UPS trojan

patio:
SDFix...
Sorry this has been so long. He has no web access now and OTMoveit would not run.
I'll try it today from the Admin account with all other protection disabled...


SDFix: Version 1.210
Run by Dennis on Sat 08/02/2008 at 11:37 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\TMPGEnc\TMPGEnc.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk  - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk  - Deleted



Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed


Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 23:57:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
"\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"ProfileLoadTimeLow"=dword:1e5619b8
"RefCount"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Firefox\\firefox.exe"="C:\\Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\ICQLite\\ICQLite.exe"="C:\\ICQLite\\ICQLite.exe:*:Enabled:ICQ Lite"
"C:\\ocerd\\Job.exe"="C:\\ocerd\\Job.exe:*:Enabled:Repro Desk"
"C:\\Documents and Settings\\Dennis\\Desktop\\Job.exe"="C:\\Documents and Settings\\Dennis\\Desktop\\Job.exe:*:Enabled:Repro Desk"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Mystic Island\\MLobby.exe"="C:\\Mystic Island\\MLobby.exe:*:Enabled:Mystic Island"
"C:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe"="C:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe:*:Enabled:i-Speeder"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"="C:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service"
"C:\\uTorrent\\uTorrent.exe"="C:\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 13 Oct 2004     1,694,208 A.SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 28 Jan 2008     1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008     5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008     2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri  4 Feb 2005           848 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu  5 Jun 2003         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon  1 Jan 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Wed 10 Jan 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
Wed 11 Apr 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp"
Sat 22 Dec 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv05.tmp"

Finished!
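
The "Authorized Application Key Export" in the log above is the Windows XP firewall's per-program exception list; each value reads path:scope:Enabled:display-name, with backslashes doubled in the export. As an added example (not SDFix output and not posted by anyone in this thread), the parser below reads those lines and lists the enabled exceptions whose program sits outside Program Files or the Windows directory. The sample lines are excerpted from the log above; the "expected prefix" list is an assumed triage heuristic, not a verdict on any program.

```python
import re
from typing import Dict, List

# Excerpt of the authorizedapplications\list export from the SDFix log
# above (standard profile); nothing here is added beyond what the log shows.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\ocerd\\Job.exe"="C:\\ocerd\\Job.exe:*:Enabled:Repro Desk"
"C:\\Documents and Settings\\Dennis\\Desktop\\Job.exe"="C:\\Documents and Settings\\Dennis\\Desktop\\Job.exe:*:Enabled:Repro Desk"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
'''

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')
# path:scope:state:name -- the lazy path group lets "C:" keep its colon.
VALUE_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>enabled|disabled):(?P<name>.*)$', re.I)
# Assumed heuristic: installers normally place programs under these roots.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "%windir%\\")


def parse_authorized_apps(export: str) -> List[Dict[str, object]]:
    """Turn export lines into dicts; the enclosing [key] names the firewall profile."""
    profile, entries = "", []
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parts = line[1:-1].lower().split("\\")
            profile = parts[-3] if len(parts) >= 3 else ""  # e.g. standardprofile
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        v = VALUE_RE.match(m.group("value").replace("\\\\", "\\"))
        if not v:
            continue  # skip values that do not follow the path:scope:state:name form
        entries.append({"profile": profile, "path": v.group("path"),
                        "scope": v.group("scope"), "name": v.group("name"),
                        "enabled": v.group("state").lower() == "enabled"})
    return entries


def flag_unusual(entries: List[Dict[str, object]]) -> List[str]:
    """Enabled exceptions whose program path is outside the expected roots."""
    return [str(e["path"]) for e in entries
            if e["enabled"] and not str(e["path"]).lower().startswith(EXPECTED_PREFIXES)]
```

Flagged paths are candidates for a closer look (hash lookup, signer, install history), which is the same judgement call the thread leaves to a scanner.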

evilfantasy:
You can manually delete those files if needed.

C:\WINDOWS\system32\drivers\SET19.tmp
C:\Temp\autorun.bin
C:\Temp\SFDNWIN.exe <- Just empty the entire Temp folder.

No Internet...

Uninstall CF: Start > Run > type combofix /u then click OK.

Delete SDFix.

----------

Most antivirus have this in their database now but without net connection it would be hard to update and run a scan.

Can you transfer over the MalwareBytes installer and let it do its job? Malwarebytes' Anti-Malware (MBAM)

The installer should contain all current updates.

patio:
Refuses to let me run MBAM...missing .dll error.
I'm attaching last night's HJT.
In open applications the keyboard makes continuous character hits, making it near impossible to run anything.

[recovering disk space -- attachment deleted by admin]

evilfantasy:
OK I was trying to save you the headache but it looks like Dr Web is going to have to be used. (it can take ages to scan) http://www.snapfiles.com/get/cureit.html

Update it from a PC with internet and then put it on the infected PC.

I don't see anything in the log except for this.

O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)

There is a bunch of conflicting information on it, so it's best to let an antivirus make the determination on whether it is good or a rogue.

patio:
Thanx a ton again EF...

Dr. Web is no problem as I'll be staying at his place tonight as we're going on a Road Trip at the crack of Dawn tomorrow for 2 rounds of Golf....

I like playing courses I've never seen and he's like minded so even if it takes a full day to run it's a non-issue...
Seeya when we return.

patio.
