
Infected with W32: Trojan-gen {other} and WMA:Wimad [Drp]


  • This topic is locked
7 replies to this topic

#1 jeepers67

  • Members
  • 7 posts
  • Local time: 04:52 AM

Posted 17 March 2009 - 01:05 PM

Hello,
I have had several blue screens appear and now there is an issue of bandwidth being used, especially with uploads. Not to mention our credit card was used in another state (fraudulent), and we are also worried that our RoboForm could be compromised. Is this possible? I scanned with updated Avast and Spyware Terminator, and Avast found the names mentioned above with 2 (Sys Vol Info) and 6 (C:\Doc and Settings) affected, but no virus name on the (C:\Doc and Settings) ones that were considered infected. They have been put in the chest, but I believe my wife may have deleted other viruses that were quarantined a year ago. I would greatly appreciate some help with this. I wish I could tell you more, but unless I am directed towards what you need, I wouldn't know where to start.

Here is the DDS log!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mark at 14:35:49.45 on Tue 03/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.388 [GMT -3:00]

AV: avast! antivirus 4.8.1335 [VPS 090317-0] *On-access scanning enabled* (Updated)
FW: COMODO Firewall Pro *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comodo\VEngine\VEngine.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MicroStar\WLANUtility\WlanUtility.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MicroStar\WLANUtility\WLAN_Service.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\LaCie\Backup Software\LacieBackup.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Cobian Backup 9\Cobian.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\Mark\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: Comodo VerificationEngine: {a968a4b4-c492-4834-b651-17602c3885c8} - c:\program files\comodo\vengine\VEngineIE.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Apoint] "c:\program files\apoint2k\Apoint.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SetIcon] "\Program Files\WDC\SetIcon.exe"
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\CPF.exe" /background
mRun: [Atipta] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VEngine] c:\program files\comodo\vengine\VEngine.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe acrobat speed launcher.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wlanutility.lnk - c:\program files\microstar\wlanutility\WlanUtility.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Crawler Search - tbr:iemenu
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mark\applic~1\mozilla\firefox\profiles\vegydcb4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20004&gct=&gc=1&q=
FF - component: c:\documents and settings\mark\application data\mozilla\firefox\profiles\vegydcb4.default\extensions\{22119944-ed35-4ab1-910b-e619ea06a115}\components\rfproxy_27.dll
FF - component: c:\program files\comodo\vengine\verificationengine_ff3\components\VEngine.dll
FF - component: c:\program files\crawler\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\firefox\components\xshared.dll
FF - component: c:\program files\crawler\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\firefox\components\xwsg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-21 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-1-19 141312]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-21 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2006-2-2 138680]
R2 CmdAgent;Comodo Application Agent;c:\program files\comodo\firewall\cmdagent.exe [2007-3-9 361040]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2006-2-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2006-2-2 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 WB528MS;Winbond PCI Memory Stick PRO Storage (MSPRO) Device Driver;c:\windows\system32\drivers\wb528ms.sys [2006-1-25 38400]
R3 WB528SD;Winbond PCI Secure Digital Storage (SD/MMC) Device Driver;c:\windows\system32\drivers\WB528SD.sys [2006-1-25 35712]
R3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2004-8-3 237568]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-10-13 18864]
S3 inibtmgr;WD Bridge Controller Driver;c:\windows\system32\drivers\inibtmgr.sys [2007-3-31 9728]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [2004-6-30 19200]

=============== Created Last 30 ================

2009-03-17 14:14 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-15 16:41 <DIR> --d----- c:\docume~1\mark\applic~1\Malwarebytes
2009-03-15 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-15 16:01 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-15 16:01 <DIR> --d----- c:\docume~1\mark\applic~1\SUPERAntiSpyware.com
2009-03-15 15:58 <DIR> --d----- c:\program files\VS Revo Group
2009-03-15 15:58 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-02-09 08:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-12-20 20:15 826,368 a------- c:\windows\system32\wininet.dll
2007-07-28 10:01 87,608 a------- c:\docume~1\mark\applic~1\inst.exe
2007-07-28 10:01 47,360 a------- c:\docume~1\mark\applic~1\pcouffin.sys
2007-06-05 09:40 24,192 a------- c:\documents and settings\mark\usbsermptxp.sys
2007-06-05 09:40 22,768 a------- c:\documents and settings\mark\usbsermpt.sys
2007-03-26 20:31 5 a--sh--- c:\windows\system32\cafdfddec_s.dll
2008-10-22 14:27 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102220081023\index.dat

============= FINISH: 14:36:17.54 ===============
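A small triage helper for a DDS log like the one above, added here as an example (it is not from the thread, from BleepingComputer, or from the DDS tool): it splits the log into its sections and lists the entries a helper would usually look at first, hidden+system files in Find3M and binaries or processes living under a user profile. The sample lines are copied from the posted log; a flagged line is a review prompt, not a verdict.

```python
import re

# Sample input constructed from lines of the DDS log posted above.
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\Ati2evxx.exe
C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
C:\\Documents and Settings\\Mark\\Desktop\\dds.scr

==================== Find3M ====================

2009-02-09 08:13 1,846,784 a------- c:\\windows\\system32\\win32k.sys
2007-07-28 10:01 87,608 a------- c:\\docume~1\\mark\\applic~1\\inst.exe
2007-03-26 20:31 5 a--sh--- c:\\windows\\system32\\cafdfddec_s.dll

============= FINISH: 14:36:17.54 ===============
"""

# "=== Section name ===" banners separate the DDS sections.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Find3M rows: date, time, size (with thousands separators), 8-char attribute
# string (a=archive, d=directory, s=system, h=hidden), then the path.
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([a-z-]{8}) (.+)$", re.I)
# Both the long and the 8.3 short form of the XP profile root.
USER_PROFILE_PREFIXES = ("c:\\documents and settings\\", "c:\\docume~1\\")
BINARY_SUFFIXES = (".exe", ".sys", ".dll", ".scr")


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def triage(text):
    """Return (reason, detail) pairs worth a second look by a reviewer."""
    notes = []
    sections = parse_sections(text)
    # Processes started from a user profile (dds.scr itself is expected here).
    for path in sections.get("Running Processes", []):
        if path.lower().startswith(USER_PROFILE_PREFIXES):
            notes.append(("process-in-user-profile", path))
    for line in sections.get("Find3M", []):
        m = FIND3M_RE.match(line)
        if not m:
            continue
        _date, _time, size, attrs, path = m.groups()
        size = int(size.replace(",", ""))
        lower = path.lower()
        if "h" in attrs and "s" in attrs:
            notes.append(("hidden-system-file", f"{path} ({size} bytes, {attrs})"))
        elif lower.startswith(USER_PROFILE_PREFIXES) and lower.endswith(BINARY_SUFFIXES):
            notes.append(("binary-in-user-profile", path))
    return notes
```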


#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time: 03:52 AM

Posted 28 March 2009 - 02:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 jeepers67

  • Topic Starter
  • Members
  • 7 posts
  • Local time: 04:52 AM

Posted 28 March 2009 - 03:12 PM

Hi.
It did take a bit of time for a response, but without you guys we would have no hope. So thanks anyway; I ended up doing a clean install.
I am, however, trying to clean the ext drive w/backups, and of course the same viruses were found in the backup.zip file (Cobian Backup used), and my Avast cannot delete a/o move to chest on my personal laptop (my wife's was the DDS log you received). Is it possible to infect my machine while trying to disinfect the backup.zip files?

Side note: the ext HD used was reformatted to clean it before the backup.zip files were added, just in case you're wondering...

>So far I scanned the backup.zip files (actually both .zip and extracted files, extracted to the same ext HD) with Spyware Terminator, SUPERAntiSpyware, and Malwarebytes' Anti-Malware without anything found. Used Avast and found the original few viruses. As mentioned above, my Avast cannot delete a/o move to chest.
>Next, took the already extracted files and narrowed down the folder that was containing the culprits and used HJThis "delete file on reboot" option. Repeated the process for the original zip files too.
>Then rescanned and voila, there was nothing to be found by Avast again. Was this process OK to do? Was it thorough enough? I haven't scanned my personal computer files since this procedure, but I certainly will now and get back to you. Also, do you think that the extracted backup files are now safe to put back onto my wife's laptop?

Thanks again.

#4 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time: 03:52 AM

Posted 28 March 2009 - 04:00 PM

Please post as I instructed above and I will alert our HJT team you are here again.

You will get help, as we ignore no one!
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 jeepers67

  • Topic Starter
  • Members
  • 7 posts
  • Local time: 04:52 AM

Posted 28 March 2009 - 05:01 PM

At this point, do you want a DDS log of my wife's comp that I did the clean install on? Or my comp, as I am trying to disinfect her old backups?
Or both?

#6 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time: 03:52 AM

Posted 29 March 2009 - 02:35 AM

Logs for the same system as above, or is this the one you did a clean install on?
If it is the same then there is no reason for logs.

You'll need to start a new topic for the other system if you're having problems.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#7 jeepers67

  • Topic Starter
  • Members
  • 7 posts
  • Local time: 04:52 AM

Posted 29 March 2009 - 10:09 AM

Then I should be good since I did a clean install. If I start having problems with my comp, then I will start a new topic. Hopefully all will go well. Thanks for your time.

#8 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time: 03:52 AM

Posted 29 March 2009 - 10:11 AM

You are welcome.

Thanks for informing us too.

Good luck.

This thread is closed.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
