12-06-2008, 12:20 AM   #6
sordavie
Registered User
 
Join Date: Dec 2008
Posts: 9
OS: XP


Re: Multiple trojans found by AV but they reappear after AV "cleans" them

Hi Ried, I dragged the notepad file, CFScript, with your script into ComboFix.exe and it ran and gave me a log. However, no additional message box opened up along with the ComboFix log at the end. I am connected to the internet, but there was nothing about capturing files to submit for analysis. Instead, two error windows popped up saying something like "emobabuyu.dll cannot be initialized or cannot be found", and also for Eloheja.dll.

Here's the ComboFix log:

ComboFix 08-12-05.02 - Sordavie 2008-12-06 2:05:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2608 [GMT -5:00]
Running from: c:\documents and settings\Sordavie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sordavie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\live.com-error.html
c:\windows\search.yahoo.com-error.html
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\414080910\
C:\bmwife.exe
C:\dtqlv.exe
c:\windows\Eloheja.dll
c:\windows\emobabuyu.dll
c:\windows\live.com-error.html
c:\windows\search.yahoo.com-error.html
c:\windows\system32\TDSSdbamnavx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI6ATXX
-------\Service_ati3unxx
-------\Service_ati6atxx


((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 01:59 . 2001-07-21 14:40 3,144 --a--c--- c:\windows\system32\dllcache\srgb.icm
2008-12-04 22:27 . 2008-12-05 02:26 250 --a------ c:\windows\gmer.ini
2008-12-04 11:36 . 2008-12-04 11:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-04 11:35 . 2008-12-04 11:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-04 11:35 . 2008-12-04 11:35 <DIR> d-------- c:\documents and settings\Sordavie\Application Data\SUPERAntiSpyware.com
2008-12-04 03:41 . 2008-12-04 03:40 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-04 03:40 . 2008-12-04 06:09 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2008-12-04 03:31 . 2008-12-04 03:40 <DIR> d-------- c:\documents and settings\Administrator
2008-12-04 03:26 . 2008-12-04 03:26 2 --a------ C:\414080910
2008-12-04 03:24 . 2008-12-04 03:24 <DIR> d-------- c:\windows\Easy Decrypter
2008-12-04 03:24 . 2008-12-04 03:24 <DIR> d-------- c:\program files\Easy Decrypter
2008-12-03 18:18 . 2008-12-03 18:18 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-01 15:51 . 2006-02-28 07:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\scripting
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\en
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\system32\bits
2008-12-01 15:32 . 2008-12-01 15:32 <DIR> d-------- c:\windows\l2schemas
2008-12-01 15:30 . 2008-12-01 15:30 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-01 15:27 . 2008-12-01 15:27 <DIR> d-------- c:\windows\EHome
2008-11-12 18:52 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 07:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-05 07:13 --------- d-----w c:\program files\MSBuild
2008-12-05 07:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-05 07:10 87,608 ----a-w c:\documents and settings\Sordavie\Application Data\ezpinst.exe
2008-12-05 07:10 47,360 ----a-w c:\documents and settings\Sordavie\Application Data\pcouffin.sys
2008-12-05 07:10 --------- d-----w c:\program files\DVDFab Platinum 3
2008-12-05 07:10 --------- d-----w c:\documents and settings\Sordavie\Application Data\Vso
2008-12-05 07:08 --------- d-----w c:\program files\Common Files\Adobe
2008-12-05 07:03 --------- d-----w c:\program files\BitComet
2008-12-05 07:00 --------- d-----w c:\program files\uTorrent
2008-12-05 07:00 --------- d-----w c:\documents and settings\Sordavie\Application Data\uTorrent
2008-12-04 16:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-04 06:54 --------- d-----w c:\program files\Trillian
2008-12-03 23:18 --------- d-----w c:\program files\Java
2008-11-08 23:08 --------- d-----w c:\program files\Xfire
2008-11-08 02:45 --------- d-----w c:\documents and settings\Sordavie\Application Data\Xfire
2008-11-08 02:08 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-06 18:04 --------- d-----w c:\documents and settings\Sordavie\Application Data\OpenOffice.org2
2008-10-29 07:00 --------- d-----w c:\program files\MSXML 6.0
2008-10-29 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-29 02:03 --------- d-----w c:\program files\Bethesda Softworks
2008-10-29 02:03 --------- d-----w c:\documents and settings\All Users\Application Data\Fallout3
2008-10-29 02:00 --------- d-----w c:\program files\Reference Assemblies
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-21 01:35 --------- d-----w c:\program files\Yahoo!
2008-01-20 20:46 22,328 ----a-w c:\documents and settings\Sordavie\Application Data\PnkBstrK.sys
2007-11-20 01:28 714,775,323 ----a-w c:\documents and settings\Sordavie\PoE2-v2.1.0.0.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_14.16.08.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-06 07:09:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_138.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]
"Fraps"="c:\fraps\FRAPS.EXE" [2008-01-14 913064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-04-29 158624]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-01-19 805392]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-16 13:01 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PMCRemote]
--------- 2007-08-07 08:03 257096 c:\program files\Pinnacle\Shared Files\Programs\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-19 22:13 1266936 c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\WatchHDTV\\WatchHDTVInfo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\DarkCrusade\\DarkCrusade.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16186:TCP"= 16186:TCP:BitComet 16186 TCP
"16186:UDP"= 16186:UDP:BitComet 16186 UDP
"20925:TCP"= 20925:TCP:BITCOMMET PORT
"20925:UDP"= 20925:UDP:BitComet 20925 UDP
"6113:TCP"= 6113:TCP:BitComet 6113 TCP
"6113:UDP"= 6113:UDP:BitComet 6113 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-28 97928]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-28 231704]
R3 cmudaxp;Razer Barracuda AC-1 Gaming Interface;c:\windows\system32\drivers\cmudaxp.sys [2008-02-02 1423360]
R3 OmniTV;Cx2388x AvStream Video Capture;c:\windows\system32\DRIVERS\OmniTV.sys [2007-09-03 401280]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Sordavie\LOCALS~1\Temp\ALSysIO.sys []
S3 OnAirGtSvc;OnAir GT USB HDTV Capture (ATSC/NTSC);c:\windows\system32\drivers\OnAirGt.sys [2008-02-10 98192]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Wcujolet - c:\windows\Eloheja.dll
HKLM-Run-Mnadiqurejadan - c:\windows\emobabuyu.dll
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
MSConfigStartUp-Wcujolet - c:\windows\Eloheja.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {97A52C02-61E4-4789-8D03-99708175597F} = 192.168.0.1
FireFox -: Profile - c:\documents and settings\Sordavie\Application Data\Mozilla\Firefox\Profiles\uev7b638.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
FF -: plugin - c:\documents and settings\Sordavie\Application Data\Mozilla\Firefox\Profiles\uev7b638.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 02:10:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-12-06 2:13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-06 07:13:50
ComboFix2.txt 2008-12-05 19:16:26

Pre-Run: 129,012,015,104 bytes free
Post-Run: 129,005,744,128 bytes free

219 --- E O F --- 2008-12-03 08:00:32
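As an added example (not part of the post, and not ComboFix's own code), a small Python parser for the section layout used in the log above that cross-references the "ORPHANS REMOVED" autostart entries with the "Other Deletions" list: an autostart key whose target was deleted in the same run is the pattern consistent with the two "cannot be found" popups the post describes. The sample excerpt is constructed from paths that appear in the log.

```python
import re
# Constructed excerpt in the ComboFix log layout; the paths are the ones in the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Eloheja.dll
c:\windows\emobabuyu.dll
c:\windows\system32\TDSSdbamnavx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Wcujolet - c:\windows\Eloheja.dll
HKLM-Run-Mnadiqurejadan - c:\windows\emobabuyu.dll
MSConfigStartUp-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
"""

# Three header styles seen in the log: "((( Name )))", "- - - - NAME - - - -" and "------- Name -------".
SECTION_RE = re.compile(r"^\(+ (.+?) \)+$|^- - - - (.+?) - - - -$|^-{3,} (.+?) -{3,}$")
# Orphan lines look like "<key> - <path>"; the key has no spaces, the path may.
ORPHAN_RE = re.compile(r"^(?P<key>\S+) - (?P<path>.+)$")

def parse_sections(text):
    """Split a log into {section name: [content lines]}, dropping blank and '.' filler lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = next(g for g in m.groups() if g)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections

def orphans_pointing_at_deleted(sections):
    """Orphaned autostart keys whose target file ComboFix also deleted in this run."""
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    hits = {}
    for line in sections.get("ORPHANS REMOVED", []):
        m = ORPHAN_RE.match(line)
        if m and m.group("path").lower() in deleted:
            hits[m.group("key")] = m.group("path")
    return hits

if __name__ == "__main__":
    print(orphans_pointing_at_deleted(parse_sections(SAMPLE_LOG)))
```

Entries such as the Alcohol 120 autostart are orphans for an unrelated reason (the program is gone) and are correctly left out of the result.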