
generic trojan dialer & backdoor trojan


This topic is locked
2 replies to this topic

#1 justchillinnm

justchillinnm

  • Members
  • 1 posts
  • OFFLINE
  • Local time:02:07 AM

Posted 28 April 2009 - 07:03 PM

Uncontrollable pop-ups, Conficker worm, slow start-up, unable to access web pages, AVG antivirus software not working. This is a teenager's computer; no telling what was downloaded or when.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 17:49:29.59 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.195 [GMT -6:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\116177960.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
\\?\globalroot\systemroot\system32\lmppcsetup.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page =
uSearch Bar =
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
TB: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Weather] c:\progra~1\aws\weathe~1\Weather.exe 1
uRun: [QdrModule9] "c:\program files\qdrmodule\QdrModule9.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Diagnostic Manager] c:\docume~1\admini~1\locals~1\temp\116177960.exe
uRun: [autochk] rundll32.exe c:\docume~1\admini~1\protect.dll,_IWMPEvents@16
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [<NO NAME>] c:\windows\temp\z4kbtehvo.exe
dRun: [Windows Resurections] c:\windows\temp\z4kbtehvo.exe
dRun: [A00F37070A3.exe] c:\windows\temp\_A00F37070A3.exe
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176757164062
DPF: {77829F14-D911-40FF-A2F0-D11DB8D6D0BC} - hxxp://activex.microsoft.com/objects/ocget.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
Notify: __c00877B0 - c:\windows\system32\__c00877B0.dat
SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - c:\windows\system32\fafb.dll
STS: DCOM Server 25319: {2c1cd3d7-86ac-4068-93bc-a02304b25319} - c:\windows\system32\fafb.dll
STS: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\2j46sxxl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.sweetim.com/search.asp?src=2&q=
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.sweetim.com/search.asp?src=2&q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-4-18 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-4-18 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-4-18 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-4-18 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-4-18 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-4-18 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-4-18 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-4-18 4960]
S0 Mwo56;Mwo56; [x]
S2 Microsoft Inet Service;Microsoft Inet Service;c:\windows\system32\_svchost.exe -a --> c:\windows\system32\_svchost.exe -A [?]
S2 NdisWon;NdisWon; [x]

=============== Created Last 30 ================

2009-04-28 17:46 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 17:46 24,064 a--sh--- c:\documents and settings\administrator\protect.dll
2009-04-28 17:46 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 17:27 <DIR> --d----- c:\windows\system32\NtmsData
2009-04-28 17:12 110 a------- C:\xcrashdump.dat
2009-04-28 11:54 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-28 08:20 27,648 a------- c:\windows\system32\__c00877B0.dat
2009-04-27 16:06 46 a------- c:\windows\system32\p2hhr.bat
2009-04-27 16:05 21,504 a------- c:\windows\system32\ak1.exe
2009-04-26 15:44 10,752 a------- c:\windows\system32\iehelper.dll
2009-04-15 22:08 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 22:08 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 22:08 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 22:08 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 22:08 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 22:08 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 22:08 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 22:08 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 22:08 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 21:59 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 21:59 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 21:59 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 18:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 12:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-13 14:14 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 06:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 13:59 56,832 a------- c:\windows\system32\secur32.dll
2008-11-04 17:41 20,888 a------- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT
2007-11-18 16:56 40,183 ---sh--- c:\program files\common files\Yazzle1552OinUninstaller.exe

============= FINISH: 17:50:55.84 ===============


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 29 April 2009 - 04:05 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop:
  • Link 1
  • Link 2
  • Link 3
Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:02:07 PM

Posted 03 May 2009 - 05:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
