Welcome to MalwareRemoval.com,
Back Door Trojan? Some web pages freeze. XP


Re: Back Door Trojan? Some web pages freeze. XP

Post by melboy » March 2nd, 2010, 1:43 pm

Hi Gramps

Looks good - Well done! ;)


ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix: Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    For instructions on how to disable your security programs, please see this topic:
    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Post by Gramps » March 2nd, 2010, 3:49 pm

ComboFix 10-03-01.04 - dad 03/02/2010 13:33:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.205 [GMT -6:00]
Running from: c:\documents and settings\dad\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SIntf16.dll
c:\windows\system32\spdwnwxp.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-01 18:24 . 2010-03-01 18:24 77312 ----a-w- C:\mbr.exe
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\dad\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 18:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 00:27 . 2010-02-28 00:29 -------- d-----w- C:\rsit
2010-02-28 00:15 . 2010-02-27 23:53 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-28 00:15 . 2010-02-27 23:53 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-27 23:54 . 2010-02-27 23:56 -------- d-----w- C:\$AVG
2010-02-27 23:53 . 2010-02-27 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-22 01:59 . 2010-02-22 01:59 -------- d-----w- c:\program files\JRE
2010-02-20 21:37 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-20 21:19 . 2010-02-20 21:19 -------- d-sh--w- c:\documents and settings\dad\IECompatCache
2010-02-20 20:56 . 2010-03-02 17:05 -------- d-----w- c:\windows\system32\NtmsData
2010-02-20 20:15 . 2010-02-20 20:18 -------- dc-h--w- c:\windows\ie8
2010-02-20 19:53 . 2010-02-20 19:53 -------- d-----w- c:\windows\system32\msmq
2010-02-10 04:33 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-10 04:33 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-02-10 04:33 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-02-10 04:32 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-04 16:25 . 2009-03-08 10:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2010-02-04 03:14 . 2010-02-04 03:14 503808 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcp71.dll
2010-02-04 03:14 . 2010-02-04 03:14 499712 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\jmc.dll
2010-02-04 03:14 . 2010-02-04 03:14 348160 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcr71.dll
2010-02-04 03:14 . 2010-02-04 03:14 61440 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-sse.dll
2010-02-04 03:14 . 2010-02-04 03:14 12800 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-d3d.dll
2010-02-03 02:23 . 2010-02-03 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-03 01:32 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-03 01:32 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-02-03 01:32 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-02-03 01:32 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-02-02 21:32 . 2010-02-02 21:32 -------- d-----w- c:\program files\Trend Micro
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\program files\QuickTime
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Common Files\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Apple Software Update
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 19:38 . 2009-09-21 15:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 19:38 . 2009-08-27 19:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-01 18:04 . 2009-04-16 16:18 1 ----a-w- c:\documents and settings\dad\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-27 23:53 . 2009-04-13 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-27 23:53 . 2009-04-13 01:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-27 23:53 . 2009-04-13 00:46 -------- d-----w- c:\program files\AVG
2010-02-22 01:59 . 2009-04-16 05:31 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-21 00:36 . 2009-04-16 05:30 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 00:36 . 2009-04-16 05:08 -------- d-----w- c:\program files\Java
2010-02-20 22:27 . 2009-04-16 05:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-20 21:59 . 2009-04-11 05:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-02 23:28 . 2009-07-23 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 22:31 . 2009-12-07 22:48 -------- d-----w- c:\program files\ordrumbox
2010-02-01 17:01 . 2009-09-17 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-12 21:25 . 2010-01-13 02:53 52224 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-01-12 21:25 . 2010-01-13 02:53 101376 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-01-07 02:49 . 2009-04-13 00:24 22352 ----a-w- c:\documents and settings\dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 00:16 . 2009-08-27 22:38 -------- d-----w- c:\documents and settings\dad\Application Data\Skype
2010-01-06 23:50 . 2009-08-27 22:41 -------- d-----w- c:\documents and settings\dad\Application Data\skypePM
2010-01-05 16:09 . 2010-01-05 16:09 -------- d-----w- c:\program files\NCH Software
2010-01-05 16:05 . 2010-01-05 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\documents and settings\dad\Application Data\NCH Swift Sound
2010-01-04 22:37 . 2010-01-04 22:21 -------- d-----w- c:\documents and settings\dad\Application Data\MP3Rocket
2009-12-31 16:50 . 2007-06-24 07:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2007-06-24 07:40 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-04-11 05:26 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-03 23:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2007-06-24 07:39 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2007-02-28 07:15 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2007-06-24 07:39 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-27 23:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^dad^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\dad\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 10:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-09 15:58 133104 ----atw- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-06-02 13:59 5451536 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime]
2007-12-27 23:17 466944 ----a-w- c:\documents and settings\All Users\common\dll\netdr\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 18:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3383:TCP"= 3383:TCP:Services
"7477:TCP"= 7477:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 7:55 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 7:55 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/27/2010 5:53 PM 285392]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 4:15 AM 547744]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003Core.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003UA.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dad\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 13:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3068)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\LTMSG.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgnsx.exe
.
**************************************************************************
.
Completion time: 2010-03-02 13:43:01 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-02 19:42

Pre-Run: 41,178,247,168 bytes free
Post-Run: 41,140,432,896 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FFCE073D23176E003C7AEECC3954F068
Gramps
Active Member
Posts: 12
Joined: February 20th, 2010, 12:17 pm

Re: Back Door Trojan? Some web pages freeze. XP

Post by melboy » March 2nd, 2010, 5:09 pm

Hi Gramps


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Registry:: 
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "3246:TCP"=-
    "2479:TCP"=-
    "3389:TCP"=-
    "3383:TCP"=-
    "7477:TCP"=-
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
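The CFScript above deletes seven values from the XP firewall's GloballyOpenPorts list, the entries that the first ComboFix log showed as open to the world with the generic label "Services". The script below is an added example for this thread, not code from ComboFix or from either poster: it parses that section of a ComboFix log, selects the port openings to delete (everything not on an operator-supplied allow-list of descriptions, which is an assumption for illustration; the helper here allowed nothing and removed all seven) and emits the same "Registry::" block in REGEDIT4 syntax, where "name"=- deletes a value. SAMPLE_LOG is a constructed excerpt modelled on the log posted above.

```python
"""Parse the XP firewall-policy section of a ComboFix log and build the
CFScript that deletes the globally open ports.

Added example for this thread, not code from ComboFix or from the original
posts. SAMPLE_LOG is a constructed excerpt modelled on the log above; the
allow-list of descriptions to keep is an assumption for illustration.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the two firewall-policy keys as ComboFix prints them.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7477:TCP"= 7477:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys
"""

OPEN_PORTS_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                  r"\standardprofile\GloballyOpenPorts\List")

# ComboFix prints each value as:  "port:proto"= port:proto:description
PORT_LINE = re.compile(r'^"(?P<name>\d+:(?:TCP|UDP))"=\s*(?P<data>.*)$')


def parse_open_ports(log: str) -> Dict[str, str]:
    """Return {value_name: value_data} for the GloballyOpenPorts\\List key.

    A section in a ComboFix log starts with a bracketed key and ends at the
    next blank line, so only lines inside that window are considered.
    """
    ports: Dict[str, str] = {}
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_section = False          # a blank line closes the section
            continue
        if line.startswith("["):
            in_section = (line == f"[{OPEN_PORTS_KEY}]")
            continue
        if in_section:
            m = PORT_LINE.match(line)
            if m:
                ports[m.group("name")] = m.group("data")
    return ports


def ports_to_remove(ports: Dict[str, str], allow: Set[str] = frozenset()) -> List[str]:
    """Select the value names to delete, in log order.

    Every opening is removed unless its description (third field of the
    value data) is on the allow-list. An empty allow-list reproduces what
    the helper did in this thread: remove all of them.
    """
    to_remove: List[str] = []
    for name, data in ports.items():
        fields = data.split(":", 2)
        description = fields[2] if len(fields) == 3 else ""
        if description not in allow:
            to_remove.append(name)
    return to_remove


def build_cfscript(names: List[str]) -> str:
    """Emit the CFScript 'Registry::' block.

    The body is REGEDIT4 syntax, where  "name"=-  deletes that value.
    """
    lines = ["Registry::", f"[{OPEN_PORTS_KEY}]"]
    lines += [f'"{name}"=-' for name in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_LOG)
    print(build_cfscript(ports_to_remove(found)))
```

Run against a saved ComboFix.txt the output can be pasted into Notepad and saved as CFScript.txt exactly as the post describes; passing an allow-list such as {"Remote Desktop"} keeps that one entry, which is a decision the person reading the log has to make, not one the script can make for them.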

Re: Back Door Trojan? Some web pages freeze. XP

Post by Gramps » March 2nd, 2010, 6:12 pm

ComboFix 10-03-02.02 - dad 03/02/2010 16:02:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.362 [GMT -6:00]
Running from: c:\documents and settings\dad\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\dad\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))
.

2010-03-01 18:24 . 2010-03-01 18:24 77312 ----a-w- C:\mbr.exe
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\dad\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-01 18:18 . 2010-03-01 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 18:18 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 00:27 . 2010-02-28 00:29 -------- d-----w- C:\rsit
2010-02-28 00:15 . 2010-02-27 23:53 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-28 00:15 . 2010-02-27 23:53 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-27 23:54 . 2010-02-27 23:56 -------- d-----w- C:\$AVG
2010-02-27 23:53 . 2010-02-27 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-22 01:59 . 2010-02-22 01:59 -------- d-----w- c:\program files\JRE
2010-02-20 21:37 . 2008-04-14 00:11 81920 ------w- c:\windows\system32\ieencode.dll
2010-02-20 21:19 . 2010-02-20 21:19 -------- d-sh--w- c:\documents and settings\dad\IECompatCache
2010-02-20 20:56 . 2010-03-02 17:05 -------- d-----w- c:\windows\system32\NtmsData
2010-02-20 20:15 . 2010-02-20 20:18 -------- dc-h--w- c:\windows\ie8
2010-02-20 19:53 . 2010-02-20 19:53 -------- d-----w- c:\windows\system32\msmq
2010-02-10 04:33 . 2009-12-14 07:08 33280 -c----w- c:\windows\system32\dllcache\csrsrv.dll
2010-02-10 04:33 . 2009-12-08 09:23 474112 -c----w- c:\windows\system32\dllcache\shlwapi.dll
2010-02-10 04:33 . 2009-11-27 16:07 11264 -c----w- c:\windows\system32\dllcache\msrle32.dll
2010-02-10 04:32 . 2009-12-16 18:43 343040 -c----w- c:\windows\system32\dllcache\mspaint.exe
2010-02-04 16:25 . 2009-03-08 10:33 18944 -c--a-w- c:\windows\system32\dllcache\corpol.dll
2010-02-04 03:14 . 2010-02-04 03:14 503808 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcp71.dll
2010-02-04 03:14 . 2010-02-04 03:14 499712 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\jmc.dll
2010-02-04 03:14 . 2010-02-04 03:14 348160 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-52271643-n\msvcr71.dll
2010-02-04 03:14 . 2010-02-04 03:14 61440 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-sse.dll
2010-02-04 03:14 . 2010-02-04 03:14 12800 ----a-w- c:\documents and settings\dad\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-448217c7-n\decora-d3d.dll
2010-02-03 02:23 . 2010-02-03 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-03 01:32 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-03 01:32 . 2009-10-13 10:30 270336 -c----w- c:\windows\system32\dllcache\oakley.dll
2010-02-03 01:32 . 2009-10-12 13:38 149504 -c----w- c:\windows\system32\dllcache\rastls.dll
2010-02-03 01:32 . 2009-10-12 13:38 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2010-02-02 21:32 . 2010-02-02 21:32 -------- d-----w- c:\program files\Trend Micro
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\program files\QuickTime
2010-02-02 19:25 . 2010-02-02 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Common Files\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\program files\Apple Software Update
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-02 19:24 . 2010-02-02 19:24 -------- d-----w- c:\documents and settings\dad\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-02 19:38 . 2009-09-21 15:56 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-03-02 19:38 . 2009-08-27 19:00 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-03-01 18:04 . 2009-04-16 16:18 1 ----a-w- c:\documents and settings\dad\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-02-27 23:53 . 2009-04-13 01:55 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-27 23:53 . 2009-04-13 01:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-27 23:53 . 2009-04-13 01:55 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-27 23:53 . 2009-04-13 00:46 -------- d-----w- c:\program files\AVG
2010-02-22 01:59 . 2009-04-16 05:31 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-21 00:36 . 2009-04-16 05:30 -------- d-----w- c:\program files\Common Files\Java
2010-02-21 00:36 . 2009-04-16 05:08 -------- d-----w- c:\program files\Java
2010-02-20 22:27 . 2009-04-16 05:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-20 21:59 . 2009-04-11 05:30 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-02 23:28 . 2009-07-23 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-02 22:31 . 2009-12-07 22:48 -------- d-----w- c:\program files\ordrumbox
2010-02-01 17:01 . 2009-09-17 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-12 21:25 . 2010-01-13 02:53 52224 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-01-12 21:25 . 2010-01-13 02:53 101376 ----a-w- c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-01-07 02:49 . 2009-04-13 00:24 22352 ----a-w- c:\documents and settings\dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 00:16 . 2009-08-27 22:38 -------- d-----w- c:\documents and settings\dad\Application Data\Skype
2010-01-06 23:50 . 2009-08-27 22:41 -------- d-----w- c:\documents and settings\dad\Application Data\skypePM
2010-01-05 16:09 . 2010-01-05 16:09 -------- d-----w- c:\program files\NCH Software
2010-01-05 16:05 . 2010-01-05 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\program files\NCH Swift Sound
2010-01-05 16:04 . 2010-01-05 16:04 -------- d-----w- c:\documents and settings\dad\Application Data\NCH Swift Sound
2010-01-04 22:37 . 2010-01-04 22:21 -------- d-----w- c:\documents and settings\dad\Application Data\MP3Rocket
2009-12-31 16:50 . 2007-06-24 07:40 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2007-06-24 07:40 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2009-04-11 05:26 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-03 23:56 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2007-06-24 07:39 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2007-02-28 07:15 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2007-06-24 07:39 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime"="c:\documents and settings\All Users\common\dll\netdr\msdtc.exe" [2007-12-27 466944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-27 23:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^dad^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\dad\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 10:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-09-09 15:58 133104 ----atw- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-06-02 13:59 5451536 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-05-08 15:35 2780432 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime]
2007-12-27 23:17 466944 ----a-w- c:\documents and settings\All Users\common\dll\netdr\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-07-16 18:20 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Diablo II\\Game.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/12/2009 7:55 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/12/2009 7:55 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/27/2010 5:53 PM 285392]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [5/23/2007 4:15 AM 547744]
.
Contents of the 'Scheduled Tasks' folder

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003Core.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1060284298-682003330-1003UA.job
- c:\documents and settings\dad\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-09 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\dad\Application Data\Mozilla\Firefox\Profiles\qvrol8yx.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\dad\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 16:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6096)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2010-03-02 16:09:24
ComboFix-quarantined-files.txt 2010-03-02 22:09
ComboFix2.txt 2010-03-02 19:43

Pre-Run: 41,137,987,584 bytes free
Post-Run: 41,127,301,120 bytes free

- - End Of File - - 9A05D7D5A0931A53FE228C4018F2B523
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 2nd, 2010, 6:23 pm

Hi Gramps

Looks good!



Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.




ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 2nd, 2010, 7:58 pm

Here they are, thanks for your help

Malwarebytes' Anti-Malware 1.44
Database version: 3816
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/2/2010 5:26:25 PM
mbam-log-2010-03-02 (17-26-25).txt

Scan type: Quick Scan
Objects scanned: 106302
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2603dfd59f040149ae41bff7da943871
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-03-02 11:53:24
# local_time=2010-03-02 05:53:24 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2343954 2343954 0 0
# compatibility_mode=1024 16777191 100 0 175483 175483 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=33732
# found=0
# cleaned=0
# scan_time=920
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
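A check a helper would want to run on a log like the one above: the instructions asked for "Scan archives" to be checked, yet the header reports `archives_checked=false`. The following is an added example, not part of the thread or of ESET's tooling; it parses the `# key=value` header of an ESET Online Scanner log and reports any setting that does not match what was requested. The sample log is constructed from the header format shown above, and the expected-settings table is an assumption taken from melboy's instructions.

```python
"""Compare an ESET Online Scanner log header with the requested scan settings."""
import re

# Constructed sample in the format of the log posted above (abbreviated).
SAMPLE_ESET_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# compatibility_mode=512 16777215 100 0 2343954 2343954 0 0
# compatibility_mode=1024 16777191 100 0 175483 175483 0 0
# scanned=33732
# found=0
# cleaned=0
# scan_time=920
"""

# Assumed expectations, taken from the helper's instructions: do NOT remove
# found threats, DO scan archives, enable PUA/unsafe detection and Anti-Stealth.
EXPECTED_SETTINGS = {
    "remove_checked": "false",
    "archives_checked": "true",
    "unwanted_checked": "true",
    "unsafe_checked": "true",
    "antistealth_checked": "true",
}

HEADER_RE = re.compile(r"^#\s*([A-Za-z_]+)=(.*)$")


def parse_header(text):
    """Return the '# key=value' fields as a dict.

    Keys that repeat (compatibility_mode does) are collected into a list
    so that no value is silently overwritten.
    """
    fields = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields


def check_scan(text, expected=EXPECTED_SETTINGS):
    """Return a list of problems: an unfinished scan, missing settings,
    or settings that differ from what was requested. Empty list means OK."""
    fields = parse_header(text)
    problems = []
    if fields.get("end") != "finished":
        problems.append("scan did not finish (end=%s)" % fields.get("end"))
    for key, want in expected.items():
        got = fields.get(key)
        if got is None:
            problems.append("%s missing from header" % key)
        elif got != want:
            problems.append("%s=%s (expected %s)" % (key, got, want))
    return problems


def summary(text):
    """Counts a helper reads first: objects scanned, found, cleaned."""
    f = parse_header(text)
    return {k: int(f.get(k, "0")) for k in ("scanned", "found", "cleaned")}


if __name__ == "__main__":
    for p in check_scan(SAMPLE_ETF_LOG if False else SAMPLE_ESET_LOG):
        print("settings mismatch:", p)
    print(summary(SAMPLE_ESET_LOG))
```

On the constructed sample the only mismatch reported is `archives_checked=false (expected true)`, which is exactly the point a helper would raise before treating the `found=0` result as conclusive: archives were never looked inside.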

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 3rd, 2010, 1:20 pm

Hi Gramps.

Your original assumption that this might be due to a backdoor was correct. It was supported by a rootkit and gave remote access to your PC.

A backdoor can give intruders complete control of your computer, log your keystrokes, steal personal information, etc.

A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

This can allow hackers to remotely control your computer, steal critical system information and download and execute files.

Symantec- Mebroot/HelpAssistant

Although as best as I can tell we look to have cleaned your computer, we have no real way of knowing what was done to the machine whilst it was compromised. Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS.


  • If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, it would be prudent to change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • It would be wise to contact those same financial institutions to apprise them of your situation.


Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Any Questions - feel free to ask.



Update Adobe Reader
Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.3 to your PC's desktop.
  • Uninstall Adobe Reader 9.2 via Start > Control Panel > Add/Remove Programs
  • Install the newly downloaded software.



Please post back with a fresh HijackThis log (Do a system scan and save a log file) and a description of how the computer is running now.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby Gramps » March 3rd, 2010, 9:55 pm

Thanks again for your help. Seems to be running much better. Browsers load much faster. And no blue screen since about halfway through the process. I will start the process of changing passwords now. Again thank you for all you've done, it is greatly appreciated.

Gramps


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:47 PM, on 3/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5160479062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8295481718
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4636 bytes
Gramps
Active Member
 
Posts: 12
Joined: February 20th, 2010, 12:17 pm
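Reading a HijackThis log by eye means scanning the O4 (Run key) and O23 (service) lines for executables that live somewhere odd. The following is an added example, not part of the thread or of HijackThis itself: a small triage script that parses those two entry types and flags, for review, any executable that runs from outside Program Files or the Windows directory, has no absolute path at all, or carries the name of a well-known Windows system binary while sitting outside the Windows directory. The sample lines are copied from the log above; the list of trusted directories and of system binary names are my assumptions. A flag means "look at this first", not "this is malware": on this sample the `[QuickTime]` entry, which points at an `msdtc.exe` under `Documents and Settings`, and the path-less `[LTMSG]` entry are the ones flagged.

```python
"""Triage helper for HijackThis-style logs: flag O4/O23 entries for review."""
import re
from collections import namedtuple

# Constructed sample, copied from the HijackThis log format posted above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime] C:\Documents and Settings\All Users\common\dll\netdr\msdtc.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed "expected" locations for autostart executables on this XP box.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumed list of system binary names that legitimately live under C:\WINDOWS only.
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "winlogon.exe", "smss.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$")
# First quoted string, or an unquoted drive-letter path up to its first executable extension.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|scr|bat|cmd|com))', re.IGNORECASE)

Entry = namedtuple("Entry", "kind name path flags")


def extract_path(cmd):
    """Pull the executable path out of a Run value or service command line."""
    m = PATH_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess(path):
    """Return review flags for one executable path (empty list = nothing notable)."""
    if path is None:
        return ["no absolute path"]
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    flags = []
    if not low.startswith(TRUSTED_PREFIXES):
        flags.append("outside Program Files/Windows")
    if base in SYSTEM_BINARIES and not low.startswith("c:\\windows\\"):
        flags.append("system binary name outside Windows directory")
    return flags


def triage(text):
    """Parse O4 and O23 lines into Entry tuples with their review flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line)
            if m:
                path = extract_path(m.group("cmd"))
                entries.append(Entry(kind, m.group("name"), path, assess(path)))
                break
    return entries


def flagged(text):
    """Map entry name -> flags, for entries that need a human look."""
    return {e.name: e.flags for e in triage(text) if e.flags}


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LOG):
        marker = "REVIEW" if e.flags else "ok    "
        print(marker, e.kind, e.name, "->", e.path, "; ".join(e.flags))
```

The heuristics are deliberately narrow so the output stays short; the signed-vendor name on an O23 line and the Run value name on an O4 line are carried through in the parsed entry for the reviewer, not used as evidence, since either can be chosen freely by whoever wrote the registry value.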

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby melboy » March 5th, 2010, 5:42 pm

Hi Gramps

Sorry for the delay.


You should be aware that there are signs of what I would consider a commercial keylogging programme on your computer.

It may well be that the program was legitimately installed by the owner of the computer as Parental Control software.
However - The program is technically considered malware by some security vendors for its ability to:

Run in stealth mode and log all keystrokes, list the names of all running programs, take periodic screenshots, save Web sites if they contain predefined keywords, and log URLs of all visited Web sites.

Such programs can be used for both legitimate and nefarious means.

That said, your logs now appear to be clean. Please bear in mind the infection you had and the advice I gave you previously. We can finish up here and remove the tools I had you download.



Uninstall Combofix
We Need to Remove ComboFix
  1. Please go to Start -> Run
  2. Enter "ComboFix /uninstall" (without quotes). Note the space between "ComboFix" and "/uninstall", it needs to be there.
  3. Press OK (Or hit enter).
  4. Allow ComboFix to remove itself.



OTC by OldTimer

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


You can then delete the following files/folders if present:

SysProt.zip and SysProt folder
RootRepeal.zip and RootRepeal folder
MBR.exe
MBR.txt
MBR.log
mbrold.log
Helpass.bat
Profiles.exe
HelpAsst_mebroot_fix.exe



======================================================


This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

[Please note that trial pay is not needed to get any product for free.]




Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: Back Door Trojan? Some web pages freeze. XP

Unread postby jmw3 » March 8th, 2010, 9:48 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia