trojans/malware
Hello volunteer helpers. I've read the "read this before posting" and I hope I do everything right. My notebook appears to be infected with one or more problems. Windows open for no reason in IE or Firefox. Recordings play advertising ("you've been selected...." etc.) when no programs are running. HijackThis and other malware programs see trojans and clean them, but they seem to come back. Logs attached. Thanks for your help.
DDS.txt shown below:
DDS (Version 1.0) - NTFSx86
Run by Dell User at 21:49:50.12 on Wed 11/12/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.110 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Dell User\Desktop\dds.scr
============== Psuedo HJT Report ===============
uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: {2c9081fb-6817-49e3-8d06-80b6abc86da0} - c:\windows\system32\hozegupo.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton antivirus\engine\16.0.0.125\IPSBHO.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AdaptecDirectCD] "c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WG511WLU] c:\program files\netgear\wg511\utility\WG511WLU.exe -hide
mRun: [nwiz] nwiz.exe /installquiet
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
AppInit_DLLs: c:\windows\system32\semajosu.dll c:\windows\system32\vowikiho.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowikiho.dll
LSA: Notification Packages = scecli c:\windows\system32\semajosu.dll
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1000000.07d\SYMEFA.SYS
R1 BHDrvx86;Symantec Heuristics Driver;\??\c:\windows\system32\drivers\nav\1000000.07d\BHDrvx86.sys
R1 ccHP;Symantec Hash Provider;\??\c:\windows\system32\drivers\nav\1000000.07d\ccHPx86.sys
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081110.001\IDSxpx86.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\c:\windows\system32\AWINDIS5.SYS
R3 Ich;Ich;c:\windows\system32\drivers\Ich.sys
R3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\drivers\WG511ICB.sys
S4 hpt3xx;hpt3xx;
=============== Created Last 30 ================
2008-11-12 21:31 250 a------- c:\windows\gmer.ini
2008-11-12 20:57 95 a------- c:\windows\wininit.ini
2008-11-12 20:09 268 a---h--- C:\sqmdata04.sqm
2008-11-12 20:09 244 a---h--- C:\sqmnoopt04.sqm
2008-11-12 08:18 268 a---h--- C:\sqmdata03.sqm
2008-11-12 08:18 244 a---h--- C:\sqmnoopt03.sqm
2008-11-11 23:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-11 23:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-11 23:25 268 a---h--- C:\sqmdata02.sqm
2008-11-11 23:25 244 a---h--- C:\sqmnoopt02.sqm
2008-11-11 23:01 268 a---h--- C:\sqmdata01.sqm
2008-11-11 23:01 244 a---h--- C:\sqmnoopt01.sqm
2008-11-11 22:58 <DIR> --d--r-- c:\program files\Norton Support
2008-11-11 21:53 268 a---h--- C:\sqmdata00.sqm
2008-11-11 21:53 244 a---h--- C:\sqmnoopt00.sqm
2008-11-10 21:44 <DIR> --dsh--- C:\found.000
2008-11-09 16:04 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2008-11-09 16:04 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-09 16:04 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-09 16:04 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-09 16:04 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-09 16:04 <DIR> --d----- c:\program files\Symantec
2008-11-09 16:04 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-09 16:03 <DIR> --d----- c:\windows\system32\drivers\NAV
2008-11-09 16:03 <DIR> --d----- c:\program files\Norton AntiVirus
2008-11-09 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2008-11-09 16:02 <DIR> --d----- c:\program files\NortonInstaller
2008-11-09 16:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2008-11-09 16:01 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2008-11-08 22:13 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2008-11-08 13:51 17,229 a------- c:\docume~1\dellus~1\applic~1\eber.dat
2008-11-08 13:51 14,575 a------- c:\docume~1\alluse~1\applic~1\axyma.dll
2008-11-08 13:51 13,875 a------- c:\windows\ijydewijyw.com
2008-11-08 13:51 12,917 a------- c:\docume~1\dellus~1\applic~1\vocih.com
2008-11-08 13:51 10,235 a------- c:\docume~1\dellus~1\applic~1\ecurahawov.bat
2008-11-08 13:51 10,224 a------- c:\windows\aqitixyjyr.com
2008-11-08 13:51 18,673 a------- c:\windows\velefygova.lib
2008-11-08 13:51 16,308 a------- c:\windows\zodicy.inf
2008-11-08 13:51 15,443 a------- c:\windows\risur.sys
2008-11-08 13:51 12,711 a------- c:\windows\wysyfil.inf
2008-11-08 13:51 11,975 a------- c:\windows\ulefy.lib
2008-11-08 13:51 10,370 a------- c:\windows\bynarem.inf
2008-11-08 10:58 <DIR> --dsh--- c:\documents and settings\dell user\PrivacIE
2008-11-08 10:53 81,920 a------- c:\windows\system32\ieencode.dll
2008-11-07 22:27 <DIR> --d----- c:\program files\Trend Micro
2008-11-07 22:09 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Malwarebytes
2008-11-07 22:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-07 22:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-11-07 22:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-02 17:27 31,744 a------- c:\windows\system32\351aT70U.exe
2008-10-23 18:36 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-10-18 18:19 <DIR> --d----- C:\Daddys Europe Pics
2008-10-18 14:51 <DIR> --d----- C:\Mamas Europe Pictures
2008-10-17 18:32 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-10-17 18:32 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-10-17 18:32 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-17 18:32 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-17 18:32 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-17 18:32 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
==================== Find3M ====================
2008-11-12 07:09 92,212 a--sh--- c:\windows\system32\zowirewa.dll
2008-11-10 20:47 <DIR> --d----- c:\program files\PokerStars
2008-11-06 20:48 <DIR> --d----- c:\program files\TMG
2008-11-06 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-09-26 20:30 <DIR> --d----- c:\docume~1\dellus~1\applic~1\LimeWire
2008-09-21 08:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-09-21 08:22 <DIR> --d----- c:\program files\Lavasoft
2008-09-21 08:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-09-21 08:15 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Move Networks
2008-09-20 23:43 <DIR> --d----- c:\program files\MSN Messenger
2008-09-20 23:36 <DIR> --d----- c:\program files\Messenger
2008-09-20 23:33 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-20 23:26 <DIR> --d----- c:\program files\Windows NT
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-08-20 00:30 666,112 a------- c:\windows\system32\wininet.dll
2008-07-08 17:16 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Snapfish
2007-02-18 21:51 <DIR> --d----- c:\docume~1\dellus~1\applic~1\Viewpoint
2006-12-24 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2008-08-07 21:13 60,928 a--sh--- c:\windows\system32\semajosu.dll
============= FINISH: 21:50:36.97 ===============
Last edited by robmop; 11-12-2008 at 08:03 PM.