-
November 30th, 2011, 06:08 PM
#1
[RESOLVED] Trying to find Trojan
Our desktop is infected with something. AVG keeps popping up a warning about a generic trojan. I updated AVG and scanned, and found nothing. I did a Malwarebytes scan a few nights ago and it found nothing. So tonight I start scanning and posting logs per the instructions.
Step 1: Malwarebytes log
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 8280
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
11/30/2011 4:59:17 PM
mbam-log-2011-11-30 (16-59-17).txt
Scan type: Quick scan
Objects scanned: 172680
Time elapsed: 14 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Running WIN 7 Home, DSL, IE, AV & Firewall installed.
Intel i3 - 3220
Asus P8Z77-V LX MoBo
Kingston 16 GB DDR3
Seagate Barracuda Sata 6G
XFX Radeon HD 7750 2G
** Toshiba Laptop has Win 8, DSL, AV & Firewall installed
-
November 30th, 2011, 07:09 PM
#2
Gmer
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-30 18:05:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JB-00REA0 rev.20.00K20
Running: 0wtx2xmq[1].exe; Driver: C:\DOCUME~1\THESUI~1\LOCALS~1\Temp\pxtdypow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xF23B1F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xF23B1FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xF23B2080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xF23B211C]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 DumaNT.SYS (DUMA NT Keyboard Filter/NVIDIA Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 DumaNT.SYS (DUMA NT Keyboard Filter/NVIDIA Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB40741$\1403085163 0 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763 0 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\bckfg.tmp 764 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\keywords 57 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\L 0 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\L\mbngogna 295248 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U 0 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB40741$\1761015763\U\80000032.@ 98304 bytes
---- EOF - GMER 1.0.15 ----
aswMBR
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-30 18:10:25
-----------------------------
18:10:25.453 OS Version: Windows 5.1.2600 Service Pack 3
18:10:25.453 Number of processors: 1 586 0x408
18:10:25.453 ComputerName: UserName:
18:10:26.218 Initialize success
18:10:36.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:10:36.375 Disk 0 Vendor: WDC_WD1600JB-00REA0 20.00K20 Size: 152627MB BusType: 3
18:10:38.390 Disk 0 MBR read successfully
18:10:38.390 Disk 0 MBR scan
18:10:38.390 Disk 0 Windows XP default MBR code
18:10:38.390 Disk 0 scanning sectors +312576705
18:10:38.484 Disk 0 scanning C:\WINDOWS\system32\drivers
18:10:51.000 Service scanning
18:10:51.968 Modules scanning
18:11:02.281 Disk 0 trace - called modules:
18:11:02.312 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
18:11:02.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f7cab8]
18:11:02.312 3 CLASSPNP.SYS[f75b0fd7] -> nt!IofCallDriver -> \Device\00000064[0x86f509e8]
18:11:02.312 5 ACPI.sys[f7427620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f82940]
18:11:02.812 Scan finished successfully
18:11:58.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Desktop\MBR.dat"
18:11:58.406 The log file has been saved successfully to "C:\Documents and Settings\Desktop\aswMBR.txt"
Last edited by pennydog; November 30th, 2011 at 07:14 PM.
-
November 30th, 2011, 07:18 PM
#3
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_27
Run by The Suits at 18:15:27 on 2011-11-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.626 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [hpqSRMon] c:\program files\hewlett-packard\digital imaging\bin\hpqSRMon.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [POINTER] point32.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 68.238.112.12
TCP: Interfaces\{F3F986E0-6D84-40D3-A9D8-5D4F74A3C63A} : DhcpNameServer = 192.168.1.1 68.238.112.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SSODL: Makimres - {7F34F761-2DE1-4F23-9146-C92E778DBEF7} - c:\windows\system32\dirucart.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\the suits\application data\mozilla\firefox\profiles\7om59h7k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.harleytechtalk.org/htt/index.php
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superadblocker.com\super ad blocker\sabkutil.sys --> c:\program files\superadblocker.com\super ad blocker\SABKUTIL.sys [?]
.
=============== Created Last 30 ================
.
2011-11-30 21:43:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-30 21:43:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-29 01:24:27 762 ---ha-w- C:\aaw7boot.cmd
2011-11-28 22:22:21 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-28 22:20:08 -------- d-----w- c:\program files\Lavasoft
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 10:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 10:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 10:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-03 02:44:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2003-03-31 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
============= FINISH: 18:15:59.46 ===============
-
November 30th, 2011, 07:19 PM
#4
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2007 6:26:50 PM
System Uptime: 11/30/2011 5:12:51 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer Inc. | | K8VSEDX
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 754 | 2002/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 129.619 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_105A&DEV_3373&SUBSYS_80F51043&REV_02\3&267A616A&0&40
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Service:
.
==== System Restore Points ===================
.
RP668: 9/1/2011 9:38:59 PM - System Checkpoint
RP669: 9/3/2011 9:59:43 PM - System Checkpoint
RP670: 9/3/2011 10:56:11 PM - Software Distribution Service 3.0
RP671: 9/5/2011 8:39:19 PM - System Checkpoint
RP672: 9/6/2011 7:30:13 PM - Software Distribution Service 3.0
RP673: 9/12/2011 8:40:58 PM - System Checkpoint
RP674: 9/14/2011 11:05:42 AM - System Checkpoint
RP675: 9/15/2011 12:59:56 PM - System Checkpoint
RP676: 9/15/2011 5:22:49 PM - Software Distribution Service 3.0
RP677: 9/16/2011 6:31:18 PM - System Checkpoint
RP678: 9/17/2011 7:28:45 PM - System Checkpoint
RP679: 9/18/2011 8:26:30 PM - System Checkpoint
RP680: 9/19/2011 9:20:08 PM - System Checkpoint
RP681: 9/21/2011 7:53:29 PM - System Checkpoint
RP682: 9/23/2011 1:00:36 PM - System Checkpoint
RP683: 9/24/2011 6:16:25 PM - System Checkpoint
RP684: 9/26/2011 7:17:14 PM - System Checkpoint
RP685: 9/27/2011 7:07:42 PM - Software Distribution Service 3.0
RP686: 9/27/2011 8:00:40 PM - Installed AVG 2012
RP687: 9/27/2011 8:00:53 PM - Removed AVG 2011
RP688: 9/27/2011 8:01:14 PM - Installed AVG 2012
RP689: 9/27/2011 8:06:46 PM - Removed AVG 2011
RP690: 9/29/2011 9:33:43 AM - System Checkpoint
RP691: 9/30/2011 9:31:52 PM - System Checkpoint
RP692: 10/2/2011 5:42:42 PM - System Checkpoint
RP693: 10/3/2011 8:24:10 PM - System Checkpoint
RP694: 10/4/2011 9:20:08 PM - System Checkpoint
RP695: 10/5/2011 9:22:38 PM - System Checkpoint
RP696: 10/7/2011 9:52:20 AM - System Checkpoint
RP697: 10/8/2011 8:08:41 PM - System Checkpoint
RP698: 10/9/2011 6:52:58 PM - Installed Windows Media Player 10
RP699: 10/9/2011 6:54:30 PM - Software Distribution Service 3.0
RP700: 10/10/2011 7:19:37 PM - System Checkpoint
RP701: 10/10/2011 9:32:23 PM - Software Distribution Service 3.0
RP702: 10/12/2011 7:59:24 PM - System Checkpoint
RP703: 10/13/2011 10:57:56 PM - Software Distribution Service 3.0
RP704: 10/14/2011 8:25:41 AM - Software Distribution Service 3.0
RP705: 10/14/2011 4:49:13 PM - Software Distribution Service 3.0
RP706: 10/15/2011 5:31:28 PM - System Checkpoint
RP707: 10/17/2011 4:23:06 PM - System Checkpoint
RP708: 10/18/2011 8:14:25 PM - System Checkpoint
RP709: 10/19/2011 8:24:54 PM - System Checkpoint
RP710: 10/21/2011 1:33:11 PM - System Checkpoint
RP711: 10/22/2011 7:41:22 PM - System Checkpoint
RP712: 10/24/2011 7:52:24 PM - System Checkpoint
RP713: 10/26/2011 7:51:02 PM - System Checkpoint
RP714: 10/28/2011 10:40:55 AM - System Checkpoint
RP715: 10/29/2011 6:03:27 PM - System Checkpoint
RP716: 10/30/2011 6:53:48 PM - System Checkpoint
RP717: 10/31/2011 7:30:54 PM - System Checkpoint
RP718: 11/2/2011 7:29:47 PM - System Checkpoint
RP719: 11/3/2011 11:09:03 PM - System Checkpoint
RP720: 11/5/2011 10:14:58 AM - System Checkpoint
RP721: 11/6/2011 6:03:00 PM - System Checkpoint
RP722: 11/7/2011 7:40:47 PM - System Checkpoint
RP723: 11/9/2011 7:14:35 PM - Software Distribution Service 3.0
RP724: 11/10/2011 11:34:06 PM - System Checkpoint
RP725: 11/11/2011 8:42:18 AM - Software Distribution Service 3.0
RP726: 11/12/2011 6:39:08 PM - System Checkpoint
RP727: 11/14/2011 7:20:33 PM - System Checkpoint
RP728: 11/15/2011 7:48:40 PM - System Checkpoint
RP729: 11/16/2011 7:53:21 PM - System Checkpoint
RP730: 11/18/2011 11:11:47 AM - System Checkpoint
RP731: 11/19/2011 6:19:35 PM - System Checkpoint
RP732: 11/21/2011 7:36:20 PM - System Checkpoint
RP733: 11/22/2011 8:04:40 PM - System Checkpoint
RP734: 11/24/2011 8:32:04 AM - System Checkpoint
RP735: 11/25/2011 6:45:04 PM - System Checkpoint
RP736: 11/28/2011 5:19:30 PM - Installed Ad-Aware
RP737: 11/28/2011 5:20:05 PM - Installed Ad-Aware
RP738: 11/28/2011 8:33:31 PM - Removed Ad-Aware
.
==== Installed Programs ======================
.
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8
AVG 2012
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Creative System Information
Destinations
DocProc
EXPERTool
GPBaseService2
Harley-Davidson Super Tuner VCI Drivers (Driver Removal)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Imaging Device Functions 13.0
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
HP Photo Printing Software
hp photosmart 7600 series
HP Photosmart Essential 3.5
HP Scanjet G3110
HP Share-to-Web
HP Solution Center 13.0
HP Update
hpg3110
HPPhotosmartEssential
HPProductAssistant
Image Resizer Powertoy for Windows XP
Java Auto Updater
Java(TM) 6 Update 27
KODAK Picture CD
Malwarebytes' Anti-Malware version 1.51.2.1300
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 4.1
Microsoft IntelliType Pro 2.2
Microsoft Office 2000 Premium
Microsoft Picture It! Photo Premium 9
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser (KB973685)
NVIDIA Display Driver
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
OCR Software by I.R.I.S. 13.0
Picasa 3
Redist
Scan
Screamin Eagle Pro Super Tuner
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SolutionCenter
Sound Blaster Live!
Trellix Web Express Site Building
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Verizon Media Manager
WebFldrs XP
WebReg
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WOT for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
11/30/2011 4:39:07 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/28/2011 8:40:36 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgtdix SABKUTIL
11/27/2011 7:04:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SABKUTIL
11/27/2011 7:04:51 PM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/27/2011 7:02:05 PM, error: Service Control Manager [7034] - The Canon Camera Access Library 8 service terminated unexpectedly. It has done this 1 time(s).
11/27/2011 6:34:59 PM, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
11/27/2011 10:37:33 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
.
==== End Of File ===========================
-
November 30th, 2011, 07:20 PM
#5
Awaiting further instructions. Thanks for the help.
-
November 30th, 2011, 10:57 PM
#6
Please observe the following rules:
- Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
- If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
- Please refrain from running tools or applying updates other than those I suggest.
- Never run more than one scan at a time.
- Keep updating me regarding your computer's behavior, good or bad.
- The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
- If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
- I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
=============================================================
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
Make sure, you re-enable your security programs, when you're done with Combofix.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTE.
If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode (How to...)
2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.
If normal mode still doesn't work, run BOTH tools from safe mode.
In case #2, please post BOTH logs, rKill and Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
-
December 1st, 2011, 10:25 AM
#7
Thank you Broni. I am at work now and will not be able to clean this evening. I will start on the cleaning process as soon as I get home tomorrow (Friday).
We are not happy with AVG, so we may go with another program after uninstall/clean. Thank you very much for the help.
-
December 1st, 2011, 07:45 PM
#8
Ok I can work on the computer tonight but I just tried to boot up the computer and it will not log on, it says there is a trojan and XP Anti Virus 2012 will not let me access anything. I cannot get the home page to load and cannot pull up any page. Can this fix be run in safe mode? This XP Anti Virus thing just popped up so don't think it was there last night. How do I proceed?
-
December 1st, 2011, 11:22 PM
#9
Yes you can run Combofix from safe mode.
-
December 1st, 2011, 11:47 PM
#10
I booted up in safe mode with networking but the trojan will not let me access the internet so I can get to your site.
-
December 2nd, 2011, 12:05 AM
#11
Why do you want to go to my site?
-
December 2nd, 2011, 10:12 AM
#12
 Originally Posted by Broni
Why do you want to go to my site?
Sorry - not your site exactly, but this site so I could get the combo fix to run or even get online to get combo fix. All we get are pop up boxes to pay to have them remove the 28 trojans "they" found, pop ups about security threats, it has blocked the page from loading due to "security threats" etc. I was in safe mode with networking and at first it connected to the internet, but the keyboard would not work and then the security threats popped up and that was the end of it. This computer belongs to my husband. He does back up with click free so he has everything backed up in case we have to take a drastic measure. Any help is appreciated.
-
December 2nd, 2011, 09:16 PM
#13
How did you post all the initial logs since you're saying the computer is not usable?
Let's see if we can look at your computer booting from an external source.
Please download OTLPE (filesize 120,9 MB)
- When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
- Reboot your system using the boot CD you just created.
- Note : If you do not know how to set your computer to boot from CD follow the steps HERE
- Your system should now display a REATOGO-X-PE desktop.
- Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
- Double-click on the OTLPE icon.
- When asked Do you wish to load the remote registry, select Yes
- When asked Do you wish to load remote user profile(s) for scanning, select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start.
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system
- Please post the contents of the OTL.txt file in your reply.
-
December 2nd, 2011, 09:41 PM
#14
It was usable until 12/1 at 6:45 and it would no longer get online, then I tried safe mode with networking and that does not get online. Tried it again when I got home this afternoon and it will not go online in safe mode. I get all the pop ups that say it has blocked it due to security issues.
So if I understand I download the above file to my laptop and then create a cd to use on the infected computer at reboot? I will give that a try and post back. Thanks Broni.
-
December 2nd, 2011, 10:13 PM
#15
I download the above file to my laptop and then create a cd to use on the infected computer at reboot?
Exactly.