WiredWX Christian Hobby Weather Tools
trojan horse
I keep getting a trojan horse clicker.aalx popup... I have run a virus scan from AVG that won't clean it up...

Here is my logfile


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:30 AM, on 02/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Chrisandra\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Chrisandra\Documents\Downloads\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Chrisandra\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Wedding%20Dash%202/Images/stg_drm.ocx
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB}: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1E19A42-07FB-4981-BFBC-B77D53649020}: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10442 bytes
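
An added triage script, not part of the original post or of HijackThis itself, that reads the two sections of the log above that matter most to a responder: the "Running processes" list and the numbered R/O entries. It flags O17 NameServer values that are not on a resolver allowlist (here the log points every adapter at 85.255.112.109 and 85.255.112.192, which are not local addresses), core Windows binaries running from outside %SystemRoot% (the winlogon.exe under the user's Downloads folder), and "(no file)" orphans. The allowlist (RFC 1918 plus loopback), the SYSTEM_ONLY name set and the assumption that %SystemRoot% is C:\Windows are all mine; the sample lines are copied from the posted log and trimmed.

```python
"""Triage a HijackThis 2.x log: rogue resolvers, masquerading processes,
orphaned entries.  Added example; the allowlist, the set of
system-only binary names and the C:\\Windows root are assumptions."""
import ipaddress
import re

# Constructed excerpt of the log posted above (lines copied, trimmed).
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\Chrisandra\Documents\Downloads\winlogon.exe

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Binaries that only legitimately live under %SystemRoot%; a copy
# anywhere else is masquerading.  Assumption: illustrative list, extend it.
SYSTEM_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe",
               "smss.exe", "svchost.exe", "explorer.exe"}
SYSTEM_ROOT = r"c:\windows"          # assumption: matches the posted log

# Resolvers the analyst expects.  Assumption: RFC 1918 + loopback; add the
# ISP's resolvers for the machine under review before trusting the output.
TRUSTED_DNS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
ITEM_RE = re.compile(r"^(?:O\d+|R[01]) - .*$")


def split_sections(text):
    """Return (processes, items): the 'Running processes' paths and the
    R/O-numbered entries, in log order.  A blank line ends the process list."""
    processes, items, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ITEM_RE.match(line):
            items.append(line)
    return processes, items


def rogue_resolvers(items):
    """(registry key, address) for every O17 NameServer outside TRUSTED_DNS."""
    hits = []
    for line in items:
        m = O17_RE.match(line)
        if not m:
            continue
        for addr in m["servers"].split(","):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in TRUSTED_DNS):
                hits.append((m["key"], addr))
    return hits


def masquerading_processes(processes):
    """Paths whose basename is a core Windows binary but whose directory
    is not under SYSTEM_ROOT."""
    hits = []
    for path in processes:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY and not low.startswith(SYSTEM_ROOT + "\\"):
            hits.append(path)
    return hits


def orphan_entries(items):
    """O2/O3 entries whose backing DLL no longer exists: clutter, not infection."""
    return [line for line in items if line.endswith("(no file)")]


def triage(text):
    procs, items = split_sections(text)
    return {"rogue_dns": rogue_resolvers(items),
            "masquerading": masquerading_processes(procs),
            "orphans": orphan_entries(items)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Run it against the full log to get the same three buckets; anything in `rogue_dns` or `masquerading` should be dealt with before cosmetic "(no file)" entries.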

Re: trojan horse
Hello heliftsmeup,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)



  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: trojan horse
I did the first steps but when I go to the malware site, nothing comes up, it is a blank page

Re: trojan horse
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

(screenshot: Combofix download dialog in Firefox)

(screenshot: renaming Combofix to Combo-Fix in the save dialog)

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow Combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: trojan horse
Sorry, I am feeling like an idiot here, but my daughter's computer is running on Vista and I cannot change the name before it downloads. It simply asks me if I trust the site, then it does its own thing.... any suggestions? I don't know if it makes a difference, but she is also using Google Chrome.

Thanks
Claire

Re: trojan horse
Hello.
Try downloading it without renaming, and see what happens.

Re: trojan horse
it keeps telling me windows has detected a problem that has stopped the program from working... no details

Re: trojan horse
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in Safe Mode. This tool works in Safe Mode.
You can also try renaming it, since some malware blocks GMER.

Re: trojan horse
GMER 1.0.15.15020 [ekh3k27s.exe] - http://www.gmer.net
Rootkit scan 2009-08-14 18:00:27
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

Code 8608B518 ZwEnumerateKey
Code 8608B4E0 ZwFlushInstructionCache

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCompleteRequest 81E7CFE2 5 Bytes JMP 8613B9EB
.text ntkrnlpa.exe!IofCallDriver 81EFEF6F 5 Bytes JMP 8613B9B2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FF530B 5 Bytes JMP 8608B4E4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8204ABA2 5 Bytes JMP 8608B51C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73BF7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73C398C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73BFD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73BEF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73BF7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73BEE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73C2B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73BFD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73BF012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73BF0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73BE71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73C7D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73C175E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73BEDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73BE668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73BE66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73BF1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Re: trojan horse
Please download SysProt AntiRootkit v1.0.1.0 by Swatkat

  • Next, run the file. *Note: if running Vista, right click and select "Run as administrator".
  • Once opened, navigate to the log tab and select all the areas including the hidden objects only box and click on the create log button
  • A scan will start and then a window will pop up with two options, select scan all drives
  • Once finished it will give you a location where it was saved, navigate to that place usually the desktop, and open the log, post all the contents of the log back here.

Re: trojan horse
I was unable to right click to open as administrator, so I don't know if that changes anything, but here is the log that came up

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHRISANDRA-PC:49221
Remote Address: QB-IN-F100.GOOGLE.COM:HTTPS
Type: TCP
Process: 1264 (PID)
State: SYN_SENT

Local Address: CHRISANDRA-PC:49218
Remote Address: AN-IN-F91.GOOGLE.COM:HTTP
Type: TCP
Process: 3252 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49215
Remote Address: QW-IN-F102.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49191
Remote Address: YO-IN-F166.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49189
Remote Address: HE-IN-F189.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49188
Remote Address: VX-IN-F132.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49187
Remote Address: YO-IN-F103.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49186
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49185
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49184
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49183
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49182
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49181
Remote Address: HE-IN-F18.GOOGLE.COM:HTTP
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49174
Remote Address: VW-IN-F95.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49173
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49172
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49171
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49170
Remote Address: VX-IN-F97.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49169
Remote Address: HE-IN-F18.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49168
Remote Address: YO-IN-F103.GOOGLE.COM:HTTPS
Type: TCP
Process: 4004 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49196
Remote Address: LOCALHOST:49193
Type: TCP
Process: 3560 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49193
Remote Address: LOCALHOST:49196
Type: TCP
Process: 2896 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49193
Remote Address: 0.0.0.0:0
Type: TCP
Process: 2896 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49162
Remote Address: LOCALHOST:27015
Type: TCP
Process: 3312 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:27015
Remote Address: LOCALHOST:49162
Type: TCP
Process: 536 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: 536 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1096 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:4664
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3252 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49157
Remote Address: 0.0.0.0:0
Type: TCP
Process: 668 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49156
Remote Address: 0.0.0.0:0
Type: TCP
Process: 680 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49155
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1264 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49154
Remote Address: 0.0.0.0:0
Type: TCP
Process: 1168 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:49153
Remote Address: 0.0.0.0:0
Type: TCP
Process: 620 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: 4 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: 980 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:62706
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:5353
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:138
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHRISANDRA-PC:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: 4 (PID)
State: NA

Local Address: CHRISANDRA-PC:62707
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:62604
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:53392
Remote Address: NA
Type: UDP
Process: 3372 (PID)
State: NA

Local Address: CHRISANDRA-PC:SSDP
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

Local Address: CHRISANDRA-PC:55352
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:52906
Remote Address: NA
Type: UDP
Process: 1096 (PID)
State: NA

Local Address: CHRISANDRA-PC:LLMNR
Remote Address: NA
Type: UDP
Process: 1072 (PID)
State: NA

Local Address: CHRISANDRA-PC:IPSEC-MSFT
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:500
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA

Local Address: CHRISANDRA-PC:123
Remote Address: NA
Type: UDP
Process: 1020 (PID)
State: NA

******************************************************************************************
******************************************************************************************
No hidden files/folders found
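
SysProt prints the socket table as five-line records and gives only PIDs, so a responder has to group the list before it says anything. The script below is an added example, not part of the thread or of SysProt: it parses that "Ports:" format, buckets each PID's sockets into listening, loopback and external, and lists the PIDs that hold outbound connections. Those PIDs then need a name from a process listing taken at the same time (for example `tasklist /svc` at a command prompt); the log above does not carry that mapping, and the sample records are copied from it and trimmed.

```python
"""Summarise the 'Ports:' section of a SysProt AntiRootkit log per PID.
Added example; the record format is SysProt's, the sample is an excerpt of
the posted log, the bucket names are mine."""
import re
from collections import defaultdict

# Constructed excerpt of the posted log (record layout unchanged).
SAMPLE = """\
Ports:
Local Address: CHRISANDRA-PC:49221
Remote Address: QB-IN-F100.GOOGLE.COM:HTTPS
Type: TCP
Process: 1264 (PID)
State: SYN_SENT

Local Address: CHRISANDRA-PC:49218
Remote Address: AN-IN-F91.GOOGLE.COM:HTTP
Type: TCP
Process: 3252 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:49196
Remote Address: LOCALHOST:49193
Type: TCP
Process: 3560 (PID)
State: ESTABLISHED

Local Address: CHRISANDRA-PC:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: 536 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:4664
Remote Address: 0.0.0.0:0
Type: TCP
Process: 3252 (PID)
State: LISTENING

Local Address: CHRISANDRA-PC:500
Remote Address: NA
Type: UDP
Process: 1264 (PID)
State: NA
"""

FIELD = re.compile(r"^(Local Address|Remote Address|Type|Process|State): (.*)$")
PID = re.compile(r"^(\d+) \(PID\)$")


def parse_ports(text):
    """Yield one dict per complete five-field record."""
    rec = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        rec[m.group(1)] = m.group(2)
        if len(rec) == 5:
            yield rec
            rec = {}


def split_endpoint(endpoint):
    """'HOST:PORT' -> (host, port); the port may be a service name (HTTPS, EPMAP)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify(rec):
    """listening: TCP LISTENING or UDP socket with no peer;
    loopback: peer is LOCALHOST; external: everything else."""
    if rec["State"] == "LISTENING" or (rec["Type"] == "UDP" and rec["Remote Address"] == "NA"):
        return "listening"
    rhost, _ = split_endpoint(rec["Remote Address"])
    if rhost.upper() == "LOCALHOST":
        return "loopback"
    return "external"


def summarize(text):
    """{pid: {'listening': ['TCP/27015', ...], 'loopback': [...], 'external': [...]}}"""
    out = defaultdict(lambda: {"listening": [], "loopback": [], "external": []})
    for rec in parse_ports(text):
        pid = int(PID.match(rec["Process"]).group(1))
        kind = classify(rec)
        _, lport = split_endpoint(rec["Local Address"])
        if kind == "listening":
            out[pid][kind].append(f"{rec['Type']}/{lport}")
        else:
            out[pid][kind].append(f"{rec['Remote Address']} {rec['State']}")
    return dict(out)


def pids_with_external(text):
    """PIDs that hold at least one non-loopback connection: the ones to name first."""
    return sorted(pid for pid, buckets in summarize(text).items() if buckets["external"])


if __name__ == "__main__":
    for pid, buckets in sorted(summarize(SAMPLE).items()):
        print(pid, buckets)
    print("name these first:", pids_with_external(SAMPLE))
```

On the full log the external bucket is dominated by one PID (4004, all Google hosts), which is consistent with the many chrome.exe instances in the HijackThis process list, but only a process listing from the same session can confirm that.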

Re: trojan horse

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: trojan horse
DDS (Ver_09-07-30.01) - NTFSx86
Run by Chrisandra at 15:29:08.42 on 16/08/2009
Internet Explorer: 8.0.6001.18783
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.2.1033.18.3062.2007 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\IDT\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\sttray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\Chrisandra\Documents\Downloads\SysProt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Chrisandra\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=BB&Br=GTW&Loc=ENG_CA&Sys=PTB&M=T-6829
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A057A204-BACC-4D26-8087-36EE87E26986} - No File
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Microsoft Location Finder] "c:\program files\microsoft location finder\LocationFinder.exe"
uRun: [Google Update] "c:\users\chrisandra\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\chrisa~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: cantireu.com\www
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Wedding%20Dash%202/Images/stg_drm.ocx
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
TCP: NameServer = 85.255.112.109,85.255.112.192
TCP: {B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB} = 85.255.112.109,85.255.112.192
TCP: {F1E19A42-07FB-4981-BFBC-B77D53649020} = 85.255.112.109,85.255.112.192
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-27 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-11 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-3 29744]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-08-14 15:01 318,976 a------- c:\windows\system32\CF16936.exe
2009-08-13 19:13 318,976 a------- c:\windows\system32\CF13593.exe
2009-08-13 19:12 318,976 a------- c:\windows\system32\CF13358.exe
2009-08-13 19:11 318,976 a------- c:\windows\system32\CF12395.exe
2009-08-08 22:12 --dsh--- C:\found.000
2009-08-05 16:26 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-05 16:26 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-05 16:26 --d----- c:\program files\iPod
2009-08-05 16:26 --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-05 16:26 --d----- c:\program files\iTunes
2009-08-05 16:26 --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-02 10:20 --d----- c:\users\chrisandra\.SunDownloadManager
2009-07-31 19:23 --d----- c:\users\chrisa~1\appdata\roaming\OpenSong
2009-07-31 19:17 --d----- c:\program files\OpenSong
2009-07-27 14:48 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-27 14:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-27 14:32 -cd-h--- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 14:32 -cd-h--- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 14:32 --d----- c:\programdata\Lavasoft
2009-07-27 14:32 --d----- c:\program files\Lavasoft
2009-07-27 14:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 14:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-27 14:16 --d----- c:\programdata\Malwarebytes
2009-07-27 14:16 --d----- c:\progra~2\Malwarebytes
2009-07-27 14:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 14:00 --d----- c:\programdata\WindowsSearch

==================== Find3M ====================

2009-08-05 16:23 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-05 16:23 86,016 a------- c:\windows\inf\infstor.dat
2009-08-05 16:23 51,200 a------- c:\windows\inf\infpub.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-01 17:39 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 17:39 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-09-11 21:26 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-05-12 16:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-12 16:06 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-12 16:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 15:29:35.23 ===============

Re: trojan horse
Hello.
No rootkit by the looks of it, GMER isn't flagging anything.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8FFE36E-D0E9-4ABD-A268-05DC051EA9EB}: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F1E19A42-07FB-4981-BFBC-B77D53649020}: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.109,85.255.112.192


  • Press "Fix Checked"
  • Close Hijack This.

How is the machine running now?

