Jump to content

Recommended Posts

Hi,

My computer got infected by trojan last night. The AVG identified the virus as PC defender variant (it disable the windows firewall and security center). The AVG seemed to stop the virus, but I could not run the exe file. I used rregistry recovery program and manage to make the computer run the exe file. Then, I run the Malwarebytes, re-install AVG and install Avira and run the scan.

log from MBAM quick scan:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6244

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18702

4/1/2011 11:31:03 PM

mbam-log-2011-04-01 (23-31-03).txt

Scan type: Quick scan

Objects scanned: 146270

Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Log from MBAM complete scan:

atabase version: 6244

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

4/2/2011 12:42:50 PM

mbam-log-2011-04-02 (12-42-50).txt

Scan type: Full scan (C:\|)

Objects scanned: 304143

Time elapsed: 2 hour(s), 42 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\Arka\application data\desktopicon\ebayshortcuts.exe (Adware.ADON) -> Quarantined and deleted successfully.

DDS:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Arka at 19:09:49.62 on Sat 04/02/2011

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.152 [GMT -7:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Arka\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

uInternet Settings,ProxyServer = proxy.library.ubc.ca:8000

uURLSearchHooks: H - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDgxOTY1Nzk1LUtWMys3LUJBKzEtWEwrMS1UNC1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtRjEwTTEwRCsxLVgyMDEwKzI"&"prod=90"&"ver=10.0.1204

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install-ie/alttiff.cab

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://myvpn.ubc.ca/CACHE/stc/1/binaries/vpnweb.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38205.908125

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} - hxxps://merlin.telus.net/wizlet/Merlin11/static/controls/TELUSHighSpeedInstallWizard.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\arka\applic~1\mozilla\firefox\profiles\x6fhr17v.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\common files\motive\npMotive.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

============= SERVICES / DRIVERS ===============

.

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-3-25 26624]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-2 11608]

R1 SASDIFSV;SASDIFSV;c:\docume~1\arka\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\docume~1\arka\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-2 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-2 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-2 61960]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-11-27 2560]

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]

.

=============== Created Last 30 ================

.

2011-04-03 00:51:44 -------- d-----w- c:\windows\system32\scripting

2011-04-03 00:51:42 -------- d-----w- c:\windows\l2schemas

2011-04-03 00:51:41 -------- d-----w- c:\windows\system32\en

2011-04-03 00:27:48 144384 ------w- c:\windows\system32\drivers\hdaudbus.sys

2011-04-03 00:27:40 81920 ------w- c:\windows\system32\ieencode.dll

2011-04-03 00:27:18 24064 -c----w- c:\windows\system32\dllcache\pidgen.dll

2011-04-03 00:27:18 102912 -c----w- c:\windows\system32\dllcache\dpcdll.dll

2011-04-03 00:27:15 6144 ------w- c:\windows\system32\kbdpash.dll

2011-04-03 00:27:15 6144 ------w- c:\windows\system32\kbdnepr.dll

2011-04-03 00:27:15 6144 ------w- c:\windows\system32\kbdiultn.dll

2011-04-03 00:27:15 6144 ------w- c:\windows\system32\kbdbhc.dll

2011-04-03 00:27:14 61440 ------w- c:\windows\system32\kmsvc.dll

2011-04-03 00:27:13 37376 ------w- c:\windows\system32\l2gpstore.dll

2011-04-03 00:27:00 397312 ------w- c:\windows\system32\mmcex.dll

2011-04-03 00:27:00 184320 ------w- c:\windows\system32\microsoft.managementconsole.dll

2011-04-03 00:27:00 106496 ------w- c:\windows\system32\mmcfxcommon.dll

2011-04-03 00:25:56 32768 ------w- c:\windows\system32\setupn.exe

2011-04-03 00:25:55 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys

2011-04-03 00:25:43 53248 ------w- c:\windows\system32\tsgqec.dll

2011-04-03 00:25:42 50688 ------w- c:\windows\system32\tspkg.dll

2011-04-03 00:25:20 69120 ------w- c:\windows\system32\wlanapi.dll

2011-04-02 08:18:14 -------- d-----w- c:\docume~1\arka\applic~1\Avira

2011-04-02 08:11:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-04-02 08:11:30 -------- d-----w- c:\program files\Avira

2011-04-02 08:11:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-03-20 04:24:03 839680 ----a-w- c:\windows\system32\lameACM.acm

2011-03-20 04:24:02 810496 ----a-w- c:\windows\system32\xvidcore.dll

2011-03-20 04:24:02 80896 ----a-w- c:\windows\system32\ff_vfw.dll

2011-03-20 04:24:02 237568 ----a-w- c:\windows\system32\yv12vfw.dll

2011-03-20 04:24:02 183808 ----a-w- c:\windows\system32\xvidvfw.dll

2011-03-20 04:24:02 151552 ----a-w- c:\windows\system32\ac3acm.acm

2011-03-20 04:23:59 -------- d-----w- c:\program files\K-Lite Codec Pack

2011-03-12 19:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2011-03-12 19:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

.

==================== Find3M ====================

.

2011-04-03 02:06:36 1657 --sha-w- c:\windows\system32\mmf.sys

.

============= FINISH: 19:11:23.32 ===============

I tried to run GMER scan for my entire c:drive twice, but it gave me an error everytime it finish (I could not save the result). So I decide to run it with C:\ unchecked and the result is attached.

Attach.zip

Link to post
Share on other sites

Hello and :welcome:

What problems are you still having at this moment.

I see you use a proxy server to connect to the internet; is that something you have set yourself?

Hello,

Thanks for the quick reply. One thing that I am quite worried my Avira gave me warnings several times (Dldr.Bandom.B virus) within the last two days when I visited several regular websites (including wikihow, wikipedia, and Fox sport).

I believed I used VPN from my university to access some library resources. Aside from that, I don't believe I used any proxy server to connect to internet for web browsing.

Link to post
Share on other sites

Hi again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

Link to post
Share on other sites

  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.