
Rootkit - tdssinit.dll (Trojan.Agent) removal


11 replies to this topic

#1 sunshah


Posted 03 January 2009 - 02:13 PM

Hi there

I had trojan malware which was removed with the help of this forum's moderators Rigel and quietman7. Below is the thread for that:

http://www.bleepingcomputer.com/forums/ind...p;#entry1073945

One of the infections removed was at C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) on my XP machine,
which I understand is rootkit malware, and formatting and re-installing the OS is the best solution to remove any traces of it. But is there any way this can be further cleaned/secured without formatting the laptop?

As per the advice from the previous thread I am posting the DDS HJT log. I have also attached Attach.txt.
Please review and help me.



DDS (Version 1.1.0) - NTFSx86
Run by Sanjay at 14:01:19.68 on Sat 01/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1407 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Mercury\QUALIT~1\jboss\bin\QCJavaService.exe
C:\Program Files\Mercury\Quality Center\msdeBinn\MSSQL\Binn\sqlservr.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Sanjay\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071120
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
{7a68f767-9855-4e2f-8325-d6e81c0895f9}
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\DELLNE~1.LNK -
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: mlfp - {C4F82295-31F1-11D2-8E50-006008CB5184} - c:\program files\common files\mercury interactive\astra\bin\ielpview.dll
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: MicIPCU.dll piknch.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - No File
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sanjay\applic~1\mozilla\firefox\profiles\5jpxqppo.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\mozilla firefox\components\nsoffersfortoday.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\yahoo!\shared\npYState.dll

============= SERVICES / DRIVERS ===============

R4 Mercury Quality Center;Mercury Quality Center;c:\progra~1\mercury\qualit~1\jboss\bin\QCJavaService.exe [2007-12-23 65536]
R4 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2007-12-10 10951]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S4 0301341230823906mcinstcleanup;McAfee Application Installer Cleanup (0301341230823906);c:\docume~1\sanjay\locals~1\temp\030134~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\sanjay\locals~1\temp\030134~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-01-03 12:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-03 11:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 08:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-03 08:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 20:47 <DIR> --d----- C:\KAV
2009-01-02 19:50 250 a------- c:\windows\gmer.ini
2009-01-01 22:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-01-01 21:24 249,856 a------- c:\windows\system32\dllcache\ctmasetp.dll
2009-01-01 21:23 8,192 a------- c:\windows\system32\dllcache\changer.sys
2009-01-01 21:23 121,856 a------- c:\windows\system32\dllcache\camext30.dll
2009-01-01 21:22 18,432 a------- c:\windows\system32\dllcache\bdaplgin.ax
2009-01-01 21:22 11,776 a------- c:\windows\system32\dllcache\bdasup.sys
2009-01-01 21:21 13,696 a------- c:\windows\system32\dllcache\avcstrm.sys
2009-01-01 21:21 38,912 a------- c:\windows\system32\dllcache\avc.sys
2009-01-01 21:20 48,128 a------- c:\windows\system32\dllcache\61883.sys
2009-01-01 21:20 12,288 a------- c:\windows\system32\dllcache\4mmdat.sys
2009-01-01 14:24 <DIR> --d----- C:\Net-client
2009-01-01 14:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-01 13:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-01 13:41 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-01 13:41 <DIR> --d----- c:\docume~1\sanjay\applic~1\SUPERAntiSpyware.com
2008-12-31 20:55 <DIR> --d----- c:\docume~1\sanjay\applic~1\Twain
2008-12-30 23:25 <DIR> --d----- c:\program files\Spyware & Adware Removal
2008-12-30 20:43 126,976 a------- c:\windows\system32\piknch.dll
2008-12-30 20:43 126,976 a------- c:\windows\system32\dkabncga.dll
2008-12-30 04:49 <DIR> --d----- C:\GHATOTKATCH
2008-12-29 08:48 <DIR> --d----- c:\program files\WinEMS_2812
2008-12-28 19:50 <DIR> --d----- c:\program files\SiteAdvisor
2008-12-28 19:50 <DIR> --d----- c:\docume~1\sanjay\applic~1\SiteAdvisor
2008-12-25 00:52 39,322 -------- C:\www.picturepeople.com-promotion-email-holiday_2008-web_l.mdi
2008-12-25 00:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\UDL
2008-12-25 00:33 <DIR> --d----- c:\program files\Epson Software
2008-12-25 00:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2008-12-25 00:28 <DIR> --d----- c:\program files\epson
2008-12-21 10:43 <DIR> --d----- c:\program files\DVD Decrypter
2008-12-21 10:41 <DIR> --d----- C:\DVD-Decrypter
2008-12-04 19:11 <DIR> --d----- c:\program files\common files\Symantec Shared

==================== Find3M ====================

2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-24 14:50 60,744 a------- c:\documents and settings\sanjay\g2mdlhlpx.exe
2008-11-09 23:07 79,085 a------- c:\windows\system32\cpxmuaozjpaccx.exe
2008-10-28 17:55 77,803 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 06:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 07:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:34 337,408 a------- c:\windows\system32\dllcache\netapi32.dll
2008-08-13 12:37 27,351 a------- c:\documents and settings\sanjay\Start Menu.zip
2008-07-26 08:04 25,755,448 a------- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-06-20 07:45 86,016 a------- c:\documents and settings\sanjay\IDHWTSS1.dll
2008-06-20 07:45 81,920 a------- c:\documents and settings\sanjay\hobjni.dll
2008-05-22 20:17 386,560 a------- c:\program files\justzipit.exe
2008-05-22 20:08 16,448,632 a------- c:\program files\speeditupFree.exe
2008-05-22 19:33 23,686,528 a------- c:\program files\OnTimeV80WindowsSetup.zip
2007-12-13 13:49 36,868 a------- c:\documents and settings\sanjay\PrtDLL.dll
2008-06-14 17:04 473,345 a--sh--- c:\windows\system32\kQsCLkkj.ini2
2008-06-14 12:18 469,867 a--sh--- c:\windows\system32\waKlmnpo.ini2

============= FINISH: 14:01:57.00 ===============

Edited by sunshah, 03 January 2009 - 02:17 PM.
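As an added example (not part of the thread, and not code from the DDS tool), the following Python script applies a few defender-side triage heuristics to the DDS "Pseudo HJT Report" and "Created Last 30" line formats shown in the log above: orphaned BHO/toolbar CLSIDs ("No File"), DLLs loaded into every process through AppInit_DLLs, Run entries that reference a bare file name instead of a full path, hidden+system files in system32, and recently created system32 files that share an identical size. The sample lines are constructed from the log above; the rule names are assumptions.

```python
"""Triage helper for DDS-style log lines (added example, not the DDS tool's own code)."""
import re
from collections import defaultdict

# Constructed sample in the DDS layout, based on the log posted in the thread.
SAMPLE_LOG = """\
BHO: {00C6482D-C502-44C8-8409-FCE54AD9C208} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\googletoolbar3.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
dRun: [msiexec.exe] msiconf.exe
AppInit_DLLs: MicIPCU.dll piknch.dll
2008-12-30 20:43 126,976 a------- c:\\windows\\system32\\piknch.dll
2008-12-30 20:43 126,976 a------- c:\\windows\\system32\\dkabncga.dll
2009-01-03 08:38 15,504 a------- c:\\windows\\system32\\drivers\\mbam.sys
2008-06-14 17:04 473,345 a--sh--- c:\\windows\\system32\\kQsCLkkj.ini2
"""

# Line shapes used by DDS: "BHO: name: {clsid} - path", "uRun: [name] command",
# "AppInit_DLLs: a.dll b.dll", and "YYYY-MM-DD HH:MM size attrs path".
ORPHAN_RE = re.compile(r"^(BHO|TB): (.+?) - No File$")
RUN_RE = re.compile(r"^([umd]Run): \[(.+?)\] (.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ([\d,]+) (\S{8}) (.+)$")


def triage(log_text):
    """Return a list of (rule, detail) findings for a DDS-style log.

    These are heuristics for a human reviewer, not verdicts: a bare file name in a
    Run entry is also how some legitimate vendors register their tray apps.
    """
    findings = []
    size_groups = defaultdict(list)  # size -> system32 files created recently
    for line in log_text.splitlines():
        line = line.strip()
        if m := ORPHAN_RE.match(line):
            # Leftover registration pointing at a file that no longer exists.
            findings.append(("orphaned-entry", f"{m.group(1)} {m.group(2)}"))
        elif m := RUN_RE.match(line):
            # First token of the command, with surrounding quotes removed.
            target = m.group(3).strip('"').split(" ")[0]
            if "\\" not in target:
                findings.append(("run-bare-filename", f"{m.group(1)} [{m.group(2)}] {target}"))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is empty on a clean XP box; every entry deserves a look.
            for dll in m.group(1).split():
                findings.append(("appinit-dll", dll))
        elif m := FILE_RE.match(line):
            size = int(m.group(2).replace(",", ""))
            attrs, path = m.group(3), m.group(4).lower()
            if "\\system32\\" in path:
                size_groups[size].append(path)
            if "s" in attrs and "h" in attrs:
                # Hidden + system attributes on a data file in system32.
                findings.append(("hidden-system-file", path))

    # Several freshly created system32 files of identical size usually come from one dropper.
    for size, paths in size_groups.items():
        if len(paths) > 1:
            findings.append(("same-size-system32-files", f"{size} bytes: " + ", ".join(paths)))

    # An AppInit DLL that was also created in the last 30 days is the strongest signal here.
    recent_names = {p.rsplit("\\", 1)[-1] for paths in size_groups.values() for p in paths}
    for rule, detail in list(findings):
        if rule == "appinit-dll" and detail.lower() in recent_names:
            findings.append(("appinit-dll-recently-created", detail))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```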


#2 kahdah


Posted 03 January 2009 - 03:46 PM

Hello sunshah

Welcome to BleepingComputer :thumbsup:
========================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#3 sunshah


Posted 03 January 2009 - 11:01 PM

Thanks Kahdah

Ran ComboFix.exe as per the instructions. Attached is the generated ComboFix.txt log for your review.

#4 kahdah


Posted 04 January 2009 - 08:39 AM

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

c:\documents and settings\Sanjay\hobjni.dll
Jotti File Scan
VirusTotal File Scan
This will produce a report after the scan is complete, please copy and paste those results in your next post.

#5 sunshah


Posted 04 January 2009 - 09:56 AM

Result of Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1:


File: hobjni.dll
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 9e64e0fcade1e0eeccd15797e6822954
Packers detected: -


Scan taken on 04 Jan 2009 14:43:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

----------------------------------------------------------------------------------
For VirusTotal:

File hobjni.dll received on 01.04.2009 15:49:21 (CET)


Result: 0/38 (0%)


Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.04 -
AhnLab-V3 2008.12.31.0 2009.01.04 -
AntiVir 7.9.0.45 2009.01.04 -
Authentium 5.1.0.4 2009.01.03 -
Avast 4.8.1281.0 2009.01.04 -
AVG 8.0.0.199 2009.01.03 -
BitDefender 7.2 2009.01.04 -
CAT-QuickHeal 10.00 2009.01.03 -
ClamAV 0.94.1 2009.01.04 -
Comodo 874 2009.01.04 -
DrWeb 4.44.0.09170 2009.01.04 -
eTrust-Vet 31.6.6289 2009.01.02 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.03 -
F-Secure 8.0.14470.0 2009.01.04 -
Fortinet 3.117.0.0 2009.01.04 -
GData 19 2009.01.04 -
Ikarus T3.1.1.45.0 2009.01.03 -
K7AntiVirus 7.10.575 2009.01.03 -
Kaspersky 7.0.0.125 2009.01.04 -
McAfee 5483 2009.01.03 -
McAfee+Artemis 5483 2009.01.03 -
Microsoft 1.4205 2009.01.04 -
NOD32 3735 2009.01.04 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.04 -
PCTools 4.4.2.0 2009.01.04 -
Prevx1 V2 2009.01.04 -
Rising 21.10.62.00 2009.01.04 -
SecureWeb-Gateway 6.7.6 2009.01.04 -
Sophos 4.37.0 2009.01.04 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.04 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.04 -
VBA32 3.12.8.10 2009.01.03 -
ViRobot 2009.1.3.1541 2009.01.03 -
VirusBuster 4.5.11.0 2009.01.03 -

Additional information
File size: 81920 bytes
MD5...: 9e64e0fcade1e0eeccd15797e6822954
SHA1..: 088aca47230a978ca2ecc80104088ad6d0760194
SHA256: 173b105469c2c159423bbf2ef7344949869ded870ef3ac611c2aecf5454a5479
SHA512: 4adf2f01e0f0b7d14f198f05a7158e3d344dad2fc8f61719b534598831cae5b75b54f258977f2608d0add180a764678b601d88fd394722843d95b6af4c9c0a10

ssdeep: 1536:20CVgblXb/mmYxSMzHdSXUZpT1GYnF5x5JIdJy8o6tPQMe1Qb:2VYA3SMzpWiJIdJy8o6tPLe1Qb

PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10006f54
timedatestamp.....: 0x41b6cb76 (Wed Dec 08 09:37:58 2004)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xbe16 0xc000 6.45 b0c015c8e7780c85f87a89878faecb7d
.rdata 0xd000 0x1e1e 0x2000 5.40 7d3969c7f8d330dd450ed6715a5fa652
.data 0xf000 0x30a8 0x2000 3.33 0f2774143136ed5a961495c7700f55a7
.rsrc 0x13000 0x3a0 0x1000 0.95 19b0b34b27057f1fc4bd28e340feee17
.reloc 0x14000 0x1238 0x2000 3.07 10dbd4a8b3542d2f50fc5e759fbe3bf2

( 7 imports )
> KERNEL32.dll: GetTimeZoneInformation, FormatMessageA, LoadLibraryA, GetDateFormatA, GetProcAddress, GetLocalTime, GetModuleFileNameA, WideCharToMultiByte, VirtualAlloc, FreeLibrary, UnmapViewOfFile, GetLastError, CloseHandle, GetCurrentThreadId, lstrlenA, GetVersion, LocalAlloc, LocalHandle, LocalFree, GetProfileStringA, VirtualFree, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, SetEnvironmentVariableA, GetEnvironmentVariableA, GetEnvironmentStrings, FreeEnvironmentStringsA, GetVersionExA, CreateFileMappingA, lstrcpynA, CreateMutexA, WaitForSingleObject, lstrcmpiA, OpenFileMappingA, MapViewOfFile, GetTimeFormatA, ExitProcess, GetCommandLineA, HeapDestroy, SetFilePointer, GetStringTypeW, GetComputerNameA, ReadFile, SetEndOfFile, RtlUnwind, InterlockedIncrement, InterlockedDecrement, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetFileType, GetStdHandle, GetStartupInfoA, GetCurrentProcess, TerminateProcess, SetHandleCount, LCMapStringW, LCMapStringA, CreateFileA, SetStdHandle, HeapFree, HeapAlloc, GetStringTypeA, TlsAlloc, HeapCreate, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, TlsGetValue, SetLastError, HeapReAlloc, TlsSetValue, TlsFree, GetACP, GetOEMCP, GetModuleHandleA, FlushFileBuffers, WriteFile, GetCPInfo
> USER32.dll: GetParent, GetKeyState, AttachThreadInput, GetAsyncKeyState, GetWindowThreadProcessId, GetForegroundWindow, FindWindowA, keybd_event, SetWindowPos, wsprintfA, SetCursorPos, MessageBoxA, GetWindowRect, SetForegroundWindow, GetDesktopWindow, GetSystemMetrics, GetWindowLongA
> GDI32.dll: GetDeviceCaps, TextOutA, StartDocA, StartPage, EndDoc, DeleteDC, CreateDCA, CreateFontIndirectA, SelectObject, DeleteObject, GetTextMetricsA, SetMapMode, LPtoDP, EndPage, AbortDoc, GetTextExtentPoint32A, ResetDCA, SetBkMode
> WINSPOOL.DRV: DeviceCapabilitiesA, DocumentPropertiesA, EndPagePrinter, WritePrinter, StartDocPrinterA, StartPagePrinter, EndDocPrinter, EnumPrintersA, ClosePrinter, OpenPrinterA
> comdlg32.dll: PrintDlgA
> ADVAPI32.dll: RegSetValueExA, GetUserNameA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyExA, RegCreateKeyExA, RegDeleteValueA, RegFlushKey, DeregisterEventSource, ReportEventA, RegisterEventSourceA
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 43 exports )
_Java_hob_comm_Hobjni_dummy@@YGXPAUJNIEnv_@@PAV_jobject@@PAV_jstring@@JJJJJ@Z, _Java_hob_comm_Hobjni_getCharWidth@@YGJPAUJNIEnv_@@PAV_jobject@@PAV_jstring@@@Z, _Java_hob_comm_Hobjni_hPhysicalOffset@@YGPAV_jintArray@@PAUJNIEnv_@@PAV_jobject@@J@Z, _Java_hob_comm_Hobjni_GetUserPath@12, _Java_hob_comm_Hobjni_argetNativePrtDlg@12, _Java_hob_comm_Hobjni_delRegistryValue@20, _Java_hob_comm_Hobjni_getAsyncKeyState@12, _Java_hob_comm_Hobjni_getComputerName@8, _Java_hob_comm_Hobjni_getDefaultPrt@8, _Java_hob_comm_Hobjni_getEnvironment@8, _Java_hob_comm_Hobjni_getEnvironmentValue@12, _Java_hob_comm_Hobjni_getKeyState@12, _Java_hob_comm_Hobjni_getProductDHOMPort@16, _Java_hob_comm_Hobjni_getPrtList@8, _Java_hob_comm_Hobjni_getRegObjValue@20, _Java_hob_comm_Hobjni_getRegistrySubkeys@16, _Java_hob_comm_Hobjni_getRegistryValue@20, _Java_hob_comm_Hobjni_getSSO@8, _Java_hob_comm_Hobjni_getSysUserPw@8, _Java_hob_comm_Hobjni_getTimeZoneInfo@8, _Java_hob_comm_Hobjni_getVersion@12, _Java_hob_comm_Hobjni_hAbortPrinterGdi@12, _Java_hob_comm_Hobjni_hClosePrinterEsc@12, _Java_hob_comm_Hobjni_hClosePrinterGdi@12, _Java_hob_comm_Hobjni_hEndPageGdi@12, _Java_hob_comm_Hobjni_hGetPhysicalEdge@12, _Java_hob_comm_Hobjni_hLoadFont@32, _Java_hob_comm_Hobjni_hOpenPrinterEsc@16, _Java_hob_comm_Hobjni_hOpenPrinterGdi@16, _Java_hob_comm_Hobjni_hOpenPrinterGdiDlg@12, _Java_hob_comm_Hobjni_hPrintEsc@20, _Java_hob_comm_Hobjni_hPrintGdi@28, _Java_hob_comm_Hobjni_hSetDrawer@16, _Java_hob_comm_Hobjni_hSetOrientation@16, _Java_hob_comm_Hobjni_hStartPageGdi@12, _Java_hob_comm_Hobjni_keybdEvent@16, _Java_hob_comm_Hobjni_putRegistryValue@24, _Java_hob_comm_Hobjni_removeProductDHOMPort@12, _Java_hob_comm_Hobjni_setCursorPos@16, _Java_hob_comm_Hobjni_setEnvironmentValue@16, _Java_hob_comm_Hobjni_setProductDHOMPort@16, _Java_hob_comm_Hobjni_setRegObjValue@24, _Java_hob_comm_Hobjni_setWindowPos@32

#6 kahdah


Posted 04 January 2009 - 10:01 AM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#7 sunshah


Posted 04 January 2009 - 10:38 AM

Thanks. Here are the log details:

Malwarebytes' Anti-Malware 1.31
Database version: 1610
Windows 5.1.2600 Service Pack 3

1/4/2009 10:37:23 AM
mbam-log-2009-01-04 (10-37-23).txt

Scan type: Quick Scan
Objects scanned: 67691
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 kahdah


Posted 04 January 2009 - 12:46 PM

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 sunshah


Posted 04 January 2009 - 11:47 PM

Thanks. Here is the scan report:

KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 05, 2009 01:18:46
Records in database: 1560717
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 67616
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:31:03


File name / Threat name / Threats count
C:\Documents and Settings\Sanjay\Desktop\Dokumente und EinstellungenAll UsersStartmenuProgrammeAutostartoffice.exe
Infected: Trojan.Win32.Agent.acir 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dkabncga.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\piknch.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fpf 1

The selected area was scanned.

#10 kahdah


Posted 05 January 2009 - 08:28 AM

Please delete this file; it should be on your desktop:
C:\Documents and Settings\Sanjay\Desktop\Dokumente und EinstellungenAll UsersStartmenuProgrammeAutostartoffice.exe

Empty your recycle bin, then let me know how everything is running.

#11 sunshah


Posted 05 January 2009 - 08:54 AM

I have deleted the file
C:\Documents and Settings\Sanjay\Desktop\Dokumente und EinstellungenAll UsersStartmenuProgrammeAutostartoffice.exe and emptied the recycle bin.

Now everything seems to be running just fine.

Is there anything I should do so as to avoid such virus issues in future? Please provide any advice/suggestions.

Again, thank you for all your help. Keep up the great work you guys are doing. Wish you all the hearty good wishes, and God bless.

#12 kahdah


Posted 05 January 2009 - 09:21 AM

Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove the tools we used.
===============
Use a Firewall:

Install and use a firewall with outbound protection.
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers.
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or ZoneAlarm.
See BleepingComputer's excellent tutorial to help using and understanding a firewall here.
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete/uninstall anything else that we have used.

Including this folder C:\Rsit

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article - To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, please read the Prevention article by Miekiemoes.

If your computer is slow - A tutorial on what you can do if your computer is slow.

Edited by kahdah, 05 January 2009 - 09:22 AM.




