desktoplayer.exe Help!


  • This topic is locked
3 replies to this topic

#1 mzurita8

mzurita8

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 17 August 2010 - 05:33 PM

Hi, I was referred here by someone in the "Am I Infected" forums. I've run SAS, Malwarebytes and MSSE. Every time I try to delete Desktoplayer.exe it automatically comes back on reboot. It also seems to have gotten into my registry because every time I boot up the computer I have to manually start explorer.exe. When I run MSSE I get about 100 to 200 Ramnit A and B notifications. Any help would be appreciated. Thank you.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Admin at 13:40:52.95 on Tue 08/17/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.337 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Admin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=101676&l=dis
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [{813CDD33-343E-65FC-A097-303C426F41AC}] "c:\documents and settings\admin\application data\poar\isfa.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R3 easytether;easytether;c:\windows\system32\drivers\easytthr.sys [2010-4-18 10496]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-4-3 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2004-9-2 32640]
S0 oyjuayum;oyjuayum; [x]
S0 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2010-5-15 15944]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2010-8-8 24416]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-08-17 20:40:03 57344 ----a-w- c:\windows\system32\rundll32Srv.exe
2010-08-17 20:35:41 57344 ----a-w- c:\windows\system32\controlSrv.exe
2010-08-17 20:34:29 57344 ----a-w- c:\windows\explorerSrv.exe
2010-08-17 20:29:33 0 ----a-w- c:\documents and settings\admin\defogger_reenable
2010-08-17 04:58:36 57344 ----a-w- c:\windows\system32\taskmgrSrv.exe
2010-08-17 04:58:14 57344 ----a-w- c:\windows\system32\userinitSrv.exe
2010-08-16 05:08:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-16 05:08:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-16 05:08:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-16 04:44:54 0 d-----w- c:\program files\rivi
2010-08-15 03:11:19 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-08-15 03:11:19 0 d-----w- c:\docume~1\admin\applic~1\SUPERAntiSpyware.com
2010-08-15 03:11:10 0 d-----w- c:\program files\SUPERAntiSpyware
2010-08-15 02:15:22 1033728 ----a-w- c:\windows\system32\userinit.exe
2010-08-13 09:24:21 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-08-13 09:22:40 0 d-----w- c:\docume~1\admin\applic~1\GetRightToGo
2010-08-13 07:37:05 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-13 00:39:53 0 d-s---w- c:\documents and settings\admin\UserData
2010-08-13 00:32:18 0 d-----w- c:\program files\Microsoft Security Essentials
2010-08-09 19:50:59 0 d-----w- c:\program files\riv
2010-08-09 02:21:59 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-09 02:21:59 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-09 02:15:18 0 d--h--w- c:\windows\system32\GroupPolicy
2010-08-09 00:59:49 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-08-08 07:16:34 0 d-----w- c:\program files\Microsoft
2010-08-08 07:11:40 162 ----a-w- c:\windows\system32\Partizan.RRI
2010-08-08 07:10:01 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-08-08 07:06:24 0 d-----r- C:\desktop.ini
2010-08-08 07:06:24 0 d-----r- C:\comment.htt
2010-08-08 07:06:24 0 d-----r- C:\autorun.inf
2010-08-08 07:06:21 2 --shatr- c:\windows\winstart.bat
2010-08-08 07:05:19 57556 ----a-w- c:\windows\guard.bmp
2010-08-08 07:05:09 0 d-----w- c:\program files\Greatis
2010-08-07 09:46:44 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-08-07 09:17:34 768 ----a-w- c:\windows\system32\.crusader
2010-08-07 01:56:40 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2010-08-07 01:56:40 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-08-07 01:10:37 0 d-----w- c:\program files\riva
2010-08-01 08:51:59 0 d-----w- c:\docume~1\admin\applic~1\Unukz
2010-07-27 10:47:49 0 d-sha-r- C:\cmdcons
2010-07-27 10:37:33 98816 ----a-w- c:\windows\sed.exe
2010-07-27 10:37:33 77312 ----a-w- c:\windows\MBR.exe
2010-07-27 10:37:33 256512 ----a-w- c:\windows\PEV.exe
2010-07-27 10:37:33 161792 ----a-w- c:\windows\SWREG.exe
2010-07-27 09:25:28 0 d-----w- c:\program files\trend micro
2010-07-26 20:03:47 150 ----a-w- C:\zrpt.xml
2010-07-26 20:03:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Update

==================== Find3M ====================

2010-08-08 06:53:37 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:10:44 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:10:44 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-09 23:01:10 126448 ----a-w- c:\windows\system32\pxinsi64.exe
2010-06-09 23:01:10 123888 ----a-w- c:\windows\system32\pxcpyi64.exe

============= FINISH: 13:42:12.26 ===============

Sorry, but I have another update: it seems like my browser is having redirect problems with whatever search engine I'm using.

EDIT: Posts merged ~BP

Edited by Budapest, 17 August 2010 - 06:56 PM.



#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:09 AM

Posted 18 August 2010 - 10:52 AM

Hello and welcome to Bleeping Computer.

*Please Subscribe to this Thread to get immediate notification of replies. See HERE

*It is important not to make any further changes or run any other tools/updates unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.



===============================


Did you run ComboFix on this PC? If yes, can you please post the contents of C:\ComboFix.txt.


===============================


One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterward. Let me know what you decide to do.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support; post on the forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 mzurita8

mzurita8
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:09 AM

Posted 25 August 2010 - 12:35 AM

Sorry to keep you waiting, but I ended up reformatting and reinstalling Windows. Thank you anyway.

#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:12:09 AM

Posted 25 August 2010 - 08:47 AM

Thank you for letting us know.

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.

~Semp

