
[Active] Got A Trojan, and won't go away.

Discussion in 'Malware and Virus Removal Archive' started by Pepse, 2009/05/04.

  1. 2009/05/04, Pepse (Well-Known Member, Thread Starter)


    Well, I might have picked it up when installing Win XP w/SP1, or because I went to HP's website before downloading a virus scanner. Either way it is here, and even though Avast says it got rid of it, I don't think so. Reason? When I first got this virus it would pop up every 8 seconds. It came in the form of a box to send Microsoft an error report. It was listed as MSDCT.EXE, C:\WINDOWS\system\1sass.exe & C:\WINDOWS\fonts\unwise.exe. Also, I thought Avast got rid of it yesterday, but it is here again. Now it shows up on boot into Windows.

    Avast lists it as: C:\WINDOWS\system\msdct.exe (WIN32trojan-gen).

    Later. Pepse.
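One check a responder would run on the paths in the post above: the reported C:\WINDOWS\system\1sass.exe differs from the genuine Windows lsass.exe (which lives in system32) only by a digit one in place of a lowercase L, a classic trick for hiding in a process or file list, and msdct.exe and unwise.exe sit in folders (system, fonts) that do not normally receive new executables. The following Python is an added example, not code from the thread, from Avast or from DDS. The table of legitimate binaries with their expected directories, the list of unusual directories and the homoglyph map are constructed for the example and are heuristics: a hit means "look closer", not "malicious".

```python
import ntpath
from typing import Dict, List

# Core Windows binaries and the directory each normally lives in (Windows XP
# layout, lowercased). Constructed for this example; not exhaustive.
EXPECTED_DIR: Dict[str, str] = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directories under the Windows folder that should not receive newly dropped
# executables. Heuristic list constructed for this example.
UNUSUAL_EXE_DIRS = {
    r"c:\windows\fonts", r"c:\windows\system", r"c:\windows\temp",
    r"c:\windows\help", r"c:\windows\cursors",
}

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

# Single-character swaps used to make one filename look like another.
_HOMOGLYPHS = str.maketrans({"1": "l", "|": "l", "!": "l", "0": "o", "5": "s", "3": "e"})


def normalize(name: str) -> str:
    """Lower-case a filename and fold look-alike characters: '1sass.exe' -> 'lsass.exe'."""
    return name.lower().translate(_HOMOGLYPHS)


def triage(path: str) -> List[str]:
    """Return the reasons `path` deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    directory, name = ntpath.split(path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    folded = normalize(name)

    for legit, expected_dir in EXPECTED_DIR.items():
        if name == legit and directory != expected_dir:
            # Right name, wrong place: a copy masquerading as the system binary.
            reasons.append(f"{name} normally lives in {expected_dir}, found in {directory}")
        elif name != legit and folded == normalize(legit):
            # Different bytes, same look: homoglyph impersonation.
            reasons.append(f"{name} imitates system binary {legit} ({expected_dir})")

    if name.endswith(EXECUTABLE_EXT) and directory in UNUSUAL_EXE_DIRS:
        reasons.append(f"executable in a directory that does not normally receive new binaries: {directory}")
    return reasons


def triage_all(paths: List[str]) -> Dict[str, List[str]]:
    """Run triage over many paths; only paths with at least one reason are returned."""
    return {p: triage(p) for p in paths if triage(p)}


if __name__ == "__main__":
    # The three paths reported in the post, plus the genuine lsass.exe as a control.
    sample = [
        r"C:\WINDOWS\system\msdct.exe",
        r"C:\WINDOWS\system\1sass.exe",
        r"C:\WINDOWS\fonts\unwise.exe",
        r"C:\WINDOWS\system32\lsass.exe",
    ]
    for path, reasons in triage_all(sample).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Normalizing both the candidate and the legitimate name before comparing catches the swap in either direction; comparing only the raw name would miss 1sass.exe, and a plain substring match would false-positive on every file containing "lsass".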
     
  2. 2009/05/04, Admin. (Administrator, Staff)

    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     


  4. 2009/05/05, Pepse (Well-Known Member, Thread Starter)

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Owner at 13:31:37.96 on Tue 05/05/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.275 [GMT -5:00]

    AV: avast! antivirus 4.8.1335 [VPS 090505-0] *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wpabaln.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    Notify: igfxcui - igfxsrvc.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\5yhlymd8.default\
    FF - prefs.js: browser.startup.homepage - google.com

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-1 114768]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-1 138680]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-1 254040]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-1 352920]
    R3 cwrwdm;SoundFusion(tm) WDM Driver;c:\windows\system32\drivers\cwrwdm.sys [2009-5-5 48640]

    =============== Created Last 30 ================

    2009-05-05 13:17 145,792 ac------ c:\windows\system32\dllcache\portcls.sys
    2009-05-05 13:17 4,096 ac------ c:\windows\system32\dllcache\ksuser.dll
    2009-05-05 13:17 145,792 a------- c:\windows\system32\drivers\portcls.sys
    2009-05-05 13:17 4,096 a------- c:\windows\system32\ksuser.dll
    2009-05-05 13:17 60,288 ac------ c:\windows\system32\dllcache\drmk.sys
    2009-05-05 13:17 60,288 a------- c:\windows\system32\drivers\drmk.sys
    2009-05-05 13:17 130,048 ac------ c:\windows\system32\dllcache\ksproxy.ax
    2009-05-05 13:17 48,640 ac------ c:\windows\system32\dllcache\cwrwdm.sys
    2009-05-05 13:17 130,048 a------- c:\windows\system32\ksproxy.ax
    2009-05-05 13:17 48,640 a------- c:\windows\system32\drivers\cwrwdm.sys
    2009-05-04 22:33 <DIR> --d----- c:\windows\system32\CatRoot_bak
    2009-05-04 22:22 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
    2009-05-04 22:22 333,184 -c------ c:\windows\system32\dllcache\srv.sys
    2009-05-04 22:22 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
    2009-05-04 22:22 683,520 -c------ c:\windows\system32\dllcache\inetcomm.dll
    2009-05-04 22:21 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
    2009-05-04 22:21 332,800 -c------ c:\windows\system32\dllcache\netapi32.dll
    2009-05-04 22:21 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
    2009-05-04 22:20 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
    2009-05-04 22:20 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
    2009-05-04 21:51 <DIR> --d----- c:\windows\system32\PreInstall
    2009-05-04 21:51 <DIR> --d-h--- c:\windows\$hf_mig$
    2009-05-04 20:43 <DIR> --d----- c:\windows\system32\SoftwareDistribution
    2009-05-02 02:38 316,640 a------- c:\windows\WMSysPr9.prx
    2009-05-02 02:35 <DIR> --d----- c:\windows\ServicePackFiles
    2009-05-02 02:31 2,897,920 -------- c:\windows\system32\xpsp2res.dll
    2009-05-02 02:30 19,528 a------- c:\windows\002012_.tmp
    2009-05-02 02:30 <DIR> --d----- c:\windows\system32\ReinstallBackups
    2009-05-02 02:30 26,488 a------- c:\windows\system32\spupdsvc.exe
    2009-05-02 02:26 <DIR> --d----- c:\windows\EHome
    2009-05-02 01:46 <DIR> --d----- C:\Downloads
    2009-05-02 01:02 0 a------- c:\windows\system32\wmsoft47463.exe
    2009-05-01 18:51 80 a------- c:\windows\system32\i
    2009-05-01 18:50 1,060,864 a------- c:\windows\system32\MFC71.dll
    2009-05-01 18:50 499,712 a------- c:\windows\system32\MSVCP71.dll
    2009-05-01 18:50 348,160 a------- c:\windows\system32\MSVCR71.dll
    2009-05-01 18:34 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
    2009-05-01 18:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-05-01 18:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-01 18:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-05-01 18:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-05-01 18:28 163,840 a------- c:\windows\system32\igfxres.dll
    2009-05-01 18:27 <DIR> --ds---- c:\windows\system32\Microsoft
    2009-05-01 18:26 192,000 a------- c:\windows\system32\iuengine.dll
    2009-05-01 18:23 78 a------- c:\windows\system32\asr_wceam
    2009-05-01 18:09 <DIR> --dsh--- c:\windows\Installer
    2009-05-01 18:09 <DIR> --d----- c:\documents and settings\Owner
    2009-05-01 18:07 8,192 a------- c:\windows\REGLOCS.OLD
    2009-05-01 18:05 92,416 ac------ c:\windows\system32\dllcache\mga.sys
    2009-05-01 18:04 <DIR> --d----- c:\windows\system32\xircom
    2009-05-01 18:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
    2009-05-01 18:03 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
    2009-05-01 18:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
    2009-05-01 18:03 <DIR> --ds---- c:\windows\Downloaded Program Files
    2009-05-01 18:03 <DIR> --d--r-- c:\windows\Offline Web Pages
    2009-05-01 18:03 749 a---hr-- c:\windows\WindowsShell.Manifest
    2009-05-01 18:03 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
    2009-05-01 18:03 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
    2009-05-01 18:03 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
    2009-05-01 18:03 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
    2009-05-01 18:03 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
    2009-05-01 18:03 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
    2009-05-01 18:02 <DIR> --d----- c:\program files\common files\MSSoap
    2009-05-01 18:00 <DIR> --d-h--- c:\program files\WindowsUpdate
    2009-05-01 18:00 <DIR> --d----- c:\program files\Online Services
    2009-05-01 18:00 <DIR> --d----- c:\program files\Messenger
    2009-05-01 18:00 <DIR> --d----- c:\program files\MSN Gaming Zone
    2009-05-01 18:00 <DIR> --d----- c:\program files\Windows NT
    2009-05-01 13:50 <DIR> --d----- c:\program files\common files\ODBC
    2009-05-01 13:50 <DIR> --d----- c:\program files\common files\SpeechEngines
    2009-05-01 13:50 <DIR> --d--r-- c:\documents and settings\all users\Documents

    ==================== Find3M ====================

    2009-05-02 02:40 98,578 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
    2009-05-02 02:40 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
    2009-05-01 18:01 21,640 a------- c:\windows\system32\emptyregdb.dat
    2009-03-06 09:44 283,648 a------- c:\windows\system32\pdh.dll
    2009-02-20 03:30 659,456 a------- c:\windows\system32\wininet.dll
    2009-02-20 03:30 81,920 -------- c:\windows\system32\ieencode.dll
    2009-02-09 05:20 723,456 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
    2009-02-09 05:20 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 05:20 616,960 a------- c:\windows\system32\advapi32.dll
    2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
    2009-02-06 12:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 12:14 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 11:54 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 11:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe

    ============= FINISH: 13:32:05.90 ===============
     
  5. 2009/05/05, Pepse (Well-Known Member, Thread Starter)

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/1/2009 6:06:46 PM
    System Uptime: 5/5/2009 1:16:12 PM (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P4G-LA
    Processor: Intel(R) Celeron(R) CPU 1.80GHz | PGA 478 | 1793/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 33.263 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 5/1/2009 6:09:46 PM - System Checkpoint
    RP2: 5/2/2009 2:30:46 AM - Installed Windows XP Service Pack 2.
    RP3: 5/4/2009 9:04:25 PM - System Checkpoint
    RP4: 5/4/2009 9:51:17 PM - Software Distribution Service 3.0
    RP5: 5/5/2009 1:45:53 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    avast! Antivirus
    Hotfix for Windows XP (KB952287)
    Intel(R) Extreme Graphics Driver
    Malwarebytes' Anti-Malware
    Mozilla Firefox (3.0.10)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB963027)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows XP Service Pack 2

    ==== Event Viewer Messages From Past Week ========

    5/1/2009 6:50:47 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:50:38 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:50:28 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:50:19 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:43:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    5/1/2009 6:34:32 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 6 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:34:23 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 5 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
    5/1/2009 6:31:55 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.

    ==== End Of File ===========================
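The two DDS logs above are what a helper reads by eye; the parts worth automating are the "Created Last 30" list (date, time, size or <DIR>, attribute flags, path) and the Service Control Manager 7031 entries in the Event Viewer section. The Python below is an added example, not part of the thread or of the DDS tool: it parses a few lines copied from the logs above (plus one benign line, all embedded as a constructed sample) and flags zero-byte executables and extension-less files dropped into system32, then tallies per-service crash/restart counts from the 7031 messages so a repeatedly restarting service name can be looked up. The flags are triage heuristics chosen for this example, not verdicts.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the DDS "Created Last 30" section above,
# plus the benign MFC71.dll and manifest entries, so the block runs offline.
CREATED_LINES = r"""
2009-05-05 13:17 48,640 a------- c:\windows\system32\drivers\cwrwdm.sys
2009-05-04 22:33 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-05-02 01:02 0 a------- c:\windows\system32\wmsoft47463.exe
2009-05-01 18:51 80 a------- c:\windows\system32\i
2009-05-01 18:50 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-05-01 18:23 78 a------- c:\windows\system32\asr_wceam
2009-05-01 18:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
""".strip().splitlines()

# Constructed sample: three Event Viewer lines from the attach log above.
EVENT_LINES = r"""
5/1/2009 6:50:47 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
5/1/2009 6:43:44 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
5/1/2009 6:31:55 PM, error: Service Control Manager [7031] - The WM System Decode Application service terminated unexpectedly. It has done this 7 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
""".strip().splitlines()

# DDS created-file line: date, time, size (with thousands separators) or <DIR>,
# eight attribute flags, then the path.
_CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) (\S{8}) (.+)$")
# SCM event 7031 text as DDS prints it.
_CRASH_RE = re.compile(r"\[7031\] - The (.+?) service terminated unexpectedly\. It has done this (\d+) time\(s\)")

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def parse_created(line: str) -> Optional[dict]:
    """Split one Created-Last-30 line into its fields; None if the line is not one."""
    m = _CREATED_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    is_dir = size == "<DIR>"
    return {
        "when": f"{date} {time}",
        "size": None if is_dir else int(size.replace(",", "")),
        "attrs": attrs,
        "path": path.lower(),
        "is_dir": is_dir,
    }


def triage_created(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that warrant a manual look. Heuristics only."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        entry = parse_created(line)
        if entry is None or entry["is_dir"]:
            continue
        path, size = entry["path"], entry["size"]
        name = path.rsplit("\\", 1)[-1]
        in_system32 = path.startswith(r"c:\windows\system32")
        if name.endswith(EXECUTABLE_EXT) and size == 0:
            findings.append((path, "zero-byte executable (stub, failed drop, or placeholder)"))
        if in_system32 and "." not in name:
            findings.append((path, "extension-less file dropped into system32"))
    return findings


def crash_counts(lines: List[str]) -> Dict[str, Tuple[int, int]]:
    """Map service name -> (number of 7031 events seen, highest 'done this N time(s)' value)."""
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        m = _CRASH_RE.search(line)
        if m:
            svc, n = m.group(1), int(m.group(2))
            counts[svc][0] += 1
            counts[svc][1] = max(counts[svc][1], n)
    return {svc: (c, mx) for svc, (c, mx) in counts.items()}


if __name__ == "__main__":
    for path, why in triage_created(CREATED_LINES):
        print(f"{why}: {path}")
    for svc, (events, times) in crash_counts(EVENT_LINES).items():
        print(f"{svc}: {events} crash event(s) in sample, restarted up to {times} time(s)")
```

On the sample this flags wmsoft47463.exe (0 bytes), the bare file named i and asr_wceam, and reports that "WM System Decode Application" crashed and was restarted up to 7 times on the install day; the next step for a helper is to look each name up rather than act on the heuristic alone.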
     
  6. 2009/05/12, Juliet (Well-Known Member)

    Hi and welcome.

    If you still need assistance, follow the steps below.

    Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double-click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, the Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No validation is required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    ** Please note:
    At times ComboFix may appear to stall; please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, thank you.

    Extra note: after you have installed the Recovery Console, if you reboot your computer you'll see the option for the Recovery Console right after reboot as well.
    Don't select to run the Recovery Console, as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
