#1
Registered User
Join Date: May 2009
Posts: 2
OS: xp
Help! PLEASE
Hi,
I first had problems the other day when a pop-up appeared and I thought it looked a bit like Facebook but assumed it was designed to look that way to make you click on it... but as I closed it I realised it had my Facebook picture on it. So I went onto my Facebook and emails had been sent out to people and my status had been changed. Now I have more problems: fake Windows security messages alerting me to threats, and when I try to close them they redirect me to buy some software. Every Google link I click on I get redirected to a site called bitlook.com, yet I can enter URLs and access them fine. I also keep getting my cursor turning into a red circle with a cross through it like a no smoking sign... umm, what else... ooh, I ran Malwarebytes in safe mode and it found 53 security threats and trojans which I deleted... but I still have major problems. Please help (sorry for the rambling... trying to give as much detail as possible to help you diagnose; not sure what's relevant!!)

DDS (Ver_09-05-14.01) - NTFSx86
Run by Danielle at 23:34:33.89 on 22/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1270.719 [GMT 1:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AirPort\APAgent.exe
C:\windows\ld08.exe
C:\windows\pp10.exe
C:\windows\freddy43.exe
C:\windows\mstre19.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
"C:\WINDOWS\system32\aaclientp.exe"
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\Program Files\SRS Labs\WOWXT and TSXT Driver\SRS_PostInstaller.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Softex\winroute\WinRServ.exe
C:\Program Files\Softex\winroute\WinRoute.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\SYSDLL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Danielle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: 121973 Class: {31c2a4cc-289d-442a-950c-b33b1b06522b} - c:\windows\system32\121973\121973.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SYS32DLL] SYS32DLL
uRun: [servises] c:\windows\system32\servises.exe
uRun: [SYSDLL] SYSDLL
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [sysldtray] c:\windows\ld08.exe
mRun: [pp] c:\windows\pp10.exe
mRun: [sysfbtray] c:\windows\freddy43.exe
mRun: [sysmstray] c:\windows\mstre19.exe
mRun: [servises] c:\windows\system32\servises.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uExplorerRun: [servises] c:\windows\system32\servises.exe
mExplorerRun: [servises] c:\windows\system32\servises.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: &Search
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: bmnet.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: t-mobile - {C6D89159-3467-4C2F-9918-3362DA57BCD2} - c:\progra~1\t-mobile\hotspo~1\TMOBIL~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\jikotato.dll ,
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

============= SERVICES / DRIVERS ===============

R0 RITCPT;RITCPT;c:\windows\system32\drivers\RITCPT.SYS [2006-6-1 43512]
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2006-9-6 183159]
R0 WCMBusXP;WCM Enumerator and Bus Driver;c:\windows\system32\drivers\WCMBusXP.sys [2006-10-5 66816]
R0 WinRoute;WinRoute;\SystemRoot\\SystemRoot\system32\drivers\winroute.sys --> \SystemRoot\\SystemRoot\system32\drivers\winroute.sys [?]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2005-9-10 4300]
R2 FBAPI;FBAPI;c:\windows\system32\drivers\FBAPI.sys [2006-6-1 5088]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2005-5-28 36864]
R2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\srs labs\wowxt and tsxt driver\SRS_PostInstaller.exe [2005-11-28 31744]
R2 WinRServ;Softex WinRoute Service;c:\program files\softex\winroute\WinRServ.exe [2006-10-6 63920]
R3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [2005-11-28 19456]
S2 EventSystemNtmsSvc;COM+ Event System EventSystemNtmsSvc;c:\windows\system32\aaclientp.exe srv --> c:\windows\system32\aaclientp.exe srv [?]
S2 gupdate1c989f8c1b58204;Google Update Service (gupdate1c989f8c1b58204);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
S3 ADDMEM;ADDMEM;\??\c:\docume~1\kbf6c~1.smi\locals~1\temp\__samsung_update\addmem.sys --> c:\docume~1\kbf6c~1.smi\locals~1\temp\__samsung_update\ADDMEM.SYS [?]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\drivers\ADM8511.SYS [2006-10-5 24745]
S3 GTF32BUS;GT F32 BUS;c:\windows\system32\drivers\gtf32bus.sys [2005-9-1 32000]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2005-9-1 7936]
S3 GTSCSER;GT SC SER;c:\windows\system32\drivers\gtscser.sys [2005-8-29 18944]
S3 odysseyIM2;Odyssey Network Service Miniport;c:\windows\system32\drivers\odysseyIM2.sys [2003-4-29 62273]
S3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\drivers\CamDrL20.sys [2006-10-5 245760]
S3 WCMVmdXP;WCM VMODEM Driver;c:\windows\system32\drivers\WCMVmdXP.sys [2006-10-5 54656]

=============== Created Last 30 ================

2009-05-22 22:42 0 ----h--- c:\windows\f5087.dat
2009-05-22 22:40 16,896 a------- c:\windows\system32\SYSDLL.exe
2009-05-22 22:40 <DIR> --d----- c:\windows\system32\121973
2009-05-22 02:23 1 ----h--- c:\windows\msmark2.dat
2009-05-22 02:23 27,136 ----h--- c:\windows\mstre19.exe
2009-05-22 02:23 2 ----h--- c:\windows\sto452739.dat
2009-05-22 02:23 33,792 ----h--- c:\windows\freddy43.exe
2009-05-22 02:23 2 ----h--- c:\windows\sto452712.dat
2009-05-22 02:23 1 ----h--- c:\windows\f23567.dat
2009-05-22 00:23 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-22 00:23 13,824 ----h--- c:\windows\pp10.exe
2009-05-22 00:23 16,384 a------- c:\windows\system32\SYS32DLL.exe
2009-05-22 00:23 2 ----h--- c:\windows\sto452730.dat
2009-05-22 00:23 <DIR> --d----- c:\windows\system32\870159
2009-05-22 00:23 33,280 a------- c:\windows\system32\update1713734.exe
2009-05-22 00:23 32 a--s---- c:\windows\system32\3904846167.dat
2009-05-22 00:23 5 a------- c:\windows\system32\_id.dat
2009-05-22 00:23 50,688 ---shr-- c:\windows\system32\aaclientp.exe
2009-05-22 00:23 30,720 ----h--- c:\windows\ld08.exe
2009-05-22 00:22 18,432 a------- c:\windows\system32\digiwet.dll

==================== Find3M ====================

2009-03-30 18:43 61,440 a--sh--- c:\windows\system32\jukasedo.exe
2003-07-01 12:36 86,016 -------- c:\windows\inf\D211setup.exe
2003-07-01 12:36 3,795,891 -------- c:\windows\inf\Nokia_D211setup.exe
2003-07-01 12:36 363,459 -------- c:\windows\inf\Opt_133.exe
2003-07-01 12:36 256,378 -------- c:\windows\inf\Opt_update.exe
2008-12-30 16:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008123020081231\index.dat

============= FINISH: 23:35:34.76 ===============
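The DDS log above packs the indicators an analyst reads first into a handful of line types: the Run/Explorer\Run autoruns pointing at freshly dropped executables directly under c:\windows\, a pathless autorun value such as SYS32DLL, a browser proxy set to localhost:7171 (consistent with the Google-result redirects the poster describes), an AppInit_DLLs entry, a fifth SecurityProviders DLL beyond the Windows XP default four, and recently created hidden/system-attributed files. The triage script below is an added example for this thread; it is not a Tech Support Forum tool and not part of DDS. Each rule is a heuristic, an assumption about what merits a closer look rather than a verdict, and the sample lines are copied from the log above with a few benign entries mixed in for contrast.

```python
"""Triage of DDS log lines for the autorun, proxy and injection indicators
visible in post #1.

Added example for this thread; it is not a Tech Support Forum tool and not
part of DDS. Every rule is a heuristic (an assumption about what is worth
an analyst's attention), not a verdict."""
import re
from collections import defaultdict

# Windows XP default SecurityProviders value; anything beyond it deserves a look.
KNOWN_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# 'uRun: [name] target', also mRun/dRun and the Explorer\Run variants.
RUN_RE = re.compile(r'^([umd](?:Explorer)?Run): \[([^\]]*)\]\s*(.*)$')
# An .exe sitting directly in c:\windows\ (not in a subfolder such as system32).
WINDIR_ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)
# 'Created Last 30' rows: date time size attrs path (attrs look like ----h--- or ---shr--).
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\S+\s+([a-z-]{8})\s+(\S.*)$')

# Constructed sample: lines copied from the log above plus benign entries for contrast.
SAMPLE_LINES = [
    r"uInternet Settings,ProxyServer = http=localhost:7171",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [SYS32DLL] SYS32DLL",
    r"uRun: [servises] c:\windows\system32\servises.exe",
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
    r"mRun: [sysldtray] c:\windows\ld08.exe",
    r"mRun: [sysfbtray] c:\windows\freddy43.exe",
    r"uExplorerRun: [servises] c:\windows\system32\servises.exe",
    r"AppInit_DLLs: c:\windows\system32\jikotato.dll ,",
    r"SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll",
    r"2009-05-22 02:23 27,136 ----h--- c:\windows\mstre19.exe",
    r"2009-05-22 22:40 <DIR> --d----- c:\windows\system32\121973",
    r"2009-05-22 00:23 50,688 ---shr-- c:\windows\system32\aaclientp.exe",
]


def triage(lines):
    """Return a list of (rule, detail) findings for an iterable of DDS log lines."""
    findings = []
    run_targets = defaultdict(set)  # lower-cased target -> autorun keys it appears under
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            key, name, target = m.groups()
            run_targets[target.lower()].add(key)
            if WINDIR_ROOT_EXE.match(target):
                findings.append(("exe-in-windows-root", f"{key} [{name}] -> {target}"))
            elif "\\" not in target:
                # No path at all (e.g. 'SYS32DLL'): resolved through PATH at logon.
                findings.append(("pathless-autorun", f"{key} [{name}] -> {target}"))
            continue
        if line.startswith("uInternet Settings,ProxyServer"):
            value = line.split("=", 1)[1].strip()
            if "localhost" in value.lower() or "127." in value:
                # Browser traffic is routed through a listener on the machine itself.
                findings.append(("loopback-proxy", value))
            continue
        if line.startswith("AppInit_DLLs:"):
            # Any DLL listed here is loaded into every process that links user32.dll.
            for dll in line[len("AppInit_DLLs:"):].split(","):
                if dll.strip():
                    findings.append(("appinit-dll", dll.strip()))
            continue
        if line.startswith("SecurityProviders:"):
            provs = {p.strip().lower() for p in line[len("SecurityProviders:"):].split(",")}
            for extra in sorted(provs - KNOWN_SECURITY_PROVIDERS - {""}):
                findings.append(("extra-security-provider", extra))
            continue
        m = CREATED_RE.match(line)
        if m:
            _when, attrs, path = m.groups()
            # Recently created hidden/system-attributed files under the Windows directory.
            if ("h" in attrs or "s" in attrs) and path.lower().startswith("c:\\windows\\"):
                findings.append(("hidden-recent-file", f"{attrs} {path}"))
    # The same target under both a Run key and an Explorer\Run key is rare for legitimate software.
    for target, keys in run_targets.items():
        if len(keys) > 1 and any("Explorer" in k for k in keys):
            findings.append(("multi-key-autorun", f"{target} under {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:24} {detail}")
```

Run it as-is to see the nine findings from the sample, or feed it the lines of a saved DDS log (for example, `triage(open("dds.txt").readlines())`). The benign ctfmon.exe and iTunesHelper.exe entries produce nothing, which is the point of the rules being narrow: an autorun is only flagged when its target lives directly in c:\windows\, has no path at all, or is registered under an Explorer\Run key as well as a Run key.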
#2
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 565
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Help! PLEASE
Greetings MissD and Welcome to the Forums,
According to the information provided, one or more of the identified infections is a Backdoor Trojan. This allows hackers to remotely control your computer, steal critical system information, and download and execute files. To make matters even worse, there is also evidence of a Rootkit infection. Rootkits and Backdoor Trojans are very dangerous. This type of malicious software uses advanced techniques to bypass security mechanisms in order to gain access to computer systems...in short, your computer now belongs to someone else. Many Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use Backdoor Trojans and Rootkits as part of an exploit to gain access to a computer and take control of it without your knowledge. You are strongly advised to do the following immediately:
You should also understand that once a system has been compromised by a Rootkit or Backdoor Trojan, it can never really be trusted again unless you completely reformat the hard drives and reinstall Windows anew. While this type of malicious software can sometimes be removed successfully, I cannot guarantee that your system will be completely safe to use for future financial transactions or storage of sensitive data. It is dangerous and incorrect to assume that because this type of malware can be removed, that the computer can be secured. In some instances an infection of this type may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, I will do my best to help clean the computer of any infections but cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed. Thanks!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance | Windows Vista Performance and Maintenance
#3
Registered User
Join Date: May 2009
Posts: 2
OS: xp
Re: Help! PLEASE
Oh my... OK. I have a techy friend who can reinstall my OS... I think that's the best course of action from what you've told me. I won't even bother trying to repair it. I have called my bank and changed all my passwords from my Mac.
My Mac should be fine, right? It shares an internet connection with my infected laptop and is connected to it by a Mac AirPort that I used to transfer files from my laptop to my Mac. Can I just ask how you think I could have picked up such severe malware? I never open unknown emails/download from P2P/etc., but I do stream videos from sites such as free-tv-video-online.info (Lost is released far earlier in the States than the UK :S)... could this be the same as downloading, could that have caused this? Thank you for your prompt response.
#4
Analyst, Security Team
Join Date: Jun 2008
Location: Midwest, U.S.A.
Posts: 565
OS: Dual Boot Setup, Vista SP2 and XPSP3
Re: Help! PLEASE
There is just a myriad of possibilities. Streaming video can be just one of them. I can't say for certain that your Mac is fine either... that o/s has been on the malware authors' radar screen in the recent past as well. Have your "techy friend" take a look at that as well.
Good Luck!
__________________
Disabled Veteran, U.S.C.G. 1972 - 1978
Windows XP Performance and Maintenance | Windows Vista Performance and Maintenance