Results 1 to 7 of 7

Thread: Trojan Sheur3

  1. #1
    Junior Member
    Join Date
    Sep 2010
    Posts
    4

    Default Trojan Sheur3

    My avg came up with lots of Trojan Sheur3s and, zbots and VBS/generics. A lot, like thousands by now. And they keep on coming. They're spreading fast and many things have become unsuable. I was not able to run ERUNT or uninstall certain undesirable programs mentioned elsewhere in this forum. When I try, it tells me I don't have permission yet I am the only one on this computer and permissions have never been set. I'm hearing random speaker sounds. I have an out of date Adobe Reader and an out of date Java, I have a feeling it was the latter since I see most issues in Java files, Java processes activate on their own, and I can't remove it. These seems agressive.

    HELP!
    Here is my dds log, I selected all, so this should be everything I've got:



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by User at 11:48:15.71 on Tue 09/21/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.435 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    "C:\WINDOWS\System32\svchost.exe"
    "C:\WINDOWS\System32\svchost.exe"
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\User\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ca/
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [ZE18MW23GY] c:\docume~1\user\locals~1\temp\Mhg.exe
    uRun: [newsecureapp70700.exe] c:\documents and settings\user\application data\3b44b5168e31195f95279ae35cdc442d\newsecureapp70700.exe
    uRun: [{7035CFFA-F19B-82F7-FE0B-849A3179F5D9}] "c:\documents and settings\user\application data\abfydu\uhedc.exe"
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SkyTel] SkyTel.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [<NO NAME>]
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [sta] rundll32 "E1890.dll",,Run
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\all users\desktop\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\user\local settings\temp\{49d5baa7-c294-42bd-a692-27751846f984}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199812469102
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199812422587
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli c:\windows\system32\kasomunu.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-18 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-18 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-18 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    S2 gupdate1caa5cf44f269d2;Google Update Service (gupdate1caa5cf44f269d2);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 133104]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;"c:\program files\google\google desktop search\googledesktop.exe" --> c:\program files\google\google desktop search\GoogleDesktop.exe [?]
    S3 PentaxUsb;PENTAX Optio E10 on USB;c:\windows\system32\drivers\CoachUsb.sys [2009-1-29 50976]
    S3 PentaxVc;PENTAX Optio E10 Video Capture;c:\windows\system32\drivers\CoachVc.sys [2009-1-29 44256]

    =============== Created Last 30 ================

    2010-09-21 02:58:32 0 d-----w- c:\program files\sys231
    2010-09-20 15:11:38 0 d-----w- c:\program files\sys21
    2010-09-14 13:16:43 112 ----a-w- c:\docume~1\alluse~1\applic~1\SpEDc3UK.dat
    2010-09-14 03:57:05 0 d-----w- c:\documents and settings\user\WINDOWS
    2010-09-14 03:56:52 47104 ----a-w- c:\windows\system32\KMVIDC32.DLL
    2010-08-24 23:45:49 0 d-----w- c:\program files\JRE
    2010-08-24 23:45:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-23 01:47:00 664 ----a-w- c:\windows\system32\d3d9caps.dat

    ==================== Find3M ====================

    2010-09-21 15:48:40 786432 ----a-w- c:\windows\system32\drivers\umrlleci.sys
    2010-07-15 15:37:16 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:15:28 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-06-24 12:15:26 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-24 12:15:26 17408 ------w- c:\windows\system32\corpol.dll
    2009-07-14 18:59:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009071420090715\index.dat

    ============= FINISH: 11:50:22.89 ===============

  2. #2
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello The apprentice and

    My name is JonTom

    • Malware Logs can sometimes take a lot of time to research and interpret.
    • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
    • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
    • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
    • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.


    Please work your way through the following steps. If you encounter any problems come back and let me know.


    1. Please scan your system with GMER



      Download GMER Rootkit Scanner from here or here.
      • Extract the contents of the zipped file to desktop.
      • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
      • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
      • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
        • IAT/EAT
        • Drives/Partition other than Systemdrive (typically C:\)
        • Show All (don't miss this one)
      • Then click the Scan button & wait for it to finish.
      • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
      • Save it where you can easily find it, such as your desktop, and post it in your reply.


      **Caution**
      Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


      Did you save the DDS attach.txt? If so please post it along with the GMER log in your next reply.
    Proud Graduate of the WTT Classroom

  3. #3
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Do you still need help?
    Proud Graduate of the WTT Classroom

  4. #4
    Junior Member
    Join Date
    Sep 2010
    Posts
    4

    Default

    yes! I am starting now.

    Thank you.

  5. #5
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Okay

    Post when you can. If you have any problems with the scan come back and let me know.
    Proud Graduate of the WTT Classroom

  6. #6
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello The apprentice

    You have had 10 days to run the required scans now.

    I will leave this thread open for another 24 hours to give you time to reply.

    If I receive no reply from you after that time this thread will be closed.
    Proud Graduate of the WTT Classroom

  7. #7
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread. Everyone else please begin a New Topic.
    Proud Graduate of the WTT Classroom

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •