AVG scan keeps reporting TROJAN.Lmir.ayr

BullGuard Antivirus Forum > Virus Removal > Removal Help > AVG scan keeps reporting TROJAN.Lmir.ayr

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

danny-boy
New Member

Date Joined Aug 2007
Total Posts : 37

Posted 5-5-2008 3:51 (GMT +2)

Hi again guys, on a routine AVG antivirus scan I have got the following reports, I havent noticed any odd PC behavior yet but wanted you guys to have a quick look at the logs and let me know if I need to take any further action.

I have included a rootlog report as well.

Thanks in advance guys:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:56:51 05/05/2008

+ Scan result:

C:\System Volume Information\_restore{39280BAA-0595-4F26-AEAA-F37CB353FFC7}\RP255\A0108057.exe -> Trojan.Lmir.ayr : Cleaned with backup (quarantined).

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 14:25:31, on 05/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Shoot and Surf\Desktop\alternativ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware\avgas.exe" /minimized
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169548038590
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185915687807
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ComboFix 07-08-04.3 - "Shoot and Surf" 2008-05-05 14:06:23.12 [GMT 1:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True

((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))

2008-04-29 14:41 <DIR> d-------- C:\Program Files\DivX
2008-04-22 10:19 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-04-22 10:14 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-04-14 20:44 <DIR> d-------- C:\Program Files\uTorrent
2008-04-14 20:44 <DIR> d-------- C:\DOCUME~1\SHOOTA~1\APPLIC~1\uTorrent
2008-04-10 20:09 <DIR> d-------- C:\DOCUME~1\SHOOTA~1\APPLIC~1\BitTorrent

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-05-05 14:09 4751392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-05 13:57 --------- d-------- C:\Program Files\YouTube Video Converter
2008-05-05 10:29 --------- d-------- C:\Program Files\SpywareGuard
2008-05-05 10:28 --------- d-------- C:\Program Files\SpywareBlaster
2008-05-04 22:56 56432 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-22 10:19 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-02 17:59 --------- d-------- C:\Program Files\Music Rescue
2008-03-31 22:25 161096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-03-29 18:45 1146232 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-29 18:35 94544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-29 18:35 20560 --a------ C:\WINDOWS\system32\drivers\aswFsBlk.sys
2008-03-29 18:31 75856 --a------ C:\WINDOWS\system32\drivers\aswSP.sys
2008-03-29 18:29 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-29 18:27 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-29 18:26 26944 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-29 18:23 95608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-19 10:47 1845248 --a------ C:\WINDOWS\system32\win32k.sys
2008-03-19 10:47 1845248 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-15 18:40 --------- d-------- C:\DOCUME~1\SHOOTA~1\APPLIC~1\Real
2008-03-15 18:38 --------- d-------- C:\Program Files\Common Files\xing shared
2008-03-15 18:38 --------- d-------- C:\Program Files\Common Files\Real
2008-03-15 18:36 --------- d-------- C:\Program Files\Real
2008-03-13 23:11 75248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-05 17:29 --------- d-------- C:\Program Files\SopCast
2008-03-01 18:36 3591680 -----c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2008-03-01 14:06 826368 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2008-03-01 14:06 671232 -----c--- C:\WINDOWS\system32\dllcache\mstime.dll
2008-03-01 14:06 63488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-01 14:06 6066176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-01 14:06 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-01 14:06 478208 -----c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2008-03-01 14:06 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-01 14:06 44544 --a--c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-03-01 14:06 44544 -----c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2008-03-01 14:06 384512 -----c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2008-03-01 14:06 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-01 14:06 347136 --a--c--- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2008-03-01 14:06 27648 -----c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2008-03-01 14:06 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-01 14:06 233472 -----c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2008-03-01 14:06 230400 -----c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2008-03-01 14:06 214528 -----c--- C:\WINDOWS\system32\dllcache\dxtrans.dll
2008-03-01 14:06 193024 -----c--- C:\WINDOWS\system32\dllcache\msrating.dll
2008-03-01 14:06 153088 -----c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2008-03-01 14:06 133120 -----c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2008-03-01 14:06 124928 -----c--- C:\WINDOWS\system32\dllcache\advpack.dll
2008-03-01 14:06 1159680 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2008-03-01 14:06 105984 -----c--- C:\WINDOWS\system32\dllcache\url.dll
2008-03-01 14:06 102912 -----c--- C:\WINDOWS\system32\dllcache\occache.dll
2008-02-29 09:55 70656 -----c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 09:55 625664 -----c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 11:00 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 07:51 282624 --a------ C:\WINDOWS\system32\gdi32.dll
2008-02-20 07:51 282624 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 06:32 45568 --a------ C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:32 45568 -----c--- C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 06:32 148992 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 06:44 161792 -----c--- C:\WINDOWS\system32\dllcache\ieakui.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-22 10:19 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-22 10:19 262144]

[HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 18:37]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware\avgas.exe" [2007-06-11 10:25]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [2002-08-15 04:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 18:36]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-03-25 10:48]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\Shoot and Surf\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=0 (0x0)

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
R3 cmuda;C-Media WDM Audio Interface;C:\WINDOWS\system32\drivers\cmuda.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\ngrpci.sys
S3 nmwcd;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 nmwcdc;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 nmwcdcm;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys
S3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##B2P1#CD]
AutoRun\command- Z:\setup.exe

Contents of the 'Scheduled Tasks' folder
2008-04-24 19:45:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 14:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2008-05-05 14:13:11
C:\ComboFix2.txt ... 2008-04-16 15:37
C:\ComboFix3.txt ... 2008-03-16 20:34

--- E O F ---

********************************* ROOTCHK-(21-07-07)-LOG, by ejvindh
05/05/2008 14:15:10.73

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-05 14:15:11
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden files: 0

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13071

Posted 5-5-2008 7:23 (GMT +2)

Hello

Looks like AVG Anti-Spyware get rid of it ?

The other log files looks clean to Me

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

danny-boy
New Member

Date Joined Aug 2007
Total Posts : 37

Posted 5-5-2008 9:43 (GMT +2)

It says it quarantined it, but computer freezin up alot, dont know if the 2 are related??

danny-boy
New Member

Date Joined Aug 2007
Total Posts : 37

Posted 5-6-2008 8:02 (GMT +2)

All seems to be ok now......

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13071

Posted 5-7-2008 8:45 (GMT +2)

Sounds good

Please read Tony Klein's excellent article about how to prevent against spyware/hijackers in the future
www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

Forum Information

Currently it is Tuesday, October 07, 2008 1:49 AM (GMT +2)
There are a total of 62.539 posts in 15.594 threads.
In the last 3 days there were 12 new threads and 47 reply posts. View Active Threads