
Trojan.Downloader and Malware Packer


  • This topic is locked
2 replies to this topic

#1 soopd

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:37 PM

Posted 26 February 2010 - 12:21 AM

Internet refreshes every 2 seconds on its own.


DDS (Ver_09-12-01.01) - NTFSX64
Run by DAVIS at 22:19:30.10 on Thu 02/25/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4862.2967 [GMT -6:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\PROGRA~2\Borland\INTERB~1\Bin\ibguard.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~2\Borland\INTERB~1\Bin\ibserver.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\nvraidservice.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWWSC.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
J:\HijackThis.exe
C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\DAVIS\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files (x86)\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files (x86)\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files (x86)\yontoo layers client for internet explorer\YontooIEClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [<NO NAME>]
mRun: [Ad-Watch] "c:\program files (x86)\lavasoft\ad-aware\AAWTray.exe"
mRun: [Monitor] "c:\program files (x86)\leapfrog\leapfrog connect\Monitor.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files (x86)\pokerstars\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files (x86)\java\jre1.6.0_01\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files (x86)\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files (x86)\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: line6.net
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files (x86)\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files (x86)\superantispyware\SASSEH.DLL
TB-X64: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [RtHDVCpl] RAVCpl64.exe
mRun-x64: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun-x64: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun-x64: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [WPCUMI] c:\windows\system32\WpcUmi.exe

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-21 69152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
R3 CAXHWBS3;CAXHWBS3;c:\windows\system32\drivers\CAXHWBS3.sys [2008-5-21 286208]
R3 netr28ux;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28ux.sys [2007-12-14 709632]
S1 SASDIFSV;SASDIFSV;c:\program files (x86)\superantispyware\sasdifsv.sys [2009-1-15 8944]
S1 SASKUTIL;SASKUTIL;c:\program files (x86)\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
S2 gupdate1c9ff8867b0c150;Google Update Service (gupdate1c9ff8867b0c150);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-7-7 133104]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-2-25 1153368]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-11-10 24576]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 GPWADrv;Service for L6 GuitarPort Driver (WDM);c:\windows\system32\drivers\GPWADrv64.sys [2008-10-23 830592]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 SASENUM;SASENUM;c:\program files (x86)\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2010-02-26 04:18:28 0 ----a-w- c:\users\davis\defogger_reenable
2010-02-26 03:02:17 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-02-26 03:02:17 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-02-22 00:27:28 69152 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-22 00:27:26 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-22 00:26:29 0 dc-h--w- c:\programdata\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-10 00:26:56 1425480 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 00:26:55 40448 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 00:26:51 4698184 ----a-w- c:\windows\system32\ntoskrnl.exe

==================== Find3M ====================

2010-02-24 15:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 00:27:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-25 12:10:22 538624 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:10:22 160768 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:10:22 160768 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:10:03 539136 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:08:59 460288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 12:00:35 471552 ----a-w- c:\windows\syswow64\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\syswow64\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\syswow64\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\syswow64\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\syswow64\msdrm.dll
2010-01-25 08:29:35 413696 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:29:31 600576 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:29:31 409600 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:29:28 599552 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:20 526336 ----a-w- c:\windows\syswow64\RMActivate_isv.exe
2010-01-25 08:21:20 346624 ----a-w- c:\windows\syswow64\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 518144 ----a-w- c:\windows\syswow64\RMActivate.exe
2010-01-25 08:21:18 347136 ----a-w- c:\windows\syswow64\RMActivate_ssp.exe
2010-01-23 09:44:17 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-23 09:26:13 2048 ----a-w- c:\windows\syswow64\tzres.dll
2010-01-07 22:07:06 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 16:00:02 1927680 ----a-w- c:\windows\system32\gameux.dll
2010-01-06 15:58:36 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-01-06 15:39:38 1696256 ----a-w- c:\windows\syswow64\gameux.dll
2010-01-06 15:38:47 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
2010-01-06 14:03:28 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-01-06 13:30:41 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
2009-12-26 00:40:56 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-26 00:40:56 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-26 00:40:55 86016 ----a-w- c:\windows\inf\infstor.dat
2009-12-18 13:08:01 86528 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 13:01:56 78336 ----a-w- c:\windows\syswow64\ieencode.dll
2009-12-16 12:16:02 1032192 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 11:44:23 834048 ----a-w- c:\windows\syswow64\wininet.dll
2009-12-16 11:44:14 1176064 ----a-w- c:\windows\syswow64\urlmon.dll
2009-12-16 11:42:38 3600896 ----a-w- c:\windows\syswow64\mshtml.dll
2009-12-16 11:42:09 6079488 ----a-w- c:\windows\syswow64\ieframe.dll
2009-12-16 11:42:09 193024 ----a-w- c:\windows\syswow64\iepeers.dll
2009-12-16 11:42:09 180736 ----a-w- c:\windows\syswow64\ieui.dll
2009-12-16 11:42:08 380928 ----a-w- c:\windows\syswow64\ieapfltr.dll
2009-12-12 09:18:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-11 05:35:44 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-04 18:52:22 14848 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-04 18:51:44 1570816 ----a-w- c:\windows\system32\quartz.dll
2009-12-04 18:50:40 25600 ----a-w- c:\windows\system32\msyuv.dll
2009-12-04 18:50:37 38400 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-04 18:50:33 15872 ----a-w- c:\windows\system32\msrle32.dll
2009-12-04 18:49:49 54272 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-04 18:30:05 12288 ----a-w- c:\windows\syswow64\tsbyuv.dll
2009-12-04 18:29:41 1314816 ----a-w- c:\windows\syswow64\quartz.dll
2009-12-04 18:28:52 22528 ----a-w- c:\windows\syswow64\msyuv.dll
2009-12-04 18:28:51 31744 ----a-w- c:\windows\syswow64\msvidc32.dll
2009-12-04 18:28:51 123904 ----a-w- c:\windows\syswow64\msvfw32.dll
2009-12-04 18:28:49 13312 ----a-w- c:\windows\syswow64\msrle32.dll
2009-12-04 18:28:27 82944 ----a-w- c:\windows\syswow64\mciavi32.dll
2009-12-04 18:28:21 50176 ----a-w- c:\windows\syswow64\iyuv_32.dll
2009-12-04 18:27:12 91136 ----a-w- c:\windows\syswow64\avifil32.dll
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-12-03 00:09:19 22 --sha-w- c:\windows\sminst\HPCD.sys
2008-12-02 04:41:44 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-12-02 04:41:44 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-12-02 04:41:44 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:20:08.03 ===============

#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 28 February 2010 - 05:05 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:37 AM

Posted 05 March 2010 - 07:19 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE