[SOLVED] Please help - Trojan horse PSW.Banker5.OGA

[floydster]

Hi,

I have picked up a virus and cant get rid of it. Avg names it as "Trojan horse PSW.Banker5.OGA";"C:\WINDOWS\system32\khmx0.dll

It has done a few things to my computer. Firstly when i start up my comp i now get the windows password logon screen which i have not had before as my comp isnt passworded. After entering through this DEP prevents explorer starting so i just have the background and nothing else, no icons or anything. I can get into the computer using ctrl alt del at this point and starting explorer this way but this takes several atempts. Both avg and super antispyware find this infection and tells me it is cleaned but after i reboot im back to square 1. I have tried running the scans in safe mode with the same out come :(

Please can someone help me as i really don't want to have to reinstall windows.

Kind Regards

Floyd


DDS (Ver_09-06-26.01) - NTFSx86
Run by Floydster at 22:31:45.54 on 01/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.442 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Floydster\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: MSN helper: {4efd3aea-b660-4f24-8519-12531d2a3b0c} - khmx0.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [nwiz] nwiz.exe /install
mRun: [PC Pitstop Optimize Scheduler] c:\program files\pcpitstop\optimize\PCPOptimize.exe -boot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236551171294
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236594445484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: {095CB884-E4B4-447F-B9BB-0949CB08E398} = 194.168.4.100,194.168.8.100
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-9 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-9 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-9 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-9 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-9 298776]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
R3 Smc1046;EZ Connect USB to Dual Speed Ethernet Converter;c:\windows\system32\drivers\SMCUSB.sys [2009-3-25 25260]

=============== Created Last 30 ================

2009-07-01 22:10 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 21:13 40 a------- c:\windows\system32\5.tmp
2009-07-01 21:08 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-01 20:22 40 a------- c:\windows\system32\4.tmp
2009-07-01 20:02 40 a------- c:\windows\system32\3.tmp
2009-07-01 17:19 40 a------- c:\windows\system32\2.tmp
2009-06-30 23:08 <DIR> --d----- C:\Temp
2009-06-30 23:05 <DIR> --d----- c:\windows\system32\rmdll
2009-06-30 23:05 <DIR> --d----- c:\program files\Cheetah Burner
2009-06-30 22:40 40 a------- c:\windows\system32\9.tmp
2009-06-30 19:24 69,120 a------- c:\windows\system32\inform.dat
2009-06-30 19:24 15,477 a------- c:\windows\system32\lxf
2009-06-30 19:24 0 a------- c:\windows\system32\8.tmp
2009-06-30 19:24 40 a------- c:\windows\system32\6.tmp
2009-06-30 19:24 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-10 17:08 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 17:08 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-06 22:20 <DIR> --d----- c:\docume~1\floyds~1\applic~1\Any Video Converter
2009-06-06 22:20 <DIR> --d----- c:\program files\Any Video Converter

==================== Find3M ====================

2009-06-27 11:03 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-27 11:03 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-17 18:31 34 a------- c:\documents and settings\floydster\jagex_runescape_preferences.dat
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 10:34 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 22:32:00.32 ===============

[floydster]

Sorry i unticked the wrong box in Gmer so have re-attached the correct one. I did try to edit my first post but i couldnt see the edit button

[floydster]

after much investigation and finding i may have Virut virus. i decided the best thing was a fresh xp install.

comp now running like a dream

[Ried]

Hello floydster,

I can see by the dds.txt you posted that you indeed did have Virut on this system. A reformat was certainly in order. The only problem you may after the reinstall is if you backed up any files before you reformatted, and placed them back on the system after the reinstall.

Virut is a polymorphic file infector which affects the executable files (.exe) and screensaver files (.scr) corrupting them beyond repair in most cases.

DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

There is a recent variant of Virut which also infects .htm and .html files, so those should not be backed up either.

[floydster]

phew luckily i didnt back anything up. i didnt have anything that was essential to keep so just wiped it and started a fresh :)

[Ried]

Thank goodness.

Take care, and Think Prevention