
I believe I've been infected by some nasty horrible Trojans


This topic is locked
2 replies to this topic

#1 rurbelis


Posted 13 January 2009 - 12:05 AM

I very unfortunately have stumbled upon what seem to be some absolutely awful viruses. I think it was from a video streaming site but I'm not exactly sure. At first it started with zillions of IE pop-ups (I never use IE, I use firefox). I then ran ad-aware and it seemed to catch some things, but not nearly everything. I now have a scary warning as my wallpaper saying, "Warning: Dangerous Spyware: Many viruses were found on your computer such as : Trogan horse, Passcapture etc. Your personal information can fall into "third hands". Please check up the computer with a special software. Thank" (word for word)

I'm really not good at this type of thing (probably precisely why this happened...) so I'm not sure what to do. Thank you so much for any and all assistance in advance!

DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 23:34:24.06 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.360 [GMT -5:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Spyware Guard 2009\spywareguard.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Owner.Happy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winscenter.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.Happy\My Documents\downloads\dds(2).scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.gatewaybiz.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: {5589fb23-27d5-212b-c134-232da7b5fb42}: {24bf5b7a-d232-431c-b212-5d7232bf9855} - c:\windows\system32\wvgfjw.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6625f1c2-d029-440c-8f89-fbf798e3f11a} - c:\windows\system32\awtqnlLd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {BBFA4086-AE89-41F3-BB95-F9C74BE72735} - No File
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\owner.happy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [_AntiSpyware] c:\progra~1\mcafee\mcafee~1\masalert.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Lbafajapimogud] rundll32.exe "c:\windows\owiwusuy.dll",e
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [647ae62c] rundll32.exe "c:\windows\system32\ymqvkodm.dll",b
mRun: [BDAgent] "c:\program files\softwin\bitdefender10\bdagent.exe"
mRun: [spywareguard] c:\program files\spyware guard 2009\spywareguard.exe
mRunOnce: [wextract_cleanup0] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\owner~1.hap\locals~1\temp\ixp000.tmp\"
StartupFolder: c:\docume~1\owner~1.hap\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: antimalwareguard.com
Notify: AtiExtEvent - Ati2evxx.dll
Notify: wvUnNDTL - wvUnNDTL.dll
AppInit_DLLs: neerfj.dll wvgfjw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: ieModule - {9BEAFC1D-B220-422F-9CCF-D097DC2D65D6} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\ieModule.dll
SSODL: InternetConnection - {971965C9-9B40-4185-AEC2-9FCFF35E9C58} - c:\documents and settings\all users\application data\microsoft\internet explorer\dlls\gozypdptub.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtqnlLd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.hap\applic~1\mozilla\firefox\profiles\h3unv8c8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\owner.happy\application data\mozilla\firefox\profiles\h3unv8c8.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\owner.happy\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {E57A90F5-BCAA-4DA7-978C-B8C43940CC1A} - c:\documents and settings\owner.happy\local settings\application data\{E57A90F5-BCAA-4DA7-978C-B8C43940CC1A}
FF - HiddenExtension: XUL Cache: {2B3AD37F-42CA-4542-B229-78DFBDB32EF2} - c:\windows\system32\config\systemprofile\local settings\application data\{2b3ad37f-42ca-4542-b229-78dfbdb32ef2}\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-10 111184]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-10 352920]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-10 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-10 155160]
R4 McAfee AntiSpyware Service;McAfee AntiSpyware Service;c:\progra~1\mcafee\mcafee antispyware\massrv.exe [2005-11-7 876544]
R4 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-11-7 126976]
R4 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-11-7 122368]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2005-11-23 69692]
S3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-1-15 221184]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-1-15 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-11-8 114464]

=============== Created Last 30 ================

2009-01-11 18:07 <DIR> --d----- c:\docume~1\owner~1.hap\applic~1\MSNInstaller
2009-01-10 15:19 <DIR> --d----- c:\docume~1\owner~1.hap\applic~1\Bitdefender
2009-01-10 14:42 384,512 a------- c:\windows\system32\winscenter.exe
2009-01-10 14:09 1,003,957 a------- c:\windows\sysexplorer.exe
2009-01-10 14:09 134,149 a------- c:\windows\reged.exe
2009-01-10 14:09 51,197 a------- c:\windows\spoolsystem.exe
2009-01-10 14:09 50,620 a------- c:\windows\sys.com
2009-01-10 14:09 47,872 a------- c:\windows\syscert.exe
2009-01-10 14:09 18,941 a------- c:\windows\vmreg.dll
2009-01-10 14:09 <DIR> --d----- c:\program files\Spyware Guard 2009
2009-01-10 13:46 81,984 a------- c:\windows\system32\bdod.bin
2009-01-10 13:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-01-10 13:37 <DIR> --d----- c:\program files\Softwin
2009-01-10 13:31 <DIR> --d----- c:\program files\common files\Softwin
2009-01-10 13:29 <DIR> --d----- c:\program files\Trend Micro
2009-01-10 12:06 97 a------- c:\windows\system32\mcrh.tmp
2009-01-09 18:03 14,336 a------- c:\windows\system32\senekapnwnsbtb.dll
2009-01-09 18:01 133,120 a------- c:\windows\system32\wvgfjw.dll
2009-01-09 18:01 133,120 a------- c:\windows\system32\bfpvqjgb.dll
2009-01-09 18:01 1,334,189 a--sh--- c:\windows\system32\itpfnyyf.ini
2009-01-08 02:12 0 a------- c:\windows\system32\Xxy10BB5.exe.a_a
2009-01-08 01:25 1,334,189 a--sh--- c:\windows\system32\mdokvqmy.ini
2009-01-08 01:20 59,904 a------- c:\windows\system32\drivers\TDSSmqlt.sys
2009-01-06 03:02 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-06 02:39 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-06 02:39 4,785 a------- c:\windows\system32\warning.gif
2009-01-06 02:38 111,616 a------- c:\windows\system32\ntdll64.exe
2009-01-06 01:04 1 a------- c:\windows\system32\uniq.tll
2009-01-05 14:06 137,216 a------- c:\windows\owiwusuy.dll
2009-01-05 13:42 1,306,349 a--sh--- c:\windows\system32\krqenljl.ini
2009-01-05 13:29 695,197 a--sh--- c:\windows\system32\dLlnqtwa.ini2
2009-01-05 13:29 695,197 a--sh--- c:\windows\system32\dLlnqtwa.ini
2009-01-05 13:28 3 a------- c:\windows\system32\senekadf.dat
2009-01-05 13:28 59 a------- c:\windows\system32\seneka.dat
2009-01-05 13:23 41,321 a------- c:\windows\system32\senekalog.dat
2008-12-23 20:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Soulseek
2008-12-23 20:02 <DIR> --d----- c:\program files\SoulseekNS
2008-12-19 02:20 5,632 a------- c:\windows\system32\ptpusb.dll
2008-12-19 02:20 159,232 a------- c:\windows\system32\ptpusd.dll
2008-12-19 02:20 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2008-12-19 02:20 15,104 a------- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-16 05:20 667,648 a------- c:\windows\system32\wininet.dll
2007-05-31 23:30 142 ac------ c:\docume~1\owner~1.hap\applic~1\wklnhst.dat

============= FINISH: 23:34:46.40 ===============
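
Reading a DDS log like the one above comes down to checking a handful of load points. The script below is an added example, not part of the post or of the DDS tool: it runs those checks over a constructed subset of the posted lines, counting the installed antivirus engines (the point raised in the reply that follows) and flagging AppInit_DLLs, extra LSA authentication packages, Trusted Zone additions, BHOs with no product name, and Run entries that load a DLL through rundll32. The rule names and thresholds are the author's choice, not DDS output.

```python
import re

# Constructed sample: a subset of the lines from the DDS log posted in this thread.
SAMPLE_LOG = r"""
AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
BHO: {5589fb23-27d5-212b-c134-232da7b5fb42}: {24bf5b7a-d232-431c-b212-5d7232bf9855} - c:\windows\system32\wvgfjw.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6625f1c2-d029-440c-8f89-fbf798e3f11a} - c:\windows\system32\awtqnlLd.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Lbafajapimogud] rundll32.exe "c:\windows\owiwusuy.dll",e
mRun: [647ae62c] rundll32.exe "c:\windows\system32\ymqvkodm.dll",b
Trusted Zone: antimalwareguard.com
AppInit_DLLs: neerfj.dll wvgfjw.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awtqnlLd
"""

GUID = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
BHO = re.compile(r"^BHO: (?:(?P<name>.+?): )?(?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUN = re.compile(r"^[umd]Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$", re.I)

def resident_av(text):
    """Return (installed, active): every AV product listed, and those with on-access scanning on."""
    installed, active = [], []
    for line in text.splitlines():
        if line.startswith("AV: "):
            name = line[4:].split(" *")[0]
            installed.append(name)
            if "*On-access scanning enabled*" in line:
                active.append(name)
    return installed, active

def flag_persistence(text):
    """Return (rule, line) pairs for the load points a responder reads first."""
    flags = []
    for line in text.splitlines():
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            flags.append(("appinit_dlls", line))        # empty on a clean XP install
        elif line.startswith("LSA: Authentication Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":             # msv1_0 is the only default package
                    flags.append(("lsa_auth_package", line))
        elif line.startswith("Trusted Zone:"):
            flags.append(("trusted_zone", line))        # relaxes IE security for that site
        elif (m := BHO.match(line)):
            if m["name"] is None or GUID.match(m["name"]):
                flags.append(("unnamed_bho", line))     # legitimate BHOs carry a product name
        elif (m := RUN.match(line)) and m["cmd"].lower().startswith("rundll32.exe"):
            flags.append(("rundll32_run", line))        # a DLL run with no owning program
    return flags

if __name__ == "__main__":
    installed, active = resident_av(SAMPLE_LOG)
    print(f"{len(installed)} AV products installed, {len(active)} with on-access scanning enabled")
    for rule, line in flag_persistence(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```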

#2 miekiemoes


Posted 13 January 2009 - 05:58 AM

Hi,

I see you are running Teatimer.
I suggest you disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If Teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.


I notice from your log that there's more than one Antivirus installed: Avast, McAfee and Bitdefender.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.

Then,
  • Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Edited by miekiemoes, 13 January 2009 - 05:58 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes


Posted 26 January 2009 - 06:39 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.