Quantcast
Channel: Tech Support Forum - Virus/Trojan/Spyware Help
Viewing all articles
Browse latest Browse all 2798

trojan:winNt/Necurs.A found

$
0
0
I've tried a few antivirus programs but none would update or scan, until I tried Windows Essentials, it wouldn't update but did scan and find this trojan, it won't enable.

the gmer.exe had an error when I start to run it.
loadDriver error ("c:\user\Prefer~1\AppData\Local\Temp\pxtafod.sys"): A device attached to the system is not functioning.
It did run and gave me a couple options, most of the boxes are greyed out, but I did run system and registry and attached it.

here is my dds

Thanks
Dan
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.19170
Run by Preferred Customer at 0:18:12 on 2012-12-28
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2047.627 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\DAZ 3D\Content Management Service\ContentManagementServer.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\CursorFX\CursorFX.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\Google\Update\1.3.21.123\GoogleCrashHandler.exe
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Preferred Customer\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2QJBRQU0\aswMBR[1].exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://antwrp.gsfc.nasa.gov/apod/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Presario&pf=desktop
uProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [CursorFX] "c:\cursorfx\CursorFX.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ROC_ROC_NT] "c:\program files\avg secure search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
mRun: [ROC_roc_ssl_v12] "c:\program files\avg secure search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\preferred customer\appdata\roaming\microsoft\windows\start menu\programs\startup\Dropbox.lnk.disabled
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\Adobe Gamma Loader.lnk.disabled
uPolicies-Explorer: HideSCAHealth = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Download with &Media Finder - c:\program files\media finder\hook.html
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 64.233.217.2 64.233.217.3
TCP: Interfaces\{F62C4470-9CA5-4842-A9E8-DDB9838C16BC} : DHCPNameServer = 64.233.217.2 64.233.217.3
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2005\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - LocalServer32 - <no file>
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\preferred customer\appdata\roaming\mozilla\firefox\profiles\5wr2wrxi.default\
FF - prefs.js: browser.startup.homepage - hxxp://antwrp.gsfc.nasa.gov/apod/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\users\preferred customer\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R2 DAZContentManagementService;DAZ Content Management Service;c:\daz 3d\content management service\ContentManagementServer.exe [2012-2-19 18432]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-30 21504]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-6-30 1248256]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe [2007-4-27 316992]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-8-30 193552]
S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-12-16 26984]
S1 gslaubnu;gslaubnu;c:\windows\system32\drivers\gslaubnu.sys [2012-12-28 43600]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-28 1153368]
S3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\drivers\lgandbus.sys [2011-7-25 14336]
S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\drivers\lganddiag.sys [2011-7-25 20736]
S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\drivers\lgandgps.sys [2011-7-25 20096]
S3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\drivers\lgandmodem.sys [2011-7-25 25088]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\lgandadb.sys [2011-7-25 25728]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 99272]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-9-12 287824]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-10-30 21504]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S3 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S3 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]
S3 SessionLauncher;SessionLauncher;c:\users\prefer~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\prefer~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S3 StkCMini;Syntek AVStream USB2.0 ATV;c:\windows\system32\drivers\StkCMini.sys [2010-10-23 1579144]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-10-30 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-10-30 251904]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
FileExt: .reg: Applications\cutehtml.exe="f:\program files\globalscape\cuteftp\cutehtml\cutehtml.exe" "%1" [UserChoice]
FileExt: .ini: Applications\cutehtml.exe="f:\program files\globalscape\cuteftp\cutehtml\cutehtml.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-12-28 05:03:00 43600 ----a-w- c:\windows\system32\drivers\gslaubnu.sys
2012-12-28 04:51:24 60872 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6246ebb6-2135-4aea-a8ab-808c2bf6fda7}\offreg.dll
2012-12-28 04:34:07 6812136 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{6246ebb6-2135-4aea-a8ab-808c2bf6fda7}\mpengine.dll
2012-12-28 04:23:29 -------- d-----w- c:\program files\Microsoft Security Client
2012-12-27 02:50:16 -------- d-----w- c:\users\preferred customer\appdata\roaming\Panda Security
2012-12-27 02:46:36 -------- d-----w- c:\programdata\Panda Security
2012-12-27 02:46:36 -------- d-----w- c:\program files\Panda Security
2012-12-23 07:38:55 -------- d-----w- c:\programdata\AVAST Software
2012-12-23 07:38:55 -------- d-----w- c:\program files\AVAST Software
2012-12-18 01:29:29 -------- d-----w- c:\programdata\Avira
2012-12-17 03:39:06 26984 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
.
==================== Find3M ====================
.
2012-12-12 03:03:12 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-12 03:03:12 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-30 00:54:26 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 0:24:37.32 ===============

Attached Files
File Type: zip attached.zip (3.4 KB)

Viewing all articles
Browse latest Browse all 2798

Trending Articles