infected by malware [resolved]


#16 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Hi madbomber,

Please download TDS-3 from http://tds.diamondcs...p?page=download
and update it following the instructions here:
http://tds.diamondcs...php?page=update
Then click System Testing > Full System scan.
Have it remove everything it gives you a positive identification of.

In the bottom part of the window, right-click one of the found items and choose "Save log as textfile".
Copy and paste the content of the scanreport to here.

Regards,

Pieter

#17 madbomber (Member, Topic Starter, 13 posts)
Thanks again for all the help so far. Here is the log as requested. [bleep], that took a LONG time. How are we going now?

Scan Control Dumped @ 00:50:58 04-12-04
(DELETED) Live trojan found (in process memory): DCOM RPC Exploit
File: C:\WINDOWS\System32\msass43.exe

(Deleted) RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Media Player=msass43.exe]

(Deleted) RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Media Player=msass43.exe]

(Deleted) RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Media Player=msass43.exe]

(DELETED) Positive identification: Adware.BargainBuddy.n5
File: c:\windows\system32\angelex.exe

(DELETED) Positive identification: Adware.BargainBuddy.n5
File: c:\windows\zeta.exe

(DELETED) Positive identification: Adware.BargainBuddy.n5
File: c:\windows\zeta.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Small.qd3
File: c:\windows\system\yoursitebars.exe

(DELETED) Positive identification (embedded in file): TrojanDownloader.Win32.Keenval.e Dropper
File: c:\windows\system32\in10b6.dll

(DELETED) Positive identification (embedded in file): Adware.WebRebates.b Dropper
File: c:\windows\system32\splwbr.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Small.uy
File: c:\windows\system32\videocntl.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Small.uy
File: c:\windows\system32\dvraudio.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Small.uy
File: c:\windows\system32\audiocntl.exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\np2yrcq2\sbc[1].exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd.a
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\np2yrcq2\sbc[1].exe

(DELETED) Positive identification: Adware.WebRebates.d Dropper
File: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\np2yrcq2\webrebates_europe[1].exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd
File: c:\windows\config\loudcs.exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd.a
File: c:\windows\config\loudcs.exe

(DELETED) Positive identification (DLL): Riskware.Downloader.SpyGame (dll)
File: c:\windows\downloaded program files\gsda.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Small.uy
File: c:\program files\internet explorer\iexplorer.exe

(DELETED) Positive identification (DLL): Adware.WinAD.b1 (dll)
File: c:\program files\windows taskad\winproject.dll

(DELETED) Positive identification: Adware.WinAD.c
File: c:\program files\windows taskad\winsched.exe

(DELETED) Positive identification (DLL): Adware.SyncroAd (dll)
File: c:\program files\windows syncroad\ccomm.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.dk
File: c:\program files\internet optimizer\optimize.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.cr
File: c:\program files\internet optimizer\actalert.exe

(DELETED) Positive identification: Adware.BargainBuddy.n
File: c:\program files\bullseye network\bin\bargains.exe

(DELETED) Positive identification: Adware.BargainBuddy.n1
File: c:\program files\bullseye network\bin\adv.exe

(DELETED) Positive identification: Adware.BargainBuddy.n2
File: c:\program files\bullseye network\bin\adx.exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd
File: c:\documents and settings\mary\local settings\temporary internet files\content.ie5\ghuvw9yz\sbc[1].exe

(DELETED) Positive identification (embedded in file): Adware.SyncroAd.a
File: c:\documents and settings\mary\local settings\temporary internet files\content.ie5\ghuvw9yz\sbc[1].exe

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000159.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dc (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000171.dll

(DELETED) Positive identification: Adware.180Solutions.j
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000176.exe

(DELETED) Positive identification: Adware.BargainBuddy.n
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000178.exe

(DELETED) Positive identification: Adware.BargainBuddy.n1
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000179.exe

(DELETED) Positive identification: Adware.BargainBuddy.n2
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000180.exe

(DELETED) Positive identification: Adware.180Solutions.k
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000181.exe

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000182.dll

(DELETED) Positive identification (DLL): Adware.Exact.c (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000199.dll

(DELETED) Positive identification (DLL): Adware.Exact.c (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000200.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dd (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000220.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dc (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000221.dll

(DELETED) Positive identification: Adware.180Solutions.j
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000222.exe

(DELETED) Positive identification: TrojanDownloader.Win32.IstBar.fr2
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000242.exe

(DELETED) Positive identification (DLL): Adware.Toolbar.SideFind.a BHO (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000243.dll

(DELETED) Positive identification (DLL): Adware.ToolBar.SideFind.a (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000244.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.dk
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000245.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.cr
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000246.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.cr
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000247.exe

(DELETED) Positive identification: Adware.180Solutions.k
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000248.exe

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000249.dll

(DELETED) Positive identification: Adware.BargainBuddy.i
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000253.exe

(DELETED) Positive identification: Adware.BargainBuddy.j4
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000255.exe

(DELETED) Positive identification: Riskware.PSWTool.EDialer
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000256.exe

(DELETED) Positive identification (DLL): Adware.Exact.c (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000257.dll

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000258.dll

(DELETED) Positive identification: Adware.BargainBuddy.n
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000273.exe

(DELETED) Positive identification: Adware.BargainBuddy.n1
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000274.exe

(DELETED) Positive identification: Adware.BargainBuddy.n2
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000275.exe

(DELETED) Positive identification: Adware.BargainBuddy.n4
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000277.exe

(DELETED) Positive identification (DLL): Adware.Exact.c (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000279.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dd (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000281.dll

(DELETED) Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.dc (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000282.dll

(DELETED) Positive identification: Adware.180Solutions.j
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000283.exe

(DELETED) Positive identification: TrojanDownloader.Win32.IstBar.fr2
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000285.exe

(DELETED) Positive identification (DLL): Adware.Toolbar.SideFind.a BHO (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000286.dll

(DELETED) Positive identification (DLL): Adware.ToolBar.SideFind.a (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000287.dll

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.dk
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000288.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.cr
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000289.exe

(DELETED) Positive identification: TrojanDownloader.Win32.Dyfuca.cr
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000290.exe

(DELETED) Positive identification: Adware.180Solutions.k
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000291.exe

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000293.dll

#18 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
It sure was worth the trouble. No matter how long it took.

Next thing we need to do is flush your Restore Points.

To do so:
1 Disable System Restore
2 Reboot
3 Re-enable System Restore

If you don't know how: http://service1.syma...src=sec_doc_nam

Post one more HijackThis log as a checkup, please.

Regards,

Pieter
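
Why the restore points have to go, and what else a helper verifies from a report like the one above: the following is an added Python example, not part of the thread and not TDS-3's own code. It parses the two-line "(action) kind: name" / "File: path" records that TDS-3 writes (the format is inferred from the posted report), lists the autostart registry values that were removed, checks that the binary each value pointed at (msass43.exe here) was also hit as a file, and counts the detections sitting inside System Volume Information restore snapshots, which is where every ...\_restore{...}\rp3\... entry above lives and why System Restore is flushed next. The report text embedded in the script is a constructed subset of the one posted above.

```python
"""Summarise a TDS-3 scan report (added example, not part of the thread).

Reads the two-line "(action) kind: name" / "File: path" records TDS-3 writes,
then answers the questions a helper checks before calling a machine clean:
which autostart values were removed, whether the binaries they pointed at
were removed too, and how many hits live in System Restore snapshots.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the report posted above, so the script runs offline.
SAMPLE_REPORT = r"""
Scan Control Dumped @ 00:50:58 04-12-04
(DELETED) Live trojan found (in process memory): DCOM RPC Exploit
File: C:\WINDOWS\System32\msass43.exe

(Deleted) RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows Media Player=msass43.exe]

(Deleted) RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Windows Media Player=msass43.exe]

(DELETED) Positive identification: Adware.BargainBuddy.n5
File: c:\windows\system32\angelex.exe

(DELETED) Positive identification (DLL): Adware.180Solutions.g (dll)
File: c:\system volume information\_restore{fef9dae1-0326-4c6c-bb0b-f7e2db7f70e0}\rp3\a0000159.dll
"""

HEADER_RE = re.compile(r"^\((?P<action>[A-Za-z]+)\)\s+(?P<kind>[^:]+):\s+(?P<rest>.+)$")
REGVAL_RE = re.compile(r"^(?P<key>.+?)\s+\[(?P<value>[^=\]]+)=(?P<data>[^\]]*)\]$")
# Restore-point copies are not on the live system, but restoring that point brings them back.
RESTORE_PREFIX = r"c:\system volume information\_restore"


@dataclass
class Finding:
    action: str      # "DELETED" / "Deleted", as TDS-3 prints it
    kind: str        # "Positive identification", "RegVal Trace", ...
    name: str        # detection name, e.g. Adware.BargainBuddy.n5
    path: str        # file path, or registry key path for RegVal traces
    hive: str = ""   # HKEY_* (RegVal traces only)
    value: str = ""  # registry value name (RegVal traces only)
    data: str = ""   # registry value data (RegVal traces only)

    @property
    def in_restore_point(self) -> bool:
        return self.path.lower().startswith(RESTORE_PREFIX)

    @property
    def family(self) -> str:
        # Adware.BargainBuddy.n5 -> Adware.BargainBuddy, DDoS.RAT.rBot -> DDoS.RAT
        parts = self.name.split(".")
        return ".".join(parts[:2]) if len(parts) > 2 else self.name


def parse_report(text: str) -> list[Finding]:
    findings: list[Finding] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pending = m.groupdict()
        elif line.startswith("File:") and pending is not None:
            path = line[len("File:"):].strip()
            if pending["kind"].startswith("RegVal Trace"):
                name, _, hive = pending["rest"].rpartition(": ")
                rm = REGVAL_RE.match(path)
                key, value, data = (rm["key"], rm["value"], rm["data"]) if rm else (path, "", "")
                findings.append(Finding(pending["action"], pending["kind"], name, key, hive, value, data))
            else:
                findings.append(Finding(pending["action"], pending["kind"], pending["rest"], path))
            pending = None
    return findings


def persistence_entries(findings: list[Finding]) -> list[tuple[str, str, str]]:
    """Autostart registry values that were removed: (hive\\key, value name, data)."""
    return [(f"{f.hive}\\{f.path}", f.value, f.data) for f in findings if f.kind.startswith("RegVal Trace")]


def autostart_binaries(findings: list[Finding]) -> dict[str, bool]:
    """For each binary an autostart value pointed at, whether a file hit also removed it."""
    targets = {f.data.lower() for f in findings if f.data}
    files = [f.path.lower() for f in findings if not f.data]
    return {t: any(p.endswith("\\" + t) for p in files) for t in targets}


def restore_point_hits(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.in_restore_point]


def family_counts(findings: list[Finding]) -> Counter:
    return Counter(f.family for f in findings)


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(f"{len(fs)} findings; {len(restore_point_hits(fs))} inside System Restore snapshots")
    for key, value, data in persistence_entries(fs):
        print(f"autostart removed: {key} [{value}={data}]")
    for binary, removed in autostart_binaries(fs).items():
        print(f"autostart target {binary}: file hit {'present' if removed else 'MISSING - check by hand'}")
    for family, n in family_counts(fs).most_common():
        print(f"{n:3d}  {family}")
```

Run it against the full report above by pasting the whole log into SAMPLE_REPORT: the restore-point count is the number of hits that a later "restore to RP3" would put straight back on disk, and an autostart target reported as MISSING means the value was deleted but no file hit matched it, so the binary should be looked for by hand.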

#19 madbomber (Member, Topic Starter, 13 posts)
Thank you very much. Seems all good now? Here is the (hopefully) final log.

Can you explain why all this stuff infected their comp? I don't understand why it wasn't blocked. I don't feel secure surfing the internet now.

Is it the big thumbs up now, or what? System seems to be clear; I didn't get redirected anywhere when I logged on. YAY!

Logfile of HijackThis v1.98.2
Scan saved at 10:44:10 AM, on 4/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MagicKey\MagicKey.exe
C:\Program Files\MagicKey\OSD.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Nigel\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [EnigmaPopupStop] C:\Program Files\Enigma Software Group\Enigma Popup Stop\EnigmaPopupStop.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [Versato] "C:\Program Files\MagicKey\MagicRun.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095064092921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
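
A check worth running over a "final" HijackThis log before giving the thumbs up, as an added Python example that is not part of the thread and not HijackThis's own code: it parses the O4 autostart lines, extracts the executable from each command line (quoted path, unquoted path with spaces and arguments, or a bare file name), flags bare names such as SysTray.Exe that the loader resolves through its search order at logon rather than from a fixed path, and cross-checks every autostart against the "Running processes" list from the same log. The O4 and process lines embedded below are copied from the log above; the O4 line format is inferred from them.

```python
"""Triage the O4 (autostart) lines of a HijackThis log (added example, not part of the thread).

Pulls each autostart entry apart into location, value name and executable, flags
entries that name a bare file with no directory, and cross-checks the entries
against the "Running processes" list at the top of the same log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples: O4 lines and process paths copied from the log above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [Versato] "C:\Program Files\MagicKey\MagicRun.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""
SAMPLE_PROCESSES = r"""
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MagicKey\MagicKey.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<where>[^:]+): "
    r"(?:\[(?P<name>[^\]]+)\] (?P<cmd>.*)|(?P<lnk>.+?\.lnk) = (?P<target>.*))$"
)
# Quoted path, or an unquoted one up to the first executable extension followed by space/end.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.IGNORECASE)


def executable_of(command: str) -> str:
    m = EXE_RE.match(command)
    if m:
        return m["q"] if m["q"] is not None else m["u"]
    return command.split()[0] if command.split() else command


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Autostart:
    where: str    # HKLM\..\Run, HKCU\..\Run, Global Startup, ...
    name: str     # registry value name, or the .lnk file name
    command: str  # command line exactly as logged
    exe: str      # executable extracted from the command

    @property
    def is_bare_name(self) -> bool:
        # No directory: the loader resolves it at logon through its search order
        # (application directory, System32, System, Windows, then PATH), so a file of
        # the same name planted earlier in that order would run instead. Check by hand.
        return "\\" not in self.exe and "/" not in self.exe


def parse_o4(text: str) -> list[Autostart]:
    entries: list[Autostart] = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        if m["lnk"] is not None:
            entries.append(Autostart(m["where"], m["lnk"], m["target"], executable_of(m["target"])))
        else:
            entries.append(Autostart(m["where"], m["name"], m["cmd"], executable_of(m["cmd"])))
    return entries


def bare_name_entries(entries: list[Autostart]) -> list[str]:
    return [e.name for e in entries if e.is_bare_name]


def not_seen_running(entries: list[Autostart], process_list: str) -> list[str]:
    """Autostart entries whose executable does not appear in the running-process list.

    Not proof of anything (the program may have exited or launched a differently
    named child), but each one deserves a look before the log is called clean.
    """
    running = {basename(p) for p in process_list.splitlines() if p.strip()}
    return [e.name for e in entries if basename(e.exe) not in running]


if __name__ == "__main__":
    entries = parse_o4(SAMPLE_O4)
    for e in entries:
        flag = "  <- bare file name, verify which copy runs" if e.is_bare_name else ""
        print(f"{e.where:16} {e.name:28} {e.exe}{flag}")
    print("not seen running:", ", ".join(not_seen_running(entries, SAMPLE_PROCESSES)))
```

On the full log above, the bare-name entries are SystemTray, SoundMan and Logitech Utility; none of them is flagged by Pieter, but the check is cheap and it is exactly how a dropped look-alike binary in an earlier search directory would hide behind a legitimate value name.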

#20 Metallica (Spyware Veteran, GeekU Moderator, 31,675 posts)
Big thumbs up from me.

Nice teamwork on this one.

See if you can find them a firewall they can handle.
Some free ones:
http://www.zonelabs....reeDownload.jsp
http://smb.sygate.co...pf_standard.htm
http://www.winplanet.../file/15980.htm


And for some good advice:
http://boards.cexx.o...topic.php?t=957

Regards,

Pieter

#21 madbomber (Member, Topic Starter, 13 posts)
Great, very glad to hear it. Will look into the firewalls you provided. Thank you very much.