Trojan problem persists

[Flapjack]

Hi

My computer has been hit twice this last week with the same trojan: Trojan Horse SHeur3.BRHV.

I am on a desktop running XP SP3 with AVG as my realtime AV program.

AVG picked up this trojan the first time when I ran a full scan and I quarantined it. I also deleted the file that had apparently been infected as I was no longer using it and wondered if it was a security risk in some way.

I had decided to run the full system scan because I had experienced problems booting up my computer that morning - I had kept getting the following message when I turned on the computer:

Disk Boot Failure

BR Error

Insert System Disk

[it did definitely say BRError and not MBR, btw]

When I did a general search this trojan did not seem to be being picked up by any other AV programs. I had run SuperAntiSpyware and this did not pick it up.

On the second occasion, 3 days later, the Resident Shield picked up this trojan and flashed up the warning box. Again the trojan was quarantined. However, on checking further via a Windows search (including hidden files and folders), the 'file' that apparently was infected did not appear to exist.

I have cleared the cache, emptied system restore and reset my router since dealing with these trojans.

However, since having this trojan I still seem to be experiencing further problems - odd things, such as pop-up boxes for missing files (one for my printer, one for a microsoft game), webpages not redirecting to the correct page when I click on a link, the computer jumping to different tabs without me asking it to - I did not see these problems before the trojan first appeared. This led me to believe there must be some residual problem after the trojan.

I have downloaded and run MBAM and the scans I have run this last two days have been clear.

This morning I took a look at your info on dealing with infections and I have (I think!) meticulously followed your instructions. I would be very grateful if you could look at the info I have provided and assist me in resolving this problem. Many thanks.

I did use the DeFogger tool and it produced the following log:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 07:03 on 11/04/2011 (Kitchen)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=

These are the other logs and attachments you ask for:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6330

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/04/2011 06:52:13

mbam-log-2011-04-11 (06-52-13).txt

Scan type: Quick scan

Objects scanned: 145263

Time elapsed: 9 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Kitchen at 7:12:17.10 on 11/04/2011

Internet Explorer: 8.0.6001.18702

.

============== Running Processes ===============

.

\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\SM1BG.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\system32\VTtrayp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe

C:\Program Files\Lexmark 2400 Series\lxcrmon.exe

C:\Program Files\Lexmark 2400 Series\ezprint.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\MozyHome\mozystat.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\MozyHome\mozybackup.exe

C:\Program Files\PC Tools Firewall Plus\FWService.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\AVG\AVG10\avgemcx.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\WINDOWS\System32\alg.exe

\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe

\??\C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Documents and Settings\Kitchen\My Documents\Downloads\Defogger(1).exe

C:\Documents and Settings\Kitchen\My Documents\Downloads\dds.scr

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.pcservicecall.co.uk/

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [AOL_Demo] c:\applications\tool\aol demo\DSGDemo.exe

mRun: [sM1BG] c:\windows\SM1BG.EXE

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [<NO NAME>]

mRun: [VTTimer] VTTimer.exe

mRun: [VTTrayp] VTtrayp.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [lxcrmon.exe] "c:\program files\lexmark 2400 series\lxcrmon.exe"

mRun: [EzPrint] "c:\program files\lexmark 2400 series\ezprint.exe"

mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,_RunDLLEntry@16

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R? AVG Security Toolbar Service;AVG Security Toolbar Service

R? gupdate;Google Update Service (gupdate)

R? SetupNTGLM7X;SetupNTGLM7X

S? AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9

S? AVGIDSAgent;AVGIDSAgent

S? AVGIDSDriver;AVGIDSDriver

S? AVGIDSEH;AVGIDSEH

S? AVGIDSFilter;AVGIDSFilter

S? AVGIDSShim;AVGIDSShim

S? Avgldx86;AVG AVI Loader Driver

S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield

S? Avgrkx86;AVG Anti-Rootkit Driver

S? Avgtdix;AVG TDI Driver

S? avgwd;AVG WatchDog

S? PCTAppEvent;PCTAppEvent Driver

S? pctgntdi;pctgntdi

S? PCToolsFirewallPlus;PC Tools Firewall Plus

S? pctplfw;pctplfw

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

2011-02-11 16:39:49 1594543 ----a-w- c:\windows\WANEUninstaller.exe

2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-02 21:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-02-02 19:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll

2003-08-27 22:19:18 36963 -c--a-r- c:\program files\common files\SM1updtr.dll

.

============= FINISH: 7:14:44.53 ===============

Many thanks for your assistance.

Attach.zip

ark.zip

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

1. Tick the box next to YES, I accept the Terms of Use.
   
2. Click Start
   
3. When asked, allow the ActiveX control to install
   
4. Click Start
   
5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
   
6. Click Scan
   Wait for the scan to finish
   
7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
   
8. Copy and paste that log as a reply to this topic
   

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[Flapjack]

Hi screen317

thank you for your reply.

I have carried out the scans you had requested and the logs are below - though all appear to be coming up clear. I did temporarily disable AVG whilst I carried out the ESET scan - as ESET said the AV system would interfere with the scan result.

Our computer problem seems to have now levelled out to a) running very slowly; B) occasional stalling/freezing requiring a hard reboot. I am also wondering if some of these symptoms are related to fact that I updated to Firefox 4 during last weekend whilst I was experiencing the trojan issue - I will try re-installing Firefox 4 to see if this makes a difference.

I would be grateful if you could let me know if there is anything else I should now do. Many thanks.

MBAM log 14.04.2011

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6359

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

14/04/2011 07:37:20

mbam-log-2011-04-14 (07-37-20).txt

Scan type: Quick scan

Objects scanned: 145744

Time elapsed: 8 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ESET log

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6425

# api_version=3.0.2

# EOSSerial=15096e4733d7964eb79016c2787ee7bb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-04-14 07:52:14

# local_time=2011-04-14 08:52:14 (+0000, GMT Daylight Time)

# country="United Kingdom"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1032 16777189 100 94 81454 46055201 0 0

# compatibility_mode=2560 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 403 403 0 0

# scanned=90707

# found=0

# cleaned=0

# scan_time=2727

Security Check log

Results of screen317's Security Check version 0.99.10

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG 2011

ESET Online Scanner v3

PC Tools Firewall Plus 5.0

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 24

Adobe Flash Player 10.2.153.1

Adobe Reader 9.4.3

Out of date Adobe Reader installed!

Mozilla Firefox (x86 en-US..)

Mozilla Thunderbird (3.1.7) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

PC Tools Firewall Plus FirewallGUI.exe

PC Tools Firewall Plus FWService.exe

``````````End of Log````````````

[screen317]

Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Adobe Reader 9.4.3

Restart your computer.

Get the latest version of Adobe Reader.

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

[Flapjack]

Hi

I have now removed the old Adobe Reader and updated it. I also removed the outdated Thunderbird. I have also re-installed Firefox 4 and I am pleased to say this does seem to have made the computer run better.

In case there were other underlying factors affecting computer speed, I have run the other diagnostic test you suggest. This is the results page:

http://www.pcpitstop.com/betapit/sec.asp?conid=24312604

I have looked through the results and will action the junk stuff, the defrag and the system restore level. I am wary of altering registry values, and the sound driver is something of an ongoing saga!

many thanks for your help.

[screen317]

Hi,

Don't worry so much about the drivers. The defrag, removing the 'junk,' and lowering the System Restore cache should help.

Let me know if there's anything else I can do for you.