12-05-2008, 12:43 AM   #2
sordavie
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Multiple trojans found by AV but they reappear after AV "cleans" them

Reread the stickies. Here are updated logs.

Thanks for your time.


DDS (Version 1.0) - NTFSx86
Run by Sordavie at 2:36:04.48 on Fri 12/05/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2579 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
C:\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Documents and Settings\Sordavie\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg8\avgssie.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Fraps] c:\fraps\FRAPS.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Wcujolet] rundll32.exe "c:\windows\Eloheja.dll",e
mRun: [Mnadiqurejadan] rundll32.exe "c:\windows\emobabuyu.dll",e
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {97A52C02-61E4-4789-8D03-99708175597F} = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: hseihuu - hseihuu.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-1-19 26824]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-11-17 55024]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-28 231704]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-2-2 1423360]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\drivers\OmniTV.sys [2007-9-3 401280]
R3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-11-17 7408]
S0 ati3unxx;ati3unxx;c:\windows\system32\drivers\ati3unxx.sys []
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe []
S3 ALSysIO;ALSysIO;\??\c:\docume~1\sordavie\locals~1\temp\ALSysIO.sys []
S3 ati6atxx;ati6atxx;\??\c:\windows\system32\drivers\ati6atxx.sys []
S3 OnAirGtSvc;OnAir GT USB HDTV Capture (ATSC/NTSC);c:\windows\system32\drivers\OnAirGt.sys [2008-2-10 98192]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys []

=============== Created Last 30 ================

2008-12-05 01:59 3,144 ac------ c:\windows\system32\dllcache\srgb.icm
2008-12-04 22:27 250 a------- c:\windows\gmer.ini
2008-12-04 11:42 132,608 a------- c:\windows\emobabuyu.dll
2008-12-04 11:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-04 11:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-04 11:35 <DIR> --d----- c:\docume~1\sordavie\applic~1\SUPERAntiSpyware.com
2008-12-04 03:41 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-04 03:26 6,182 a------- c:\windows\live.com-error.html
2008-12-04 03:26 2,258 a------- c:\windows\search.yahoo.com-error.html
2008-12-04 03:26 103,936 a------- C:\dtqlv.exe
2008-12-04 03:26 2,274 a------- c:\windows\system32\TDSSdbamnavx.dll
2008-12-04 03:26 2 a------- C:\414080910
2008-12-04 03:26 39,424 a------- c:\windows\Eloheja.dll
2008-12-04 03:26 39,424 a------- C:\bmwife.exe
2008-12-04 03:24 <DIR> --d----- c:\windows\Easy Decrypter
2008-12-04 03:24 <DIR> --d----- c:\program files\Easy Decrypter
2008-12-03 18:18 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 15:51 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-01 15:32 <DIR> --d----- c:\windows\system32\scripting
2008-12-01 15:32 <DIR> --d----- c:\windows\l2schemas
2008-12-01 15:32 <DIR> --d----- c:\windows\system32\en
2008-12-01 15:32 <DIR> --d----- c:\windows\system32\bits
2008-12-01 15:30 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-01 15:27 <DIR> --d----- c:\windows\EHome
2008-11-12 18:52 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2008-12-05 02:10 <DIR> --d----- c:\program files\DVDFab Platinum 3
2008-12-05 02:03 <DIR> --d----- c:\program files\BitComet
2008-12-05 02:00 <DIR> --d----- c:\program files\uTorrent
2008-12-05 02:00 <DIR> --d----- c:\docume~1\sordavie\applic~1\uTorrent
2008-12-04 11:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-04 03:26 14,336 a------- c:\windows\system32\svchost.exe
2008-12-01 15:34 <DIR> --d----- c:\program files\Messenger
2008-12-01 15:33 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-01 15:30 <DIR> --d----- c:\program files\Windows NT
2008-11-08 18:08 <DIR> --d----- c:\program files\Xfire
2008-11-07 21:45 <DIR> --d----- c:\docume~1\sordavie\applic~1\Xfire
2008-11-07 21:07 183,128 a------- c:\windows\system32\PnkBstrB.exe
2008-10-29 20:24 42,320 a------- c:\windows\system32\xfcodec.dll
2008-10-29 02:00 <DIR> --d----- c:\program files\MSXML 6.0
2008-10-28 21:03 <DIR> --d----- c:\program files\Bethesda Softworks
2008-10-28 20:57 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-10-20 20:35 <DIR> --d----- c:\program files\Yahoo!
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 a------- c:\windows\system32\msxml6.dll
2008-08-25 23:09 <DIR> --d----- c:\docume~1\sordavie\applic~1\Any Video Converter
2008-08-07 04:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-07-28 00:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-05-28 14:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-02-10 14:19 <DIR> --d----- c:\docume~1\sordavie\applic~1\OnAirSolution
2008-01-25 06:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

============= FINISH: 2:36:18.20 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:08 AM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
C:\FRAPS\FRAPS.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Wcujolet] rundll32.exe "C:\WINDOWS\Eloheja.dll",e
O4 - HKLM\..\Run: [Mnadiqurejadan] rundll32.exe "C:\WINDOWS\emobabuyu.dll",e
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1200726816937
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A52C02-61E4-4789-8D03-99708175597F}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hseihuu - hseihuu.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6126 bytes
Attached Files
File Type: zip Attach.zip (4.0 KB, 0 views)
File Type: txt gmer.txt (19.3 KB, 1 views)
File Type: txt hijackthis.txt (6.0 KB, 0 views)
File Type: txt DDS.txt (8.5 KB, 0 views)
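The logs above contain several line patterns a triage script can pick out mechanically: a service whose image path has a colon after the extension (an NTFS alternate data stream, `svchost.exe:ext.exe`), `rundll32.exe` loading DLLs that sit directly in `C:\WINDOWS` rather than `system32`, a Winlogon Notify package given as a bare DLL name that HijackThis reports as missing, a file name starting with `TDSS`, and a cluster of files sharing one creation minute that also includes `system32\svchost.exe`. The script below is an added example by the editor, not code from the poster or from the forum's malware-removal team; the indicator regexes and the "same minute as a flagged file" rule are the editor's own heuristics for pulling entries out for manual review, not verdicts. The sample input is a handful of lines copied from the DDS and HijackThis output above, with the benign NVIDIA, SUPERAntiSpyware and `deploytk.dll` entries kept so the checks have something to leave alone.

```python
import re
from collections import defaultdict

# One regex per indicator; each runs case-insensitively over a single log line.
# These are the editor's heuristics, tuned to the log formats above.
CHECKS = {
    # A colon after the extension in an image path means the binary lives in an
    # NTFS alternate data stream (svchost.exe:ext.exe); dir and Explorer do not show it.
    "ads_image_path": re.compile(r"\.(?:exe|dll|sys|com):[^\s\\]+", re.I),
    # rundll32 loading a DLL placed directly in the Windows root instead of system32.
    "rundll32_windows_root": re.compile(
        r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"\s]+\.dll', re.I),
    # Winlogon Notify package given as a bare DLL name, or reported missing by the scanner.
    "winlogon_notify_unresolved": re.compile(
        r"Notify: \S+ - (?:[^\\\s]+\.dll\b|.*\(file missing\))", re.I),
    # File names starting with TDSS: a prefix that merits a manual look.
    "tdss_prefix": re.compile(r"\\TDSS\w*\.(?:dll|sys)\b", re.I),
}

# DDS file-listing line: "2008-12-04 03:26 103,936 a------- C:\dtqlv.exe" (or <DIR>).
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?:<DIR>|[\d,]+)\s+\S+\s+(\S.*)$")


def triage(log_text):
    """Return [(line, [reasons])] for every line that trips at least one indicator.

    Second pass: any file-listing entry written in the same minute as a flagged
    file is reported as well. Droppers write their payloads in one burst, so a
    system binary sharing that timestamp (svchost.exe here) deserves a hash check.
    """
    hits = {}
    by_minute = defaultdict(list)
    flagged_minutes = set()
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    for ln in lines:
        reasons = [tag for tag, rx in CHECKS.items() if rx.search(ln)]
        m = FILE_LINE.match(ln)
        if m:
            by_minute[m.group(1)].append(ln)
            if reasons:
                flagged_minutes.add(m.group(1))
        if reasons:
            hits[ln] = reasons
    for minute in flagged_minutes:
        for ln in by_minute[minute]:
            if ln not in hits:
                hits[ln] = ["same_minute_as_flagged_file"]
    return [(ln, hits[ln]) for ln in lines if ln in hits]


# Lines copied from the DDS and HijackThis output posted above; the NVIDIA,
# SUPERAntiSpyware and deploytk.dll entries are the benign controls.
SAMPLE_LOG = r"""
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Wcujolet] rundll32.exe "c:\windows\Eloheja.dll",e
mRun: [Mnadiqurejadan] rundll32.exe "c:\windows\emobabuyu.dll",e
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: hseihuu - hseihuu.dll
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe []
O20 - Winlogon Notify: hseihuu - hseihuu.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
2008-12-04 11:42 132,608 a------- c:\windows\emobabuyu.dll
2008-12-04 03:26 103,936 a------- C:\dtqlv.exe
2008-12-04 03:26 2,274 a------- c:\windows\system32\TDSSdbamnavx.dll
2008-12-04 03:26 39,424 a------- c:\windows\Eloheja.dll
2008-12-04 03:26 14,336 a------- c:\windows\system32\svchost.exe
2008-12-03 18:18 410,984 a------- c:\windows\system32\deploytk.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(f"{', '.join(reasons):32s} {line}")
```

Run against the full DDS.txt and hijackthis.txt attached to the post, the script reduces a few hundred lines to the handful that need a human decision; the hits are a worklist, not a cleaning list, and `same_minute_as_flagged_file` in particular will sweep in benign files (the two `*-error.html` pages here, for example) that only share a timestamp with the dropped ones.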