
Formatted computer, trojan is coming back!


2 replies to this topic

#1 jlxyz

  • Members
  • 3 posts

Posted 19 January 2009 - 05:42 PM

So my computer was infected badly. Reluctantly I backed up my music and files and formatted the C drive, then re-installed XP Pro. The trojan is back though, because if I leave it idling, weird things will pop up, like the IE security thing asking me if I want to continue. I come to you asking for your help in removing this nasty thing, as I'm usually wary about what sites I visit and filenames and such, so my computer doesn't get infected on a regular basis like some people I know. I deleted csrscc and winlogun before scanning, so they might not be in the log files.

DDS (Ver_09-01-18.01) - NTFSx86
Run by Jory at 16:48:11.15 on Mon 01/19/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.412 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Jory\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [jsg8jfgfdfhfhf] c:\windows\temp\winlogun.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
uRun: [Aim6]
uRunOnce: [MPlayer2_FixUp] c:\windows\inf\unregmp2.exe /Fixups
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [jsg8jfgfdfhfhf] c:\windows\temp\winlogun.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRunOnce: [WMC_RebootCheck] c:\windows\inf\unregmp2.exe /FixUps
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: igfxcui - igfxsrvc.dll
STS: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jory\applic~1\mozilla\firefox\profiles\rh60p5x6.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-19 24652]

=============== Created Last 30 ================

2009-01-19 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-01-19 11:46 <DIR> --d----- c:\program files\Viewpoint
2009-01-19 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-01-19 11:45 <DIR> --d----- c:\program files\common files\AOL
2009-01-19 11:45 <DIR> --d----- c:\program files\AIM6
2009-01-19 11:45 392 a---h--- C:\IPH.PH
2009-01-19 11:16 <DIR> --d----- c:\windows\RegisteredPackages
2009-01-19 11:05 15,000 a------- c:\windows\system32\hsjefi8wunkmdf.dll
2009-01-19 11:05 <DIR> --d----- c:\program files\Microsoft Common
2009-01-18 04:49 146,048 ac------ c:\windows\system32\dllcache\portcls.sys
2009-01-18 04:43 <DIR> --d----- c:\program files\ABC
2009-01-18 03:09 316,640 a------- c:\windows\WMSysPr9.prx
2009-01-18 01:49 <DIR> --d----- c:\program files\VideoLAN
2009-01-18 00:48 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-18 00:48 33,792 -c------ c:\windows\system32\dllcache\custsat.dll
2009-01-18 00:43 19,569 a------- c:\windows\002706_.tmp
2009-01-18 00:39 <DIR> --d----- c:\windows\EHome
2009-01-18 00:23 163,840 a------- c:\windows\system32\igfxres.dll
2009-01-18 00:22 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-18 00:21 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-18 00:16 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-18 00:16 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-01-18 00:16 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-18 00:15 <DIR> --d----- c:\windows\system32\bits
2009-01-18 00:15 354,304 a------- c:\windows\system32\winhttp.dll
2009-01-18 00:15 18,944 a------- c:\windows\system32\qmgrprxy.dll
2009-01-18 00:15 438,784 -------- c:\windows\system32\xpob2res.dll
2009-01-18 00:15 8,192 -------- c:\windows\system32\bitsprx2.dll
2009-01-18 00:15 7,168 -------- c:\windows\system32\bitsprx3.dll
2009-01-18 00:12 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-01-18 00:12 213,528 a------- c:\windows\system32\wuaucpl.cpl
2009-01-18 00:12 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-01-18 00:12 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-01-18 00:12 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-01-18 00:11 <DIR> --ds---- c:\documents and settings\jory\UserData
2009-01-18 00:10 <DIR> --d----- C:\WUTemp
2009-01-18 00:10 191,488 a------- c:\windows\system32\iuengine.dll
2009-01-18 00:09 <DIR> --dsh--- c:\windows\Installer
2009-01-18 00:09 <DIR> --d----- c:\documents and settings\Jory
2009-01-18 00:08 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-18 00:06 185,344 ac------ c:\windows\system32\dllcache\thawbrkr.dll
2009-01-18 00:05 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-01-18 00:04 2,577 a------- c:\windows\system32\CONFIG.NT
2009-01-18 00:04 0 a------- c:\windows\control.ini
2009-01-18 00:04 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-01-18 00:04 23,392 a------- c:\windows\system32\nscompat.tlb
2009-01-18 00:04 16,832 a------- c:\windows\system32\amcompat.tlb
2009-01-18 00:04 299,552 a------- c:\windows\WMSysPrx.prx
2009-01-18 00:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-18 00:03 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-01-18 00:03 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-01-18 00:03 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-01-18 00:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-18 00:03 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-18 00:03 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-18 00:03 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-18 00:03 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-18 00:03 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-18 00:03 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-01-18 00:03 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-01-18 00:03 <DIR> --d----- c:\windows\system32\DirectX
2009-01-18 00:02 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-18 00:00 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-18 00:00 <DIR> --d----- c:\program files\Online Services
2009-01-18 00:00 <DIR> --d----- c:\program files\Messenger
2009-01-18 00:00 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-17 23:59 <DIR> --d----- c:\program files\Windows NT
2009-01-17 18:53 <DIR> --d----- c:\program files\common files\ODBC
2009-01-17 18:52 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-17 18:52 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-18 00:53 80,007 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-18 00:04 2,678 a------- c:\windows\java\packages\data\IBBHB5RH.DAT
2009-01-18 00:04 558,142 a------- c:\windows\java\packages\P7JHZZFB.ZIP
2009-01-18 00:04 2,678 a------- c:\windows\java\packages\data\TVNP77PJ.DAT
2009-01-18 00:04 155,995 a------- c:\windows\java\packages\2TV3VVH7.ZIP
2009-01-18 00:04 2,678 a------- c:\windows\java\packages\data\VLBLZF57.DAT
2009-01-18 00:04 2,678 a------- c:\windows\java\packages\data\QECPRBZH.DAT
2009-01-18 00:04 2,678 a------- c:\windows\java\packages\data\7BBDBVNN.DAT
2009-01-18 00:01 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 16:48:47.46 ===============
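Added example (not part of jlxyz's post and not a BleepingComputer or DDS tool): a Python script that reads the pseudo-HJT and "Created Last 30" lines of a DDS log like the one above and flags the indicators a responder would look at first: an extra executable chained onto the Userinit value, Run entries that launch from the temp folder, policy values that disable Registry Tools and Folder Options, and a BHO/STS module that was created within the reporting window. The sample lines are copied from the log above with a few benign entries kept for contrast; the rule names, regular expressions and the set of lockout policies are my own assumptions about the DDS line format as it appears here, not DDS's specification.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: lines copied from the DDS log posted above (the
# pseudo-HJT section plus two entries from "Created Last 30"); benign
# entries are kept so the rules have something to leave alone.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll
uRun: [jsg8jfgfdfhfhf] c:\windows\temp\winlogun.exe
uRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
uRun: [Aim6]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [jsg8jfgfdfhfhf] c:\windows\temp\winlogun.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
STS: c:\windows\system32\hsjefi8wunkmdf.dll: {c5af42a3-94f3-42bd-f634-3604832c897d} - c:\windows\system32\hsjefi8wunkmdf.dll
2009-01-19 11:05 15,000 a------- c:\windows\system32\hsjefi8wunkmdf.dll
2009-01-18 00:23 163,840 a------- c:\windows\system32\igfxres.dll
""".strip()

# Line shapes as they appear in this DDS log (assumed, not a DDS spec).
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(.*)$", re.I)
RUN_RE = re.compile(r"^([um]Run(?:Once)?): \[([^\]]*)\]\s*(.*)$")
LOAD_RE = re.compile(r"^(BHO|STS): .*? - (.+)$")  # trailing " - <dll path>"
POLICY_RE = re.compile(r"^[um]Policies-\w+: (\w+) = (\d+)")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:<DIR>|[\d,]+)\s+\S+\s+(.+)$")

# Policy values commonly flipped to 1 to hinder manual cleanup (assumed set).
LOCKOUT_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}


def analyze(log_text):
    """Return a list of findings, one dict (rule, line, detail) per flagged item."""
    findings = []
    loaded = {}   # lowercase DLL path -> set of load points ("BHO", "STS")
    created = {}  # lowercase path -> creation timestamp from "Created Last 30"

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; anything besides userinit.exe
            # runs at every interactive logon.
            for exe in filter(None, (p.strip() for p in m.group(1).split(","))):
                name = ntpath.basename(exe).lower()
                if name != "userinit.exe":
                    findings.append(dict(rule="userinit_chain", line=line, detail=name))
            continue

        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            # Legitimate software rarely autostarts from the temp folder.
            if "\\temp\\" in command.lower():
                findings.append(dict(rule="autorun_in_temp", line=line,
                                     detail=f"{hive} [{name}] -> {command}"))
            continue

        m = LOAD_RE.match(line)
        if m and m.group(2) != "No File":
            loaded.setdefault(m.group(2).lower(), set()).add(m.group(1))
            continue

        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key in LOCKOUT_POLICIES and value == 1:
                findings.append(dict(rule="policy_lockout", line=line, detail=key))
            continue

        m = CREATED_RE.match(line)
        if m:
            created[m.group(2).lower()] = m.group(1)

    # Cross-reference: a logon/shell-loaded module that also shows up in the
    # recently-created list deserves a second look.
    for path, points in sorted(loaded.items()):
        if path in created:
            findings.append(dict(rule="recently_created_module", line=path,
                                 detail=f"{'/'.join(sorted(points))} created {created[path]}"))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:24} {f['detail']}")
```

Run as-is it lists seven items from the sample: the ntos.exe entry chained onto Userinit, the three temp-folder Run entries, the two lockout policies, and the BHO/STS DLL created on 2009-01-19. Note that the temp-folder rule still fires for winlogun.exe and csrssc.exe even though the poster deleted those files before scanning, because the Run-key references survive deletion of the files; that is exactly why a responder wants the log before anything is removed.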

#2 jlxyz

  • Topic Starter
  • Members
  • 3 posts

Posted 22 January 2009 - 01:45 PM

Bump. It's also producing blank emails addressed to bogus web sites.

#3 shelf life

  • Malware Response Team
  • 2,651 posts

Posted 24 January 2009 - 09:31 AM

Hi,

"So my computer doesn't get infected on a regular basis"

There's no magic involved; you need to modify your computing habits.

"I deleted csrscc and winlogun before scanning"

I wouldn't delete anything just yet.

Your log is several days old. If you still need help, we will start with MBAM. Link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
*** Be sure that everything is checked, and click Remove Selected.***
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in reply.

How Can I Reduce My Risk to Malware?




