WiredWX Hobby Weather ToolsLog in

 


descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
Hello. Earlier I clicked on a link (accidentally of course) encountered a site that was reported by Firefox as an attack site. The site was up for less than a second and my AVG 8.0 Anti-Virus went crazy. Telling me that There have been some trojans found on my computer. I tried to delete them and it quarantined them in the Virus Vault but could not delete them. I then did a full computer scan and sent some other objects that were reported by AVG as trojans, trojan agents and whatever. I deleted the following from my disk that was reported by AVG:

1. Trojan Horse SHeur2.FJD - Prunnet.exe
2. Trojan Horse Agent.AOQG - gadcom.exe
3. Trojan horse downloader agent - wininstall[1].exe
4. Trojan Horse BHO.GQR - geBrrRkk.dll

I deleted those items from my disk. I then did another scan and nothing appeared. I then followed to run a scan with Malwarebytes Anti-Malware. The following is the log:

"Malwarebytes' Anti-Malware 1.31
Database version: 1457
Windows 5.1.2600 Service Pack 2

12/17/2008 2:36:23 AM
mbam-log-2008-12-17 (02-36-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 209973
Time elapsed: 2 hour(s), 17 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
C:\Documents and Settings\Derek\Application Data\gadcom (Trojan.Agent) -> No action taken.

Files Infected:
C:\Documents and Settings\Derek\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Derek\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> No action taken."

Although it says no action taken the files were put into quarantine and I deleted them.

I know that people have had success with these programs in removing malware and whatnot.. but I just want to be extra careful with this since I do my online banking with this computer.

The following is my HijackThis log:

"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:45 AM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20583)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\program,files\relevantknowledge\rlai.dll,avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8299 bytes"

Hopefully I have provided enough info on this. Please help me! I'm just worried my computer is still infected Indifferent or Blank

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz

  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will this next prompt that asks if you want to continue the malware scan, select yes

    Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
Running from: c:\documents and settings\Derek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Derek\Application Data\inst.exe
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
.

2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\windows\system32\xircom
2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\windows\srchasst
2008-12-17 15:12 . 2008-12-17 15:12 d-------- c:\program files\microsoft frontpage
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\program files\SUPERAntiSpyware
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\documents and settings\Derek\Application Data\SUPERAntiSpyware.com
2008-12-17 03:15 . 2008-12-17 03:15 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-17 03:14 . 2008-12-17 03:14 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-04 02:16 . 2008-12-04 02:16 d-------- c:\documents and settings\Guest\Application Data\AVGTOOLBAR
2008-12-04 02:15 . 2008-12-17 02:37 d-------- c:\documents and settings\Guest
2008-12-04 02:05 . 2008-12-04 02:05 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-12-04 01:55 . 2008-12-04 02:14 d-------- c:\documents and settings\Administrator
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\documents and settings\Derek\Application Data\Malwarebytes
2008-12-04 00:52 . 2008-12-04 00:52 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 00:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 00:51 . 2004-02-23 01:00 1,386,496 --a------ c:\windows\MSVBVM60.DLL
2008-12-04 00:36 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:28 . 2008-12-04 00:28 d-------- c:\program files\Trend Micro
2008-11-30 22:10 . 2008-12-16 23:31 d--h----- C:\$AVG8.VAULT$
2008-11-30 19:29 . 2008-12-17 09:14 d-------- c:\windows\system32\drivers\Avg
2008-11-30 19:29 . 2008-12-16 03:35 d-------- c:\documents and settings\Derek\Application Data\AVGTOOLBAR
2008-11-30 19:29 . 2008-11-30 19:29 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-30 19:29 . 2008-11-30 19:29 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-11-30 19:29 . 2008-11-30 19:29 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-11-30 19:03 . 2008-11-30 19:29 d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-22 00:17 . 2008-11-22 00:17 d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-11-21 23:35 . 2008-11-21 23:35 d-------- c:\program files\LG Software Innovations
2008-11-21 23:35 . 2008-11-21 23:35 d-------- c:\documents and settings\Derek\Application Data\Vso
2008-11-21 23:35 . 2008-11-21 23:42 d-------- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2008-11-21 23:35 . 2008-11-21 23:35 47,360 --a------ c:\documents and settings\Derek\Application Data\pcouffin.sys
2008-11-17 00:45 . 2008-11-17 00:46 d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
2008-11-17 00:43 . 2008-11-17 00:45 d-------- c:\windows\nview
2008-11-17 00:43 . 2004-10-29 16:50 172,032 --a------ c:\windows\system32\nvudisp.exe
2008-11-17 00:43 . 2004-10-29 16:50 13,653 --a------ c:\windows\system32\nvdisp.nvu
2008-11-17 00:36 . 2008-11-17 00:36 d-------- C:\NVIDIA
2008-11-17 00:22 . 2008-11-17 00:27 d-------- c:\program files\Maxis

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-17 03:18 --------- d-----w c:\program files\Steam
2008-12-14 02:45 --------- d-----w c:\documents and settings\Derek\Application Data\uTorrent
2008-12-07 19:58 --------- d-----w c:\program files\Motorola Phone Tools
2008-12-07 19:56 --------- d-----w c:\program files\Avanquest update
2008-12-06 21:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-26 04:33 --------- d-----w c:\documents and settings\Derek\Application Data\Skype
2008-11-26 03:11 --------- d-----w c:\documents and settings\Derek\Application Data\skypePM
2008-11-22 17:47 --------- d-----w c:\documents and settings\Derek\Application Data\LimeWire
2008-11-22 06:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-22 05:35 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-11-17 06:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-03 06:36 --------- d-----w c:\documents and settings\All Users\Application Data\Zoom Player
2008-11-03 06:35 --------- d-----w c:\program files\Zoom Player
2008-10-31 15:12 --------- d-----w c:\program files\TagRename
2008-10-17 21:03 --------- d-----w c:\program files\007DVD
2008-10-13 04:08 90,112 ----a-w c:\windows\DUMP731c.tmp
2007-08-22 18:44 92,064 ----a-w c:\documents and settings\Derek\mqdmmdm.sys
2007-08-22 18:44 9,232 ----a-w c:\documents and settings\Derek\mqdmmdfl.sys
2007-08-22 18:44 79,328 ----a-w c:\documents and settings\Derek\mqdmserd.sys
2007-08-22 18:44 66,656 ----a-w c:\documents and settings\Derek\mqdmbus.sys
2007-08-22 18:44 6,208 ----a-w c:\documents and settings\Derek\mqdmcmnt.sys
2007-08-22 18:44 5,936 ----a-w c:\documents and settings\Derek\mqdmwhnt.sys
2007-08-22 18:44 4,048 ----a-w c:\documents and settings\Derek\mqdmcr.sys
2007-08-22 18:44 25,600 ----a-w c:\documents and settings\Derek\usbsermptxp.sys
2007-08-22 18:44 22,768 ----a-w c:\documents and settings\Derek\usbsermpt.sys
2007-08-10 02:57 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007080920070810\index.dat
2007-08-10 02:57 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-03-01 16:14 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\dllcache\TCPIP.SYS
2008-03-01 16:14 360704 1157d0d6ba036fb9537d4cd81375b12c c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-04 1809648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\system32\msconfig.exe" [2007-07-22 169984]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-01 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2007-07-22 c:\windows\system32\advpack.dll]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI6"= diomidi.dll
"wave6"= Digi32.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-01 09:46 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Computer Alarm Clock]
--a------ 2007-09-06 14:29 696832 c:\progra~1\COMPUT~1\cac.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2003-02-24 15:11 266313 c:\progra~1\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DigidesignMMERefresh]
--a------ 2006-02-14 23:31 61440 c:\program files\Digidesign\Drivers\MMERefresh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-03-02 10:49 86016 c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 18:05 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-08-11 16:46 21741864 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sofonesia Reminder]
--a------ 2008-06-28 18:56 917504 c:\program files\Sofonesia Reminder\Sofonesia_Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-11-08 15:45 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
--a------ 2008-10-08 16:54 270128 c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-07-25 10:47 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-07-25 10:47 2806272 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-07-25 10:47 90112 c:\windows\SOUNDMAN.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"11909:TCP"= 11909:TCP:utorent
"3703:TCP"= 3703:TCP:*:Disabled:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:*:Disabled:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:*:Disabled:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-30 97928]
R1 FDCENT;FDCENT;\??\c:\windows\system32\drivers\FDCENT.SYS [2008-09-12 47470]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-30 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-30 76040]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-02 24652]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2008-09-15 42112]
S3 PciCon;PciCon;\??\D:\PciCon.sys []

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs


*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-12-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-17 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Derek\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-08 21:41]
.

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Derek\Application Data\Mozilla\Firefox\Profiles\f6oe4gor.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT756030&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Derek\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-17 15:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-17 15:18:02 - machine was rebooted [Derek]
ComboFix-quarantined-files.txt 2008-12-17 21:17:59

Pre-Run: 49,877,925,888 bytes free
Post-Run: 49,788,092,416 bytes free

292

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
Hello.
Download this .reg file from here:
http://www.sendspace.com/file/uehh37

Download the file to your desktop.
Double click it and select yes to the registry merge prompt.

What problems remain?

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

descriptionTrojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more.. EmptyRe: Trojan Horse SHeur2.FJD, Trojan Horse BHO.GQR, and more..

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum