Trojan Horse Generic17.BKCS & SpamTool.FYS

Avg Anti-virus and anti-spyware 9.0
June 13, 2010 at 07:43:51
Specs: Windows XP, P4 2.Ghz - 1GB Ram
PLEASE HELP!!! My PC has a virus that I'm having trouble getting rid of. It started out as a fake alert virus that took control of my system. I seem to be getting on top of things, but my AVG antivirus continues to show infected files with "Trojan horse Generic17.BKCS" and "Trojan horse SpamTool.FYS". I have run Malwarebytes and Spybot.

Thanks




#1
June 13, 2010 at 08:59:03
If you have a trojan horse, try Trojan Remover and also Hitman Pro and remove all they find.

Some HELP in posting on Computing.net plus free progs and instructions. Cheers



#2
June 13, 2010 at 12:31:37
Ran both Trojan Remover and also Hitman Pro. Trojan Remover cleared some problems and is now 100% clear. Hitman Pro found 2 problems, fixed 1 on reboot but is unable to remove the virus from the file "ndis.sys" in the drivers folder. I ran AVG again and "Trojan horse Generic17.BKCS" and "Trojan horse SpamTool.FYS" are still being found.

AVG is now giving a warning "Threat detected": Trojan Horse Rootkit-Pakes.AA.

Any help would be much appreciated.



#3
June 13, 2010 at 13:15:50


#4
June 13, 2010 at 14:44:35
Thanks XpUser4Real, I ran ComboFix as instructed and the following log was created.

ComboFix 10-06-13.01 - Administrator 13/06/2010 22:30:33.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.204 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
C:\Thumbs.db

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-05-13 to 2010-06-13 )))))))))))))))))))))))))))))))
.

2010-06-13 20:08 . 2010-06-13 20:08 0 ----a-w- c:\windows\nsreg.dat
2010-06-13 20:08 . 2010-06-13 20:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-06-13 19:39 . 2010-06-13 19:39 -------- d-----w- c:\program files\ERUNT
2010-06-13 19:18 . 2010-02-27 19:46 3691384 ----a-w- c:\documents and settings\Administrator\Application Data\Simply Super Software\Trojan Remover\gpw7.exe
2010-06-13 19:12 . 2010-06-13 20:06 0 ----a-w- c:\windows\system32\drivers\ndis.vir
2010-06-13 19:03 . 2010-06-13 21:11 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-13 19:03 . 2010-06-13 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-06-13 19:03 . 2010-06-13 19:03 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-06-13 18:51 . 2010-06-13 19:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-13 18:51 . 2006-06-19 11:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-13 18:51 . 2006-05-25 13:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-13 18:51 . 2005-08-25 23:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-13 18:51 . 2003-02-02 18:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-13 18:51 . 2002-03-05 23:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-13 18:51 . 2010-06-13 18:51 -------- d-----w- c:\program files\Trojan Remover
2010-06-13 18:51 . 2010-06-13 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-13 18:51 . 2010-06-13 18:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software
2010-06-13 13:46 . 2010-06-13 13:46 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-13 13:46 . 2010-06-13 13:46 -------- d-----w- c:\program files\Trend Micro
2010-06-13 13:43 . 2010-04-19 09:25 2117704 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-06-11 21:15 . 2010-06-11 21:15 -------- d-----w- C:\$AVG
2010-06-11 21:12 . 2010-06-11 21:12 13328 ----a-w- C:\cc_20100611_221215.reg
2010-06-11 20:48 . 2010-06-11 20:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-11 20:48 . 2010-06-11 21:03 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-11 20:48 . 2010-06-11 20:48 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-11 20:48 . 2010-06-11 21:03 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-11 20:48 . 2010-06-13 13:41 -------- d-----w- c:\windows\system32\drivers\Avg
2010-06-11 20:36 . 2010-06-13 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-06-11 20:05 . 2010-06-11 20:05 -------- d-----w- c:\windows\ERUNT
2010-06-11 20:01 . 2010-06-11 20:24 -------- d-----w- C:\SDFix
2010-06-11 20:01 . 2010-06-11 19:52 1529241 ----a-w- C:\SDFix.exe
2010-06-11 19:32 . 2010-06-11 19:32 -------- d-----w- c:\program files\MSXML 6.0
2010-06-11 17:50 . 2010-06-11 17:50 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-06-11 16:34 . 2010-05-06 10:41 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-11 16:34 . 2010-05-06 10:41 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-11 16:34 . 2010-05-06 10:41 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-11 16:34 . 2010-05-06 10:41 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-11 16:34 . 2010-05-06 10:41 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-11 16:34 . 2010-05-06 10:41 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-11 16:34 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-11 16:34 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-11 16:18 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-11 16:12 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-11 16:12 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-11 16:12 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-11 16:12 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-11 16:10 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-11 16:07 . 2010-06-11 16:07 -------- dc----w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-11 12:12 . 2004-08-03 22:06 25600 ----a-w- c:\windows\system32\setupcl.exe
2010-06-11 11:53 . 2010-06-11 11:53 -------- d-----w- c:\windows\msapps
2010-06-11 11:24 . 2001-08-17 21:36 38912 -c--a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2010-06-11 11:23 . 2006-02-28 12:00 8192 -c--a-w- c:\windows\system32\dllcache\httpmb51.dll
2010-06-11 11:22 . 2006-02-28 12:00 6144 -c--a-w- c:\windows\system32\dllcache\admxprox.dll
2010-06-11 11:20 . 2006-02-28 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-06-11 11:02 . 2006-02-28 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-06-11 11:02 . 2006-02-28 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-06-11 11:02 . 2006-02-28 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-06-11 11:02 . 2006-02-28 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-06-11 09:47 . 2010-06-11 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-11 08:52 . 2010-06-11 08:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\VS Revo Group
2010-06-11 08:51 . 2010-06-11 08:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\VS Revo Group
2010-06-11 08:51 . 2009-12-30 11:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-06-11 08:51 . 2010-06-11 08:51 -------- d-----w- c:\program files\VS Revo Group
2010-06-11 08:22 . 2010-06-11 08:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-11 07:58 . 2010-06-11 07:58 -------- d-----w- c:\program files\AVG
2010-06-11 07:55 . 2010-06-11 08:27 -------- d-----w- c:\windows\system32\MpEngineStore
2010-06-10 13:52 . 2010-06-10 13:52 52432 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-06-10 12:45 . 2010-06-10 13:07 -------- d-----w- c:\windows\4FC9DA9DF608454E8191D7EFFDCC5726.TMP
2010-06-10 12:45 . 2010-06-10 12:45 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-10 12:44 . 2010-06-10 12:44 -------- d-----w- c:\program files\CCleaner
2010-06-10 11:03 . 2010-06-10 11:03 -------- d-----w- c:\program files\Enigma Software Group
2010-06-10 10:31 . 2010-06-13 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-10 10:31 . 2010-06-13 20:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-10 09:49 . 2010-06-10 09:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-10 09:49 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-10 09:49 . 2010-06-10 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-10 09:49 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-10 09:49 . 2010-06-10 12:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 14:17 . 2010-05-16 14:17 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 19:34 . 2010-06-11 19:34 20 ----a-w- c:\documents and settings\LocalService\Application Data\ohipmn.dat
2010-06-11 19:34 . 2006-02-28 12:00 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-06-11 11:18 . 2004-08-09 13:28 23444 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-06-11 08:41 . 2010-02-16 10:26 23126 ----a-w- c:\windows\hpqins15.dat
2010-06-11 08:33 . 2009-05-25 23:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\HPAppData
2010-06-10 16:00 . 2005-03-22 15:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-10 15:29 . 2006-03-10 17:11 -------- d-----w- c:\program files\Symantec
2010-06-10 15:29 . 2006-03-10 17:11 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-10 11:05 . 2005-03-22 03:00 42432 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 19:05 . 2010-06-09 19:05 20 ----a-w- c:\windows\system32\config\systemprofile\Application Data\ohipmn.dat
2010-06-09 18:58 . 2010-06-09 18:58 20 ----a-w- c:\documents and settings\NetworkService\Application Data\ohipmn.dat
2010-05-06 10:41 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2010-05-04 17:20 78336 ------w- c:\windows\system32\ieencode.dll
2010-05-02 05:56 . 2006-02-28 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[-] 2010-06-11 19:34 . DF275AF293A11E4AE96B781C2D8702F1 . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-06-11 19:34 . DF275AF293A11E4AE96B781C2D8702F1 . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="OSK.exe" [2006-02-28 215552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-20 32873]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 524800]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-11 2065248]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-27 1165192]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-13 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-11 20:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-11 13:41 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/06/2010 21:48 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/06/2010 21:48 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/06/2010 21:48 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/06/2010 21:48 308064]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [11/06/2010 21:48 430152]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [11/06/2010 09:51 27064]
S4 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys [10/06/2010 14:52 52432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tmv1hkog.default\
FF - plugin: c:\program files\Java\j2re1.4.2_01\bin\NPJPI142_01.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-13 22:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1150653608-2414557687-2016300987-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
@SACL=
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,bb,43,51,0f,9f,02,48,96,44,4b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,bb,43,51,0f,9f,02,48,96,44,4b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,bb,43,51,0f,9f,02,48,96,44,4b,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,bb,43,51,0f,9f,02,48,96,44,4b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1c,bb,43,51,0f,9f,02,48,96,44,4b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2010-06-13 22:39:29
ComboFix-quarantined-files.txt 2010-06-13 21:39

Pre-Run: 71,022,927,872 bytes free
Post-Run: 71,025,971,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4DAF1A8DCC06CBFF3E0DB0CD3BA42134



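The Sigcheck section of the ComboFix log above shows why the driver kept coming back: the dllcache backup of ndis.sys carries the same MD5 as the unsigned live copy. This added Python example (not part of the thread, and not ComboFix's own code) parses those two lines and reports any unsigned file whose Windows File Protection backup is byte-identical to it; the field layout in LINE_RE is my assumption about ComboFix's Sigcheck format.

```python
import re
from collections import defaultdict

# The two Sigcheck lines from the ComboFix log above (copied, not constructed).
# A leading [-] means the file failed ComboFix's digital signature check.
SIGCHECK_LINES = r"""
[-] 2010-06-11 19:34 . DF275AF293A11E4AE96B781C2D8702F1 . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2010-06-11 19:34 . DF275AF293A11E4AE96B781C2D8702F1 . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
""".strip().splitlines()

# Assumed field layout: [status] timestamp . MD5 . size . . [flags] . . path
LINE_RE = re.compile(
    r"^\[(?P<status>[-+])\]\s+(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[[^\]]*\]\s+\.\s+\.\s+(?P<path>.+)$"
)


def parse_sigcheck(lines):
    """Return one dict per parsable Sigcheck line (status, stamp, md5, size, path)."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            d["path"] = d["path"].strip().lower()
            entries.append(d)
    return entries


def tainted_backups(entries):
    """Pair each unsigned live file with its Windows File Protection backup
    (same file name under system32\\dllcache). When both carry the same MD5,
    the protected-file cache holds the same infected image, so there is no
    clean local copy left to restore from and cleaning the live file alone
    will not hold. Returns {file name: (live path, backup path)} for such pairs."""
    by_name = defaultdict(dict)
    for e in entries:
        if e["status"] != "-":
            continue  # signed files are not of interest here
        name = e["path"].rsplit("\\", 1)[-1]
        kind = "backup" if "\\dllcache\\" in e["path"] else "live"
        by_name[name][kind] = e
    result = {}
    for name, copies in by_name.items():
        live, backup = copies.get("live"), copies.get("backup")
        if live and backup and live["md5"] == backup["md5"]:
            result[name] = (live["path"], backup["path"])
    return result


if __name__ == "__main__":
    for name, (live, backup) in tainted_backups(parse_sigcheck(SIGCHECK_LINES)).items():
        print(f"{name}: unsigned live copy {live} matches WFP backup {backup}")
```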

#5
June 13, 2010 at 20:53:26
Download GMER from the following location and save it to your desktop.

http://www.gmer.net/gmer.zip

When you click on the above link you will see a download prompt.

Click on the Save button. You will now be presented with a screen asking where you would like to save the file.

Click once on the Desktop button to save the file to your Desktop and then press the Save button. Your computer will now download the file and save it on your Desktop. When it is done downloading you will find an icon on your desktop called Gmer.Zip.

Right-click on the gmer.zip icon and select the Extract all... menu option.

You will be shown a screen asking how you would like to extract the file. Just keep pressing the Next button until you get to the last screen and then press the Finish button to finish the extraction process.

The GMER folder should automatically open and you will see that it contains the file called gmer.exe.

Please double-click on the gmer.exe program. Once you double-click the icon a Windows Security Warning may appear asking if you are sure you would like to run the program. If this warning appears, please click on the Run button to allow GMER to start.

If no warning appeared then you should just continue!

You will now see the main GMER window. If it gives you a warning about rootkit activity and asks if you want to run a full scan, please click on the NO button. We now need to configure GMER to not use some settings.

Please uncheck the following settings that we do not want in our scan. These will be located off to the right side of the main window; uncheck only these three!
* IAT/EAT
* Drives/Partition other than Systemdrive, which is typically C:\
* Show All (This is important, so do not miss it.)

Click on the Scan button to scan your computer for rootkits. This may take a while, so please be patient. When it has finished you will be back at the main screen.

You now need to save the rootkit scan report to your Desktop by clicking on the Save button.

A screen will open asking where you would like to save the report. Click once on the Desktop button to change to the Desktop folder and then in the File name: field enter nai.txt.

Finally, press the Save button to save the report to your desktop. Please do not act on any of the information you find in this report as many legitimate programs could be listed in it. Post the log!!



#6
June 13, 2010 at 23:32:34
This is a trojan virus, which is a faulty file that affects the computer program and can infect remote computers by changing the desktop or deleting important files. It appears as a malicious file or software which comes from a trusted source, and it can trick users into opening or downloading it. You need to take action and protect your personal computer files from being deleted by this Trojan virus.

Kristain Hayes



#7
June 14, 2010 at 01:29:44
Hi, I ran the gmer.exe and the following report was created.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-14 09:23:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxlyqpob.sys


---- System - GMER 1.0.15 ----

Code 823D20E0 pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x82304200, 0x3262A, 0xE0000060]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!DialogBoxParamW 77D56702 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!DialogBoxParamA 77D588E1 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!DialogBoxIndirectParamW 77D62598 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!MessageBoxIndirectA 77D6AEF1 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!MessageBoxExW 77D80559 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!MessageBoxExA 77D8057D 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!DialogBoxIndirectParamA 77D86CED 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2784] ole32.dll!OleLoadFromStream 77518C62 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\WINDOWS\System32\svchost.exe[3984] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\System32\svchost.exe[3992] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [8230B982] NDIS.sys[.reloc]

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


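The GMER report above packs three related facts into one-line entries: a .reloc section of NDIS.sys marked executable with characteristics 0xE0000060, the \Device\Ndis dispatch address 8230B982, and in-memory svchost.exe images that no longer match the file on disk. This added Python example (not part of the thread, and not GMER's own code) decodes the bracketed [address, size, characteristics] triple with the PE section flag values from winnt.h and checks whether the device dispatch address falls inside that executable range, recomputing from the numbers what GMER summarises as NDIS.sys[.reloc]; the regexes and the DATA_ONLY_SECTIONS list are my assumptions about the report format.

```python
import re

# PE section header Characteristics bits from winnt.h (only those needed here).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
# Sections that hold data only in a normally built image (.reloc is
# read-only, discardable relocation data); executable code there is abnormal.
DATA_ONLY_SECTIONS = {".reloc", ".rsrc", ".data", ".rdata", ".idata", ".edata"}

# Three lines copied from the GMER report above (not constructed).
GMER_LINES = r"""
.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x82304200, 0x3262A, 0xE0000060]
? C:\WINDOWS\System32\svchost.exe[3984] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
Device \Driver\NDIS \Device\Ndis [8230B982] NDIS.sys[.reloc]
""".strip().splitlines()

# Assumed layouts of the three GMER entry types handled here.
SECTION_RE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<path>\S+)\s+section is executable\s+"
    r"\[(?P<addr>0x[0-9A-Fa-f]+),\s*(?P<size>0x[0-9A-Fa-f]+),\s*(?P<chars>0x[0-9A-Fa-f]+)\]"
)
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<image>\S+)"
)
MISMATCH_RE = re.compile(r"^\?\s+(?P<path>\S+?)\[(?P<pid>\d+)\]\s+(?P<reasons>.+)$")


def decode_characteristics(value):
    """Names of the set Characteristics bits, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]


def parse_report(lines):
    """Split the report into section, device and image-mismatch entries."""
    sections, devices, mismatches = [], [], []
    for line in lines:
        if m := SECTION_RE.match(line):
            start, size = int(m["addr"], 16), int(m["size"], 16)
            sections.append({"section": m["section"], "path": m["path"], "start": start,
                             "end": start + size, "flags": decode_characteristics(int(m["chars"], 16))})
        elif m := DEVICE_RE.match(line):
            devices.append({"driver": m["driver"], "device": m["device"],
                            "addr": int(m["addr"], 16), "image": m["image"]})
        elif m := MISMATCH_RE.match(line):
            reasons = [r.strip() for r in m["reasons"].split(";") if r.strip()]
            mismatches.append({"path": m["path"], "pid": int(m["pid"]), "reasons": reasons})
    return sections, devices, mismatches


def findings(lines):
    """Flag a data-only section that is executable, any device whose dispatch
    address lies inside it, and processes whose in-memory image differs from disk."""
    sections, devices, mismatches = parse_report(lines)
    out = []
    for s in sections:
        if s["section"] in DATA_ONLY_SECTIONS and "IMAGE_SCN_MEM_EXECUTE" in s["flags"]:
            out.append(f"{s['path']}: {s['section']} is executable ({', '.join(s['flags'])})")
            for d in devices:
                if s["start"] <= d["addr"] < s["end"]:
                    out.append(f"{d['device']} ({d['driver']}) dispatches into {s['section']} at 0x{d['addr']:08X}")
    for m in mismatches:
        out.append(f"{m['path']} pid {m['pid']}: in-memory image differs from disk ({len(m['reasons'])} mismatches)")
    return out


if __name__ == "__main__":
    for line in findings(GMER_LINES):
        print(line)
```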

#8
July 7, 2010 at 19:04:16
Hi, I have the same problem here!
Have you found any solution?
Thanks.


#9
August 3, 2010 at 17:16:47
Hi Roozveh,
I managed to get the PC fixed after some time. Check out this link to an AVG forum where I got it sorted:
http://forums.avg.com/ie-en/avg-free-forum?sec=thread&act=show&id=93233
Hope it helps.
