Jump to content

Multiple Trojans: dwm.exe, conhost.exe, and csrss.exe


Recommended Posts

I'm getting redirects when clicking links from google, so I ran Malwarebytes but it didn't find anything, however AVG recognizes dwm.exe and conhost.exe as trojans. And under taskmanager I can see conhost,csrss, and dwm running.

Malwarebytes and GMER did not find anything, but I will paste the DDS log if it helps. :/ Any help is much appreciated so please let me know what other scans/logs I need to provide.

.

DDS (Ver_2011-06-23.01) - NTFSAMD64

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Run by Bree at 8:17:37 on 2011-08-23

Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4027.2897 [GMT -10:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~2\AVG\AVG10\avgchsva.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\Hpservice.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE

C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\Program Files (x86)\AVG\AVG10\avgnsa.exe

C:\Program Files (x86)\AVG\AVG10\avgemca.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\WUDFHost.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\AVG\AVG10\avgtray.exe

C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\wuauclt.exe

C:\PROGRA~2\AVG\AVG10\avgrsa.exe

C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

uRun: [EPSON3FDDE8 (WorkForce 520)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGIA.EXE /FU "C:\Windows\TEMP\E_SA5E0.tmp" /EF "HKCU"

uRun: [EPSON WorkForce 520 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGIA.EXE /FU "C:\Windows\TEMP\E_S3F9F.tmp" /EF "HKCU"

uRun: [Google Update] "C:\Users\Bree\AppData\Local\Google\Update\GoogleUpdate.exe" /c

mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: Interfaces\{2066469E-2C18-44B4-8E9F-E17AEA08B4D9} : DhcpNameServer = 192.168.1.1

TCP: Interfaces\{88E5ED59-AB2C-4E93-A34E-E9C07FE835C1} : DhcpNameServer = 24.25.227.55 209.18.47.61 24.25.227.53

TCP: Interfaces\{88E5ED59-AB2C-4E93-A34E-E9C07FE835C1}\16474777966696 : DhcpNameServer = 192.168.4.1 64.134.255.2 64.134.255.10

TCP: Interfaces\{88E5ED59-AB2C-4E93-A34E-E9C07FE835C1}\356425027596649602055726C69636 : DhcpNameServer = 109.0.66.20 109.0.66.10

TCP: Interfaces\{88E5ED59-AB2C-4E93-A34E-E9C07FE835C1}\75F425B47425F45505 : DhcpNameServer = 192.168.0.1

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll

BHO-X64: Search Helper - No File

BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll

mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]

R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]

R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]

R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]

R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]

R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]

R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]

R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]

R2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [2011-4-6 166400]

R2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [2011-4-6 128512]

R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]

R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]

R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-29 136176]

S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-4-28 704872]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-29 136176]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]

S3 WSDScan;WSD Scan Support via UMB;C:\Windows\system32\DRIVERS\WSDScan.sys --> C:\Windows\system32\DRIVERS\WSDScan.sys [?]

.

=============== Created Last 30 ================

.

2011-08-22 05:46:54 -------- d-----w- C:\Users\Bree\AppData\Roaming\AVG10

2011-08-22 05:46:06 -------- d-----w- C:\Windows\SysWow64\drivers\AVG

2011-08-22 05:44:36 -------- d-----w- C:\Windows\System32\drivers\AVG

2011-08-22 05:44:36 -------- d-----w- C:\ProgramData\AVG10

2011-08-22 05:43:07 -------- d-----w- C:\Program Files (x86)\AVG

2011-08-22 05:04:37 -------- d-----w- C:\Program Files\CCleaner

2011-08-22 04:49:30 388096 ----a-w- C:\Users\Bree\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-08-22 04:49:30 -------- d-----w- C:\Program Files (x86)\Trend Micro

2011-08-22 04:49:00 -------- d-----w- C:\Users\Bree\AppData\Roaming\SUPERAntiSpyware.com

2011-08-22 04:48:42 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com

2011-08-22 04:48:42 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-08-22 04:48:30 -------- d--h--w- C:\ProgramData\Common Files

2011-08-22 04:48:00 -------- d-----w- C:\ProgramData\MFAData

2011-08-15 09:04:52 -------- d-----w- C:\Windows\pss

2011-08-15 09:04:13 198144 ----a-w- C:\Users\Bree\AppData\Roaming\dwm.exe

2011-08-11 07:54:56 -------- d-sh--w- C:\Windows\System32\%APPDATA%

2011-08-01 20:56:12 294912 ----a-w- C:\Windows\System32\browserchoice.exe

2011-07-30 17:32:57 -------- d-----w- C:\Users\Bree\AppData\Local\Microsoft Games

2011-07-30 00:11:30 -------- d-----w- C:\Users\Bree\AppData\Local\Google

.

==================== Find3M ====================

.

2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll

2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll

2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll

2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll

2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe

2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll

2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe

2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys

2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe

2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe

2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe

2011-06-21 06:27:14 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-06-21 06:20:48 1197056 ----a-w- C:\Windows\System32\wininet.dll

2011-06-21 06:20:06 57856 ----a-w- C:\Windows\System32\licmgr10.dll

2011-06-21 05:36:36 981504 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-06-21 05:35:05 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll

2011-06-21 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec

2011-06-21 04:26:02 386048 ----a-w- C:\Windows\SysWow64\html.iec

2011-06-15 09:58:31 212992 ----a-w- C:\Windows\System32\odbctrac.dll

2011-06-15 09:58:31 163840 ----a-w- C:\Windows\System32\odbccp32.dll

2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccu32.dll

2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccr32.dll

2011-06-15 09:04:46 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll

2011-06-15 09:04:46 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll

2011-06-15 09:04:46 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll

2011-06-15 09:04:46 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll

2011-06-15 09:04:46 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll

2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 8:18:44.03 ===============

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Link to post
Share on other sites

  • 2 weeks later...
  • 1 month later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.