Vicious Spyware

Post by rp4111 on 26th April 2009, 8:24 pm

I picked up some vicious spyware which has disabled my Avira from even running! When I try to run it I get a message saying the module cannot be found. And when I go to re-install it tells me that the exe has been changed in the temp folder. Work of the spyware I imagine. No luck removing it with my other spyware removal programs. I also have many strange processes running. Below is the DDS log. Any help is greatly appreciated.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Taylor at 16:18:14.45 on Sun 04/26/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.489 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\explorer.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;
uURLSearchHooks: H - No File
BHO: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [dll32] dll32
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [reader_s] c:\windows\system32\reader_s.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.3\IExifCom.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: ebay.com\www
Trusted Zone: frame.crazywinnings.com
Trusted Zone: frame.crazywinnings.com
Trusted Zone: musicmatch.com\online
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {98264495-6376-443C-9340-2996038BD143} - [You must be registered and logged in to see this link.]
DPF: {99A7E374-3E8E-4C78-A054-25522DC03DA2} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - [You must be registered and logged in to see this link.]
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - [You must be registered and logged in to see this link.]
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
STS: c:\windows\system32\jksahfo93wjfkd.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\jksahfo93wjfkd.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\taylor\applic~1\mozilla\firefox\profiles\4cvg03nq.ryan\
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-3-7 22336]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-4-26 18944]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-3-7 45376]
R3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2008-2-6 14848]
R3 vCOM;vCOM;c:\windows\system32\drivers\vCOM.sys [2005-7-9 19456]
S1 b4051529;b4051529;c:\windows\system32\drivers\b4051529.sys --> c:\windows\system32\drivers\b4051529.sys [?]
S2 antivirscheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-3-7 89345]
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-26 256512]
S2 MCVSRte;McAfee.com VirusScan Online Realtime Engine; [x]
S2 PIEUsb;Single Frame Film Scanner;c:\windows\system32\drivers\usbscan.sys [2008-5-27 14208]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-20 45132]
S3 antivirservice;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-3-7 171777]
S3 Cviat0;Cviat0; [x]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager; [x]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-10 23296]
S4 Asppho34am1.43;Asppho34am1.43; [x]
S4 Disydismw-da;Disydismw-da; [x]

=============== Created Last 30 ================

2009-04-26 15:58 0 a------- c:\windows\system32\nfr.gpref
2009-04-26 15:57 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-04-26 15:57 61,440 a------- c:\windows\system32\6.tmp
2009-04-26 15:57 36,352 -------- c:\windows\system32\reader_s.exe
2009-04-26 15:57 0 a------- c:\windows\system32\4.tmp
2009-04-26 15:57 124 a------- c:\windows\system32\3.tmp
2009-04-26 15:56 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-04-26 15:19 --d----- c:\windows\system32\3361
2009-04-26 15:19 --d----- c:\windows\dhcp
2009-04-26 15:19 0 a------- c:\windows\system32\nfr.assembly
2009-04-26 15:19 15,000 a------- c:\windows\system32\dsfsjhfjidfdsf.dll
2009-04-26 15:18 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-26 15:18 35,328 ----h--- c:\windows\pp06.exe
2009-04-26 15:18 38,912 a------- c:\windows\system32\dll32.exe
2009-04-26 15:18 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-26 15:18 92,668 a------- c:\windows\system32\drivers\a1715bad.sys
2009-04-26 15:18 --d----- c:\windows\system32\179223
2009-04-26 15:18 43,520 a------- C:\pdtivk.exe
2009-04-26 15:17 2 a------- C:\-461130108
2009-04-26 15:16 290,304 a------- C:\kggi.exe
2009-04-26 15:16 39,936 ----h--- c:\windows\ld08.exe
2009-04-26 15:16 --d----- c:\docume~1\taylor\applic~1\pidle
2009-04-26 15:16 182,911 a------- c:\windows\system32\prnet.tmp
2009-04-24 17:21 1,504 a------- c:\windows\system32\stalker.sys
2009-04-24 17:21 26,286 a------- C:\ARK2.tmp

==================== Find3M ====================

2009-04-26 16:13 2,040,832 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-26 15:17 12,800 a------- c:\windows\system32\SVCHOST.EXE
2009-04-26 15:17 12,800 a------- c:\windows\system32\dllcache\svchost.exe
2009-04-26 15:16 80,384 a--sh--- c:\windows\system32\yipusipe.dll
2009-04-26 15:16 75,776 a--sh--- c:\windows\system32\defurine.exe
2009-03-17 21:10 430,080 a------- c:\windows\system32\wmpheadphones.dll
2008-08-28 14:28 3,902,784 a------- c:\documents and settings\taylor\gosetup.exe
2007-07-28 20:57 87,608 a------- c:\docume~1\taylor\applic~1\ezpinst.exe
2007-07-28 20:57 47,360 a------- c:\docume~1\taylor\applic~1\pcouffin.sys
2006-05-31 08:14 108,056 a------- c:\program files\common files\secman.dll
2006-03-11 18:09 626,176 a------- c:\program files\common files\osmax.ocx
2005-12-29 14:36 560 a------- c:\documents and settings\taylor\PCDOC.BAT
2005-01-17 15:07 523 a------- c:\documents and settings\taylor\Q584361.exe
2004-06-02 21:36 0 a------- c:\documents and settings\taylor\ub.dat
2004-01-27 14:23 3,149 a------- c:\program files\common files\remove_tools.html
1998-07-31 15:01 19,904 a------- c:\program files\_ISREG16.DLL
2005-10-06 22:59 61 ---sh--- c:\windows\cnerolf.dat
2003-12-13 14:13 523 a--sh--- c:\windows\it.bat
2003-12-13 14:13 40,960 a--sh--- c:\windows\load.exe
2005-05-27 22:32 120 a--shr-- c:\windows\Regbak.dat

============= FINISH: 16:19:23.25 ===============


Re: Vicious Spyware

Post by Belahzur on 26th April 2009, 8:32 pm

Hello.
Can I ask how long you've been without an AV? Because you have a Koobface infection here, but worse than that, you also have Virut.

Virut is a file infector, sorry, but game over here. Formatting is the only option.

Do not backup any exe/scr type files, see here for more info:
[You must be registered and logged in to see this link.]

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


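As an added example, not part of the thread: a small triage script that scans lines in the DDS format posted above for the indicators behind Belahzur's verdict (svchost.exe running from outside System32, the browser proxy pointed at a local port, policies locking the user out of regedit and folder options, hidden or randomly named executables dropped in the Windows directory). The excerpt is constructed from a few of the posted lines; the heuristics and the vowel-ratio threshold are my own assumptions and yield leads for a human, not verdicts.

```python
import re
# Constructed excerpt in the DDS log format of the thread (a handful of the posted lines).
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
============== Pseudo HJT Report ===============
uInternet Settings,ProxyServer = http=localhost:7171
uPolicies-system: DisableRegistryTools = 1 (0x1)
============= SERVICES / DRIVERS ===============
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-26 256512]
=============== Created Last 30 ================
2009-04-26 15:57 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-04-26 15:18 35,328 ----h--- c:\windows\pp06.exe
2009-04-26 15:56 15,000 a------- c:\windows\system32\jksahfo93wjfkd.dll
2009-03-17 21:10 430,080 a------- c:\windows\system32\wmpheadphones.dll
"""
EXEC_EXT = {"exe", "dll", "sys", "scr", "com"}
# DDS file entry: date time [size] 8-char attribute string path (directories carry no size)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:[\d,]+\s+)?([-a-z]{8})\s+(.+)$", re.I)

def looks_random(stem):
    """Crude heuristic (assumed threshold) for generated names like jksahfo93wjfkd: long and vowel-poor."""
    letters = [c for c in stem if c.isalpha()]
    return len(stem) >= 8 and bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.25

def triage(lines):
    """Return (reason, line) pairs; each hit is a lead for a human, not a verdict."""
    hits = []
    for raw in lines:
        line, low = raw.strip(), raw.strip().lower()
        m = FILE_RE.match(line)
        if m:  # file entries: hidden attribute, odd location, generated-looking name
            attrs, path = m.group(1).lower(), m.group(2).lower()
            parent, _, name = path.rpartition("\\")
            stem, _, ext = name.rpartition(".")
            if ext in EXEC_EXT and "h" in attrs:
                hits.append(("hidden executable", line))
            if ext in EXEC_EXT and parent in ("c:", r"c:\windows"):
                hits.append(("executable in drive root or Windows directory", line))
            if ext in EXEC_EXT and looks_random(stem):
                hits.append(("random-looking executable name", line))
        elif "svchost" in low and not low.startswith(r"c:\windows\system32\svchost"):
            hits.append(("svchost not running from System32", line))
        elif "proxyserver" in low and ("localhost" in low or "127.0.0.1" in low):
            hits.append(("browser proxy pointed at a local port", line))
        elif re.search(r"(disableregistrytools|nofolderoptions) = 1", low):
            hits.append(("policy locking the user out of admin tools", line))
    return hits
```

Run `triage(SAMPLE_LOG.splitlines())` to list the flagged lines with their reasons; legitimate files with terse names (driver files are a common case) can trip the name heuristic, so treat each hit as a starting point for a lookup rather than a verdict.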

Re: Vicious Spyware

Post by rp4111 on 26th April 2009, 10:25 pm

Ouch! This is bad. I had Avira disabled for only an hour or so while installing a few programs. Looks like that was a major mistake on my part. I have disconnected the infected computer and changed all my passwords. So any exe files on my computer are potentially infected? Are non exe files safe?


Re: Vicious Spyware

Post by Belahzur on 26th April 2009, 10:28 pm

ALL exe files on the machine are infected. If you backup an exe file, you risk restoring the infection all over again.

The same applies to an scr type file.



Re: Vicious Spyware

Post by rp4111 on 26th April 2009, 10:40 pm

One more question. My laptop is connected via a wireless router. Is there a way this virus can somehow jump to my laptop through my internet connection? I imagine this backdoor virus thing has my IP address? My desktop computer is no longer connected to the router.


Re: Vicious Spyware

Post by Belahzur on 26th April 2009, 11:36 pm

Collecting an IP address isn't a usual method a malware writer can use.

Sure, they use your machine to spread malware so you get caught instead of them, but just knowing an IP address isn't very useful unless they DDoS the IP.

