Infected with packed.win32.tdss.f


  • This topic is locked
2 replies to this topic

#1 yh73090

yh73090

  • Members
  • 1 posts
  • OFFLINE
  • Local time:02:01 PM

Posted 07 March 2009 - 06:38 PM

My Shield Deluxe software 2008 has indicated I have a Trojan and specified "Global\root\systemroot\system32\UACuoeqqwul.dll". I have not been able to successfully open the internet until today.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Yolanda at 15:26:27.77 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.402 [GMT -8:00]

AV: The Shield Deluxe 2008 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Yolanda\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~1\tools\iesdpb.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [dwStart]
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [bacstray] BacsTray.exe
mRun: [AVP] "c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\pcsecurityshield\the shield deluxe 2008\scieplugin.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
Trusted Zone: taxsoftware.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
LSA: Notification Packages = :\windows\system32\srrstr.dll cecli

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-3-3 110360]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-1-16 14336]
S2 AVP;The Shield Deluxe 2008;c:\program files\pcsecurityshield\the shield deluxe 2008\avp.exe [2007-8-23 200768]
S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\fardrive.sys --> c:\windows\system32\drivers\FarDrive.sys [?]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-03-06 21:52 <DIR> --d----- C:\fixwareout
2009-03-06 21:50 <DIR> --d----- C:\!KillBox
2009-03-05 20:14 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-05 20:14 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-05 20:14 <DIR> --d----- c:\program files\PCSecurityShield
2009-03-05 20:14 2,114,592 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-05 20:14 29,396 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-05 20:14 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-05 20:14 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-03 08:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSecurityShield
2009-03-03 06:16 21 a------- c:\windows\BCMSM.DMR
2009-03-01 19:55 <DIR> --d----- c:\program files\CCleaner
2009-02-28 08:40 1,170 a------- c:\windows\system32\WPA.DBL
2009-02-28 08:36 <DIR> --d----- c:\program files\Prisma Firewall
2009-02-28 08:25 11,383 a------- c:\windows\system32\nvModes.001
2009-02-27 18:24 <DIR> --d----- c:\program files\common files\The Shield Firewall
2009-02-25 02:22 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-02-21 08:09 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-21 08:07 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-21 08:07 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-21 08:07 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-21 08:07 117,760 -------- c:\windows\system32\prntvpt.dll
2009-02-21 08:07 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-21 08:07 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-02-21 08:07 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-21 08:06 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-20 19:19 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-03-03 22:37 11,383 a------- c:\windows\system32\nvModes.dat
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-09-15 19:03 60,744 a------- c:\documents and settings\yolanda\g2mdlhlpx.exe
2006-12-15 05:36 774,144 ac------ c:\program files\RngInterstitial.dll
2005-09-10 17:56 8 a------- c:\docume~1\yolanda\applic~1\usb.dat.bin
2008-09-29 15:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 15:27:07.65 ===============


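The DDS output above is the kind of log a Malware Response Team member triages by hand: orphaned BHO entries, an autorun value pointing at `c:\windows\svcho.exe` (a name one letter pair short of `svchost.exe`), a non-default LSA notification package, and a driver DDS could not read. As an added example that is not part of this thread and is not a BleepingComputer or DDS tool, the Python script below applies a few defender-side heuristics to lines mirrored from the post (a constructed sample). The rules themselves, the list of core Windows binaries used for the look-alike check, and the reading of DDS's `[?]` marker as "file could not be read" are assumptions of this example, not anything the thread states.

```python
"""Heuristic triage of a DDS log (the "Pseudo HJT Report" and SERVICES/DRIVERS sections).

Added example for this thread; not a BleepingComputer tool and not part of DDS.
The rules below are this example's own assumptions:
  * BHO/toolbar lines ending in "No File" are orphaned registry entries.
  * Autorun values with no command, or whose executable name is a near-miss of a
    core Windows binary (svcho.exe vs svchost.exe), deserve a closer look.
  * LSA Notification Packages other than the default scecli are listed for review.
  * Service/driver lines that DDS marks "[?]" are read as "file not readable".
  * UAC<random>.dll names are matched because of the filename quoted in the post.
"""
import re

# Core Windows binaries for the look-alike check (the list is an assumption).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "explorer.exe", "services.exe", "spoolsv.exe", "ctfmon.exe"}
AUTORUN_KEYS = ("uRun:", "mRun:", "uExplorerRun:", "mExplorerRun:")
UAC_NAME = re.compile(r"UAC[a-z]{6,}\.(?:dll|sys)")
EXE_NAME = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)
SERVICE_LINE = re.compile(r"[RS][0-4] ")

# Constructed sample: lines mirrored from the first post's log and prose.
SAMPLE = r"""
"Global\root\systemroot\system32\UACuoeqqwul.dll"
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uExplorerRun: [svcho] c:\windows\svcho.exe
LSA: Notification Packages = :\windows\system32\srrstr.dll cecli
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-1-27 175888]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
"""


def levenshtein(a, b):
    """Edit distance; inputs are short filenames, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary `name` imitates (distance <= 2), or None if exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if levenshtein(name, real) <= 2:
            return real
    return None


def triage_dds(text):
    """Return (severity, line, reason) tuples for lines worth a human's attention."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if UAC_NAME.search(line):
            findings.append(("high", line, "filename matches the UAC<random>.dll pattern from the post"))
        if line.startswith(("BHO:", "TB:")) and line.endswith("No File"):
            findings.append(("low", line, "orphaned BHO/toolbar entry (no file on disk)"))
        elif line.startswith(AUTORUN_KEYS):
            # Everything after the closing bracket of the value name is the command.
            cmd = line.split("]", 1)[1].strip() if "]" in line else ""
            m = EXE_NAME.search(cmd)
            if not cmd:
                findings.append(("low", line, "autorun value with no command"))
            elif m and lookalike(m.group(0)):
                findings.append(("high", line, "executable name imitates " + lookalike(m.group(0))))
        elif line.startswith("LSA: Notification Packages"):
            pkgs = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if pkgs:
                findings.append(("medium", line, "non-default LSA notification packages: " + ", ".join(pkgs)))
        elif SERVICE_LINE.match(line) and line.endswith("[?]"):
            findings.append(("medium", line, "service/driver file DDS could not read"))
    return findings


if __name__ == "__main__":
    for sev, line, reason in triage_dds(SAMPLE):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Run it against a saved DDS log by passing the file's text to `triage_dds`. The look-alike check is the part worth keeping: a plain string match on `svchost.exe` would never catch `svcho.exe`, while an edit-distance threshold of two flags it without touching the genuine `ctfmon.exe` entry. Everything it reports is a prompt for review, not a verdict; `srrstr.dll` in the LSA line, for instance, is the System Restore package and is flagged only because it is not the default.
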
#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:01 PM

Posted 17 March 2009 - 01:48 AM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, yh73090. :thumbup2:
My name is sundavis, and I will be helping you to deal with your Malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, then please do the following.


Step 1

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Step 2
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

In your next reply, please post back:


1. GMER log
2. RSIT log.txt and info.txt

Thanks.

#3 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:01 PM

Posted 10 April 2009 - 01:23 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



