Two Plus Two Publishing LLC
Old 01-23-2009, 09:31 AM   #1
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Trojan that MBAM can't delete and keeps respawning!?

I was setting up my Auto-Import Folders in HEM, not using the internet, then Avira alerted me of 3 Trojans all in quick succession of each other. I moved all 3 to quarantine.

I then ran MBAM and it found 11 Objects, while scanning Avira alerted me of some more Trojans, with a similar name.

MBAM told me to restart, but also said it couldn't delete one of the trojans (the one that Avira keeps telling me about). After the re-start I ran MBAM again, but no viruses showed up this time.

However I have had 2 notifications from Avira of trojans since restarting.

In my last thread I got told to do this:

Quote:
Originally Posted by LirvA
Can you post all the logs.

MBAM>logs

Avira>Overview>Reports

SAS>preferences>logs/statistics

and a new HJT log.
So I will do this now, but WTF to do? I can't seem to look in my D drive; each time I click it, Avira seems to find more Trojans.
Old 01-23-2009, 09:34 AM   #2
hennerz

1st MBAM Log

Malwarebytes' Anti-Malware 1.33
Database version: 1682
Windows 5.1.2600 Service Pack 3

23/01/2009 13:19:38
mbam-log-2009-01-23 (13-19-38).txt

Scan type: Quick Scan
Objects scanned: 57733
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98fa71cf-cbf5-413f-9aea-dec89faafcdb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98fa71cf-cbf5-413f-9aea-dec89faafcdb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\hennerz\Local Settings\Temp\tmp120.tmp (Trojan.Agent) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-A11.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-CFF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
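
An added example (not code from the thread, from Malwarebytes or from Avira) that parses detection lines in the MBAM log format posted above, flags NameServer entries whose resolvers fall inside the publicly documented DNSChanger rogue block that both posted values belong to or are simply not on an allow-list, and lists items still pending "Delete on reboot", which is what "couldn't delete" looks like in the log. The sample lines are constructed from the posted log; the allow-list resolver 192.168.1.1 is an assumption.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) log detections and flag DNS hijacks.

Added example for the thread above; it is not part of the thread or of MBAM.
Detection lines in an MBAM log have the shape
    <registry key/value or file path> (<Threat.Name>) -> [Data: <value> -> ]<action>
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: a few lines copied in shape (and values) from the MBAM
# log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98fa71cf-cbf5-413f-9aea-dec89faafcdb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\hennerz\Local Settings\Temp\tmp120.tmp (Trojan.Agent) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Publicly documented rogue-resolver block used by the DNSChanger family
# (85.255.112.0 - 85.255.127.255); both resolvers in the posted log are in it.
KNOWN_ROGUE_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# Assumed: the resolvers this machine is supposed to use (e.g. the home router).
TRUSTED_RESOLVERS = ["192.168.1.1"]


@dataclass
class Detection:
    path: str                   # registry key/value or file path as MBAM prints it
    threat: str                 # MBAM threat family, e.g. Trojan.DNSChanger
    action: str                 # what MBAM did, or still has to do after reboot
    data: Optional[str] = None  # registry data, only on "Registry Data Items" lines


# Greedy path, so the LAST "(...)" group on the line is taken as the threat name.
_PATH_THREAT = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\)$")


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a detection line, None for headers/counts/blanks."""
    line = line.strip().rstrip(".")
    parts = line.split(" -> ")
    if len(parts) < 2:          # "Files Infected: 5", "(No malicious items detected)", ...
        return None
    m = _PATH_THREAT.match(parts[0])
    if not m:
        return None
    data = None
    if parts[1].startswith("Data: "):
        data = parts[1][len("Data: "):]
        action = " -> ".join(parts[2:])
    else:
        action = " -> ".join(parts[1:])
    return Detection(m["path"], m["threat"], action, data)


def parse_mbam_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


@dataclass
class DnsFinding:
    key: str              # the NameServer value that was changed
    servers: List[str]    # every resolver listed in the registry data
    rogue: List[str]      # resolvers inside a known rogue range
    unexpected: List[str] # resolvers that are neither rogue nor on the allow-list


def find_dns_hijacks(dets: Iterable[Detection], trusted: Iterable[str]) -> List[DnsFinding]:
    """Flag NameServer data whose resolvers are known-rogue or not allow-listed."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for d in dets:
        if not d.data or not d.path.lower().endswith("\\nameserver"):
            continue
        # NameServer data may be comma- or space-separated.
        servers = [s for s in re.split(r"[,\s]+", d.data) if s]
        rogue, unexpected = [], []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                unexpected.append(s)
                continue
            if any(ip in net for net in KNOWN_ROGUE_RANGES):
                rogue.append(s)
            elif ip not in trusted_ips:
                unexpected.append(s)
        if rogue or unexpected:
            findings.append(DnsFinding(d.path, servers, rogue, unexpected))
    return findings


def pending_items(dets: Iterable[Detection]) -> List[Detection]:
    """Items MBAM could not remove during the scan (locked; deferred to reboot)."""
    return [d for d in dets if "reboot" in d.action.lower()]


def main() -> None:
    dets = parse_mbam_log(SAMPLE_LOG)
    for f in find_dns_hijacks(dets, TRUSTED_RESOLVERS):
        print(f"DNS hijack in {f.key}: rogue={f.rogue} unexpected={f.unexpected}")
    for d in pending_items(dets):
        print(f"still pending after scan: {d.path} ({d.threat})")


if __name__ == "__main__":
    main()
```

A NameServer value that is unexpected but not in a known rogue range still deserves a look: a new rogue block would not be in the range list, so the allow-list check is the one that generalises.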
Old 01-23-2009, 09:36 AM   #3
hennerz

3rd Log File of MBAM

Scan type: Quick Scan
Objects scanned: 57179
Time elapsed: 1 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videoplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{98fa71cf-cbf5-413f-9aea-dec89faafcdb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{98fa71cf-cbf5-413f-9aea-dec89faafcdb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.162,85.255.112.92 -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\hennerz\Local Settings\Temp\tmp3.tmp (Trojan.Agent) -> Delete on reboot.
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\resycled\ntldr.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-60D.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-83F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Old 01-23-2009, 09:52 AM   #4
hennerz

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/23/2009 at 01:50 PM

Application Version : 4.24.1004

Core Rules Database Version : 3723
Trace Rules Database Version: 1697

Scan type : Quick Scan
Total Scan Time : 00:10:09

Memory items scanned : 421
Memory threats detected : 0
Registry items scanned : 453
Registry threats detected : 0
File items scanned : 7241
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\hennerz\Cookies\hennerz@adrevolver[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@media.adrevolver[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@media.adrevolver[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@bs.serving-sys[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@doubleclick[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@tradedoubler[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@msnportal.112.2o7[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@112.2o7[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@serving-sys[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@mediaplex[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@adopt.euroclick[2].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@advertising[1].txt
C:\Documents and Settings\hennerz\Cookies\hennerz@atdmt[2].txt
Old 01-23-2009, 10:03 AM   #5
LirvA
self-banned
Join Date: Sep 2007
Location: Free Manning, Hammond, and Brown.
Posts: 42,857

Can you post a link to your previous thread you mentioned. Also a HiJackThis log.
Old 01-23-2009, 10:21 AM   #6
hennerz

Previous thread:
https://forumserver.twoplustwo.com/48...-found-389609/

HijackThis log coming right after the Avira log, which is about to finish:

Avira AntiVir Personal
Report file date: 23 January 2009 13:54

Scanning for 1259407 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: HENRY-BD1D9A0B5

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 25/11/2008 18:05:58
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 08:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 23:54:36
ANTIVIR1.VDF : 7.1.1.113 2817536 Bytes 14/01/2009 14:13:44
ANTIVIR2.VDF : 7.1.1.148 440832 Bytes 20/01/2009 14:13:45
ANTIVIR3.VDF : 7.1.1.170 342016 Bytes 23/01/2009 13:45:26
Engineversion : 8.2.0.60
AEVDF.DLL : 8.1.0.6 102772 Bytes 15/10/2008 15:03:35
AESCRIPT.DLL : 8.1.1.32 340347 Bytes 23/01/2009 13:45:28
AESCN.DLL : 8.1.1.5 123251 Bytes 09/11/2008 00:34:28
AERDL.DLL : 8.1.1.3 438645 Bytes 05/11/2008 23:49:09
AEPACK.DLL : 8.1.3.5 393588 Bytes 09/01/2009 12:00:59
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 12/12/2008 19:33:31
AEHEUR.DLL : 8.1.0.86 1552759 Bytes 23/01/2009 13:45:27
AEHELP.DLL : 8.1.2.0 119159 Bytes 19/11/2008 00:42:39
AEGEN.DLL : 8.1.1.10 323957 Bytes 18/01/2009 14:13:26
AEEMU.DLL : 8.1.0.9 393588 Bytes 15/10/2008 15:03:25
AECORE.DLL : 8.1.5.2 172405 Bytes 28/11/2008 14:10:29
AEBB.DLL : 8.1.0.3 53618 Bytes 15/10/2008 15:03:21
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 19/09/2008 19:26:41
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 23 January 2009 13:54

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '1' Module(s) have been scanned
Scan process 'ISUSPM.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'WD_SRT.exe' - '1' Module(s) have been scanned
Scan process 'SnoopFreeUI.exe' - '1' Module(s) have been scanned
Scan process 'stsystra.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'WLTRAY.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'postgres.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SnoopFreeSvc.exe' - '1' Module(s) have been scanned
Scan process 'pg_ctl.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'dlbtcoms.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'BCMWLTRY.EXE' - '1' Module(s) have been scanned
Scan process 'WLTRYSVC.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
52 processes with 52 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\SnopFree.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
D:\resycled\ntldr.com
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49e5d2fb.qua'!
D:\System Volume Information\_restore{43667112-5491-4050-8FED-9F882CDB5AC5}\RP171\A0065926.com
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49a9d2d9.qua'!


End of the scan: 23 January 2009 14:22
Used time: 28:00 Minute(s)

The scan has been done completely.

5807 Scanning directories
226877 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
226872 Files not concerned
2823 Archives were scanned
3 Warnings
2 Notes
Old 01-23-2009, 10:26 AM   #7
hennerz

This was what I got at the end of the MBAM scan:


This is what Avira keeps telling me, which option should I be choosing?
Old 01-23-2009, 10:29 AM   #8
hennerz

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:29:23, on 23/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1292428093-1801674531-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: allSnap.lnk = D:\Program Files\allSnap\allSnap.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8362 bytes
Old 01-23-2009, 11:11 AM   #9
hennerz

These are all the files in Avira fwiw, idk what to do with them:

Old 01-23-2009, 12:36 PM   #10
hennerz



funniest character in Reno 911 to lure you back to this thread
Old 01-23-2009, 08:13 PM   #11
LirvA

First of all, go ahead and delete everything from Avira quarantine.

Avira>administration>quarantine>right click>delete


Then follow these steps to delete all your temp files and run another scanner.


Download, install and update SUPERAntiSpyware

www.superantispyware.com


Don't scan yet.

Also download and install CCleaner.

www.ccleaner.com

Install without the yahoo toolbar.

(copy and paste these instructions into notepad and save as a .txt file to your desktop so you can access the instructions while in safe mode)

Now boot into safe mode by tapping F8 until you get a menu. Select safe mode and hit enter. Once in safe mode, perform this cleaning with CCleaner on each user account, including the safe mode admin account. (if you don't see the CCleaner icon on your desktop when logged into the admin account, or any other account, browse to
C:\Program Files\CCleaner\
and double click CCleaner.exe to run the program.)


CCleaner>Windows tab>Make sure all of these are checked, uncheck the other boxes.
It's important to avoid checking the "old prefetch data" box. Also avoid the registry cleaner; it's not a good idea to casually remove registry keys.
Only check the following boxes


All of the Internet Explorer boxes

Windows Explorer
recent documents


System
Empty Recycle Bin
Temp files
Clipboard


Analyze>Run cleaner. Do this once more to make sure it deletes everything.
Analyze>Run cleaner.


Now the Applications tab.

Check every box if it lists Firefox or Opera

Every box in the Applications category

Every box in the Internet Category

Analyze>Run cleaner
Analyze>Run cleaner



Do this on every user account, and the safe mode admin account.


After doing this on each user account in safe mode, run a full scan with SUPERAntiSpyware while still in safe mode.

Remove anything it detects, and restart your computer into normal boot mode and post the SAS log

SAS>preferences>logs/statistics


And a new HJT log.
Old 01-23-2009, 08:14 PM   #12
LirvA

For Avira detections, quarantine, delete, or quarantine and delete should be used.
Old 01-24-2009, 04:00 AM   #13
hennerz

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/24/2009 at 06:54 AM

Application Version : 4.25.1012

Core Rules Database Version : 3723
Trace Rules Database Version: 1697

Scan type : Quick Scan
Total Scan Time : 00:46:04

Memory items scanned : 228
Memory threats detected : 0
Registry items scanned : 447
Registry threats detected : 0
File items scanned : 7102
File threats detected : 1

Trojan.Unknown Origin
D:\PROGRAM FILES\REAL\REALPLAYER\RPPLUGINS\RPAPPDEMON.DLL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:54:16, on 24/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\Program Files\allSnap\allSnap.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1292428093-1801674531-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: allSnap.lnk = D:\Program Files\allSnap\allSnap.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8597 bytes
hennerz is offline   Reply With Quote
Old 01-24-2009, 08:32 AM   #14
LirvA
self-banned
Join Date: Sep 2007
Location: Free Manning, Hammond, and Brown.
Posts: 42,857
Re: Trojan that MBAM can't delete and keeps respawning!?

Close all browsers and fix these entries with HJT by scanning, checking the box next to the entries and clicking "fix checked." Only fix these entries.


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O20 - AppInit_DLLs:




After this, run an online scan and post the results.

http://www.kaspersky.com/virusscanner


And post a new HJT log.
LirvA is offline   Reply With Quote
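The two entries LirvA singles out (an O2 BHO with no name and no file, and an O20 AppInit_DLLs line) are the kind of thing a helper looks for by eye. As an added example, not HijackThis's own code or anything from this thread, here is a small triage script that parses HJT entry lines and flags those two classes plus two cheap checks on O4 Run entries and O23 services; the sample log below is a constructed subset shaped like the posted one.

```python
"""Triage a HijackThis log for the entry classes a helper asks to fix.

Added example, not HijackThis's own code. The sample below is a constructed
subset of lines in the shape of the posted log; the rules encode what LirvA
singled out (an O2 BHO with no name and no file, an O20 AppInit_DLLs line)
plus two cheap checks on O4 Run entries and O23 services.
"""
import re

# Constructed sample: a handful of lines shaped like the posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
"""

# One HJT entry per line: a class tag (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Yield (kind, body) for every entry line; headers and the process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(log_text):
    """Return (kind, body, reason) for entries worth a second look, in log order."""
    findings = []
    for kind, body in parse_entries(log_text):
        if kind == "O2" and "(no name)" in body and body.endswith("(no file)"):
            # Orphaned BHO: a CLSID still registered with no DLL behind it.
            findings.append((kind, body, "orphaned BHO (no name, no file)"))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            # Anything listed here is loaded into every process that uses user32.
            # HJT shows the line even when the value is empty, which is why the
            # helper asked to fix it rather than leave the key in place.
            dlls = body[len("AppInit_DLLs:"):].strip()
            findings.append((kind, body, "AppInit_DLLs present" + (f": {dlls}" if dlls else "")))
        elif kind == "O4" and "\\" not in body.split("]", 1)[-1]:
            # A Run entry with a bare file name resolves through the search path,
            # so the log alone does not tell you which file actually runs.
            findings.append((kind, body, "Run entry without a full path"))
        elif kind == "O23" and " - - " in body:
            # Service with an empty vendor field.
            findings.append((kind, body, "service with no vendor string"))
    return findings


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason:<35} {body}")
```

Point it at a saved HJT log (read the file and pass its text to `triage`) to get the same short list for a real machine.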
Old 01-24-2009, 09:15 AM   #15
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

Thank you. Running the online scan now, should be done in ~40 mins.

Some specific information: every time I go Start > My Computer > Local Disk (D:) (I have my hard drive partitioned, C and D) I get an error message and cannot directly view the files within (Program Files and My Documents). However, when I go directly Start > My Documents, it works fine.
hennerz is offline   Reply With Quote
Old 01-24-2009, 10:00 AM   #16
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:59:49, on 24/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\Program Files\allSnap\allSnap.exe
D:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WD_SRT] "C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\hennerz\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [UltraMon] "D:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1292428093-1801674531-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'postgres')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: allSnap.lnk = D:\Program Files\allSnap\allSnap.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: dlbt_device - - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - D:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8668 bytes
hennerz is offline   Reply With Quote
Old 01-25-2009, 02:28 AM   #17
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

Just putting this back to the top of the page, I am planning on playing a session in like ~4 hours, which will involve typing my password in etc, should this be fine?

Fwiw, I still can't click on my D drive.
hennerz is offline   Reply With Quote
Old 01-25-2009, 03:53 AM   #18
LirvA
self-banned
Join Date: Sep 2007
Location: Free Manning, Hammond, and Brown.
Posts: 42,857
Re: Trojan that MBAM can't delete and keeps respawning!?

You should be fine typing passwords and all that. But you should reset your system restore.


Let's reset your system restore.

Start>all programs>accessories>system tools>system restore>system restore settings>system restore tab>check the "turn off system restore" box>OK

Now restart your computer and follow those steps to turn system restore back on. Just uncheck the box this time>OK


As far as your problem with the D partition, I'm not sure. You only started having that problem after the infection, correct?

Have you tried booting into safe mode and logging in as the admin to try to access that partition?

You might google around for Partition errors or something, if I have some time I'll google around a bit.
LirvA is offline   Reply With Quote
Old 01-25-2009, 09:51 AM   #19
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

Thank you so much. I have now done all that. Regarding the error message, it is:
Quote:
Windows cannot find 'resycled\ntldr.com'. Make sure you typed the name correctly, and then try again. To search for a file click the Start button, and then click Search.
A Google search turns up a fair few potential solutions. First is Combofix, which seems quite hard/powerful and complicated, any thoughts?

Second is http://www.precisesecurity.com/blogs...ycledntldrcom/ something called Flash Disinfector (in the 1st comment) - gets good praise, but idk if this counts for much?

Going to do Flash Disinfector now...
hennerz is offline   Reply With Quote
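The "Windows cannot find 'resycled\ntldr.com'" error on opening D: is the symptom that typically appears once a scanner has removed the file that a drive-root autorun.inf pointed the drive's open/explore verbs at: Explorer still follows the redirect, and the target is gone. As an added example, not from the thread or any tool it mentions, here is a small inspector that parses an autorun.inf, lists the keys that would launch a program, flags the verb rewiring, and reports targets that no longer exist; the autorun.inf contents and the `exists` callback used for checking are constructed for the example.

```python
"""Inspect an autorun.inf for keys that launch a program when the drive is opened.

Added example, not from the thread or any tool mentioned in it. The file contents
below are constructed to mimic a partition-root autorun.inf that redirects the
drive's open and explore verbs to a file under a 'resycled' folder.
"""
import configparser
import os

# Constructed sample autorun.inf; key names are case-insensitive on Windows.
SAMPLE_AUTORUN = r"""
[autorun]
open=resycled\ntldr.com
shell\open\Command=resycled\ntldr.com
shell\explore\command=resycled\ntldr.com
icon=%SystemRoot%\system32\SHELL32.dll,4
shellexecute=resycled\ntldr.com
"""

# Keys that run something directly; shell\<verb>\command keys are matched by shape.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (any case), keys lowercased."""
    # interpolation=None: '%SystemRoot%' must not be treated as a format token.
    # strict=False: real-world files often repeat keys; keep the last one.
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_targets(text):
    """Sorted (key, target) pairs for every key that would execute a program."""
    out = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            out.append((key, value))
    return sorted(out)


def is_suspicious(text):
    """True if Explorer's own verbs are rewired (shell\\*\\command) or a launch
    key points into a subfolder; an install CD's plain open=setup.exe does not match."""
    for key, target in launch_targets(text):
        if key.startswith("shell\\") or "\\" in target:
            return True
    return False


def missing_targets(text, root, exists=os.path.exists):
    """Launch targets that do not exist under root: the state that yields the
    'Windows cannot find ...' error after a scanner has removed the dropper."""
    missing = set()
    for _, target in launch_targets(text):
        if not exists(root.rstrip("\\/") + "\\" + target):
            missing.add(target)
    return sorted(missing)


if __name__ == "__main__":
    for key, target in launch_targets(SAMPLE_AUTORUN):
        print(f"{key:<24} -> {target}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```

On a real drive, read the root autorun.inf into `text` and call `missing_targets(text, "D:")` with the default `exists` to see which referenced files are already gone.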
Old 01-25-2009, 09:54 AM   #20
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

Great success. There are a lot of people with the same problem occurring over the last couple of weeks. Apparently codecs are the main source, but it is also passed around on USB flash sticks (and partitioned drives, I guess).

But at the end of the day, the classic stuff worked, but this time with the use of Flash indicator at the end.

For anyone else, Flash indicator can be found here: http://www.precisesecurity.com/tools...h-disinfector/

And to clarify, MBAM + SAS are awesome, but not as awesome as LirvA, thank you so much man, you're a diamond, I hope I was helpful ITT.
hennerz is offline   Reply With Quote
Old 01-25-2009, 03:23 PM   #21
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

I just got this:



I quarantined the file and will delete now.

I just ran MBAM and SAS again and nothing. I did a quick google and people seemed to be able to delete the file fine...
hennerz is offline   Reply With Quote
Old 01-25-2009, 05:39 PM   #22
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?



Damn it, checking out more online now
hennerz is offline   Reply With Quote
Old 01-26-2009, 04:58 PM   #23
LirvA
self-banned
Join Date: Sep 2007
Location: Free Manning, Hammond, and Brown.
Posts: 42,857
Re: Trojan that MBAM can't delete and keeps respawning!?

Quote:
Combofix, which seems quite hard/powerful and complicated, any thoughts?

I've tried Combofix on a virtual machine before, it's easy to run, you just save it to your desktop and double click to run, then just select 1 or 2 or whatever and hit enter.

I believe Combofix will remove some known malware and it also generates a good log and afterwards you can write up a command into notepad and drop it onto the combofix icon to execute the command. This is the area I don't have any experience with. I generally don't suggest people use Combofix because I don't have much experience with it. Also, it doesn't work on Vista FWIW.


Quote:
Second is http://www.precisesecurity.com/blogs...ycledntldrcom/ something called Flash Disinfector (in the 1st comment) - gets good praise, but idk if this counts for much?

I've never heard of flash disinfector before. If you can find it for download at places like download.com or softpedia or other download sites, it's probably safe to use. Definitely worth checking out reviews before using it.



Quote:
Great success. There are a lot of people with the same problem occurring over the last couple of weeks. Apparently codecs are the main source, but it is also passed around on USB flash sticks (and partitioned drives, I guess).

But at the end of the day, the classic stuff worked, but this time with the use of Flash indicator at the end.
You're not getting that error any more?



Quote:
MBAM + SAS are awesome, but not as awesome as LirvA
LirvA is offline   Reply With Quote
Old 01-26-2009, 05:03 PM   #24
LirvA
self-banned
Join Date: Sep 2007
Location: Free Manning, Hammond, and Brown.
Posts: 42,857
Re: Trojan that MBAM can't delete and keeps respawning!?

Quote:
Originally Posted by hennerz View Post
I just got this:



I quarantined the file and will delete now.

I just ran MBAM and SAS again and nothing. I did a quick google and people seemed to be able to delete the file fine...

This is possibly a false positive. If Flash Disinfector is a safe, legitimate application, and you downloaded it from a safe, legitimate source, it's probably a false positive.

Quote:
Originally Posted by hennerz View Post


Damn it, checking out more online now

This is Avira detecting an infection in a system restore point. It appears to be the same detection because it says it's the same worm. Did you reset your system restore as instructed in my previous post?
LirvA is offline   Reply With Quote
Old 01-26-2009, 05:29 PM   #25
hennerz
2008 uNL WSOP Champion
Join Date: Dec 2006
Location: Winchester Location: Bristol
Posts: 5,567
Re: Trojan that MBAM can't delete and keeps respawning!?

The problem is gone and I did do what you said here:

Quote:
Let's reset your system restore.

Start>all programs>accessories>system tools>system restore>system restore settings>system restore tab>check the "turn off system restore" box>OK

now restart your computer and follow those steps to turn system restore back on. Just uncheck the box this time>OK
Shall I do it again? Fwiw I haven't had any more messages since.

Although the detection of the Flash Detector, which may have been a false positive, is the same worm as that most recent detection and the original detection... Both of the last 2 are still in Avira fwiw, shall I go ahead and delete them too?
hennerz is offline   Reply With Quote