Trojan Agent3.CPCF



#1 johnbenett

Posted 09 January 2013 - 04:20 PM

Trojan horse Agent3.CPCF recently appeared as a warning by AVG. Cannot remove it.
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16457 BrowserJavaVersion: 10.9.2
Run by New John Benett at 7:07:43 on 2013-01-10
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgemcx.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\EPSON Software\FAX Utility\FUFAXRCV.exe
C:\Program Files\EPSON Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\EPSON Software\Event Manager\EEventManager.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_TATIHVP.EXE
C:\Windows\Sun\Java\bin\javaw.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\DllHost.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Windows\Sun\Java\bin\javaw.exe
C:\Program Files\Microsoft\BingBar\7.1.391.0\SeaPort.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - LocalServer32 - <no file>
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\microsoft\bingbar\7.1.391.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Easy Photo Print: {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EPLTarget\P0000000000000000] c:\windows\system32\spool\drivers\w32x86\3\e_tatihvp.exe /ept "epltarget\P0000000000000000" /M "WorkForce 645"
uRun: [Java Updater Module] c:\windows\sun\java\bin\javaw.exe -jar c:\windows\config\systemprofile\appdata\local\google\update\manifest\initial\1e611a00
mRun: [FUFAXRCV] "c:\program files\epson software\fax utility\FUFAXRCV.exe"
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] "c:\program files\epson software\event manager\EEventManager.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{15DCB6BC-E416-40FD-B174-700906BB40E7} : NameServer = 211.29.132.12 61.88.88.88
TCP: Interfaces\{397A9C0E-FCD0-40B3-A852-77FCE8F62F9E} : NameServer = 211.29.132.12 61.88.88.88
TCP: Interfaces\{3CB82609-D97F-43B4-AB78-C4E62C8403ED} : NameServer = 211.29.132.12 61.88.88.88
TCP: Interfaces\{56633A96-C160-436A-8B71-0E5EFC0725F0} : NameServer = 211.29.132.12 61.88.88.88
TCP: Interfaces\{E44E11B6-5351-4E6C-9309-3B2994435C57} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{E44E11B6-5351-4E6C-9309-3B2994435C57}\2456C6B696E60A2456E65647470213 : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{E44E11B6-5351-4E6C-9309-3B2994435C57}\24967605F6E646435393136303 : DHCPNameServer = 10.0.0.138
TCP: Interfaces\{E44E11B6-5351-4E6C-9309-3B2994435C57}\A496160235861686 : DHCPNameServer = 10.1.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs= c:\progra~1\wi3c8a~1\datamngr\datamngr.dll c:\progra~1\wi3c8a~1\datamngr\IEBHO.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\new john benett\appdata\roaming\mozilla\firefox\profiles\dlvxx8c9.default\
FF - prefs.js: browser.search.selectedEngine - Search By ZoneAlarm
FF - prefs.js: browser.startup.homepage - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&
FF - ExtSQL: 2013-01-07 11:07; ffxtlbr@zonealarm.com; c:\users\new john benett\appdata\roaming\mozilla\firefox\profiles\dlvxx8c9.default\extensions\ffxtlbr@zonealarm.com
FF - ExtSQL: 2013-01-07 11:07; donottrack@checkpoint.com; c:\users\new john benett\appdata\roaming\mozilla\firefox\profiles\dlvxx8c9.default\extensions\donottrack@checkpoint.com
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.zonealarm.autoRvrt - false
FF - user.js: extensions.zonealarm_i.hmpg - true
FF - user.js: extensions.zonealarm.hmpgUrl - hxxp://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.dfltSrch - true
FF - user.js: extensions.zonealarm.srchPrvdr - Search By ZoneAlarm
FF - user.js: extensions.zonealarm.keyWordUrl - hxxp://search.zonealarm.com/search?src=sp&tbid=base2013&Lan=en&q={searchTerms}&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm_i.dnsErr - true
FF - user.js: extensions.zonealarm_i.newTab - true
FF - user.js: extensions.zonealarm.newTabUrl - hxxp://search.zonealarm.com/?src=nt&tbid=base2013&Lan=en&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?src=tb&tbid=base2013&Lan={dfltLng}&gu=2cf5f6e4f4f143ffa8b49fe2dafef351&tu=10G90005z2B000c&sku=&tstsId=&ver=&&q=
FF - user.js: extensions.zonealarm.id - 8ec45e5800000000000000215d99c358
FF - user.js: extensions.zonealarm.appId - {C56C48A0-DA4E-46F6-9859-1553DC865F84}
FF - user.js: extensions.zonealarm.instlDay - 15712
FF - user.js: extensions.zonealarm.vrsn - 1.8.3.16
FF - user.js: extensions.zonealarm.vrsni - 1.8.3.16
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.8.3.1611:05:48
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1001
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base2013
FF - user.js: extensions.zonealarm.instlRef - ZLN116288149658742-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - false
FF - user.js: extensions.zonealarm.admin - false
.
============= SERVICES / DRIVERS ===============
.
R? androidusb;SAMSUNG Android Composite ADB Interface Driver
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? BBSvc;BingBar Service
R? btusbflt;Bluetooth USB Filter
R? btwl2cap;Bluetooth L2CAP Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? esgiguard;esgiguard
R? ewusbnet;HUAWEI USB-NDIS miniport
R? FNETURPX;FNETURPX
R? LMIRfsClientNP;LMIRfsClientNP
R? RTL2832U_IRHID;HID Infrared Remote Receiver
R? RTL2832UBDA;REALTEK 2832U BDA Driver
R? RTL2832UUSB;REALTEK 2832U USB Driver
R? SkypeUpdate;Skype Updater
R? ssadbus;SAMSUNG Android USB Composite Device driver (WDM)
R? ssadmdfl;SAMSUNG Android USB Modem (Filter)
R? ssadmdm;SAMSUNG Android USB Modem Drivers
R? ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM)
R? TsUsbFlt;TsUsbFlt
R? WatAdminSvc;Windows Activation Technologies Service
R? WSDScan;WSD Scan Support via UMB
S? ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service
S? AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSHX;AVGIDSHX
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avglogx;AVG Logging Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? BBUpdate;BBUpdate
S? LMIGuardianSvc;LMIGuardianSvc
S? LMIInfo;LogMeIn Kernel Information Provider
S? LMIRfsDriver;LogMeIn Remote File System Driver
S? netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit
S? RTL8167;Realtek 8167 NT Driver
S? TeamViewer5;TeamViewer 5
.
=============== Created Last 30 ================
.
2013-01-09 05:40:59 55296 ----a-w- c:\windows\system32\cero.rs
2013-01-09 05:40:59 51712 ----a-w- c:\windows\system32\esrb.rs
2013-01-09 05:40:59 23552 ----a-w- c:\windows\system32\oflc.rs
2013-01-09 05:40:59 20480 ----a-w- c:\windows\system32\pegi-fi.rs
2013-01-09 05:40:45 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 05:40:45 220160 ----a-w- c:\windows\system32\ncrypt.dll
2013-01-09 05:30:12 -------- d-sh--w- C:\$RECYCLE.BIN
2013-01-09 05:30:11 -------- d-----w- c:\users\new john benett\appdata\local\temp
2013-01-09 02:25:40 98816 ----a-w- c:\windows\sed.exe
2013-01-09 02:25:40 256000 ----a-w- c:\windows\PEV.exe
2013-01-09 02:25:40 208896 ----a-w- c:\windows\MBR.exe
2013-01-09 02:01:03 53319 ----a-w- c:\windows\system32\lssasr.exe
2013-01-08 22:13:12 -------- d-----w- c:\users\new john benett\appdata\roaming\Malwarebytes
2013-01-08 22:12:55 -------- d-----w- c:\programdata\Malwarebytes
2013-01-08 22:12:54 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-08 22:12:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-08 22:12:33 -------- d-----w- c:\users\new john benett\appdata\local\Programs
2013-01-08 21:04:01 -------- d-----w- c:\users\new john benett\appdata\roaming\SpeedyPC Software
2013-01-08 21:03:47 -------- d-----w- c:\program files\common files\SpeedyPC Software
2013-01-08 21:03:44 -------- d-----w- c:\programdata\SpeedyPC Software
2013-01-08 21:03:44 -------- d-----w- c:\program files\SpeedyPC Software
2013-01-08 05:50:50 -------- d-----w- c:\program files\common files\PC Tools
2013-01-08 05:49:28 -------- d-----w- c:\programdata\PC Tools
2013-01-08 05:49:27 -------- d-----w- c:\users\new john benett\appdata\roaming\TestApp
2013-01-07 22:40:31 -------- d-----w- c:\users\new john benett\appdata\roaming\DriverCure
2013-01-07 22:40:30 -------- d-----w- c:\users\new john benett\appdata\roaming\SparkTrust
2013-01-07 22:40:10 -------- d-----w- c:\programdata\SparkTrust
2013-01-07 22:20:56 75096 ----a-w- c:\windows\system32\drivers\klflt.sys
2013-01-07 22:08:11 -------- d-----w- c:\windows\DDABC66756B3412282B02F5782EA2F9A.TMP
2013-01-07 21:27:10 -------- d-----w- c:\program files\Enigma Software Group
2013-01-07 21:26:16 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2013-01-07 01:07:17 -------- d-----w- c:\users\new john benett\appdata\roaming\CheckPoint
2013-01-07 01:05:29 -------- d-----w- c:\programdata\CheckPoint
2013-01-06 20:54:56 -------- d-----w- c:\windows\config
2013-01-02 01:09:05 -------- dc----w- c:\users\new john benett\appdata\local\MigWiz
2012-12-24 02:07:31 -------- d-----w- c:\program files\iPod
2012-12-24 02:07:30 -------- d-----w- c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2012-12-24 02:07:30 -------- d-----w- c:\program files\iTunes
2012-12-23 11:08:24 -------- d-----w- c:\users\new john benett\appdata\roaming\Unity
2012-12-23 11:06:16 -------- d-----w- c:\users\new john benett\appdata\local\Unity
2012-12-21 17:00:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-21 17:00:37 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 23:26:11 -------- d-----w- c:\users\new john benett\appdata\roaming\AVG2013
2012-12-14 23:23:54 -------- d-----w- c:\users\new john benett\appdata\roaming\TuneUp Software
2012-12-14 23:21:40 -------- d-----w- c:\programdata\AVG2013
2012-12-14 23:18:02 -------- d-----w- c:\users\new john benett\appdata\local\MFAData
2012-12-14 23:18:02 -------- d-----w- c:\users\new john benett\appdata\local\Avg2013
2012-12-12 21:05:37 376832 ----a-w- c:\windows\system32\dpnet.dll
2012-12-12 20:21:37 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2013-01-08 22:24:28 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-08 22:24:28 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-07 12:26:17 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 12:20:43 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-12-07 10:46:42 43520 ----a-w- c:\windows\system32\csrr.rs
2012-12-07 10:46:42 30720 ----a-w- c:\windows\system32\usk.rs
2012-12-07 10:46:41 45568 ----a-w- c:\windows\system32\oflc-nz.rs
2012-12-07 10:46:41 44544 ----a-w- c:\windows\system32\pegibbfc.rs
2012-12-07 10:46:41 20480 ----a-w- c:\windows\system32\pegi-pt.rs
2012-12-07 10:46:39 46592 ----a-w- c:\windows\system32\fpb.rs
2012-12-07 10:46:39 20480 ----a-w- c:\windows\system32\pegi.rs
2012-12-07 10:46:38 21504 ----a-w- c:\windows\system32\grb.rs
2012-12-07 10:46:37 40960 ----a-w- c:\windows\system32\cob-au.rs
2012-12-07 10:46:37 15360 ----a-w- c:\windows\system32\djctq.rs
2012-11-30 04:53:34 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 04:47:45 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 02:55:25 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:38:59 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:38:59 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:38:59 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:38:59 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-23 02:56:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-11-22 04:45:03 626688 ----a-w- c:\windows\system32\usp10.dll
2012-11-14 02:09:22 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-11-14 01:58:15 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-14 01:57:37 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-11-14 01:49:25 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-11-14 01:48:27 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-11-14 01:44:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-11-12 06:42:52 8192 ----a-w- c:\windows\system32\E_DCINST.DLL
2012-11-12 06:42:51 81408 ----a-w- c:\windows\system32\E_TD4BHVP.DLL
2012-11-12 06:42:50 95232 ----a-w- c:\windows\system32\E_TLBHVP.DLL
2012-11-09 04:43:04 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-11-07 21:58:43 83912 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-11-07 21:58:43 52648 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-11-07 21:58:42 92072 ----a-w- c:\windows\system32\LMIinit.dll
2012-11-07 21:58:42 31144 ----a-w- c:\windows\system32\LMIport.dll
2012-11-01 04:47:54 1389568 ----a-w- c:\windows\system32\msxml6.dll
2012-10-24 17:12:26 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-10-24 17:12:26 69632 ----a-w- c:\windows\system32\QuickTime.qts
2012-10-22 03:02:46 179936 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2012-10-16 07:39:52 561664 ----a-w- c:\windows\apppatch\AcLayers.dll
2012-10-14 17:48:52 55776 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2010-11-04 22:37:18 729464 ----a-w- c:\program files\autoruns.exe
2010-11-04 22:37:18 594296 ----a-w- c:\program files\autorunsc.exe
.
============= FINISH: 7:09:12.77 ===============


#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 10 January 2013 - 02:09 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

Please let me know what operating system is presently installed on this computer and if it's a 32 or 64 bit system.

#3 johnbenett (Topic Starter)

Posted 10 January 2013 - 07:03 PM

Hello nasdaq

Thanks for helping to resolve my Trojan Virus issue.

Attached are the report/log files requested.

Operating system is 32 bit.
Windows 7 Home Premium Service Pack 1 (build 7601)
Install Language: English (United States)
System Locale: English (Australia)
Enclosure Type: Notebook



John Benett

#4 nasdaq (Malware Response Team)

Posted 11 January 2013 - 10:11 AM

The bad process has been identified.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs for my review and wait for further instructions.

#5 johnbenett (Topic Starter)

Posted 11 January 2013 - 05:53 PM

Thanks again....

Completed tasks as requested.

Attached are the files

John




Results of screen317's Security Check version 0.99.56
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
AVG Anti-Virus Free Edition 2013
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java™ 6 Update 31
Java 7 Update 9
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.4 Adobe Reader out of Date!
Google Chrome 23.0.1271.64
Google Chrome 23.0.1271.91
Google Chrome 23.0.1271.95
Google Chrome 23.0.1271.97
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Edited by nasdaq, 12 January 2013 - 09:48 AM.
log posted.


#6 johnbenett (Topic Starter)

Posted 11 January 2013 - 06:03 PM

Upon re-setting my AVG Anti Virus, the attached warning popped up?

I moved it to the virus vault, but it will no doubt re-appear upon re-booting?
Can you advise?

#7 nasdaq (Malware Response Team)

Posted 12 January 2013 - 09:56 AM

Upon re-setting my AVG Anti Virus, the attached warning popped up?
I moved it to the virus vault, but it will no doubt re-appear upon re-booting?
Can you advise?

Nothing to worry about. That was created by ComboFix.
When all is well we will remove all traces of the tool.


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 31
Java 7 Update 9


Java 7 update 10 introduces important new security controls
You can read about it here.
http://nakedsecurity.sophos.com/2012/12/19/java-7-update-10-introduces-important-new-security-controls/
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Remove the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Everything that was found will be deleted.
  • Follow the prompts to reboot the computer. A text file will open after the restart.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please post the log and let me know what problem persists.

#8 johnbenett (Topic Starter)

Posted 12 January 2013 - 06:14 PM

Ran all updates as requested.

Final request to delete using AdwCleaner was performed and re-boot produced the log.

As soon as I went to find the log or open mail or a web browser, the Trojan virus reappeared once again, detected by AVG (see pic).

I re-ran the AdwCleaner delete once again and have attached that report as well.

What next!!!

John

#9 johnbenett (Topic Starter)

Posted 12 January 2013 - 07:33 PM

Just saw this pop out of my computer, and wanted to know if this is the culprit?
:)
Cheers,
John



#10 nasdaq (Malware Response Team)

Posted 13 January 2013 - 10:24 AM

This file was deleted by ComboFix:

c:\windows\system32\lssasr.exe

I suggest you boot to Safe Mode and if the file is present delete it.
Restart the computer normally.

How to boot to Safe Mode, Vista - Windows 7
http://www.computerhope.com/issues/chsafe.htm#03

Please run ComboFix again and post a fresh log for my review.
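The DDS log in post #1 and the file nasdaq singles out above can be triaged mechanically. The following Python script is an added example, not code from this thread, from DDS, ComboFix or AVG; it scans a constructed excerpt of the post #1 log (embedded inline, same line formats) for four tells a responder pulls out of such logs first: Run-key entries launching from user-writable or service-profile directories (the javaw.exe -jar entry under systemprofile\appdata), EnableLUA = 0 (UAC switched off), a populated AppInit_DLLs value (the datamngr.dll injection), and recently created executables directly under system32 whose names sit within a couple of edits of a genuine system binary (lssasr.exe against lsass.exe). The list of imitated binaries, the directory hints and the edit-distance cut-off are this example's own assumptions, not anything DDS defines.

```python
"""Triage a DDS-style log for persistence and masquerading tells.

Added example: not code from this thread, from DDS, ComboFix or AVG.
SAMPLE_LOG is a constructed excerpt of the post #1 log (same line formats);
SYSTEM_BINARIES, USER_WRITABLE_HINTS and the edit-distance cut-off are assumptions.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    category: str  # e.g. "autorun-userdir", "lookalike-lsass.exe"
    evidence: str  # the log line or fragment that triggered the flag


# Names that malware commonly imitates (assumed list).
SYSTEM_BINARIES = {
    "lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "services.exe",
    "winlogon.exe", "wininit.exe", "explorer.exe", "taskhost.exe",
    "spoolsv.exe", "conhost.exe", "dllhost.exe",
}
# Directories a legitimate Run-key entry rarely launches from (assumed).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\systemprofile\\", "\\$recycle.bin\\")

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
LUA_RE = re.compile(r"^[um]Policies-System: EnableLUA = dword:(?P<val>\d+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>\S.*)$")
# "Created Last 30" rows: date time size attrs path; only top-level system32 .exe files.
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+"
    r"(?P<path>c:\\windows\\system32\\[^\\]+\.exe)$", re.IGNORECASE)

# Constructed excerpt of the DDS log quoted in post #1.
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Java Updater Module] c:\windows\sun\java\bin\javaw.exe -jar c:\windows\config\systemprofile\appdata\local\google\update\manifest\initial\1e611a00
mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableLUA = dword:0
AppInit_DLLs= c:\progra~1\wi3c8a~1\datamngr\datamngr.dll c:\progra~1\wi3c8a~1\datamngr\IEBHO.dll
2013-01-09 05:40:45 49152 ----a-w- c:\windows\system32\taskhost.exe
2013-01-09 02:01:03 53319 ----a-w- c:\windows\system32\lssasr.exe
2013-01-08 22:12:54 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short file names so the quadratic DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str, max_distance: int = 2) -> Optional[str]:
    """Return the system binary that `filename` imitates, or None for exact or unrelated names."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None  # the genuine name (location and signature still need checking)
    for known in sorted(SYSTEM_BINARIES):
        if levenshtein(name, known) <= max_distance:
            return known
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect the lines a responder would pull out first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            if any(h in m.group("cmd").lower() for h in USER_WRITABLE_HINTS):
                findings.append(Finding("autorun-userdir", line))
            continue
        m = LUA_RE.match(line)
        if m:
            if m.group("val") == "0":
                findings.append(Finding("uac-disabled", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs loads every listed DLL into each user32-linked process.
            findings.extend(Finding("appinit-dll", d) for d in m.group("dlls").split())
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            target = lookalike_of(path.rsplit("\\", 1)[-1])
            if target:
                findings.append(Finding("lookalike-" + target, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.evidence}")
```

A look-alike hit is a lead, not a verdict: confirm it with the file's signature, its creation time relative to the first alert, and whatever references it (the Run key, a scheduled task, a service). That last point is why deleting the file alone is rarely the end of it; the entry that launches it has to go as well.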

#11 johnbenett (Topic Starter)

Posted 13 January 2013 - 04:38 PM

Hi

Completed the last task.

Not sure what you meant me to do on this instruction after restarting in safe mode, as that file on a search does not exist and I had tried that many days ago as well. [instruction] I suggest you boot to Safe Mode and if the file is present delete it.
Restart the computer normally.

Attached is the log file.



On re-boot, the same AVG warning appears?

#12 nasdaq (Malware Response Team)

Posted 14 January 2013 - 09:31 AM

The report from AVG is a false positive.
ComboFix removed the file, however the file is quarantined.
Remove ComboFix as suggested below.
After the removal restart the computer normally.
Let's hope that this false notice will be eliminated.
If not, select the ignore request.

Keep me posted.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on AdwCleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

If you decide to keep the AdwCleaner tool, make sure you delete your version and download the latest before running it.

Delete the other tools we used.
You can keep the DDS tool as most forums will ask to see a log before suggesting a fix.

Surf Safely, and Think Prevention!
===

#13 johnbenett (Topic Starter)

Posted 14 January 2013 - 05:01 PM

Unfortunately...after all of that AVG still pops up an alert that the Trojan Agent3 is still there.

If, as you suggest, the Trojan is now removed by ComboFix, will this alert go on forever every time i re-boot? Should I uninstall AVG and replace it?

John

#14 johnbenett (Topic Starter)

Posted 14 January 2013 - 05:19 PM

Update: As I am moving house tomorrow morning...I decided to uninstall AVG and replaced it with Zone Alarm free anti virus and firewall. On activation of the Virus checker (I had it already running as a firewall as Free AVG does not supply a Firewall) it said the Lssasr.exe was trying to access the internet, do you approve or deny. I obviously denied it and the Zone Alarm anti virus and firewall are now running.
Does the fact that Zone Alarm identified Lssasr.exe as wanting to access the internet, mean the file is still there or if not how did Zone Alarm recognise it was trying to access the net?

John

#15 johnbenett (Topic Starter)

Posted 14 January 2013 - 06:24 PM

After the Zone Alarm virus scan, it has reported that 4 viruses have been found.

The image, as you can see, says that 1 file is quarantined, but when I click on that it indicates 0 files??

I can't upload any more images, as the system says I have a maximum of 512K and currently it's at 499.65K!!



John
