Win32.Palevo can not remove



peterkail
2011-06-09, 13:56
Hi
Spybot detects Win32.Palevo on my work computer, which has no connection to the net. It either has had it a long time (it may have had net access at one time) or it got transferred via a data key.
The original problem was that all the files on the data key got turned into shortcuts, and AVG and Spybot quashed a heap of trojans, but not this one. Only Spybot can detect this one, and once it is deleted it just comes back on the next check. Safe mode does not seem to help either.
The key will also randomly contract Trojan horse PSW.Generic7.ABAN, which AVG can remove; I am presuming that the Palevo is putting it on and trying to spread to other computers.
DDS below and also attached.
Running XP.

Many thanks
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by VIP at 10:31:01 on 2011-06-09
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.521 [GMT 10:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\System32\hkeyman.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Taskman=c:\recycler\s-1-5-21-0393427168-4281156661-707118548-2633\rundll32.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Spyware Doctor] c:\documents and settings\vip\desktop\sdsetup_revwire207.exe -min
uRun: [giaxiic] c:\documents and settings\vip\giaxiic.exe /D
mRun: [Hotkey] c:\windows\system32\hkeyman.exe
mRun: [TtabCtrl] ttabctrl.exe
mRun: [TtabBeep] ttabbeep.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S3 MATRIX;%MATRIX.SvcDesc%;c:\windows\system32\drivers\MATRIX.sys [2009-1-31 16512]
S3 ttab2k;Ttab2K;c:\windows\system32\drivers\ttab2k.sys [2007-10-10 32245]
.
=============== Created Last 30 ================
.
2011-06-08 09:48:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-06-08 07:49:24 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-06-08 07:46:08 135032 ----a-w- c:\windows\system32\drivers\dwprot.sys
2011-06-08 07:32:46 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-03 07:28:39 -------- d--h--w- C:\$AVG
2011-06-03 07:24:24 -------- d-----w- c:\documents and settings\vip\application data\AVG10
2011-06-03 07:19:09 -------- d-----w- c:\windows\system32\drivers\AVG
2011-06-03 07:19:09 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-06-03 07:18:21 -------- d-----w- c:\program files\AVG
2011-06-02 22:12:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-02 22:12:06 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-06-02 21:36:41 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-06-02 21:36:33 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-05-31 23:29:02 -------- d-----w- C:\Simandou 06-2011_G68
.
==================== Find3M ====================
.
2011-04-14 11:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-04 14:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 06:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 10:31:44.90 ===============
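
Two entries in the Pseudo HJT section of the log above stand out whatever the detection name: a Winlogon Taskman value pointing at a rundll32.exe copy inside a RECYCLER\S-1-5-21-... folder, and a uRun entry for giaxiic.exe sitting directly in the user's profile root. Both are classic worm persistence locations, and a copy left in either can re-drop the files a scanner keeps finding. The following is an added example (not part of any post in this thread, and not a component of DDS, Spybot or ComboFix) that parses those DDS line shapes and flags such entries; the heuristics, regexes and function names are this example's own, and the sample input is copied from the log posted above.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for autostart entries
with worm-style persistence traits.

Added example for this thread: it is not part of any post and not a
component of DDS, Spybot or ComboFix. The sample lines are copied from the
DDS log in the first post; the heuristics and names are this example's own.
"""
import re

# Sample input: six entries taken from the Pseudo HJT Report posted above.
SAMPLE_HJT = r"""
mWinlogon: Taskman=c:\recycler\s-1-5-21-0393427168-4281156661-707118548-2633\rundll32.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Spyware Doctor] c:\documents and settings\vip\desktop\sdsetup_revwire207.exe -min
uRun: [giaxiic] c:\documents and settings\vip\giaxiic.exe /D
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [TtabCtrl] ttabctrl.exe
""".strip()

# DDS line shapes: "uRun: [Name] command" and "mWinlogon: Value=command"
RUN_RE = re.compile(r"^(?P<hive>[um]Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
WINLOGON_RE = re.compile(r"^(?P<hive>[um]Winlogon): (?P<name>\w+)=(?P<cmd>.*)$", re.I)

# Stock XP Winlogon values; Taskman has no stock value, so any setting is suspect.
WINLOGON_STOCK = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
SYSTEM_BIN_NAMES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}
# XP and Vista+ profile roots: c:\documents and settings\<user>\x.exe, c:\users\<user>\x.exe
PROFILE_ROOT_RE = re.compile(r"^c:\\(documents and settings|users)\\[^\\]+\\[^\\]+\.exe$")


def exe_path(cmd):
    """Return the lowercase executable path from a Run/Winlogon command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    # Unquoted paths may contain spaces; take everything up to the first ".exe".
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def suspicion_reasons(hive, name, cmd):
    """Reasons an autostart entry deserves review; an empty list means nothing noted."""
    path = exe_path(cmd)
    directory, _, basename = path.rpartition("\\")
    reasons = []
    if "\\recycler\\" in path or "\\$recycle.bin\\" in path:
        reasons.append("executable hidden under a Recycle Bin folder")
    if hive.lower().endswith("winlogon") and path != WINLOGON_STOCK.get(name.lower()):
        reasons.append(f"non-stock Winlogon {name} value")
    if basename in SYSTEM_BIN_NAMES and directory and directory not in WINDOWS_DIRS:
        reasons.append(f"{basename} running from outside the Windows directories")
    if PROFILE_ROOT_RE.match(path):
        reasons.append("executable dropped directly in a user profile root")
    return reasons


def triage(hjt_text):
    """Parse DDS Run/Winlogon lines and return the entries that raised at least one reason."""
    findings = []
    for line in hjt_text.splitlines():
        m = RUN_RE.match(line) or WINLOGON_RE.match(line)
        if not m:
            continue
        reasons = suspicion_reasons(m["hive"], m["name"], m["cmd"])
        if reasons:
            findings.append({"hive": m["hive"], "name": m["name"],
                             "path": exe_path(m["cmd"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['hive']} [{f['name']}] {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it as a script to print the two flagged entries, or import `triage` and pass it the whole Pseudo HJT section of a saved DDS log. The script only reads a log and never touches the registry; the live equivalent of the first check on the affected XP box is `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Taskman` (and the same key under HKCU), since a stock XP install has no Taskman value there.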

Blade81
2011-06-13, 11:38
Hi

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
2. On the left-hand side, click on Tools.
3. Then click on the Resident icon in the list.
4. Uncheck Resident TeaTimer and OK any prompts.
5. Restart your computer.


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix (see http://www.bleepingcomputer.com/forums/topic114351.html). Remember to re-enable them afterwards.
2. Click Yes to allow ComboFix to continue scanning for malware.
3. When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
A new DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Blade81
2011-06-19, 12:23
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.