12-05-2008, 12:19 PM   #4
sordavie
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Multiple trojans found by AV but they reappear after AV "cleans" them

Hi Ried,

Thank you for donating your time to help me out. I really appreciate it. I'll be sure to follow all your instructions to the letter.

Here's the ComboFix log.

ComboFix 08-12-05.01 - Sordavie 2008-12-05 14:10:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2479 [GMT -5:00]
Running from: c:\documents and settings\Sordavie\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 25088 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_TDSSSERV.SYS
-------\Service_FCI
-------\Service_restore
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 01:59 . 2001-07-21 14:40 3,144 --a--c--- c:\windows\system32\dllcache\srgb.icm
2008-12-04 22:27 . 2008-12-05 02:26 250 --a------ c:\windows\gmer.ini
2008-12-04 11:42 . 2008-12-04 11:42 132,608 --a------ c:\windows\emobabuyu.dll
2008-12-04 11:36 . 2008-12-04 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 11:35 . 2008-12-04 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 11:35 . 2008-12-04 11:35 <DIR> d-------- c:\documents and settings\Sordavie\Application Data\SUPERAntiSpyware.com
2008-12-04 03:41 . 2008-12-04 03:40 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-04 03:40 . 2008-12-04 06:09 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2008-12-04 03:31 . 2008-12-04 03:40 <DIR> d-------- c:\documents and settings\Administrator
2008-12-04 03:26 . 2008-12-04 03:26 103,936 --a------ C:\dtqlv.exe
2008-12-04 03:26 . 2008-12-04 03:26 39,424 --a------ c:\windows\Eloheja.dll
2008-12-04 03:26 . 2008-12-04 03:26 39,424 --a------ C:\bmwife.exe
2008-12-04 03:26 . 2008-12-04 03:26 6,182 --a------ c:\windows\live.com-error.html
2008-12-04 03:26 . 2008-12-04 03:26 2,274 --a------ c:\windows\system32\TDSSdbamnavx.dll
2008-12-04 03:26 . 2008-12-04 03:26 2,258 --a------ c:\windows\search.yahoo.com-error.html
2008-12-04 03:26 . 2008-12-04 03:26 2 --a------ C:\414080910
2008-12-04 03:24 . 2008-12-04 03:24 <DIR> d-------- c:\windows\Easy Decrypter
2008-12-04 03:24 . 2008-12-04 03:24 <DIR> d-------- c:\program files\Easy Decrypter
2008-12-03 18:18 . 2008-12-03 18:18 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-01 15:51 . 2006-02-28 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\scripting
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\en
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\bits
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\l2schemas
2008-12-01 15:30 . 2008-12-01 15:30 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-01 15:27 . 2008-12-01 15:27 <DIR> d-------- c:\windows\EHome
2008-11-12 18:52 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 19:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 07:13 --------- d-----w c:\program files\MSBuild
2008-12-05 07:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 07:10 87,608 ----a-w c:\documents and settings\Sordavie\Application Data\ezpinst.exe
2008-12-05 07:10 47,360 ----a-w c:\documents and settings\Sordavie\Application Data\pcouffin.sys
2008-12-05 07:10 --------- d-----w c:\program files\DVDFab Platinum 3
2008-12-05 07:10 --------- d-----w c:\documents and settings\Sordavie\Application Data\Vso
2008-12-05 07:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-05 07:03 --------- d-----w c:\program files\BitComet
2008-12-05 07:00 --------- d-----w c:\program files\uTorrent
2008-12-05 07:00 --------- d-----w c:\documents and settings\Sordavie\Application Data\uTorrent
2008-12-04 16:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-04 06:54 --------- d-----w c:\program files\Trillian
2008-12-03 23:18 --------- d-----w c:\program files\Java
2008-11-08 23:08 --------- d-----w c:\program files\Xfire
2008-11-08 02:45 --------- d-----w c:\documents and settings\Sordavie\Application Data\Xfire
2008-11-08 02:08 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-06 18:04 --------- d-----w c:\documents and settings\Sordavie\Application Data\OpenOffice.org2
2008-10-29 07:00 --------- d-----w c:\program files\MSXML 6.0
2008-10-29 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 02:03 --------- d-----w c:\program files\Bethesda Softworks
2008-10-29 02:03 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-10-29 02:00 --------- d-----w c:\program files\Reference Assemblies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-21 01:35 --------- d-----w c:\program files\Yahoo!
2008-10-05 23:53 --------- d-----w c:\program files\Defraggler
2008-01-20 20:46 22,328 ----a-w c:\documents and settings\Sordavie\Application Data\PnkBstrK.sys
2007-11-20 01:28 714,775,323 ----a-w c:\documents and settings\Sordavie\PoE2-v2.1.0.0.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 913064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
"Wcujolet"="c:\windows\Eloheja.dll" [2008-12-04 39424]
"Mnadiqurejadan"="c:\windows\emobabuyu.dll" [2008-12-04 132608]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-19 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3unxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6atxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-07-02 05:29 220544 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-08-07 08:03 257096 c:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-19 22:13 1266936 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Wcujolet]
--a------ 2008-12-04 03:26 39424 c:\windows\Eloheja.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\WatchHDTV\\WatchHDTVInfo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16186:TCP"= 16186:TCP:BitComet 16186 TCP
"16186:UDP"= 16186:UDP:BitComet 16186 UDP
"20925:TCP"= 20925:TCP:BITCOMMET PORT
"20925:UDP"= 20925:UDP:BitComet 20925 UDP
"6113:TCP"= 6113:TCP:BitComet 6113 TCP
"6113:UDP"= 6113:UDP:BitComet 6113 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-28 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 231704]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-02-02 1423360]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\DRIVERS\OmniTV.sys [2007-09-03 401280]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S0 ati3unxx;ati3unxx;c:\windows\system32\Drivers\ati3unxx.sys []
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Sordavie\LOCALS~1\Temp\ALSysIO.sys []
S3 ati6atxx;ati6atxx;\??\c:\windows\System32\drivers\ati6atxx.sys []
S3 OnAirGtSvc;OnAir GT USB HDTV Capture (ATSC/NTSC);c:\windows\system32\drivers\OnAirGt.sys [2008-02-10 98192]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
rundll32 sxmg4.dll,InitModule
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio8788 - cmicnfgp.cpl
Notify-hseihuu - hseihuu.dll
MSConfigStartUp-Acrobat Assistant 7 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
MSConfigStartUp-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
MSConfigStartUp-rs32net - c:\windows\System32\rs32net.exe
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTxfiHlp - CTXFIHLP.EXE


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {97A52C02-61E4-4789-8D03-99708175597F} = 192.168.0.1
FireFox -: Profile - c:\documents and settings\Sordavie\Application Data\Mozilla\Firefox\Profiles\uev7b638.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - c:\documents and settings\Sordavie\Application Data\Mozilla\Firefox\Profiles\uev7b638.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 14:12:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Razer Barracuda AC-1 Gaming Audio Card\CustomApp\Program\Razer Barracuda AC-1 Gaming Audio card.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-12-05 14:16:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 19:16:23

Pre-Run: 126,813,655,040 bytes free
Post-Run: 129,020,715,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

240 --- E O F --- 2008-12-03 08:00:32
Attached file: ComboFix.txt (14.5 KB)