
Thread: Possible sick PC; Trojan Horse Generic16.ALUX

  1. #21
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Let's see if there's something that was hiding from logs.

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems, create a thread in the forum, please.

    Malware removal instructions are for the corresponding user's case only.

  2. #22
    Member
    Join Date
    Feb 2009
    Posts
    45

    ComboFix 10-02-18.07 - Stephanie 02/18/2010 19:52:35.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.302 [GMT -5:00]
    Running from: c:\users\Stephanie\Desktop\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-3243829120-3873577764-3776027936-500
    c:\$recycle.bin\S-1-5-21-3833665739-4154496780-627808274-500

    .
    ((((((((((((((((((((((((( Files Created from 2010-01-19 to 2010-02-19 )))))))))))))))))))))))))))))))
    .

    2010-02-19 01:07 . 2010-02-19 01:08 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
    2010-02-19 01:07 . 2010-02-19 01:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-02-16 22:09 . 2010-02-16 22:10 -------- d-----w- c:\users\Stephanie\AppData\Local\Adobe
    2010-02-15 14:51 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\32424132.sys
    2010-02-15 14:51 . 2009-10-10 03:31 311312 ----a-w- c:\windows\system32\drivers\3242413.sys
    2010-02-15 14:51 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\32424131.sys
    2010-02-14 22:34 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\34947832.sys
    2010-02-14 22:34 . 2009-10-10 03:31 311312 ----a-w- c:\windows\system32\drivers\3494783.sys
    2010-02-14 22:34 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\34947831.sys
    2010-02-14 18:41 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\93328472.sys
    2010-02-14 18:41 . 2009-10-10 03:31 311312 ----a-w- c:\windows\system32\drivers\9332847.sys
    2010-02-14 18:41 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\93328471.sys
    2010-02-09 23:16 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-02-09 23:16 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-02-09 23:16 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-02-09 23:16 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-09 23:16 . 2009-12-08 20:01 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-02-09 23:16 . 2009-12-08 17:26 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
    2010-02-09 23:15 . 2009-12-04 18:29 1314816 ----a-w- c:\windows\system32\quartz.dll
    2010-02-09 23:15 . 2009-12-04 18:30 12288 ----a-w- c:\windows\system32\tsbyuv.dll
    2010-02-09 23:15 . 2009-12-04 18:28 22528 ----a-w- c:\windows\system32\msyuv.dll
    2010-02-09 23:15 . 2009-12-04 18:28 31744 ----a-w- c:\windows\system32\msvidc32.dll
    2010-02-09 23:15 . 2009-12-04 18:28 13312 ----a-w- c:\windows\system32\msrle32.dll
    2010-02-09 23:15 . 2009-12-04 18:28 82944 ----a-w- c:\windows\system32\mciavi32.dll
    2010-02-09 23:15 . 2009-12-04 18:28 50176 ----a-w- c:\windows\system32\iyuv_32.dll
    2010-02-09 23:15 . 2009-12-04 18:28 123904 ----a-w- c:\windows\system32\msvfw32.dll
    2010-02-09 23:15 . 2009-12-04 18:27 91136 ----a-w- c:\windows\system32\avifil32.dll
    2010-02-09 23:15 . 2009-12-04 15:56 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-09 23:15 . 2009-12-04 15:56 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-02-09 18:58 . 2010-02-09 18:58 -------- d-----w- c:\program files\TrendMicro
    2010-02-09 18:52 . 2010-02-09 18:53 -------- d-----w- c:\program files\ERUNT
    2010-02-09 16:12 . 2010-02-09 16:12 -------- d-----w- c:\program files\iPod
    2010-02-09 16:12 . 2010-02-09 16:13 -------- d-----w- c:\program files\iTunes
    2010-02-09 16:07 . 2010-02-09 16:07 -------- d-----w- c:\program files\Apple Software Update
    2010-02-09 15:30 . 2010-02-09 15:30 -------- d-----w- c:\program files\Common Files\Java

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-17 15:35 . 2007-08-26 21:08 -------- d-----w- c:\programdata\Kaspersky Lab
    2010-02-15 14:45 . 2007-06-08 23:33 12 ----a-w- c:\windows\bthservsdp.dat
    2010-02-10 08:19 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-02-09 18:58 . 2010-02-09 18:58 388096 ----a-r- c:\users\Stephanie\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-09 16:26 . 2009-11-23 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-09 16:24 . 2010-02-09 16:24 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-02-09 16:12 . 2009-01-26 02:13 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-09 15:47 . 2007-06-08 23:54 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-09 15:41 . 2007-06-09 00:41 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-09 15:30 . 2007-06-09 01:15 -------- d-----w- c:\program files\Java
    2010-02-09 15:25 . 2007-08-27 06:05 87320 ----a-w- c:\users\Stephanie\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-09 15:23 . 2007-08-26 20:51 -------- d-----w- c:\program files\Common Files\AOL
    2010-02-09 15:23 . 2007-08-26 20:51 -------- d-----w- c:\programdata\AOL
    2010-02-09 15:19 . 2007-06-08 23:40 -------- d-----w- c:\program files\CONEXANT
    2010-02-09 15:16 . 2007-06-08 23:51 -------- d-----w- c:\program files\Hewlett-Packard
    2010-02-09 15:15 . 2007-06-08 23:54 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-02-09 15:15 . 2007-06-09 00:31 -------- d-----w- c:\programdata\CyberLink
    2010-02-09 15:15 . 2007-06-08 23:55 -------- d-----w- c:\program files\Hp
    2010-02-09 15:14 . 2007-06-09 00:40 -------- d-----w- c:\programdata\HP
    2010-02-09 15:07 . 2009-03-12 02:00 -------- d-----w- c:\users\Stephanie\AppData\Roaming\Move Networks
    2010-02-09 15:04 . 2007-06-09 00:51 -------- d-----w- c:\program files\Common Files\muvee Technologies
    2010-02-09 15:02 . 2007-06-09 00:00 -------- d-----w- c:\program files\Roxio
    2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-01-07 21:07 . 2009-11-23 14:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2009-11-23 14:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-02 06:38 . 2010-01-22 06:36 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-22 06:36 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-22 06:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-22 06:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-17 22:14 . 2009-04-04 15:00 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-11-23 13:46 . 2009-11-23 13:46 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-11-23 13:46 . 2009-11-23 13:46 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-11-23 13:46 . 2009-11-23 13:46 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-11-23 13:46 . 2009-11-23 13:46 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-30 131072]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-30 151552]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-30 126976]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

    c:\users\Stephanie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    setup_9.0.0.722_14.02.2010_21-27.lnk - c:\users\Stephanie\Desktop\Virus Removal Tool\setup_9.0.0.722_14.02.2010_21-27\startup.exe [2010-2-15 72208]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Vongo Tray.lnk - c:\windows\Installer\{8C3AE2D1-854D-4650-A73D-C7CC7EE36B80}\NewShortcut2_DB7E00C96DEF489A8112D8F81614F45A.exe [2007-6-8 53248]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):26,76,18,00,e9,51,ca,01

    R0 32424132;32424132 Boot Guard Driver;c:\windows\System32\drivers\32424132.sys [2/15/2010 9:51 AM 37392]
    R0 34947832;34947832 Boot Guard Driver;c:\windows\System32\drivers\34947832.sys [2/14/2010 5:34 PM 37392]
    R0 93328472;93328472 Boot Guard Driver;c:\windows\System32\drivers\93328472.sys [2/14/2010 1:41 PM 37392]
    R1 32424131;32424131;c:\windows\System32\drivers\32424131.sys [2/15/2010 9:51 AM 128016]
    R1 34947831;34947831;c:\windows\System32\drivers\34947831.sys [2/14/2010 5:34 PM 128016]
    R1 93328471;93328471;c:\windows\System32\drivers\93328471.sys [2/14/2010 1:41 PM 128016]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/23/2009 8:46 AM 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/23/2009 8:46 AM 360584]
    R1 setup_9.0.0.722_14.02.2010_21-27drv;setup_9.0.0.722_14.02.2010_21-27drv;c:\windows\System32\drivers\3242413.sys [2/15/2010 9:51 AM 311312]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [11/23/2009 8:45 AM 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/23/2009 8:44 AM 285392]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-18 20:08
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-02-18 20:18:09
    ComboFix-quarantined-files.txt 2010-02-19 01:18

    Pre-Run: 97,723,105,280 bytes free
    Post-Run: 97,786,408,960 bytes free

    - - End Of File - - 7E58DA5B62C64BCCEA844EF71369AED0

  3. #23
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Please upload these files to http://www.virustotal.com and post back the results:
    c:\windows\System32\drivers\93328472.sys
    c:\windows\System32\drivers\32424131.sys
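A log-triage helper, added here as an example and not part of the thread or of ComboFix itself: it parses the "Files Created" and R0/R1 service lines of the log posted above, clusters newly created kernel drivers that share a source timestamp and size under different names, and records which copies still have a service entry pointing at them. The sample lines are copied from the posted log; the function names and the output layout are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: "Files Created" lines and two R0/R1 service lines copied
# from the ComboFix log posted above (two of its three numbered driver sets).
SAMPLE_LOG = r"""
2010-02-15 14:51 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\32424132.sys
2010-02-15 14:51 . 2009-10-10 03:31 311312 ----a-w- c:\windows\system32\drivers\3242413.sys
2010-02-15 14:51 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\32424131.sys
2010-02-14 22:34 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\34947832.sys
2010-02-14 22:34 . 2009-10-10 03:31 311312 ----a-w- c:\windows\system32\drivers\3494783.sys
2010-02-14 22:34 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\34947831.sys
2010-02-09 23:16 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
R0 32424132;32424132 Boot Guard Driver;c:\windows\System32\drivers\32424132.sys [2/15/2010 9:51 AM 37392]
R1 setup_9.0.0.722_14.02.2010_21-27drv;setup_9.0.0.722_14.02.2010_21-27drv;c:\windows\System32\drivers\3242413.sys [2/15/2010 9:51 AM 311312]
"""

# Created-file layout: <created> . <source timestamp> <size or dashes> <attrs> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
                        r"(\d+|-+) (\S+) (.+)$")
SERVICE_RE = re.compile(r"^R[0-3] ([^;]+);[^;]*;(.+?) \[[^\]]*\]$")  # R<n> name;display;path [meta]
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_log(text):
    """Return (created-file records, {lower-cased driver path: service name})."""
    files, services = [], {}
    for line in text.splitlines():
        if (m := CREATED_RE.match(line)):
            created, source, size, attrs, path = m.groups()
            files.append({"created": created, "source": source, "path": path,
                          "size": None if size.startswith("-") else int(size),
                          "is_dir": attrs.startswith("d")})
        elif (m := SERVICE_RE.match(line)):
            services[m.group(2).lower()] = m.group(1)
    return files, services


def triage(text):
    """Cluster newly created kernel drivers by (source timestamp, size). Several
    differently named files sharing both is usually one binary dropped more than
    once; each copy then deserves a hash lookup, as the helper requested above."""
    files, services = parse_log(text)
    groups = defaultdict(list)
    for rec in files:
        path = rec["path"].lower()
        if not rec["is_dir"] and path.startswith(DRIVER_DIR) and path.endswith(".sys"):
            groups[(rec["source"], rec["size"])].append(path)
    findings = []
    for (source, size), paths in sorted(groups.items()):
        if len(paths) < 2:  # a single new driver on its own is not a cluster
            continue
        names = sorted(ntpath.basename(p) for p in paths)
        findings.append({
            "source": source, "size": size, "names": names,
            # None: no R0-R3 service points at this copy (a stale leftover)
            "services": {ntpath.basename(p): services.get(p) for p in paths},
            "all_numeric": all(n[:-4].isdigit() for n in names)})
    return findings
```

Run `triage(SAMPLE_LOG)` to get one finding per driver set; a copy whose service value is None is a leftover that nothing loads any more.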

  4. #24
    Member
    Join Date
    Feb 2009
    Posts
    45

    Hi, thanks for all the help.

    Both files came back clean. Is this computer really virus/malware free?

  5. #25
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Is this computer really virus/malware free?
    Logs are indicating that.

    You could try to run IE with add-ons disabled to see if it makes any difference:
    Click the Start button, click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).

  6. #26
    Member
    Join Date
    Feb 2009
    Posts
    45

    Great, thanks. You've been a tremendous help. I guess there are only 2 more issues that I'd like an opinion on, if you can. Firstly, minimized windows are still going to the right of the tray by the clock. I've downloaded Firefox and it's still an issue. Secondly, the fan is still running and the computer is noticeably hot to the touch. Is that an indication that there are too many programs running?

  7. #27
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    Right-click the taskbar and select Unlock. Then see if you can drag the left boundary (on the right side of the Quick Launch buttons beside the Start button) to the left. If the icons still appear on the right side of the taskbar, attach a screenshot, please.

    Access Task Manager (Ctrl+Alt+Del) and on the Processes tab see which items have big CPU % values (System Idle Process is always near 100; it can be ignored).

  8. #28
    Member
    Join Date
    Feb 2009
    Posts
    45

    Unlocking the task bar fixed that problem, thanks.

    As for CPU usage... nothing is more than 05, and most are 00 or 01. There are about 60 processes running total.

  9. #29
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi,

    As for CPU usage... nothing is more than 05, and most are 00 or 01
    Then that fan issue sounds a bit odd. It might be a hardware-related issue too. You could ask on some forum, like Tech Support Guy, that has an area for general computer issues too.

    Before that, let's remove tools we used.

    Now let's uninstall ComboFix:
    • Click START, then RUN
    • Now copy-paste Combofix /uninstall into the Run box and click OK


    Please download OTC and save it to desktop.
    • Double-click OTC.exe.
    • Click the CleanUp! button.
    • Select Yes when the
      Begin cleanup Process?
      prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes; if not, delete it yourself.


    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

  10. #30
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
