
Hi,

My pc has picked up a trojan. A .exe file is sitting in my Documents and Settings directory that even FileASSASSIN can't remove (c:\Documents and Settings\All Users\Application Data\PJUdowMnnh.exe).

All files on the infected profile were hidden, warnings about hard drive failure, insufficient RAM etc. keep popping up. All icons have disappeared on the infected profile and some from other profiles, as have file listings on the start menu.

McAfee finds the file but cannot remove it. MBAM kept being stopped short so I manually halted it each time it found an infection and cleared whichever problem it had found. Doing this removed a Vundo trojan and PUM Hijack Taskmaster.

I have now followed the instructions for what to do if problems are still being encountered after running MBAM.

DEFOGGER - appeared to run, but a defogger_disable file appeared on the desktop with the following content:

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 06:34 on 13/05/2011 (naughty steph)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

DDS.txt content is here:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by naughty steph at 6:35:30.10 on 13/05/2011

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.484 [GMT 1:00]

.

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

svchost.exe

C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe

C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe

C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe

C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\TalkTalk\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\CyberLink\PowerCinema\PCMService.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam10\QuickCam10.exe

C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

C:\Program Files\WLAN\Common\RaUI.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Trusteer\Rapport\bin\RapportService.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Logitech\QuickCam10\COCIManager.exe

C:\Documents and Settings\naughty steph\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://uk.yahoo.com/

uWindow Title = Tiscali Internet Access

mWindow Title = Tiscali Internet Access

uURLSearchHooks: H - No File

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

uRun: [Power2GoExpress]

uRun: [kdx] c:\program files\kontiki\KHost.exe -all

uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "c:\program files\cyberlink\powerbackup\PBKScheduler.exe"

mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide

mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"

mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk

mRun: [WLan Utility] c:\program files\wlan\common\RaUI.exe -s

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [mxomssmenu] "c:\program files\maxtor\onetouch status\maxmenumgr.exe"

mRun: [uSB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [uSBToolTip] c:\progra~1\pinnacle\shared~1\programs\usbtip\USBTip.exe

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

mPolicies-system: DisableTaskMgr = 1 (0x1)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Bootstrap - hxxp://www.myfujiprints.co.uk/media/site/kiosk/Myfujiprints.CAB

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://doubleoverhead-porthcawl.remotemanager.co.uk/common/activex/MJPEGRender.ocx

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab

DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} - hxxp://static.photobox.co.uk/sg/common/uploader_uni.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-27 386840]

R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-8 53816]

R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-4-25 57144]

R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-8 66360]

R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-8 158904]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-1 54752]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-2-5 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-2-5 144704]

R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-8 870200]

R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]

R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-2-5 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-27 79816]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-27 35272]

R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-27 34248]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-27 40552]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S2 LogWatch;Event Log Watch;"c:\program files\ca\sharedcomponents\ca_lic\logwatnt.exe" --> c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [?]

S3 CA_LIC_CLNT;CA License Client;"c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe" --> c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [?]

S3 CA_LIC_SRVR;CA License Server;"c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe" --> c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [?]

S3 cpuz;cpuz;\??\e:\cpuz.sys --> e:\cpuz.sys [?]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 Lapwdck;Lapwdck; [x]

S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s115mgmt.sys [2007-4-23 100488]

S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\drivers\s115obex.sys [2007-4-23 98568]

S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [2005-11-25 85888]

S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2005-11-25 51840]

.

=============== Created Last 30 ================

.

2011-05-12 22:09:14 -------- d-----w- c:\docume~1\naught~1\locals~1\applic~1\Apple

2011-05-12 16:36:49 -------- d-----w- C:\FilASS

2011-05-12 08:48:28 -------- d-----w- C:\Kontiki

2011-05-10 07:26:10 -------- d-----w- c:\docume~1\naught~1\locals~1\applic~1\Trusteer

2011-05-01 06:16:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-01 06:16:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-01 06:16:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-04-20 19:04:32 -------- d-----w- c:\docume~1\naught~1\locals~1\applic~1\Spotify

2011-04-20 19:04:32 -------- d-----w- c:\docume~1\naught~1\applic~1\Spotify

2011-05-12 17:38:34 -------- d-----w- c:\docume~1\guest\applic~1\Trusteer

2011-05-12 09:25:35 -------- d-----w- c:\docume~1\guest\applic~1\Malwarebytes

2011-05-12 08:21:18 507392 ----a-w- c:\docume~1\alluse~1\applic~1\PJUdowMnnh.exe

.

==================== Find3M ====================

.

2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

.

============= FINISH: 6:37:48.45 ===============

(Note that I'd got in a pickle and ran DDS from 2 different profiles on the pc; each run gave a slightly different result. The changes were in the 'Created last 30' section, so I've merged the content in this bit from both runs, mainly because the first run included a reference to the undeletable file mentioned at the beginning of this post.)

Zipped copies of attach.txt and ark.txt are attached as is the last MBAM scan log.

Thanks for your help. Let me know if you need any other info.

Pete

Attach.zip

mbam-log-2011-05-12 (20-39-25).txt


Thanks for your help, the Trojan is now gone and the pc cleaned.

I had a mild panic when, in safe mode, I could not find the offending file, until I realised that McAfee must have removed it after two previous, failed, attempts.

Thanks for the Autoruns and desktop fix tips. Also note that two other changes had been made to the registry that needed to be resolved. One was preventing access to the Task Manager and the other was stopping changes to the wallpaper on the (previously) infected profile. The registry entries affected are as follows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper

and

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

Both were fixed during a final MBAM full scan.

Thanks again

Pete
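Added example (not from Pete's posts, DDS or Malwarebytes): a small scanner for DDS-style log lines that flags the two indicators this thread turned on, a policy value such as DisableTaskMgr set to 1 and a freshly created executable under an Application Data directory. The sample log lines are constructed to match the format of the DDS output above; the policy names come from the registry paths listed in the second post.

```python
"""Flag the indicators discussed in this thread in a DDS-style log (added example)."""
import re
from typing import Dict, List

# Policy values the infection set to 1 (HKCU\...\Policies\System and \ActiveDesktop).
# DDS prints them as "<u|m>Policies-<subkey>: Name = value (0xN)".
TAMPER_POLICIES = {"DisableTaskMgr", "NoChangingWallPaper"}
POLICY_RE = re.compile(r"^[um]Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")
# "Created Last 30" lines: date time size flags path; "-------- d-----w-" marks a directory.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# Per-user and all-users data directories, in long and 8.3 short-name form.
DATA_DIRS = ("application data", "applic~1", "local settings", "locals~1")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")

# Constructed sample shaped like the DDS output in the post (paths shortened).
SAMPLE_LOG = r"""
mRun: [PCMService] "c:\program files\cyberlink\powercinema\PCMService.exe"
mPolicies-system: DisableTaskMgr = 1 (0x1)
2011-05-12 08:21:18 507392 ----a-w- c:\docume~1\alluse~1\applic~1\PJUdowMnnh.exe
2011-05-12 22:09:14 -------- d-----w- c:\docume~1\naught~1\locals~1\applic~1\Apple
2011-05-01 06:16:13 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""


def scan_dds(text: str) -> Dict[str, List[str]]:
    """Return policy tampering and suspicious recently created executables."""
    findings: Dict[str, List[str]] = {"policy_tampering": [], "suspicious_created": []}
    for line in text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            subkey, name, value = m.groups()
            if name in TAMPER_POLICIES and value != "0":
                findings["policy_tampering"].append(f"{subkey}\\{name} = {value}")
            continue
        m = CREATED_RE.match(line)
        if m:
            _ts, _size, flags, path = m.groups()
            if flags.startswith("d"):
                continue  # directory entry, not an executable
            low = path.lower()
            if low.endswith(EXEC_EXT) and any(d in low for d in DATA_DIRS):
                findings["suspicious_created"].append(path)
    return findings


if __name__ == "__main__":
    for category, items in scan_dds(SAMPLE_LOG).items():
        print(category, items)
```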
