Discussion Starter · #1 ·
Hey there.
Earlier this morning I was trying to get programs to make .gifs with, and I guess I downloaded a Trojan. It was "xilisoft .flv converter", but it was supposed to be the full version. I found this file on a forum and the poster had 800+ posts, so I thought it was trustworthy. After I clicked the program, it vanished. This is when I knew something fishy was up.

I ran Spybot and tried removing the things it had found, but it didn't work in the slightest. Here's what it lists.
  • win32.delf.uc
  • opachki.ru
  • refpron
  • win32.agent.icb
  • win32.agent.wiw

This Trojan forces me to log on as a User. When I start my comp it takes me to the user login screen (which I never had previously); luckily I don't need to enter a password to get on.
It won't allow me to go into any kind of safe mode.
Spybot is unable to remove them permanently.
Earlier my desktop wouldn't load because of it; I'm surprised it loaded this time.
I'm scared to restart my computer because of these things.

The post I got it from was here:
hxxp://www.forumcraze.com/forums/applications/44988-xilisoft-flv-converter-5-1-26-0814-a.html
It's not the actual file; it's the forum post I went to. The file is linked in the post.

====
DDS:
====

DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 19:25:13.43 on Mon 12/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1527 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
svchost.exe C:\WINDOWS\TEMP\VRT1A.tmp
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Curse\CurseClient.exe
C:\Program Files\Octoshape Streaming Services\Michael\OctoshapeClient.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Michael\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://forums.worldofwarcraft.com/index.html?sid=1
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [Octoshape Streaming Services] "c:\program files\octoshape streaming services\michael\OctoshapeClient.exe" -inv:bootrun
uRun: [notepad] rundll32.exe c:\docume~1\michael\ntload.dll,[email protected]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [ImageItEncrypt] c:\windows\system32\ImageItEncrypt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [notepad] rundll32.exe c:\windows\system32\notepad.dll,[email protected]
dRun: [notepad] rundll32.exe c:\docume~1\locals~1\ntload.dll,[email protected]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerwl~1.lnk - c:\program files\acer wlan 11g usb dongle\ZDWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4E218431-2F07-40BD-A9D3-035324C1F13F} - hxxp://webserver.dyyno.com/tng/dyyno-client/DyynoCAB.CAB
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\windows\system32\curslib.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\hlr6zepu.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com (Virtus Designs)
FF - prefs.js: browser.startup.homepage - www.wowhead.com
FF - plugin: c:\documents and settings\michael\application data\mozilla\firefox\profiles\hlr6zepu.default\extensions\[email protected]\plugins\npDyyno.dll
FF - plugin: c:\documents and settings\michael\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\dyyno\dyyno player\npvlc.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0806110_sua_900\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0806260_sua_000\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0810164_sua_000\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0905250_sua_000\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0907083_sua_000\npoctoshape.dll
FF - plugin: c:\program files\octoshape streaming services\michael\octoprogram-l03-nms0907280_sua_000\npoctoshape.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-12-14 18944]
R1 unpr;Unprotector;c:\windows\system32\drivers\unpr.sys [2009-12-14 4096]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2003-3-31 62976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-5-16 1174152]

=============== Created Last 30 ================

2009-12-15 00:05:36 44 ----a-w- c:\windows\system32\1B.tmp
2009-12-14 14:52:03 44 ----a-w- c:\windows\system32\D.tmp
2009-12-14 14:08:41 44 ----a-w- c:\windows\system32\B.tmp
2009-12-14 14:00:37 0 ----a-w- c:\windows\system32\C.tmp
2009-12-14 14:00:33 44 ----a-w- c:\windows\system32\A.tmp
2009-12-14 13:34:56 32768 ----a-w- c:\windows\system32\kzp.4e
2009-12-14 13:34:55 65024 ----a-w- c:\windows\system32\rth.gde
2009-12-14 13:34:51 155648 ----a-w- c:\windows\system32\nmklo.dll
2009-12-14 13:34:49 189440 ----a-w- c:\windows\system32\cooper.mine
2009-12-14 13:34:43 18944 ---ha-w- c:\windows\system32\drivers\protect.sys
2009-12-14 13:34:39 4096 ----a-w- c:\windows\system32\drivers\unpr.sys
2009-12-14 12:43:49 0 d-----w- c:\program files\ConvertHelper
2009-12-14 12:39:37 0 d-----w- c:\docume~1\michael\applic~1\Xilisoft Corporation
2009-12-09 08:03:02 0 d-----w- c:\documents and settings\michael\.microemulator
2009-12-09 07:39:01 0 d-----w- c:\program files\Kwyshell

==================== Find3M ====================

2009-12-14 13:34:51 577536 ----a-w- c:\windows\system32\user32.DLL
2006-06-18 03:44:10 648171 ----a-w- c:\program files\UIBackup v1.10.2 Revision G.exe
2000-02-05 01:48:12 53248 ----a-w- c:\program files\SETUP.EXE
2007-04-16 15:52:53 28160 --sha-w- c:\windows\system32\notepad.dll
2007-04-16 15:52:53 28160 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2007-04-16 15:52:53 28160 --sha-w- c:\windows\system32\config\systemprofile\start menu\programs\startup\scandisk.dll

============= FINISH: 19:25:29.10 ===============
Hopefully I posted all the necessary information to get help.
I don't have a backup of my files and folders, so I want to be very careful about this.
Any help would be greatly appreciated.

Thanks for your time.
Discussion Starter · #2 · (Edited)
A few more things I've noticed:

Browser keeps crashing.
When I try visiting antivirus sites they just don't load. It seems to be blocking them.
When my desktop loads it pretends to be Windows telling me it has blocked certain things that are crucial for the startup. (I still haven't restarted my computer in a couple of hours because I'm in fear it won't let me back in.)
"Google-analystiks.us" (with the k) is showing up on every site in NoScript.