Infected with WIN32.Worm.KdCrypt


This topic is locked (21 replies)

#1 darrod64

Posted 02 February 2009 - 02:25 PM

I've been getting a "DWWIN.exe" "C:\WINDOWS\system32\RASAPI32.dll is not a valid Windows image" error when trying to run anti-spyware and malware/virus programs, as well as several other DLL and "bad image" error messages when trying to open Outlook Express.


Started the computer in safe mode and ran SDFix, Fixwareout, ATF Cleaner, Spybot S&D, and Ad-Aware, which came up with WIN32.Worm.KdCrypt as well as 13 suspicious object files, but I am still getting error messages.




DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 13:49:41.71 on Mon 02/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.407 [GMT -5:00]

AV: Sympatico Security Manager Anti-Virus *On-access scanning enabled* (Updated)
FW: Sympatico Security Manager Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Bell\Security Manager\Fws.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\Process Lasso\ProcessLasso.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\bell\security manager\pkR.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ProcessSupervisorGUI] c:\program files\process lasso\ProcessLasso.exe /tray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Security Manager] "c:\program files\bell\security manager\Rps.exe"
mRun: [ProcessGovernor] c:\program files\process lasso\processgovernor.exe
mRun: [SSA.exe] "c:\program files\bell\sympatico security advisor\SSA.exe" /AUTORUN
mRun: [Sympatico Security Manager] "c:\program files\bell\security manager\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\bell\security manager\ZkRunOnceR.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: &Viewpoint Search
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://maps.city.peterborough.on.ca/CFIDE/classes/CFJava.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} - hxxp://www1.city.peterborough.on.ca/eForms/DisplayListX.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://maps.city.peterborough.on.ca/MapGuide/ver6313/mgaxctrl.cab
DPF: {63BAECA2-9E3C-45DE-B2B1-BBC5FA99958E} - ftp://download.sympatico.ca/OnlineNA/BellCanadaPortalAX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120248019054
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120306208406
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} - hxxp://upgradecentre.sympatico.ca/controls/emcconfig.cab
DPF: {88DF27F7-EA51-4314-A08B-901A05D2B690} - hxxp://eserv.sympatico.ca/netassistant/controls/BellCanadaPortalAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38535.2385300926
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Handler: intu-qt2006 - {13834D94-C631-4cd1-963D-9B5F4593B127} - c:\quicktax 2006\qt2006\ic2006pp.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\qvi002zk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nfl.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npEMCClntCfg6x.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 942416]
R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\personal vault\VaultClientUpgrade.exe [2008-3-7 53248]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\hitman pro\hitmanpro2.sys --> c:\program files\hitman pro\hitmanpro2.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-7-10 42112]
S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\bell\security manager\RpsSecurityAware.exe [2008-3-10 67824]
S4 Atporm06af;Atporm06af; [x]

=============== Created Last 30 ================

2009-01-31 07:42 <DIR> --d----- c:\documents and settings\hp_owner\OTScanIt2
2009-01-29 19:57 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-29 19:51 <DIR> --d----- c:\windows\ERUNT
2009-01-29 19:42 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2009-01-29 19:37 <DIR> --d----- C:\SDFix
2009-01-29 19:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-29 19:26 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-29 19:26 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-29 19:26 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-29 19:26 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-29 19:26 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-29 19:26 <DIR> --d----- C:\4b37533c751055d7264c1336
2009-01-29 19:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-29 19:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-29 19:08 <DIR> --d-hr-- C:\AHCache
2009-01-27 06:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-26 14:57 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-26 14:48 <DIR> --d----- c:\docume~1\hp_owner\applic~1\VersionTracker Pro
2009-01-26 14:39 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-12 16:24 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-01-29 19:30 472,034 a------- c:\windows\system32\PerfStringBackup.TMP
2009-01-03 06:23 3,248 a------- c:\program files\INSTALL.LOG
2008-12-15 08:49 71,048 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-06 13:19 37,152 a------- c:\windows\DIIUnin.dat
2008-10-29 08:34 32 a----r-- c:\documents and settings\all users\hash.dat
2006-11-02 16:43 92,064 a------- c:\documents and settings\hp_owner\mqdmmdm.sys
2006-11-02 16:43 79,328 a------- c:\documents and settings\hp_owner\mqdmserd.sys
2006-11-02 16:43 66,656 a------- c:\documents and settings\hp_owner\mqdmbus.sys
2006-11-02 16:43 25,600 a------- c:\documents and settings\hp_owner\usbsermptxp.sys
2006-11-02 16:43 22,768 a------- c:\documents and settings\hp_owner\usbsermpt.sys
2006-11-02 16:43 9,232 a------- c:\documents and settings\hp_owner\mqdmmdfl.sys
2006-11-02 16:43 6,208 a------- c:\documents and settings\hp_owner\mqdmcmnt.sys
2006-11-02 16:43 5,936 a------- c:\documents and settings\hp_owner\mqdmwhnt.sys
2006-11-02 16:43 4,048 a------- c:\documents and settings\hp_owner\mqdmcr.sys
2005-06-12 19:15 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 13:50:37.70 ===============

#2 darrod64 (Topic Starter)

Posted 03 February 2009 - 06:13 AM

I ran an Ad-Aware scan last night in normal mode and it came up clean, but I am still concerned about these bad image errors that I am getting. Also, I almost forgot: when I try to run Spybot S&D Immunize, something weird is happening. I updated the files, then ran a check in Immunize; there were some unprotected files, so I clicked Immunize, and when it was finished the number of unprotected files had increased dramatically. Any thoughts on this?


Thanks, Darren

Edited by darrod64, 03 February 2009 - 06:36 AM.


#3 kahdah (Security Colleague)

Posted 15 February 2009 - 10:01 AM

Hello darrod64

Welcome to BleepingComputer :thumbup2:
========================
Please post an updated dds log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#4 darrod64 (Topic Starter)

Posted 15 February 2009 - 12:24 PM

Hello Kahdah,

Here is the new DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by HP_Owner at 12:19:19.93 on 15/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.297 [GMT -5:00]

AV: Sympatico Security Manager Anti-Virus *On-access scanning disabled* (Updated)
FW: Sympatico Security Manager Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Bell\Security Manager\Fws.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Personal Vault\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Bell\Security Manager\Rps.exe
C:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Process Lasso\ProcessLasso.exe
C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\bell\security manager\pkR.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [ProcessSupervisorGUI] c:\program files\process lasso\ProcessLasso.exe /tray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [BellCanada_McciTrayApp] c:\program files\bellcanada\McciTrayApp.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Security Manager] "c:\program files\bell\security manager\Rps.exe"
mRun: [ProcessGovernor] c:\program files\process lasso\processgovernor.exe
mRun: [SSA.exe] "c:\program files\bell\sympatico security advisor\SSA.exe" /AUTORUN
mRun: [Sympatico Security Manager] "c:\program files\bell\security manager\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\bell\security manager\ZkRunOnceR.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRunOnce: [IndexCleaner] "c:\program files\bell\security manager\IdxClnR.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Viewpoint Search
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} - hxxp://maps.city.peterborough.on.ca/CFIDE/classes/CFJava.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2DFA3F5C-C7D8-44C2-A420-EC11E00C3F28} - hxxp://www1.city.peterborough.on.ca/eForms/DisplayListX.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://maps.city.peterborough.on.ca/MapGuide/ver6313/mgaxctrl.cab
DPF: {63BAECA2-9E3C-45DE-B2B1-BBC5FA99958E} - ftp://download.sympatico.ca/OnlineNA/BellCanadaPortalAX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120248019054
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120306208406
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {850F23ED-AC36-4E9D-A5BB-B0AAE453FEAE} - hxxp://upgradecentre.sympatico.ca/controls/emcconfig.cab
DPF: {88DF27F7-EA51-4314-A08B-901A05D2B690} - hxxp://eserv.sympatico.ca/netassistant/controls/BellCanadaPortalAX.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38535.2385300926
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: intu-qt2006 - {13834D94-C631-4cd1-963D-9B5F4593B127} - c:\quicktax 2006\qt2006\ic2006pp.dll
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\qvi002zk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nfl.com/
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdrmv2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdsplay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npEMCClntCfg6x.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwmsdrm.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 VaultClientUpgrade;Personal Vault Upgrade Service;c:\program files\personal vault\VaultClientUpgrade.exe [2008-3-7 53248]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\hitman pro\hitmanpro2.sys --> c:\program files\hitman pro\hitmanpro2.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-7-10 42112]
S3 Radialpoint Security Services;Sympatico Security Manager;c:\program files\bell\security manager\RpsSecurityAware.exe [2008-3-10 67824]
S4 Atporm06af;Atporm06af; [x]

=============== Created Last 30 ================

2009-02-15 10:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-14 17:53 <DIR> --d----- c:\program files\common files\LogiShared
2009-02-14 17:53 127,034 -----r-- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-02-14 17:50 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-02-14 17:49 163,840 a------- c:\windows\system32\kemutb.dll
2009-02-14 17:49 135,168 a------- c:\windows\system32\KemUtil.dll
2009-02-14 17:49 110,592 a------- c:\windows\system32\KemWnd.dll
2009-02-14 17:49 69,632 a------- c:\windows\system32\KemXML.dll
2009-02-02 18:33 <DIR> --d----- c:\program files\SD EnterNET
2009-01-31 07:42 <DIR> --d----- c:\documents and settings\hp_owner\OTScanIt2
2009-01-29 19:57 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-29 19:51 <DIR> --d----- c:\windows\ERUNT
2009-01-29 19:37 <DIR> --d----- C:\SDFix
2009-01-29 19:27 <DIR> --d----- c:\windows\system32\XPSViewer
2009-01-29 19:26 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-01-29 19:26 117,760 -------- c:\windows\system32\prntvpt.dll
2009-01-29 19:26 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-01-29 19:26 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-01-29 19:26 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-01-29 19:26 <DIR> --d----- C:\4b37533c751055d7264c1336
2009-01-29 19:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-01-29 19:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-01-29 19:08 <DIR> --d-hr-- C:\AHCache
2009-01-27 06:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-26 14:57 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-26 14:48 <DIR> --d----- c:\docume~1\hp_owner\applic~1\VersionTracker Pro
2009-01-26 14:39 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-29 19:30 472,034 a------- c:\windows\system32\PerfStringBackup.TMP
2009-01-03 06:23 3,248 a------- c:\program files\INSTALL.LOG
2008-12-15 08:49 71,048 a---h--- c:\windows\system32\mlfcache.dat
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-06 13:19 37,152 a------- c:\windows\DIIUnin.dat
2008-10-29 08:34 32 a----r-- c:\documents and settings\all users\hash.dat
2006-11-02 16:43 92,064 a------- c:\documents and settings\hp_owner\mqdmmdm.sys
2006-11-02 16:43 79,328 a------- c:\documents and settings\hp_owner\mqdmserd.sys
2006-11-02 16:43 66,656 a------- c:\documents and settings\hp_owner\mqdmbus.sys
2006-11-02 16:43 25,600 a------- c:\documents and settings\hp_owner\usbsermptxp.sys
2006-11-02 16:43 22,768 a------- c:\documents and settings\hp_owner\usbsermpt.sys
2006-11-02 16:43 9,232 a------- c:\documents and settings\hp_owner\mqdmmdfl.sys
2006-11-02 16:43 6,208 a------- c:\documents and settings\hp_owner\mqdmcmnt.sys
2006-11-02 16:43 5,936 a------- c:\documents and settings\hp_owner\mqdmwhnt.sys
2006-11-02 16:43 4,048 a------- c:\documents and settings\hp_owner\mqdmcr.sys
2005-06-12 19:15 774,144 ac------ c:\program files\RngInterstitial.dll

============= FINISH: 12:20:58.17 ===============

Attached Files
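As an added example that is not part of this thread or of the DDS tool itself: a small Python parser for the `SERVICES / DRIVERS` lines of the DDS log above, which separates the state letter, start type, names and image path and flags the two cases a helper asks about, a `[?]` entry (path listed but no date/size recorded) and an `[x]` entry (no image path at all, as with `Atporm06af`). The sample lines are copied from the log; the finding texts are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample copied from the DDS "SERVICES / DRIVERS" section of the log above.
SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-26 64160]
S3 hitmanpro2;Hitman Pro 2 Driver;\??\c:\program files\hitman pro\hitmanpro2.sys --> c:\program files\hitman pro\hitmanpro2.sys [?]
S4 Atporm06af;Atporm06af; [x]
"""

# R = running, S = stopped; the digit is the service start type (0 boot ... 4 disabled).
# Then: short name;display name;image path [date size | ? | x]
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]*);([^;]*);(.*?)\s*\[([^\]]*)\]$")


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    image: str
    info: str  # "YYYY-M-D size", "?" or "x", exactly as DDS prints it

    def finding(self) -> Optional[str]:
        """Reason to follow up on this entry, or None if it looks routine."""
        if self.info == "x":
            return "no image path recorded; ask for the registry entry"
        if self.info == "?":
            return "path listed but no date/size read; check the file exists"
        return None


def parse_services(text: str) -> List[Service]:
    """Parse every well-formed service/driver line; skip anything else."""
    out: List[Service] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, image, info = m.groups()
        out.append(Service(state == "R", int(start), name, display, image.strip(), info.strip()))
    return out


def triage(text: str) -> List[str]:
    """'name: reason' for each entry whose image could not be verified."""
    return [f"{s.name}: {s.finding()}" for s in parse_services(text) if s.finding()]
```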



#5 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 15 February 2009 - 12:28 PM

Also, last night I did another online Kaspersky scan and it came up with two Trojan-Downloaders: Win32.Agent.bfrf and WMA.GetCodec.c.

Unfortunately I was unable to save the scan results, but I did write down the files that were infected.

Thanks Darren

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 February 2009 - 12:47 PM

Hi, can you tell me the files that are infected please?

Also, what is giving you the alert WIN32.Worm.KdCrypt?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#7 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 15 February 2009 - 02:04 PM

The files are C:\Documents and Settings\Ryan\Desktop\Programs Files\VirtualVillagers2Setup.exe (Trojan-Downloader.Win32.Agent.bfrf)

C:\Documents and Settings\Ryan\Shared\its pitch dark mc frontalot.mp3 (Trojan-Downloader.WMA.GetCodec.c)

I got the WIN32.Worm.KdCrypt from an AdAware scan that I ran in safe mode.

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 February 2009 - 03:13 PM

Please delete those 2 files, then also see if you can get me the file location of the file that Ad-Aware found.

#9 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 15 February 2009 - 04:21 PM

kahdah

I deleted those two files.

I cannot find the file location that Ad-Aware found Win32.Worm.KdCrypt in, although in the statistics it has it as quarantined.

When this first started happening I was having problems doing any spyware, malware or anti-virus scans without them freezing up. I also was unable to save logs.

Even now I cannot run spybot correctly to immunize.

#10 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 15 February 2009 - 06:15 PM

Have you tried to uninstall Spybot?
If not, then try to uninstall it and re-install it.

Also, as a final check, perform the next online scan:

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

#11 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 16 February 2009 - 12:23 AM

Kahdah

I have uninstalled and reinstalled Spybot but it did not make a difference. I will try again tomorrow (Mon.).

I tried to do the ESET scan but was unable to download the ActiveX control; I kept getting a message that Windows had blocked the download because it was from an unknown publisher.

I tried changing the Internet Options settings to allow the download but couldn't seem to find the correct ones.

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 16 February 2009 - 07:31 AM

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Post that log in your next reply.
(Note: if you cannot open the log it produces, then right-click on it and choose Rename.
Rename it to .txt and you will be able to open it.)

#13 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 17 February 2009 - 06:32 AM

Tried to do the Dr.Web scan two or three times yesterday and overnight, but it crashed each time.

The first time it was about six hours in (3/4 of the way through) when it crashed. It had turned up some more things and cured some, but was not able to cure all.

I will try to do this scan again on the weekend, as I will be working the rest of the week and would like to do this while I can keep an eye on it and record the results manually, in case of another crash.

Thanks

#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 17 February 2009 - 07:48 AM

Ok, let me know.

#15 darrod64

darrod64
  • Topic Starter

  • Members
  • 21 posts

Posted 19 February 2009 - 08:57 AM

Kahdah

Ran the Dr.Web scan, took about 30 hrs. Here's the log (actually two logs).

Attached Files