
Trojan Horse Injector.GT


  • This topic is locked
2 replies to this topic

#1 prashantsurat

prashantsurat

  • Members
  • 1 posts
  • OFFLINE

Posted 26 February 2010 - 05:38 AM

I have found that I need to post a DDS log and do nothing else.

I am inserting the DDS log.

Kindly help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Prashant at 15:56:57.35 on Fri 02/26/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.517 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
H:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\spoolsv.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
H:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\AVG\AVG9\avgnsx.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\AVG\AVG9\avgui.exe
C:\Documents and Settings\Prashant\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - h:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - h:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\prashant\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] h:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - h:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
IE: &Download by Orbit - h:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - h:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - h:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - h:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://h:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://h:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://h:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://h:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - h:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: {7EF5EB74-4D73-4F2A-8A8C-6689E2DEBF38} = 203.187.192.15,203.187.192.12
TCP: {9B5065F6-A9A5-41A9-82A3-D2E851609BCF} = 203.187.192.12 203.187.192.15
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - h:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\prashant\applic~1\mozilla\firefox\profiles\0495isq6.default\
FF - component: h:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\prashant\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: h:\program files\adobe\acrobat 7.0\reader\browser\nppdf32.dll
FF - plugin: h:\program files\google\picasa3\npPicasa3.dll
FF - plugin: h:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: h:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: h:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - h:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
h:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
h:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
h:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
h:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
h:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
h:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
h:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
h:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
h:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
h:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
h:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
h:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
h:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
h:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
h:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 AladdinUsbFilter;AladdinUsbFilterService;c:\windows\system32\drivers\AladdinUsbFilter.sys [2010-1-20 484352]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-21 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-10-21 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-21 360584]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-1-20 33824]
R2 avg9wd;AVG Free WatchDog;h:\program files\avg\avg9\avgwdsvc.exe [2009-12-1 285392]
R2 wntpport;wntpport;c:\windows\system32\drivers\WNTPPORT.SYS [2010-1-20 28416]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-26 38224]
S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [2010-1-20 13359]

=============== Created Last 30 ================

2010-02-26 09:59:50 0 d-----w- c:\docume~1\prashant\applic~1\Malwarebytes
2010-02-26 09:59:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 09:59:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-26 09:59:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 09:56:36 0 d-----w- c:\windows\system32\appmgmt
2010-02-25 14:42:25 0 d-----w- c:\windows\pss
2010-02-13 15:19:47 719872 ----a-w- c:\windows\system32\devil.dll
2010-02-13 15:19:47 351744 ----a-w- c:\windows\system32\avisynth.dll
2010-02-13 15:19:47 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-13 15:19:47 0 d-----w- c:\program files\common files\Common Share
2010-02-13 15:19:45 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-01-30 06:48:46 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-01-30 06:48:46 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

==================== Find3M ====================

2010-01-20 12:08:28 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys
2009-11-30 20:40:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 15:57:48.03 ===============

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 28 February 2010 - 05:06 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK

Posted 05 March 2010 - 07:20 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE