

trojans galore on baby sister's pc


#1 tonygil


  • Members
  • 2 posts

Posted 05 November 2009 - 02:40 PM

first and foremost: you guys ROCK. whoever takes their time to help me (and others) out is a blessed soul. since i can't pay you back, i can pay you forward: i will therefore plant 5 trees, feed 5 homeless people a decent meal and give clothes to 5 other homeless persons. hope that helps. thanks again.

btw: pc completely asymptomatic, working perfectly well, except for the fact that it's got a bug or two and is backdoored wider than the Holland Tunnel...

G-Buster seems to be part of the problem (though it was once originally legit - brazilian online banking services)

DDS (Ver_09-10-26.01) - NTFSx86
Run by tony at 17:13:00,73 on qui 05/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.2046.1322 [GMT -2:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! antivirus 4.8.1356 [VPS 091105-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Arquivos de programas\Tools\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWService.exe
C:\Arquivos de programas\Tools\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Tools\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Tools\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Lavasoft\Ad-Aware\AAWTray.exe
C:\Arquivos de programas\Tools\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\108Mbps Wireless LAN Adapter\WLANPRO.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\tony\Meus documentos\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Documents%20and%20Settings/tony/Desktop/Fazenda%20Santo%20Antonio%20e%20Natal%205b.htm
uInternet Connection Wizard,ShellNext = iexplore
BHO: ssh2 Class: {2e3c3651-b19c-4dd9-a979-901ec3e930af} - c:\arquivos de programas\scpad\scpsssh2.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540000} - c:\arquiv~1\gbplugin\gbieh.dll
uRun: [Skype] "c:\arquivos de programas\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\arquivos de programas\windows live\messenger\msnmsgr.exe" /background
mRun: [Ad-Watch] c:\arquivos de programas\lavasoft\ad-aware\AAWTray.exe
mRun: [avgnt] "c:\arquivos de programas\tools\avira\antivir desktop\avgnt.exe" /min
mRun: [avast!] c:\arquiv~1\tools\alwils~1\avast4\ashDisp.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\arquivos de programas\tools\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\tony\menuin~1\progra~1\inicia~1\adobeg~1.lnk - c:\arquivos de programas\arquivos comuns\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\108mbp~1.lnk - c:\arquivos de programas\108mbps wireless lan adapter\WLANPRO.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\reg.lnk - c:\arquivos de programas\108mbps wireless lan adapter\Reg.exe
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\arquivos de programas\skype\toolbars\internet

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: 1filmes.com.br\www
Trusted Zone: bradesco.com.br\www
Trusted Zone: santanderbanespa.com.br\www
Trusted Zone: skype.com\www
Trusted Zone: youtube.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {86416327-33BE-48E8-B5E2-42FD4562ECB7} =
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: GbPluginBb - c:\arquiv~1\gbplugin\gbieh.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - c:\arquivos de programas\scpad\scpLIB.dll
STS: compIB Class: {a3717295-941d-416f-9384-ed1736729f1c} - c:\arquivos de programas\scpad\scpLIB.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399f83} - c:\arquiv~1\gbplugin\gbieh.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHXoLd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tony\dadosd~1\mozilla\firefox\profiles\psi2696i.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/tony/Desktop/Fazenda%20Santo%20Antonio%20e%20Natal%205b.htm
FF - plugin: c:\arquivos de programas\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll

c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-21 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-4 114768]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\tools\avira\antivir desktop\sched.exe [2009-11-4 108289]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-4 20560]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\arquivos de programas\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-6-10 31232]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S2 gupdate1c93de2b4e75032;Google Update Service (gupdate1c93de2b4e75032);c:\arquivos de programas\google\update\GoogleUpdate.exe [2008-11-3 133104]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-7-16 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-7-16 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-7-16 42112]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2007-12-7 207616]
UnknownUnknown GbpSv;GbpSv; [x]

=============== Created Last 30 ================

2009-11-04 19:30:25 0 d-----w- c:\docume~1\tony\dadosd~1\Malwarebytes
2009-11-04 19:30:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 19:29:58 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
2009-11-04 19:29:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 17:10:54 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-04 17:06:29 0 dc-h--w- c:\docume~1\alluse~1\dadosd~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 15:16:53 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Avira
2009-11-03 20:36:31 0 d-----w- c:\arquivos de programas\Speedy
2009-10-11 13:21:44 0 d-----w- c:\arquivos de programas\arquivos comuns\Apple
2009-10-11 13:00:42 0 d-----w- c:\temp\DVD Architect Studio 4.5
2009-10-10 21:45:16 54156 ---ha-w- c:\windows\QTFont.qfn
2009-10-10 21:45:16 1409 ----a-w- c:\windows\QTFont.for

==================== Find3M ====================

2028-11-03 22:25:54 35104 ----a-w- c:\windows\fonts\ataques.ttf
2028-10-05 03:42:58 55232 ----a-w- c:\windows\fonts\taquesau.ttf
2009-11-04 17:10:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-03 18:19:16 75230 ----a-w- c:\windows\system32\perfc016.dat
2009-11-03 18:19:16 460722 ----a-w- c:\windows\system32\perfh016.dat
2009-09-23 12:55:23 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-21 23:49:25 10402 --sha-w- c:\windows\system32\dLoXHkkj.ini2
2004-10-01 17:00:16 40960 ----a-w- c:\arquivos de programas\Uninstall_CDS.exe

============= FINISH: 17:13:24,54 ===============

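The DDS log above contains several entries a helper would look at before anything else: an extra LSA authentication package pointing at a path with no extension and a random-looking name, a service whose binary is missing (`UnknownUnknown ... [x]`), files dated in the future (2028, against a scan run on 05/11/2009), a hidden+system file in system32 with an unusual extension, and Trusted Zone entries that lower IE's security settings for those sites. The script below is an added example, not part of the original post or of the DDS tool; it encodes those checks as heuristics over the DDS text format and runs them against lines copied from the log above. The cutoffs (the single default LSA package `msv1_0`, the scan date, the attribute flags) are assumptions for this log, not rules DDS itself applies.

```python
"""Triage heuristics for a DDS log (the text format pasted above).

Added example: these checks are not part of DDS; they are the
indicators a helper would scan the log for by eye.
"""
import re
from datetime import date

# Lines copied from the DDS log posted above (a subset of the full log).
SAMPLE_LOG = """\
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\jkkHXoLd
Notify: GbPluginBb - c:\\arquiv~1\\gbplugin\\gbieh.dll
UnknownUnknown GbpSv;GbpSv; [x]
R0 Lbd;Lbd;c:\\windows\\system32\\drivers\\Lbd.sys [2009-5-21 64288]
2028-11-03 22:25:54 35104 ----a-w- c:\\windows\\fonts\\ataques.ttf
2009-11-04 17:10:46 15880 ----a-w- c:\\windows\\system32\\lsdelete.exe
2009-09-21 23:49:25 10402 --sha-w- c:\\windows\\system32\\dLoXHkkj.ini2
Trusted Zone: bradesco.com.br\\www
Trusted Zone: youtube.com\\www
"""

# Assumptions for this log: scan date from the "Run by ... on" header,
# and msv1_0 as the only LSA authentication package expected on XP.
SCAN_DATE = date(2009, 11, 5)
KNOWN_LSA_PACKAGES = {"msv1_0"}

# "Created Last 30" / "Find3M" lines: date time size attrs path
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ "
    r"(?P<attrs>[-\w]{8}) (?P<path>.+)$"
)
# "Services / Drivers" lines: state name;display name;path [date size]
SERVICE_LINE = re.compile(r"^(?P<state>\S+) (?P<name>[^;]+);[^;]*;(?P<rest>.*)$")


def triage(log_text, scan_date=SCAN_DATE):
    """Return (category, detail) findings for suspicious DDS log lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        # Any LSA authentication package beyond the default needs a reason;
        # a full path with no extension is doubly unusual.
        if line.startswith("LSA: Authentication Packages ="):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(("lsa_package", pkg))
            continue

        # Service registered but binary unknown or missing on disk.
        m = SERVICE_LINE.match(line)
        if m and (m.group("state") == "UnknownUnknown" or "[x]" in m.group("rest")):
            findings.append(("service_missing_binary", m.group("name")))
            continue

        m = FILE_LINE.match(line)
        if m:
            y, mo, d = map(int, m.group("date").split("-"))
            path = m.group("path")
            attrs = m.group("attrs")
            # Timestamps later than the scan itself are forged or broken.
            if date(y, mo, d) > scan_date:
                findings.append(("future_timestamp", path))
            # Hidden + system attributes on a file dropped into system32.
            if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
                findings.append(("hidden_system_file", path))
            continue

        # Trusted Zone sites run with relaxed IE security; list for review.
        if line.startswith("Trusted Zone:"):
            findings.append(("trusted_zone", line.split(":", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

Each finding is a lead to verify, not a verdict: a Trusted Zone entry for a bank can be the user's own doing, and a future timestamp can be a clock problem, which is why the helper's next step in the thread is a deeper scan rather than removal based on the DDS output alone.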


#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 November 2009 - 07:41 AM

Hello tonygil

Welcome to BleepingComputer :(
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
