Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with malware.sillydc & rootkit.tdss as well as other beasties


  • This topic is locked This topic is locked
2 replies to this topic

#1 punter_121

punter_121

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 03 January 2010 - 09:54 PM

Task Manager is disabled
IE is redirecting
Only 1 out of 4 reboots go through
Could only run DDS in safe mode
Could not run RootRepeal at all (including safe mode)
-Initializing please wait..., virtual memory too low, and then the computer locks up
Can no longer run MBAM
PC Tools spyware Doctor tells me that I have
-Malware.SillyDC,
-rootkit.tdss
-rogueantispyware.coregaurdantivirus2009,
-spyware.known_bad_sites

DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrator at 22:59:25.23 on Sat 01/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.341 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\system32\svchost.exe -k netsvcs
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uStart Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
uInternet Settings,ProxyServer = 10.1.1.1:8080
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Internet Explorer Plugin: {209a54af-418a-4b1e-a68d-21fc33494303} - nnurri9.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
{5ca3d70e-1895-11cf-8e15-001234567890}
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DLA] c:\winnt\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRunServices: [iexplore] iexplore.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventr~1.lnk - c:\program files\broderbund\printmaster\PMremind.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130954407421
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130954393406
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37545.3508680556
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5186/mcfscan.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
mASetup: {C9FBFE79-30DD-4CA2-A434-F0201AC64C27} - rundll32 nnurri9.dll,laspi

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\winnt\system32\drivers\PCTCore.sys [2009-12-29 207792]
S0 yoih;yoih;c:\winnt\system32\drivers\imvoj.sys --> c:\winnt\system32\drivers\imvoj.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-29 112592]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-12-30 312592]
S2 Microsoft NetWork FireWall Services;Microsoft NetWork FireWall Services;NetServices.exe --> NetServices.exe [?]
S2 Microsoft;Microsoft Framework;c:\winnt\system32\svchost.exe -k audiosrvc [2001-8-23 14336]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-29 359624]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-29 1141712]

=============== Created Last 30 ================

2010-01-03 02:34:58 0 d-----w- c:\program files\Cobian Backup 9
2010-01-02 15:25:55 0 d-----w- c:\winnt\system32\CatRoot_bak
2010-01-02 15:15:29 886 ----a-w- c:\winnt\system32\krl32mainweq.dll
2009-12-30 14:27:03 221184 ----a-w- c:\winnt\system32\wmpns.dll
2009-12-30 07:56:08 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-12-30 07:56:00 0 d-----w- c:\program files\IObit
2009-12-30 06:25:51 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-12-30 06:19:33 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-12-30 06:19:30 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-12-30 06:19:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-30 05:51:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 07:49:25 1060864 ----a-w- c:\winnt\system32\MFC71.dll
2009-12-29 06:53:42 883 ----a-w- c:\winnt\RegSDImport.xml
2009-12-29 06:53:42 880 ----a-w- c:\winnt\RegISSImport.xml
2009-12-29 06:53:42 767952 ----a-w- c:\winnt\BDTSupport.dll
2009-12-29 06:53:42 149456 ----a-w- c:\winnt\SGDetectionTool.dll
2009-12-29 06:53:42 131 ----a-w- c:\winnt\IDB.zip
2009-12-29 06:53:41 165840 ----a-w- c:\winnt\PCTBDRes.dll
2009-12-29 06:53:41 1640400 ----a-w- c:\winnt\PCTBDCore.dll
2009-12-29 06:53:41 1152444 ----a-w- c:\winnt\UDB.zip
2009-12-29 06:50:25 7387 ----a-w- c:\winnt\system32\drivers\pctgntdi.cat
2009-12-29 06:50:25 233136 ----a-w- c:\winnt\system32\drivers\pctgntdi.sys
2009-12-29 06:49:50 7383 ----a-w- c:\winnt\system32\drivers\pctcore.cat
2009-12-29 06:49:49 87784 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.sys
2009-12-29 06:49:49 7412 ----a-w- c:\winnt\system32\drivers\PCTAppEvent.cat
2009-12-29 06:49:49 207792 ----a-w- c:\winnt\system32\drivers\PCTCore.sys
2009-12-29 06:49:36 7383 ----a-w- c:\winnt\system32\drivers\pctplsg.cat
2009-12-29 06:49:36 70408 ----a-w- c:\winnt\system32\drivers\pctplsg.sys
2009-12-29 06:49:17 0 d-----w- c:\program files\Spyware Doctor
2009-12-29 06:49:17 0 d-----w- c:\program files\common files\PC Tools
2009-12-29 06:49:17 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-29 06:49:17 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2009-12-29 05:43:31 440 --sha-r- c:\documents and settings\administrator\ntuser.pol
2009-12-29 04:42:31 0 d-----w- c:\winnt\SxsCaPendDel
2009-12-29 03:12:36 202 ----a-w- c:\winnt\system32\srcr.dat
2009-12-21 20:44:10 43520 ----a-w- c:\winnt\system32\nnurri9.dll
2009-12-21 20:44:10 2726 ----a-w- c:\winnt\system32\ijq
2009-12-21 04:20:13 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2009-12-21 04:05:37 16496 ----a-r- c:\winnt\system32\drivers\HPZipr12.sys
2009-12-21 04:05:24 49920 ----a-r- c:\winnt\system32\drivers\HPZid412.sys
2009-12-21 04:04:51 121344 ----a-w- c:\winnt\system32\hpf3l083.dll
2009-12-21 04:04:50 271704 ----a-r- c:\winnt\system32\hpzids01.dll
2009-12-21 04:04:12 21568 ----a-r- c:\winnt\system32\drivers\HPZius12.sys
2009-12-21 04:03:36 372736 ----a-r- c:\winnt\system32\hppldcoi.dll
2009-12-21 04:03:36 309760 ----a-r- c:\winnt\system32\difxapi.dll
2009-12-21 04:03:35 974848 ----a-r- c:\winnt\system32\hpost_p02b.dll
2009-12-21 04:03:35 737280 ----a-r- c:\winnt\system32\hposwia_p02b.dll
2009-12-21 04:03:35 307200 ----a-r- c:\winnt\system32\hposc_p02a.dll
2009-12-21 04:01:09 652 ------w- c:\winnt\hpomdl36.dat.temp
2009-12-21 02:56:42 0 d-----w- c:\program files\common files\HP
2009-12-21 02:34:07 164075 ----a-w- c:\winnt\hpoins36.dat
2009-12-21 02:34:06 652 ------w- c:\winnt\hpomdl36.dat
2009-12-15 00:54:28 43520 ----a-w- c:\winnt\system32\dxqjdxal04.dll
2009-12-15 00:54:28 2611 ----a-w- c:\winnt\system32\kpzu
2009-12-04 05:07:26 0 d-----w- c:\program files\iPod
2009-12-04 05:06:59 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-01-02 01:46:06 68424 ---ha-w- c:\winnt\system32\mlfcache.dat
2009-12-29 04:37:31 87608 ----a-w- c:\docume~1\admini~1\applic~1\inst.exe
2009-12-29 04:37:31 47360 ----a-w- c:\docume~1\admini~1\applic~1\pcouffin.sys
2009-12-11 04:03:00 47360 ----a-w- c:\winnt\system32\drivers\pcouffin.sys
2002-10-12 17:47:59 271 --sh--w- c:\program files\desktop.ini
2002-10-12 17:47:59 21952 -c-ha-w- c:\program files\folder.htt

============= FINISH: 23:02:16.18 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:10 AM

Posted 11 January 2010 - 07:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:10 AM

Posted 17 January 2010 - 02:08 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users