Registered User
Join Date: Jun 2009
Posts: 2
OS: Win XP Media Center Edition
PC severely hosed due to Trojan
Working on my son's Dell Inspiron E1705 running XP Media Edition. He said it started misbehaving about a week ago. What I have observed:
1. After booting you get ViewpointService.exe application error - exception breakpoint. This happens every time you boot. It started around the time the PC went south. It is followed soon thereafter with ViewMgr crashing.
2. Most exes don't run. The computer hangs often and has to be rebooted.
3. I cannot run the McAfee command center. However, it is constantly trying to run itself and what you end up with is a whole string of McAfee icons in the sys tray, each with a red slice through it.
4. I downloaded Kaspersky, but could not run the exe. I could run the scan from within a cmd window. It found Trojan.Win32.TDSS.aekg.
5. Because his PC won't run, I'm transferring downloads & logs via memory stick to/from my PC. Every time I insert the stick back in my PC, McAfee finds and removes "m.exe" from it, indicating that it has found "Spy-Agent.dy".
I have run the DDS.scr for this posting. It produced DDS.txt then crashed.
I tried running GMER. It shows up as a Process in Task Manager for a little while, then disappears.
DDS.Txt:
DDS (Ver_09-05-14.01) - NTFSx86
Run by CCM at 19:37:43.71 on Wed 06/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1581 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\CCM\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-inc/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [<NO NAME>]
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [services] c:\windows\services.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\ccm\startm~1\programs\startup\is-tkdrf.lnk - c:\documents and settings\ccm\desktop\virus removal tool\is-tkdrf\startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?e=1218409801429&h=458bef75a94f28e6930e068256705fbd/&filename=jinstall-6u7-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: fabbdcabbedff - c:\windows\system32\fabbdcabbedff.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ccm\applic~1\mozilla\firefox\profiles\9xw71w16.default\
============= SERVICES / DRIVERS ===============
R1 is-tkdrfdrv;is-TKDRFdrv;c:\windows\system32\drivers\79555032.sys [2009-6-23 148496]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-27 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-27 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-27 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-27 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-27 40552]
S1 a5b099f9;a5b099f9;c:\windows\system32\drivers\a5b099f9.sys [2009-6-17 0]
S2 driver;driver;c:\windows\system32\svchost.exe -k driver [2005-8-16 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-17 24652]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-27 34216]
=============== Created Last 30 ================
2009-06-23 21:35 7,168 a------- c:\windows\system32\drivers\utmymta5.sys
2009-06-23 21:19 148,496 a------- c:\windows\system32\drivers\79555032.sys
2009-06-23 20:26 <DIR> --dsh--- c:\documents and settings\ccm\PrivacIE
2009-06-23 19:01 194,064 a------- c:\windows\system32\kdpini.dll
2009-06-23 18:28 312,847 -------- c:\windows\system32\fc7dd8d7cd6ef63e32fdfebc8a6f5a47.TMP
2009-06-23 18:28 312,847 -------- c:\windows\system32\0ae0e91b902504078cd05c9eec4ddec1.TMP
2009-06-22 22:03 <DIR> --dsh--- c:\documents and settings\ccm\IETldCache
2009-06-22 13:13 26,112 a------- c:\windows\9129837.exe
2009-06-22 13:12 102,784 a------- c:\windows\system32\drivers\c26b7b84.sys
2009-06-18 00:47 312,847 -------- c:\windows\system32\f987bfa988b4904e5fc7a88ed6dcf2fa.TMP
2009-06-18 00:47 312,847 -------- c:\windows\system32\2e29b07310fd6a7ca510c4cebb675b2e.TMP
2009-06-17 22:37 0 a------- c:\windows\system32\drivers\a5b099f9.sys
2009-06-17 22:37 14,336 ----h--- c:\windows\ld10.exe
2009-06-17 22:36 204,100 ac------ C:\pcwr.exe
2009-06-17 22:36 205,828 a------- c:\windows\system32\msxml71.dll
2009-06-17 22:35 2 ac------ C:\274692252
2009-06-17 22:35 10,240 ac------ C:\ddxkfhqb.exe
2009-06-17 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\94128116
2009-06-17 22:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14118124
2009-06-17 22:01 10,752 a------- c:\windows\system32\iehelper.dll
2009-06-17 21:51 262,672 a------- c:\windows\sysguard.exe
2009-06-17 21:51 <DIR> --d----- c:\program files\driver
2009-06-17 21:51 1 ----h--- c:\windows\jmmark2.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52621.dat
2009-06-17 21:51 1 ----h--- c:\windows\bf23567.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52597.dat
2009-06-17 21:51 2 ----h--- c:\windows\zaponce52689.dat
2009-06-17 21:51 25,600 ----h--- c:\windows\ld09.exe
2009-06-17 01:45 <DIR> --d----- c:\program files\AIMTunes
2009-06-17 01:45 21 a------- c:\windows\atid.ini
2009-06-09 14:07 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 14:07 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 14:07 <DIR> --d----- c:\windows\ie8updates
2009-06-09 14:06 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-06-09 14:02 <DIR> -cd-h--- c:\windows\ie8
==================== Find3M ====================
2009-06-23 22:41 622,592 a------- c:\windows\system32\netcfgx.dll
2009-06-23 22:41 622,592 a------- c:\windows\system32\dllcache\netcfgx.dll
2009-06-23 18:28 312,847 -------- c:\windows\system32\fabbdcabbedff.dll
2009-06-22 22:03 80,885 a------- c:\windows\system32\nvModes.dat
2009-05-14 18:26 3,558 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-12-02 21:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120220081203\index.dat
============= FINISH: 19:40:17.21 ===============