\system32\drivers\gfvknt.sys [2007-11-14 11265]
S0 uuxg;uuxg;c:\windows\system32\drivers\uivbjg.sys --> c:\windows\system32\drivers\uivbjg.sys [?]
S3 GPU-Z;GPU-Z; [x]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\pc tools\dmscanning\PCTSFiles.exe [2012-3-17 89016]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [2007-5-1 132232]
.
=============== Created Last 30 ================
.
2012-03-18 20:49:37 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-03-18 20:45:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-03-18 19:10:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-18 19:10:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-18 02:14:13 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-18 02:14:13 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-17 02:55:37 -------- d-----w- c:\documents and settings\all users\application data\F4D56268000435DB00012E252830AC72
2012-03-17 02:54:46 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-03-17 02:54:46 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-03-17 02:54:41 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-03-17 02:54:41 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-03-17 02:54:39 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-03-17 02:54:39 -------- d-----w- c:\program files\PC Tools
2012-03-17 02:54:39 -------- d-----w- c:\program files\common files\PC Tools
2012-03-17 02:54:05 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-03-17 02:54:04 -------- d-----w- c:\documents and settings\si\application data\TestApp
2012-03-15 01:13:27 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-07 22:09:51 610 ----a-w- c:\windows\system32\wun32.dll
2012-03-07 02:09:49 -------- d-----w- c:\program files\Wake up News
2012-02-26 23:31:11 -------- d-----w- c:\windows\system32\quicktime
2012-02-26 23:31:10 -------- d-----w- c:\program files\AVI Movie Player
.
==================== Find3M ====================
.
2012-03-10 17:08:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-10 17:08:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-26 19:36:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-19 18:25:39 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2012-02-19 18:25:39 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2012-02-18 23:58:11 61 --sh--w- c:\windows\cnerolf.bin
.
============= FINISH: 21:59:36.85 ===============

Attached Files


Edited by simt, 22 March 2012 - 05:34 PM.


#8 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:19 AM

Posted 23 March 2012 - 09:41 AM

Hi,

Please release the files back from the virus vault and after that submit them to Virustotal.


#9 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 28 March 2012 - 05:39 PM

Hi Blade81,
hopefully you can hold on...
I am trying to get the connection working at home,
something with the ISP billing.
Thanks
Si

#10 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:19 AM

Posted 29 March 2012 - 08:41 AM

Ok. Thanks for the heads up!


#11 simt

simt
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:09:19 PM

Posted 04 April 2012 - 10:16 AM

Blade81,
Same problem here at the moment.
I cannot wait for the weekend.
With all going to plan my connection should be back on at home.
Thanks
Simon

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:12:19 AM

Posted 11 April 2012 - 05:30 AM

Hi,

How's the status here?

