PDA

View Full Version : ieupdr2.exe and possibly more


Judus
2008-01-28, 05:58
Hello, being the idiot that I am I formatted my laptop and went surfing without reinstalling av and am paying the price now .

Found ieupdr2, stopped the process and deleted it but I know there's more . Help plz !

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:58 PM, on 1/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\pegasus transtech\transflo now\transflo.client.agent.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Pegasus TransTech\TRANSFLO Now\Transflo.Notify.exe
C:\DOCUME~1\Marc\LOCALS~1\Temp\winlogan.exe
C:\WINDOWS\system32\wmedia32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Marc\LOCALS~1\Temp\winlogan.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Marc\LOCALS~1\Temp\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe Flash Media - {AEAB3281-9D99-A88C-376F-356243B55031} - C:\WINDOWS\system\hqttse32.dll
O2 - BHO: C:\WINDOWS\system32\J8dj3jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\J8dj3jg.dll
O2 - BHO: C:\WINDOWS\system32\Hfkr4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Transflo Notify] C:\Program Files\Pegasus TransTech\TRANSFLO Now\Transflo.Notify.exe
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\DOCUME~1\Marc\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [WMedia32] wmedia32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\DOCUME~1\Marc\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Windows Recavery Adware] C:\DOCUME~1\Marc\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CB270C0-C606-4161-822A-815611FECFDB}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{3205291B-35BE-4FD9-8F63-028A96DAFF3E}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EF7DDA4-0A8D-44CD-89FE-C6B2956D2158}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B3EF3E8-0AF4-4710-8DB8-4F8792819E34}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{C36314B0-1190-486E-AF3F-863DD818AC9E}: NameServer = 85.255.114.25 85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CB270C0-C606-4161-822A-815611FECFDB}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.94
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CB270C0-C606-4161-822A-815611FECFDB}: NameServer = 85.255.114.25,85.255.112.94
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.25 85.255.112.94
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - C:\WINDOWS\system32\winload.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\J8dj3jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft P2P2 Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TRANSFLO Client Agent Service (TRANSFLOClientAgentService) - Pegasus TransTech Corp. - c:\program files\pegasus transtech\transflo now\transflo.client.agent.exe

--
End of file - 7020 bytes
Shaba
2008-01-29, 10:57
Hi Judus

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Judus
2008-01-29, 16:21
Hello Shaba,

I'm willing to format it again and reinstall the OS. I need to be able to trust this comp so I'll do whatever I have to to make it right . Will a reformat and reinstall of the OS make it 100% safe ? If not, I'll replace the hard drive if need be .

Thank you so much for the help and I'll follow your lead on how to proceed .
Shaba
2008-01-29, 16:31
Hi

"Will a reformat and reinstall of the OS make it 100% safe ?"

Yes.

See here (http://spyware-free.us/tutorials/reformat/)
for nice reformatting guide.

Pay attention to download AV and firewall prior to reformatting and save them to eg. CD/DVD and enable windows own firewall before connecting to internet. After 3rd party firewall installation you should disable it again.
Shaba
2008-02-03, 11:33
Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.