
Infected w/ wsnpoem, PWS.LDPinchIE, maybe others


  • This topic is locked
2 replies to this topic

#1 JH_astroman

  • Members
  • 9 posts

Posted 17 April 2009 - 02:44 PM

Ran Spybot and it was not able to remove 3 entries that included "wsnpoem" and 1 entry from PWS.LDPinchIE (HKEY_USERS....../idstrf). I am also getting redirected from google by poiskin.ru. A lot of Internet Explorer ads keep popping up and I do not even use IE. (FYI: I have already run SDFix once.) Thank you for the help that is to come!

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 14:24:48.92 on Fri 04/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.300 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated)
FW: Norton Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\HP_Administrator\Application Data\pidle\pidle.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
svchost.exe C:\WINDOWS\TEMP\VRT23.tmp
C:\WINDOWS\System32\reader_s.exe
svchost.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\427470414.exe
C:\WINDOWS\TEMP\792470414.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: {32b944ef-d821-44a3-9f3c-e8fa8b6c059c} - c:\windows\system32\vukajuse.dll
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
BHO: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [klz08fcwlj5t5f] c:\docume~1\hp_adm~1\locals~1\temp\crasos.exe
uRun: [Windows Resurections] c:\docume~1\hp_adm~1\locals~1\temp\f8pu104.exe
uRun: [Diagnostic Manager] c:\docume~1\hp_adm~1\locals~1\temp\427470414.exe
uRun: [pidle] "c:\documents and settings\hp_administrator\application data\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [<NO NAME>] c:\docume~1\hp_adm~1\locals~1\temp\f8pu104.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [PCDrProfiler]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNOTIFY.EXE
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [warapozewu] Rundll32.exe "c:\windows\system32\nupakeyo.dll",s
mRun: [CPM771682a8] Rundll32.exe "c:\windows\system32\soyafogi.dll",a
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [<NO NAME>] c:\windows\temp\n55fvdwp.exe
dRun: [Windows Resurections] c:\windows\temp\n55fvdwp.exe
dRun: [Diagnostic Manager] c:\windows\temp\792470414.exe
dRun: [reader_s] c:\documents and settings\hp_administrator\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: hotmail.com\www
Trusted Zone: live.com\login
Trusted Zone: msn.com\autoupdate
Trusted Zone: myspace.com\home
Trusted Zone: myspace.com\www
Trusted Zone: trymedia.com
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\soyafogi.dll
STS: c:\windows\system32\sdfgerfgf3f.dll: {e2ba40a2-74f3-42bd-f434-2604812c8953} - c:\windows\system32\sdfgerfgf3f.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\soyafogi.dll
STS: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
LSA: Notification Packages = scecli c:\windows\system32\zatafigi.dll monb320.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\s60mcvsu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-2-4 53896]
R2 BRC_Services;BlackHole Remote Control Services;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 34304]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-3-4 185968]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-3-4 239216]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-3-4 161392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2007-4-8 33792]
S1 tsn819b;tsn819b;c:\windows\system32\drivers\tsn819b.sys [2009-4-17 17376]
S2 ΞΆΘν2007;ΞΆΘν;c:\windows\inter.exe [2004-5-19 388096]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-3-24 127088]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-3-4 83568]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060426.019\NAVENG.Sys [2006-4-26 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060426.019\NavEx15.Sys [2006-4-26 799208]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-2-4 324232]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-2-17 198368]

=============== Created Last 30 ================

2009-04-17 14:12 408,576 a------- c:\windows\system32\CF30905.exe
2009-04-17 14:12 <DIR> --d----- C:\ComboFix
2009-04-17 14:12 408,576 a------- c:\windows\system32\CF30827.exe
2009-04-17 13:54 408,576 a------- c:\windows\system32\CF27388.exe
2009-04-17 13:45 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-17 13:45 36,352 a------- c:\documents and settings\hp_administrator\reader_s.exe
2009-04-17 13:45 0 a------- c:\windows\system32\29.tmp
2009-04-17 13:45 17,376 a------- c:\windows\system32\drivers\tsn819b.sys
2009-04-17 13:44 84 a------- c:\windows\system32\24.tmp
2009-04-17 12:14 2,098 ---sh--- c:\windows\system32\bewiseru.exe
2009-04-17 03:36 408,576 a------- c:\windows\system32\CF4513.exe
2009-04-17 02:53 408,576 a------- c:\windows\system32\CF27282.exe
2009-04-17 02:12 38 a------- C:\1A.tmp
2009-04-17 01:42 <DIR> --d----- c:\windows\ERUNT
2009-04-17 01:21 0 a------- C:\7.tmp
2009-04-17 01:21 0 a------- C:\6.tmp
2009-04-17 01:21 38 a------- C:\5.tmp
2009-04-17 01:21 52,736 a------- C:\4.tmp
2009-04-17 01:15 <DIR> --d----- C:\SDFix
2009-04-16 22:24 0 a------- C:\F.tmp
2009-04-16 22:24 0 a------- C:\E.tmp
2009-04-16 22:24 0 a------- C:\D.tmp
2009-04-16 22:24 0 a------- C:\C.tmp
2009-04-16 22:24 0 a------- C:\B.tmp
2009-04-16 22:23 38 a------- C:\9.tmp
2009-04-16 22:23 52,736 a------- C:\8.tmp
2009-04-16 18:38 155 a------- c:\windows\system32\SelfDel.bat
2009-04-16 18:38 106,496 a------- c:\windows\system32\ftp_non_crp.exe
2009-04-16 18:23 15,000 a------- c:\windows\system32\jh9fgo4ksdgf.dll
2009-04-16 18:23 57,856 a------- c:\windows\system32\ak1.exe
2009-04-16 18:22 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\pidle
2009-04-16 18:13 102,126 a------- c:\windows\system32\drivers\a6a28ef1.sys
2009-04-16 18:13 55,296 a------- C:\ptrf.exe
2009-04-16 18:13 30,208 a------- C:\cpjopaid.exe
2009-04-16 18:13 15,000 a------- c:\windows\system32\sdfgerfgf3f.dll
2009-04-16 18:13 68,096 a------- C:\tqpxlyy.exe

==================== Find3M ====================

2009-04-17 02:12 15,000 a------- c:\windows\system32\yaubfh983ind.dll
2009-04-16 18:13 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-16 18:13 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-16 18:13 34,304 a------- c:\windows\system32\svchost.exe
2009-04-16 18:13 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-04-16 18:13 87,552 a--sh--- c:\windows\system32\soyafogi.dll
2009-04-16 18:13 79,872 a--sh--- c:\windows\system32\dafazudu.dll
2009-04-12 13:58 591,360 a------- c:\windows\inter.DLL
2006-07-06 19:54 772 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat

============= FINISH: 14:25:09.56 ===============


#2 Rodav

  • Members
  • 388 posts

Posted 18 April 2009 - 05:20 PM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why: Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
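For anyone reading this thread later and wondering how a helper spots the Zbot (wsnpoem) loader and the Virut file infection in a DDS log like the one posted above, here is an added example (my own script, not part of the thread and not a BleepingComputer or DDS tool). It parses the "Pseudo HJT Report" and "Find3M" sections and flags the indicators that are visible in the log: the extra executable appended to the Winlogon Userinit value (ntos.exe, the file name Zeus/wsnpoem used), autoruns launched from temp directories, the Explorer/registry lockdown policies, LSA notification packages beyond scecli, and a system32 binary whose size no longer matches its dllcache copy (svchost.exe, 34,304 bytes versus 14,336), which is the kind of in-place modification a file infector such as Virut leaves behind. The section names, regular expressions and heuristics are my assumptions; the sample lines are copied from the posted log and embedded so the script runs offline.

```python
"""Triage checks over a DDS log excerpt.

Added example for this thread, not a BleepingComputer or DDS tool.  The
regexes and heuristics are my own; SAMPLE_LOG is a constructed excerpt of
the log posted in the thread so the script runs offline.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")              # "==== Name ===="
RUN_RE = re.compile(r"^([umd])Run: \[(.*?)\]\s*(.*)$")     # u/m/dRun: [name] cmd
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+(\S+)\s+(.+)$")
TEMP_MARK = "\\temp\\"   # matches c:\windows\temp\ and ...\locals~1\temp\

# Constructed excerpt: lines copied from the posted DDS log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [klz08fcwlj5t5f] c:\docume~1\hp_adm~1\locals~1\temp\crasos.exe
uRun: [Diagnostic Manager] c:\docume~1\hp_adm~1\locals~1\temp\427470414.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [warapozewu] Rundll32.exe "c:\windows\system32\nupakeyo.dll",s
dRun: [Diagnostic Manager] c:\windows\temp\792470414.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
LSA: Notification Packages = scecli c:\windows\system32\zatafigi.dll monb320.dll

==================== Find3M ====================

2009-04-16 18:13 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-16 18:13 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-16 18:13 34,304 a------- c:\windows\system32\svchost.exe
2009-04-16 18:13 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-04-16 18:13 87,552 a--sh--- c:\windows\system32\soyafogi.dll
"""


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]}."""
    sections = defaultdict(list)
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            continue
        if line.strip():
            sections[current].append(line.rstrip())
    return sections


def check_userinit(lines):
    """Userinit should list only userinit.exe; anything appended runs at
    every interactive logon (here ntos.exe, the Zeus/wsnpoem loader)."""
    extras = []
    for line in lines:
        if not line.lower().startswith("mwinlogon: userinit="):
            continue
        value = line.split("=", 1)[1]
        for entry in filter(None, (p.strip() for p in value.split(","))):
            if not entry.lower().endswith("\\userinit.exe"):
                extras.append(entry)
    return extras


def check_run_keys(lines):
    """Autoruns that launch from a temp directory: nothing legitimate
    persists from %TEMP% or c:\\windows\\temp."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if m and TEMP_MARK in m.group(3).lower():
            hits.append(m.groups())          # (hive, name, command)
    return hits


def check_policies(lines):
    """Lockdown policies malware sets to hinder manual cleanup."""
    pat = re.compile(r"Policies-.*(DisableRegistryTools|NoFolderOptions) = 1")
    return [l for l in lines if pat.search(l)]


def check_lsa_packages(lines):
    """LSA notification packages beyond scecli load into lsass.exe at boot
    and are handed every password change in clear text."""
    extras = []
    for line in lines:
        if line.startswith("LSA: Notification Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "scecli":
                    extras.append(pkg)
    return extras


def check_dllcache_mismatch(lines):
    """A system32 binary whose size differs from its dllcache copy has been
    rewritten in place, which is how a file infector like Virut shows up."""
    sizes = {}
    for line in lines:
        m = FIND3M_RE.match(line)
        if m:
            sizes[m.group(4).lower()] = int(m.group(2).replace(",", ""))
    mismatches = {}
    for path, size in sizes.items():
        if "\\dllcache\\" in path:
            continue
        name = path.rsplit("\\", 1)[-1]
        cached = next((s for p, s in sizes.items()
                       if p.endswith("\\dllcache\\" + name)), None)
        if cached is not None and cached != size:
            mismatches[name] = (size, cached)
    return mismatches


def triage(text):
    """Run every check and return the findings keyed by indicator type."""
    s = parse_sections(text)
    hjt, f3m = s.get("Pseudo HJT Report", []), s.get("Find3M", [])
    return {
        "userinit_extras": check_userinit(hjt),
        "temp_autoruns": check_run_keys(hjt),
        "lockdown_policies": check_policies(hjt),
        "lsa_extras": check_lsa_packages(hjt),
        "dllcache_mismatch": check_dllcache_mismatch(f3m),
    }


if __name__ == "__main__":
    for indicator, findings in triage(SAMPLE_LOG).items():
        print(f"{indicator}: {findings}")
```

Run against the excerpt, it reports ntos.exe on the Userinit line, three temp-directory autoruns, both lockdown policies, the two foreign LSA packages, and svchost.exe at 34,304 bytes against a 14,336-byte dllcache copy. None of that changes the advice in this thread: a size mismatch on a core system binary confirms why a format and reinstall is the safe answer rather than the starting point for a cleanup.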

#3 Rodav

  • Members
  • 388 posts

Posted 23 April 2009 - 06:35 AM

This Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



