Trojan uses network even when in Safe Mode


  • This topic is locked
4 replies to this topic

#1 expedient


Posted 12 January 2009 - 01:02 AM

Cannot install programs
Removed startup entries return
Run from CD under Safe Mode


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by Tim at 21:51:38.17 on Sun 01/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.600 [GMT -8:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Tim\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com
uWindow Title =
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Shell=explorer.exe, killer.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRunOnce: [<NO NAME>]
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: immigration.gov\egov
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: gzipmod - gzipmod.dll

============= SERVICES / DRIVERS ===============

S1 vbagz;VBA2 PnP Driver;c:\windows\system32\vbagz.sys --> c:\windows\system32\vbagz.sys [?]
S3 PID_0960_V;Logitech ClickSmart 420(PID_0960_V);c:\windows\system32\drivers\LVVIMULB.SYS [2007-3-16 163328]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2007-5-18 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2007-5-18 498464]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 Messengerw32time;Messenger Messengerw32time;c:\windows\system32\advpackt.exe srv --> c:\windows\system32\ADVPACKt.exe srv [?]

=============== Created Last 30 ================

2009-01-11 14:45 61,440 a------- c:\windows\system32\flcss.exe
2009-01-11 14:39 <DIR> --d----- C:\anti-virus
2009-01-11 13:13 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-01-08 17:39 <DIR> --d----- c:\program files\Trend Micro
2008-12-30 16:45 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-30 16:39 32 a--s---- c:\windows\system32\1015456417.dat
2008-12-30 16:33 338 a------- c:\windows\system32\vsconfig.xml
2008-12-30 16:32 2,184 a------- c:\windows\system32\wpa.dbl
2008-12-29 15:26 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-29 14:29 53,248 a--sh--- c:\windows\Thumbs.db
2008-12-29 14:29 6,656 a--sh--- c:\windows\system32\Thumbs.db
2008-12-29 11:51 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-29 11:51 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-29 11:51 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-26 10:41 134,149 a------- c:\windows\reged.exe
2008-12-26 10:41 50,620 a------- c:\windows\sys.com
2008-12-26 10:40 28,677 a------- c:\docume~1\alluse~1\applic~1\svhost.exe
2008-12-25 10:11 120,900 a------- c:\windows\system32]00installer.exe
2008-12-25 03:02 130,560 a------- c:\windows\afijihanotiji.dll
2008-12-25 02:50 38,400 a------- c:\windows\Ogufuqewofehoco.dll
2008-12-23 14:32 7,056 a------- c:\windows\system32\drivers\wanatw4.sys

==================== Find3M ====================

2008-11-24 14:32 34,816 ---shr-- c:\windows\system32\ADVPACKt.exe
2008-10-24 03:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 08:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-06-02 14:33 3,902,784 a------- c:\documents and settings\tim\gosetup.exe
2007-08-20 20:39 64,224 ac------ c:\docume~1\tim\applic~1\GDIPFONTCACHEV1.DAT
2006-09-29 11:58 56,912 a------- c:\documents and settings\tim\g2mdlhlpx.exe

============= FINISH: 21:52:08.06 ===============


#2 DocSatan


Posted 27 January 2009 - 05:52 PM

Hello expedient,

I'm DocSatan and I'll be helping you with your computer problems. Sorry about your long wait. Please give me some time to analyze your DDS Log :thumbsup:

Reply back to this topic ASAP so that I know you are still interested in receiving assistance. I will not be posting any Fixes until I have heard back from you.


Thanks,

Doc.

#3 expedient


Posted 27 January 2009 - 06:24 PM

I managed to delete with Kaspersky on another system by setting up the hard drive as an external using a USB to IDE/SATA adapter from http://www.cablesunlimited.com

#4 DocSatan


Posted 28 January 2009 - 08:10 AM

expedient,

Do you still want help with this computer?

I can't tell from your last post. :thumbsup:

Doc.

#5 teacup61

  • Malware Response Team

Posted 02 February 2009 - 06:35 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic