Re-occurring Trojan Downloader/Agent/Ertfor DDS log included



#1 RunningJumper


Posted 05 June 2009 - 09:37 AM

Hello :thumbup2:

I had a problem with browser hijacking which boopme and xblindx were able to help me get rid of. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/228248/google-redirect-problem/ ~ OB There are some trojans however, that keep re-occurring so I have been sent over into this section to see what can be done about them.
I did a scan this morning with Malwarebytes and it showed the Trojans (the ones listed in the thread topic). I have had these exact same trojans recently and they were supposedly removed. I am not convinced though.

Thank you to all in advance for your help !


DDS (Ver_09-05-14.01) - NTFSx86
Run by Guest2 at 9:26:07.07 on Fri 06/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1456 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 090604-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Guest2\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://bontrafic.org/s/in.cgi?5&key=sqp
mSearchAssistant = hxxp://www.google.com/ie
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [] c:\windows\temp\wi6tb.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autorunsdisabled\bluetooth.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241440839734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guest2\application data\mozilla\firefox\profiles\8my9fe73.default\
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-22 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-5-29 95592]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-22 138680]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2009-5-24 17408]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2009-5-24 39424]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-3-27 9472]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [2007-3-26 20352]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2009-5-24 114688]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2007-3-26 103936]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-22 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-22 352920]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2009-3-28 100992]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-06-05 08:48 --d----- c:\docume~1\guest2\application data\Malwarebytes
2009-06-01 18:31 --dsh--- c:\documents and settings\guest2\PrivacIE
2009-06-01 18:29 --d----- c:\docume~1\guest2\application data\StarBurn
2009-06-01 12:51 --dsh--- c:\documents and settings\guest2\IETldCache
2009-06-01 12:49 --d----- c:\documents and settings\Guest2
2009-06-01 12:21 --d----- c:\docume~1\alluse~1\applic~1\Sprint
2009-05-29 14:32 --d----- c:\docume~1\alluse~1\applic~1\GARMIN
2009-05-29 14:31 --d----- C:\Garmin
2009-05-29 13:39 --d----- c:\program files\Garmin GPS Plugin
2009-05-29 13:30 --d----- c:\program files\Garmin
2009-05-29 09:51 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-29 09:50 95,592 a------- c:\windows\system32\drivers\StarPortLite.sys
2009-05-29 09:50 --d----- c:\program files\Give Away Of The Day
2009-05-27 12:34 --d----- c:\program files\SpywareBlaster
2009-05-24 19:17 --d----- c:\program files\Stardock
2009-05-24 19:17 --d----- c:\program files\common files\Stardock
2009-05-24 19:09 4 a------- C:\Fade.ini
2009-05-24 19:08 --d----- c:\program files\Texas Instruments Inc
2009-05-24 08:31 --d----- c:\program files\ATI Technologies
2009-05-24 08:30 --d----- C:\ATI
2009-05-24 08:23 10 a------- c:\windows\WININIT.INI
2009-05-24 07:15 114,688 a------- c:\windows\system32\drivers\ubohci.sys
2009-05-24 07:15 100,352 a------- c:\windows\system32\drivers\UB1394.sys
2009-05-24 07:15 39,424 a------- c:\windows\system32\drivers\UBUMAPI.sys
2009-05-24 07:15 17,408 a------- c:\windows\system32\drivers\UBSBM.sys
2009-05-23 12:31 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-23 12:31 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-23 12:31 18,944 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-05-23 12:31 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-05-23 12:31 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-05-23 12:31 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-05-23 12:31 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-05-23 12:31 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-05-23 12:30 19,200 ac------ c:\windows\system32\dllcache\wstcodec.sys
2009-05-23 12:30 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-05-23 12:30 8,192 ac------ c:\windows\system32\dllcache\wshirda.dll
2009-05-23 12:30 154,624 ac------ c:\windows\system32\dllcache\wlluc48.sys
2009-05-23 12:30 34,890 ac------ c:\windows\system32\dllcache\wlandrv2.sys
2009-05-23 12:30 771,581 ac------ c:\windows\system32\dllcache\winacisa.sys
2009-05-23 12:30 53,760 ac------ c:\windows\system32\dllcache\wiamsmud.dll
2009-05-23 12:30 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-05-23 12:30 701,386 ac------ c:\windows\system32\dllcache\wdhaalba.sys
2009-05-23 12:30 23,615 ac------ c:\windows\system32\dllcache\wch7xxnt.sys
2009-05-23 12:30 31,744 ac------ c:\windows\system32\dllcache\wceusbsh.sys
2009-05-23 12:28 113,762 ac------ c:\windows\system32\dllcache\usrpda.sys
2009-05-23 12:27 36,736 ac------ c:\windows\system32\dllcache\ultra.sys
2009-05-23 12:26 28,232 ac------ c:\windows\system32\dllcache\tos4mo.sys
2009-05-23 12:25 28,384 ac------ c:\windows\system32\dllcache\sym_hi.sys
2009-05-23 12:24 99,328 ac------ c:\windows\system32\dllcache\srusd.dll
2009-05-23 12:24 24,660 ac------ c:\windows\system32\dllcache\spxupchk.dll
2009-05-23 12:24 61,824 ac------ c:\windows\system32\dllcache\speed.sys
2009-05-23 12:24 106,584 ac------ c:\windows\system32\dllcache\spdports.dll
2009-05-23 12:24 19,072 ac------ c:\windows\system32\dllcache\sparrow.sys
2009-05-23 12:24 37,040 ac------ c:\windows\system32\dllcache\sonypi.sys
2009-05-23 12:24 114,688 ac------ c:\windows\system32\dllcache\sonypi.dll
2009-05-23 12:24 20,752 ac------ c:\windows\system32\dllcache\sonync.sys
2009-05-23 12:24 9,600 ac------ c:\windows\system32\dllcache\sonymc.sys
2009-05-23 12:24 7,552 ac------ c:\windows\system32\dllcache\sonyait.sys
2009-05-23 12:22 11,136 ac------ c:\windows\system32\dllcache\slip.sys
2009-05-23 12:21 386,560 ac------ c:\windows\system32\dllcache\sgiul50.dll
2009-05-23 12:20 179,264 ac------ c:\windows\system32\dllcache\s3sav3d.dll
2009-05-23 12:19 19,584 ac------ c:\windows\system32\dllcache\rasirda.sys
2009-05-23 12:18 17,664 ac------ c:\windows\system32\dllcache\ppa3.sys
2009-05-23 12:17 86,016 ac------ c:\windows\system32\dllcache\pctspk.exe
2009-05-23 12:16 54,186 ac------ c:\windows\system32\dllcache\otcsercb.sys
2009-05-23 12:15 60,480 ac------ c:\windows\system32\dllcache\neo20xx.dll
2009-05-23 12:14 12,416 ac------ c:\windows\system32\dllcache\msriffwv.sys
2009-05-23 12:13 8,320 ac------ c:\windows\system32\dllcache\memcard.sys
2009-05-23 12:12 37,376 ac------ c:\windows\system32\dllcache\kousd.dll
2009-05-23 12:11 372,824 ac------ c:\windows\system32\dllcache\iconf32.dll
2009-05-23 12:10 702,845 ac------ c:\windows\system32\dllcache\i81xdnt5.dll
2009-05-23 12:10 58,592 ac------ c:\windows\system32\dllcache\i740nt5.sys
2009-05-23 12:10 353,184 ac------ c:\windows\system32\dllcache\i740dnt5.dll
2009-05-23 12:10 18,560 ac------ c:\windows\system32\dllcache\i2omp.sys
2009-05-23 12:10 8,576 ac------ c:\windows\system32\dllcache\i2omgmt.sys
2009-05-23 12:08 31,232 ac------ c:\windows\system32\dllcache\hpgt42tk.dll
2009-05-23 12:07 455,680 ac------ c:\windows\system32\dllcache\fus2base.sys
2009-05-23 12:06 174,464 ac------ c:\windows\system32\dllcache\es198x.sys
2009-05-23 12:05 28,062 ac------ c:\windows\system32\dllcache\dp83820.sys
2009-05-23 12:04 117,760 ac------ c:\windows\system32\dllcache\d100ib5.sys
2009-05-23 12:03 17,024 ac------ c:\windows\system32\dllcache\ccdecode.sys
2009-05-23 12:02 89,952 ac------ c:\windows\system32\dllcache\b1cbase.sys
2009-05-23 11:53 101,888 ac------ c:\windows\system32\dllcache\adpu160m.sys
2009-05-23 11:53 46,112 ac------ c:\windows\system32\dllcache\adptsf50.sys
2009-05-23 11:53 10,880 ac------ c:\windows\system32\dllcache\admjoy.sys
2009-05-23 06:53 --d----- c:\program files\Innovative Solutions
2009-05-21 10:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 10:18 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 10:18 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-21 07:59 --d----- c:\program files\common files\Windows Live
2009-05-20 11:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-20 11:19 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-18 18:59 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-18 18:59 --d----- c:\program files\SUPERAntiSpyware
2009-05-18 18:58 --d----- c:\program files\common files\Wise Installation Wizard
2009-05-18 18:43 --d----- C:\VundoFix Backups
2009-05-18 18:39 a-dshr-- C:\autorun.inf
2009-05-18 18:08 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-17 15:41 --d----- c:\program files\MediaMonkey
2009-05-17 14:36 --d----- c:\program files\Trend Micro
2009-05-17 14:35 --d----- c:\windows\Performance
2009-05-15 08:43 --d----- c:\program files\PdaNet for iPhone
2009-05-06 16:26 --d----- c:\program files\DivX

==================== Find3M ====================

2009-05-21 07:44 75,068 ac--h--- c:\windows\system32\mlfcache.dat
2009-05-01 19:25 2,682,880 a------- c:\windows\system32\vcredist_x86.exe
2009-05-01 19:25 2,670,592 a------- c:\windows\system32\WLBCGCBPRO731.DLL
2009-05-01 19:25 1,871,872 a------- c:\windows\system32\WLTRAY.EXE
2009-05-01 19:25 1,613,824 a------- c:\windows\system32\BCMWLTRY.EXE
2009-05-01 19:25 753,664 a------- c:\windows\system32\bcm1xsup.dll
2009-05-01 19:25 729,088 a------- c:\windows\system32\BCMLogon.dll
2009-05-01 19:25 200,704 a------- c:\windows\system32\bcmwlu00.exe
2009-05-01 19:25 143,360 a------- c:\windows\system32\preflib.dll
2009-05-01 19:25 69,632 a------- c:\windows\system32\bcmwlpkt.dll
2009-05-01 19:25 65,536 a------- c:\windows\system32\wltrynt.dll
2009-05-01 19:25 33,664 a------- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-05-01 19:25 24,064 a------- c:\windows\system32\WLTRYSVC.EXE
2009-05-01 18:13 23,348 ac------ c:\windows\system32\emptyregdb.dat
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2008-09-25 10:18 476,752 ac------ c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
2009-01-03 03:01 88 ac-shr-- c:\windows\system32\39BA7EB1D3.sys

============= FINISH: 9:26:38.32 ===============

Edited by Orange Blossom, 05 June 2009 - 06:22 PM.



#2 RunningJumper


Posted 08 June 2009 - 08:54 AM

Thank you for the edit Orange Blossom :thumbup2:

#3 RunningJumper


Posted 11 June 2009 - 03:46 AM

Please close this thread. I went ahead and installed Windows 7 after reformatting the drive in my laptop. Thank you!

#4 Orange Blossom


Posted 15 June 2009 - 07:37 PM

Thank you for letting us know. This topic shall now be closed. In case you experience computer issues again, please start a new topic.

Happy computing,

Orange Blossom :thumbup2: