Infected with Syazu Trojan


  • This topic is locked
3 replies to this topic

#1 yourmom2161

yourmom2161

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:02 PM

Posted 09 April 2009 - 03:11 AM

Hi, I was told to use DDS and post here. Here is a link to my original topic:

http://www.bleepingcomputer.com/forums/t/217728/computer-infected-by-syazu-trojan/

This is the result of the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Tim at 3:03:36.07 on Thu 04/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3199.2716 [GMT -6:00]

AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tim\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [Google Update] "c:\documents and settings\tim\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SkyTel] SkyTel.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Syazu] rundll32.exe "c:\windows\ezazedes.dll",e
StartupFolder: c:\docume~1\tim\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: + &Mass Downloader: download this file - c:\program files\mass downloader\Add_Url.htm
IE: + Mass Downloader: download &All files - c:\program files\mass downloader\Add_All.htm
IE: {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - c:\program files\mass downloader\massdown.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {3D3BF1F8-9696-4A5E-B4F1-49101C997B70} - hxxp://www.earthcaller.com/VaxSIPUserAgentCAB.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {1FBB7DF4-120C-4C0E-8F2E-541D517A5DC6} = 192.168.0.1
TCP: {307D5E59-2607-42FB-BD28-A006B5DC73A5} = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli kbuitr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tim\applic~1\mozilla\firefox\profiles\bsmnl5n8.default\
FF - plugin: c:\documents and settings\tim\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\tim\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\octoshape streaming services\tim\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - HiddenExtension: XUL Cache: {DE41DF9D-DFD3-4EFB-8EA5-AC9ED11D36ED} - c:\documents and settings\tim\local settings\application data\{DE41DF9D-DFD3-4EFB-8EA5-AC9ED11D36ED}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-2-20 33800]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-12-14 213008]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-12-19 23064]
S2 wowsystemcode123;Remote TCP/IP;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-7-29 206088]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S4 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-2-20 472320]

=============== Created Last 30 ================

2009-04-08 17:32 0 a------- c:\windows\Dhepecujofuloho.bin
2009-04-08 17:31 408 a------- c:\windows\Ohisexaqu.dat
2009-04-08 00:01 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-08 00:01 --d----- c:\program files\SUPERAntiSpyware
2009-04-08 00:01 --d----- c:\docume~1\tim\applic~1\SUPERAntiSpyware.com
2009-04-06 22:28 536,327,271 a------- C:\om
2009-04-06 01:35 --d----- C:\ComboFix
2009-04-05 23:03 210,171 a------- c:\windows\system32\nvapps.xml
2009-03-27 10:03 1,253,376 a------- c:\windows\system32\NvPVEnc.ax
2009-03-27 10:03 401,408 a------- c:\windows\system32\nvcuvid.dll
2009-03-20 02:20 662,288 a------- c:\windows\system32\MSCOMCT2.OCX
2009-03-20 02:20 150,016 a------- c:\windows\system32\Unzip32.dll
2009-03-20 02:20 132,880 a------- c:\windows\system32\msinet.ocx
2009-03-20 02:20 --d----- c:\program files\Bluetack
2009-03-18 15:41 --d----- c:\program files\Emote

==================== Find3M ====================

2009-04-08 05:16 4,752,416 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-08 05:16 327,712 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-08 05:16 38,208 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-08 05:16 2,200 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-08 00:58 4,724 a------- c:\windows\system32\PerfStringBackup.TMP
2009-03-29 19:18 61,440 a--sh--- c:\windows\system32\wavowibi.exe
2009-03-27 14:23 23,064 a------- c:\windows\system32\drivers\ScreamingBAudio.sys
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-14 21:19 46,080 -------- c:\windows\system32\clickfile.exe
2009-01-24 09:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 18:24 70,936 a------- c:\windows\system32\PhysXLoader.dll

============= FINISH: 3:03:50.70 ===============


#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 23 April 2009 - 01:23 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying; the forum is very busy. If you still need help, please post a fresh DDS Log.

MalWare Removal University Master

Member of ASAP


#3 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 26 April 2009 - 11:53 AM

yourmom2161? Do you still need help?

MalWare Removal University Master

Member of ASAP


#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:02 PM

Posted 29 April 2009 - 01:27 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

MalWare Removal University Master

Member of ASAP
