Jump to content

Antivirus live and a trojan

thekoopa

By thekoopa
in Resolved Malware Removal Logs

 Share

Recommended Posts

thekoopa

thekoopa

Posted
Posted

Please excuse my first post. This one has all of the information from the sticky.

DDS (Ver_09-12-01.01) - NTFSx86

Run by Owner at 9:59:28.26 on Tue 01/05/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.221 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 100105-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner.CITY-SANTAMARIA\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

mDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [A Verizon App] c:\progra~1\verizo~1\helpsu~1\VERIZO~1.EXE

mRun: [Motive SmartBridge] c:\progra~1\verizo~1\helpsu~1\smartb~1\MotiveSB.exe

mRun: [VerizonServicepoint.exe] c:\program files\verizon\servicepoint\VerizonServicepoint.exe

mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

mRun: [Qjagedekosub] rundll32.exe "c:\windows\urisogik.dll",Startup

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

dRun: [AntiVirus Plus] "c:\windows\system32\rundll32.exe" "c:\documents and settings\owner.city-santamaria\application data\antivirus plus\AntiVirus Plus.70367201.dll", start 70367201

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE

mPolicies-system: EnableLUA = 0 (0x0)

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

dPolicies-explorer: NoFolderOptions = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

dPolicies-system: DisableRegistryTools = 1 (0x1)

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: samsungportal.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {08BCD971-A13B-4D6E-A2A5-E9B2324FC00D} - hxxp://service.samsungportal.com/EP/web/common/cabfiles/CM_ClientEXE.cab

DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}

DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153777608889

DPF: {714E667D-360C-4BFB-8C1A-E4812B608CC1} - hxxp://service.samsungportal.com/EP/web/common/cabfiles/ACUBETrustChecker.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {C4D88B8E-352B-11D6-BF77-0080C740A177} - hxxp://service.samsungportal.com/EP/web/common/cabfiles/ActiveXSetup.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: misavamer - {b9708e2c-daab-4234-96f1-b35be7493381} - c:\windows\system32\gemewoda.dll

STS: gahurihor: {b9708e2c-daab-4234-96f1-b35be7493381} - c:\windows\system32\gemewoda.dll

LSA: Notification Packages = scecli todomeko.dll nefavega.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.cit\applic~1\mozilla\firefox\profiles\pv773hhr.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.marcone.com/

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {1E1F4FEC-C9E6-41CE-9350-8FADDE714452} - c:\documents and settings\owner.city-santamaria\local settings\application data\{1E1F4FEC-C9E6-41CE-9350-8FADDE714452}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-8 114768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-8 20560]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-8 138680]

R2 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB18 [?]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-8 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-8 352920]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2006-5-15 17149]

S3 NAVAP;NAVAP;\??\c:\windows\system32\drivers\navap.sys --> c:\windows\system32\drivers\NAVAP.SYS [?]

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

=============== Created Last 30 ================

2010-01-04 21:59:05 40960 ----a-w- c:\documents and settings\owner.city-santamaria\rundll32.exe

2010-01-04 21:59:05 40960 ----a-w- c:\documents and settings\owner.city-santamaria\rundll32 .exe

2010-01-04 21:24:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-04 21:24:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-30 17:00:16 61952 ---h--w- c:\windows\system32\BIT2.tmp

2009-12-29 22:03:38 773120 ----a-w- c:\windows\system32\drivers\hiquj.sys

2009-12-29 18:03:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-29 17:08:54 40960 ----a-w- c:\documents and settings\owner.city-santamaria\rundll32.exe.delme128

2009-12-29 17:08:38 40960 ----a-w- c:\documents and settings\owner.city-santamaria\bcmsmmsg.exe

2009-12-29 17:08:29 40960 ----a-w- c:\documents and settings\owner.city-santamaria\msblast.exe

2009-12-29 17:08:29 40960 ----a-w- c:\documents and settings\owner.city-santamaria\msblast .exe

2009-12-29 15:00:33 40960 ----a-w- c:\windows\system32\bcmsmmsg.exe

2009-12-29 15:00:33 40960 ----a-w- c:\windows\system32\bcmsmmsg .exe

2009-12-29 15:00:26 40960 ----a-w- c:\windows\system32\msblast.exe

2009-12-29 15:00:26 40960 ----a-w- c:\windows\system32\msblast .exe

2009-12-28 17:13:06 0 ----a-w- c:\windows\Opuxacanarigapuq.bin

2009-12-28 17:13:03 120 ----a-w- c:\windows\Ffuqejiq.dat

2009-12-17 00:56:08 0 d-----w- c:\docume~1\owner~1.cit\applic~1\Malwarebytes

2009-12-17 00:55:57 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2009-12-17 00:47:53 0 d-----w- c:\windows\pss

2009-12-16 20:46:05 4301 ----a-w- c:\windows\wininit.ini

2009-12-16 19:41:44 0 d-----w- c:\program files\Spybot - Search & Destroy

2009-12-16 19:41:44 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-01-05 01:11:04 40960 ----a-w- c:\windows\system32\hkcmd.exe

============= FINISH: 10:02:06.78 ===============

ark.zip

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

Hello thekoopa

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Link to post
Share on other sites
thekoopa

thekoopa

Posted
  • Author
Posted
Hello thekoopa

Welcome to Malwarebytes.

=====================

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capabilities to allows hacker to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

I would rather format the computer. Thanks for the reply!

Link to post
Share on other sites
kahdah

kahdah

Posted
Posted

You are welcome :D

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.