Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected by some sort of Trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 sean84

sean84

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 31 May 2009 - 07:25 AM

Hello, i've tried everything that was suggested to me in the Infected forum, however, since nothing has worked i have come here to solve the problem. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/229973/slow-and-noisy-computer-more-advice-needed/ ~ OB I have used MBAM and
spyware doctor as my software. When scanned MBAM numerous files were detected as infected but none were shown for spyware doctor. However, as suggested from Infected forum, i scanned with SUPERantispyware repair, which found a trojan virus, unfortunately it was not able to remove it properly or it has morphed onto other files.



here is my log


DDS (Ver_09-05-14.01) - NTFSx86
Run by Sean An at 13:10:27.68 on 31/05/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6001.1.1252.44.1033.18.3582.1451 [GMT 1:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
SP: Spyware Doctor *enabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\vsnp2std.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Vtune\TBPANEL.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Sean An\AppData\Local\Apps\2.0\7P280LO3.7BL\ARKWV7J8.BAL\ohca..tion_8bf0de2455b78356_0002.0000_379f39a7278a6399\OhCASTra.exe
c:\program files\steam\steamapps\common\football manager 2009\fm.exe
C:\Program Files\Steam\GameOverlayUI.exe
C:\Windows\System32\fscagent.exe
C:\Windows\system32\grdmgr.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dailymail.co.uk/sport/football/index.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Gom Search: {375a6ab2-feec-445d-b853-2139fb561f80} - c:\program files\gretech\gomsearch\gsearch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {61539ecd-cc67-4437-a03c-9aaccbd14326} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {620395C9-5C2B-4474-89B6-D2A63CEA2EF8} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [TBPanel] c:\program files\vtune\TBPanel.exe /A
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {013BCEA5-8309-448b-8604-85F23D7861A5} - {375A6AB2-FEEC-445D-B853-2139FB561F80} - c:\program files\gretech\gomsearch\gsearch.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - hxxp://www.clubbox.co.kr/neo.fld/NowStarter.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\seanan~1\appdata\roaming\mozilla\firefox\profiles\rf5q6m83.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/sport1/hi/football/default.stm
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPGomtvx_nie.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-2-24 51520]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-2-24 38208]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-11-29 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-29 356920]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-14 24652]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-2-24 33088]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S2 gupdate1c99ccd635849af;Google Update Service (gupdate1c99ccd635849af);c:\program files\google\update\GoogleUpdate.exe [2009-3-4 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 TridVidx86;Trident TVMaster TM6000 Analog plus Digital Video Service x86;c:\windows\system32\drivers\TridVidx86.sys [2007-7-31 163456]
S4 RelevantKnowledge;RelevantKnowledge;c:\program files\relevantknowledge\rlservice.exe /service --> c:\program files\relevantknowledge\rlservice.exe [?]

=============== Created Last 30 ================

2009-05-29 16:22 --d----- c:\programdata\SUPERAntiSpyware.com
2009-05-29 16:22 --d----- c:\progra~2\SUPERAntiSpyware.com
2009-05-29 16:22 --d----- c:\users\seanan~1\appdata\roaming\SUPERAntiSpyware.com
2009-05-29 16:22 --d----- c:\program files\SUPERAntiSpyware
2009-05-28 17:32 380,928 a------- c:\windows\system32\ac3filter.acm
2009-05-28 17:32 --d----- c:\program files\AC3Filter
2009-05-28 11:47 --d----- c:\program files\Microsoft
2009-05-28 11:47 --d----- c:\program files\Windows Live SkyDrive
2009-05-07 15:40 167,936 a----r-- c:\windows\system32\fscagent.exe
2009-05-07 15:36 155,648 a----r-- c:\windows\system32\downengine.dll

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-04-19 16:21 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-04-16 20:49 1,626,112 a----r-- c:\windows\system32\clubbox.exe
2009-04-15 22:52 1,712,128 a----r-- c:\windows\system32\pdbox28.exe
2009-04-10 19:10 21,764 a------- c:\windows\system32\CoreAAC-uninstall.exe
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-09 06:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-04 11:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-04 11:16 51,200 a------- c:\windows\inf\infpub.dat
2009-03-04 11:16 86,016 a------- c:\windows\inf\infstor.dat
2009-03-03 05:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-03 05:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-03 05:40 499,200 a------- c:\windows\system32\wbem\WmiPrvSD.dll
2009-03-03 05:40 129,024 a------- c:\windows\system32\wbem\WmiDcPrv.dll
2009-03-03 05:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-03 05:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-03 05:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-03 05:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 05:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-03 05:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-03 05:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-03 05:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-03 05:36 615,424 a------- c:\windows\system32\wbem\fastprox.dll
2009-03-03 04:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 03:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-03 03:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-03 03:16 247,296 a------- c:\windows\system32\wbem\WmiPrvSE.exe
2008-12-06 21:12 56 a---h--- c:\programdata\ezsidmv.dat
2008-12-06 21:12 56 a---h--- c:\progra~2\ezsidmv.dat
2008-12-01 15:10 174 a--sh--- c:\program files\desktop.ini
2008-12-01 14:54 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 20:49 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 13:12:03.67 ===============

Thank you :thumbup2:

Attached Files


Edited by Orange Blossom, 31 May 2009 - 03:18 PM.


BC AdBot (Login to Remove)

 


#2 sean84

sean84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:07:00 PM

Posted 10 June 2009 - 06:05 AM

this has now been resolved by running otl and scanning again with superantispyware.

u can close this thread now. :thumbup2:

#3 RenatoMejias

RenatoMejias

  • Malware Response Team
  • 913 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:00 PM

Posted 11 June 2009 - 09:00 PM

Ok, sorry for the delay :thumbup2:

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Renato Victor Mejias
Malware help in portuguese
jetian6yw.jpg




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users