
Dotdr.exe - Trojan.generic.dux


  • This topic is locked
6 replies to this topic

#1 Blithe

Blithe

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 04 July 2006 - 07:54 PM

Dear Friends,

Have been having trouble with this trojan stuff over the last few days. I have run spybot, adaware, sting, bitdefender, updated avg, and the like. It keeps coming back to the same problem. On the face of it, AVG does identify it apparently, but can't do anything more!

At the beginning, it totally hijacked my internet connection, and was sending information from my computer. At the moment that seems to have ceased, but it still seems to replicate itself every time I restart the comp. For the record I am using XP, and am running Kerio firewall atm.

The HJT log is as below. Your help is greatly appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 6:03:21 AM, on 7/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\System32\hkcmd.exe
D:\WINDOWS\sm56hlpr.exe
D:\WINDOWS\vsnpstd.exe
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
D:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\System32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {7B34B61B-6A21-4743-B042-4CDFB9C6B5DD} - D:\WINDOWS\System32\ddayy.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [snpstd] D:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MS DLL Library Manager] D:\WINDOWS\System32\dllsys64.exe
O4 - HKLM\..\Run: [utasvc] rundll32.exe D:\WINDOWS\System32\utasvc.dll,start
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager Tool] D:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmb_3.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Ad Hunter - F:\Wxp\MYIE2\config/blacklist.htm
O8 - Extra context menu item: Download using Download &Express - F:\Wxp\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - http://messenger.rediff.com/newbol/Bol.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{046A8BB6-87A3-4DB1-919C-631857ED6950}: NameServer = 203.197.12.42 203.197.12.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{046A8BB6-87A3-4DB1-919C-631857ED6950}: NameServer = 203.197.12.42 203.197.12.30
O20 - Winlogon Notify: ddayy - D:\WINDOWS\System32\ddayy.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IPConfTSP - D:\WINDOWS\system32\irpul5791.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: sysmgr64 - Unknown owner - D:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - D:\WINDOWS\update\updmangr.exe (file missing)

Many Thanks
Blithe
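The helpers in this thread triage a HijackThis log by eye: search-page hijacks, an unnamed BHO, autoruns started from a drive root or through rundll32, Microsoft-branded entries running from odd folders, services with no owner or a missing binary, and one DLL registered under two persistence mechanisms. The script below automates that reading. It is an added example, not part of HijackThis and not code posted by anyone in the thread; the heuristics, the allow-list of search hosts and the list of default Winlogon notify packages are assumptions. The sample lines are copied from the log above, with a few benign ones so the clean case is visible too.

```python
"""Triage HijackThis log lines for persistence entries worth a second look.

Added example for this thread; not HijackThis code and not posted by the
forum helpers. All heuristics and allow-lists below are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
FILE_RE = re.compile(r"[\w.-]+\.(?:exe|dll|ocx)\b", re.I)

# Assumptions: hosts a stock IE search page may point at, and the Winlogon
# notify packages shipped with Windows XP plus the Intel graphics one seen here.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com", "search.yahoo.com"}
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
# Sections whose entries load code at boot/logon; used for cross-correlation.
PERSIST = {"O2", "O4", "O20", "O23"}

# Constructed sample: lines copied from the log posted above, plus benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {7B34B61B-6A21-4743-B042-4CDFB9C6B5DD} - D:\WINDOWS\System32\ddayy.dll
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [utasvc] rundll32.exe D:\WINDOWS\System32\utasvc.dll,start
O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager Tool] D:\WINDOWS\update\updmangr.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ddayy - D:\WINDOWS\System32\ddayy.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: sysmgr64 - Unknown owner - D:\WINDOWS\sysmgr64.exe (file missing)
O23 - Service: Windows Update Manager Tool (UpdateManagerTool) - Unknown owner - D:\WINDOWS\update\updmangr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def triage_line(line):
    """Return (severity, reason) findings for one HJT line; [] if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    out = []
    if kind in ("R0", "R1"):
        # "...,Search Page = http://host" -> compare the host with the allow-list
        host = urlparse(body.partition(" = ")[2].strip()).hostname
        if host and host not in KNOWN_SEARCH_HOSTS:
            out.append(("high", f"IE search setting redirected to {host}"))
    elif kind == "O2" and "(no name)" in body:
        out.append(("high", "Browser Helper Object registered without a name"))
    elif kind == "O4":
        run = RUN_RE.match(body)
        if run:
            name, cmd = run.group("name"), run.group("cmd")
            if re.match(r"^[A-Za-z]:\\\\", cmd):  # C:\\file.exe: dropped in the drive root
                out.append(("high", f"[{name}] starts from the drive root: {cmd}"))
            if cmd.lower().startswith("rundll32.exe") and cmd.lower().endswith(",start"):
                out.append(("medium", f"[{name}] loads a DLL via rundll32 with a generic 'start' export"))
            branded = re.search(r"microsoft|windows", name, re.I)
            if branded and not re.search(r"\\system32\\|\\program files\\", cmd, re.I):
                out.append(("high", f"[{name}] uses Microsoft branding but runs from {cmd}"))
    elif kind == "O20":
        pkg = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            out.append(("high", f"Winlogon Notify package '{pkg}' is not a known default"))
    elif kind == "O23" and "Unknown owner" in body:
        out.append(("medium", "service carries no owner/vendor information"))
    if kind in ("O20", "O23") and "(file missing)" in body:
        out.append(("low", f"{kind} entry points at a file that is no longer present"))
    return out


def triage_log(text):
    """Per-line findings, then files registered under more than one persistence section."""
    findings = []
    seen = defaultdict(set)  # lower-cased file name -> set of section kinds
    for line in text.splitlines():
        stripped = line.strip()
        for sev, why in triage_line(stripped):
            findings.append((sev, stripped, why))
        m = ENTRY_RE.match(stripped)
        if m and m.group("kind") in PERSIST:
            for fname in FILE_RE.findall(stripped):
                seen[fname.lower()].add(m.group("kind"))
    for fname, kinds in sorted(seen.items()):
        if len(kinds) > 1:
            findings.append(("high", fname, f"registered under {len(kinds)} mechanisms: {', '.join(sorted(kinds))}"))
    return findings


if __name__ == "__main__":
    for sev, target, why in triage_log(SAMPLE_LOG):
        print(f"{sev:6} {why}\n       {target}")
```

Run as-is it reports the hijacked search page, the unnamed BHO, the three odd autoruns, the unknown notify package, the two ownerless services with missing binaries, and that ddayy.dll and updmangr.exe each appear under two sections, while the Intel, AVG and hkcmd lines stay quiet. The allow-lists are the weak point of any such script: extend them for the machine at hand rather than trusting the defaults.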



#2 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 04 July 2006 - 10:50 PM

Hi,

Welcome to BleepingComputer. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a BleepingComputer Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk


Requests for help via PM will be ignored. Please post on the forums instead :)
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Blithe

Blithe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 04 July 2006 - 11:52 PM

Thanks a ton for looking into the issue. You have made yourself perfectly clear, and I shall wait to hear from you as and when you finish the fix. Just one more thing which will hopefully be of assistance in understanding the issue: since this virus has come on board, I get a message saying "utasvc.dll module missing" on startup. I have no idea if this is related to the virus/trojan directly, but it started happening from the day I found the trojan was on board.

Many Thanks,
Blithe

Edited by Blithe, 04 July 2006 - 11:53 PM.


#4 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 05 July 2006 - 03:01 AM

One or more of the identified infections is a backdoor trojan.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
agrarianmonk


#5 Blithe

Blithe
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:27 PM

Posted 05 July 2006 - 07:51 AM

Thanks for letting me know, appreciate it. Highly unfortunate, but c'est la vie? :thumbsup:

Thankfully that computer is not used for financial transactions or business purposes, and the only thing that would be personal information is possibly personal mail account passwords, which I have now changed from a separate pc.

A couple of questions though.... I have some music files and docs I need to back up before reformatting; how will I make sure these are not infected? I need to be careful not to let the trojan back in after reformatting, shouldn't I?

Also, once reformatted, is a combination of Kerio firewall (free version) and AVG antivirus enough for safety in the future? In addition I plan to use Spybot and Adaware.

Cheers,
Blithe.

#6 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 05 July 2006 - 10:45 AM

Sometimes the best solution is to format and reinstall Windows. You will have the reassurance that the system is clean after you do.

If you decide to go this route, start the format, and make sure you are not connected to the Internet (unplug dial-up, DSL, cable, wireless) when you install the Operating System. After the OS is on board, install an Antivirus program and a Firewall (if you have a CD for them), reboot, then connect to the Internet, and install Service Pack 2.

If you do not have a CD, and need to download an AntiVirus program and a Firewall from the Internet, let that be the first step so that the system is protected right after the Operating System is installed.

There are free AntiVirus programs you can download:

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

AntiVir Personal Edition: http://www.free-av.com/


Some free Firewall choices are:

ZoneAlarm:
http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

Sunbelt Kerio:
http://www.sunbelt-software.com/Kerio.cfm

OutPost:
http://www.agnitum.com/products/outpostfree/download.php


Then, make sure that the AntiVirus program installed in your system is always kept up to date!

Last, install whatever other programs you wish after the computer has protection.

If data was backed up prior to the format, before placing that data back into a clean hard drive, have it scanned with AntiVirus programs. Use more than one program, since AntiVirus scanners use databases that are not identical, and one may find malware that another does not. If the data is reported as clean after running a few virus scans (IMO would use three or more), it should be safe to place it in the clean hard drive.

====
Some of the best suggestions and programs to remain malware free are contained in the following:
Tony Klein’s article 'How Did I Get Infected In The First Place'
http://castlecops.com/postlite7736-.html
Take a look at what the article has to offer and select the programs that suit your needs.

Also, the following is an excellent program that you may want to run on a regular basis:

AdAware SE:
http://www.majorgeeks.com/download506.html

Every so often, also perform an online virus scan.
AntiVirus scanners use databases which are not identical, and one may find malware that another does not.

Some online scanners:
TrendMicro HouseCall:
http://uk.trendmicro-europe.com/consumer/h...call_launch.php

Panda ActiveScan:
http://www.pandasoftware.com/products/activescan.htm

Kaspersky Online Scanner (using Internet Explorer):
http://www.kaspersky.com/virusscanner

BitDefender:
http://www.bitdefender.com/scan8/

If you have any questions or comments, do not hesitate to post back.
agrarianmonk


#7 agrarianmonk

agrarianmonk

  • Members
  • 522 posts
  • OFFLINE
  • Local time:12:27 PM

Posted 20 July 2006 - 10:33 AM

Sorry you had to reformat.

Since this issue appears to be resolved ... this Topic has been closed.

If you are the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
agrarianmonk
